We currently are not offering Customer Support on our Forum.
Please use our Store website for: Customer Service or Product Support.
 
 

Author Topic: Our Store Website is now using 100% Secure Pages  (Read 4109 times)

0 Members and 1 Guest are viewing this topic.

BigMike

  • Administrator
  • Online Gold Turtle Award
  • *
  • Turtle Points: 1340
  • Male Posts: 17,784
  • Member since Apr '02
  • 511:1 Club
    • Bone-Stock Plane-Jane 1981 Shortbed Pickup
Our Store Website is now using 100% Secure Pages
« on: Jul 03, 2014, 03:07:57 PM »
Hello Crawler Community,

I've been fighting to make this switch for a while, but today I finally decided to switch all of our Store traffic to a fully secured transfer protocol, which is what Facebook finally did last July (link), and many other sites are doing as well.

Currently, this change only applies to our Store Website, which will affect your browsing experience in the following ways:
1) Most noticeable is that you'll likely have to re-log back into our website (we are now using secure cookies so your session should be reset by your browser) (use this form to reset your password if you've forgotten it),
2) Your browsing experience may be slower, in terms of milliseconds, and
3) Our site is no longer http://www.marlincrawler.com; It is now https://www.marlincrawler.com. Your old bookmarks will still work as every http:// request will automatically be redirected to https:// requests (and our server will do the rest).

What does this mean for our server?
This will put a larger load on our server because each request is encrypted which takes more processing time to accomplish. I believe our server is up to the challenge such that any drop in browsing speed should be negligible.

What finally made us make the change?
We have a module called Secure Pages (link) that gives us the ability to configure which pages on our Store website as secure or not. Essentially, maximum security is only necessary when transmitting sensitive information, such as modifying your profile or placing/viewing an order. However, a few years ago a new vulnerability was discovered whereby a hacker can violate your secure session on our website by intercepting its cookie(s) and impersonating the host machine (more info). This risk is mitigated by standard network security, but it's not too uncommon these days to be on unsecured networks (at a cafe for example) where hackers sit back and wait to capture unsecured network traffic.

I subscribe to multiple network security newsletters and became aware of this vulnerability straight away and installed a helper module called Secure Pages Hijack Prevention (link) which injects an additional session ID cookie with a 'secure' flag to accompany your original cookie. Technically speaking, this method does not "prevent" hijacks, but rather it rejects additional requests if both cookies are not present (the hacker can't fake the additional secured cookie and the session fails validation). The means of rejection is to simply log the user out, thereby kicking the attacker out of our system (and your profile for example) without any additional information being sent (they get nothing!).

The problem is that we (our sales team, CruzrDave, Marlin's wife Christine, and myself) are constantly moving between secure pages and non-secure pages which often triggers the sensitive hijack prevention module forcing us to continually re-log into our site. We are doing this within our secured, wired network at work (ie. physically impossible to be hacked), however, it's quite annoying for us to re-log ourselves back into our website a few times throughout the day (we spend 10 hours straight every day on our website).

Additionally, there are inherent downsides to using mixed HTTP and HTTPS sessions (it's sometimes slow, some content won't load for some users, older browsers can't handle new security techniques, etc) and I've finally decided enough is enough: Let's just use fully 100% secure pages all the time every time.

What does this mean for your security?
1) Now every page on our Store website that you visit is encrypted along with any and all cookies,
2) There are fewer cookies being stored on your computer by our site, and
3) Any log out issues you may have experienced before should be gone for good.

Please let me know if you find our site suddenly much slower than before, and thank you for taking the time to read this as we deeply care about everyone's browsing experience. Have a happy 4th of July Holiday Weekend!

Regards,
BigMike
New Instagram: @SlowestTacoma

Check out our new Rock Crawling Videos!
2016 56-speed 580:1 Triple T/Case 3rd gen Tacoma Rock Crawler   
1981 36-speed 511:1 3RZ-FE Rock Crawler
1987 6-speed Supercharged 4A-GZE MR2
Error occurred because of error.
"The worst of both worlds, the best of neither." -abnormaltoy
Things are only impossible until they are not.

BigMike [OP]

  • Administrator
  • Online Gold Turtle Award
  • *
  • Turtle Points: 1340
  • Male Posts: 17,784
  • Member since Apr '02
  • 511:1 Club
    • Bone-Stock Plane-Jane 1981 Shortbed Pickup
Looks like we'll be switching our forum over to full HTTPS as well thanks to https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

I'll keep everyone posted :thumbs:

Regards,
BigMike
New Instagram: @SlowestTacoma

Check out our new Rock Crawling Videos!
2016 56-speed 580:1 Triple T/Case 3rd gen Tacoma Rock Crawler   
1981 36-speed 511:1 3RZ-FE Rock Crawler
1987 6-speed Supercharged 4A-GZE MR2
Error occurred because of error.
"The worst of both worlds, the best of neither." -abnormaltoy
Things are only impossible until they are not.

 
 
 
 
 

Related Topics

0 Replies
694 Views
Last post Dec 31, 2007, 09:30:28 AM
by Rocksurfer
21 Replies
2509 Views
Last post Jun 11, 2008, 08:42:47 AM
by TIMS89CRAWLER
34 Replies
2775 Views
Last post Apr 03, 2009, 07:13:30 AM
by unclejpl4x4
48 Replies
5490 Views
Last post Feb 09, 2011, 03:42:59 PM
by BigMike
1 Replies
1667 Views
Last post Oct 26, 2011, 03:44:37 PM
by CrawlerChick