Author Topic: Our Store Website is now using 100% Secure Pages  (Read 6141 times)


BigMike

Our Store Website is now using 100% Secure Pages
« on: Jul 03, 2014, 03:07:57 PM »
Hello Crawler Community,

I've been fighting to make this switch for a while, but today I finally decided to switch all of our Store traffic to a fully secured transfer protocol, which is what Facebook finally did last July (link), and many other sites are doing as well.

Currently, this change only applies to our Store Website, which will affect your browsing experience in the following ways:
1) Most noticeable is that you'll likely have to re-log back into our website (we are now using secure cookies so your session should be reset by your browser) (use this form to reset your password if you've forgotten it),
2) Your browsing experience may be slower, in terms of milliseconds, and
3) Our site is no longer http://www.marlincrawler.com; it is now https://www.marlincrawler.com. Your old bookmarks will still work as every http:// request will automatically be redirected to https:// requests (and our server will do the rest).

What does this mean for our server?
This will put a larger load on our server because each request is encrypted which takes more processing time to accomplish. I believe our server is up to the challenge such that any drop in browsing speed should be negligible.

What finally made us make the change?
We have a module called Secure Pages (link) that gives us the ability to configure which pages on our Store website are secure or not. Essentially, maximum security is only necessary when transmitting sensitive information, such as modifying your profile or placing/viewing an order. However, a few years ago a new vulnerability was discovered whereby a hacker can violate your secure session on our website by intercepting its cookie(s) and impersonating the host machine (more info). This risk is mitigated by standard network security, but it's not too uncommon these days to be on unsecured networks (at a cafe for example) where hackers sit back and wait to capture unsecured network traffic.

I subscribe to multiple network security newsletters and became aware of this vulnerability straight away and installed a helper module called Secure Pages Hijack Prevention (link) which injects an additional session ID cookie with a 'secure' flag to accompany your original cookie. Technically speaking, this method does not "prevent" hijacks, but rather it rejects additional requests if both cookies are not present (the hacker can't fake the additional secured cookie and the session fails validation). The means of rejection is to simply log the user out, thereby kicking the attacker out of our system (and your profile for example) without any additional information being sent (they get nothing!).

The problem is that we (our sales team, CruzrDave, Marlin's wife Christine, and myself) are constantly moving between secure pages and non-secure pages which often triggers the sensitive hijack prevention module forcing us to continually re-log into our site. We are doing this within our secured, wired network at work (i.e. physically impossible to be hacked), however, it's quite annoying for us to re-log ourselves back into our website a few times throughout the day (we spend 10 hours straight every day on our website).

Additionally, there are inherent downsides to using mixed HTTP and HTTPS sessions (it's sometimes slow, some content won't load for some users, older browsers can't handle new security techniques, etc) and I've finally decided enough is enough: Let's just use fully 100% secure pages all the time every time.

What does this mean for your security?
1) Now every page on our Store website that you visit is encrypted along with any and all cookies,
2) There are fewer cookies being stored on your computer by our site, and
3) Any log out issues you may have experienced before should be gone for good.

Please let me know if you find our site suddenly much slower than before, and thank you for taking the time to read this as we deeply care about everyone's browsing experience. Have a happy 4th of July Holiday Weekend!

Regards,
BigMike
Check out our new Rock Crawling Videos!
2016 56-speed 580:1 Tacoma Rock Crawler
1981 36-speed 511:1 3RZ-FE Rock Crawler
1987 6-speed Supercharged 4A-GZE MR2
Instagram: @SlowestTacoma
Things are only impossible until they are not.
"The worst of both worlds, the best of neither." -abnormaltoy
"An informed question. But difficult to answer. I am what you see." -Nanaki

BigMike [OP]

Looks like we'll be switching our forum over to full HTTPS as well thanks to https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

I'll keep everyone posted :thumbs:

Regards,
BigMike
