Despite the fact that I’m still very busy with the exam period it has been my task for the past few weeks to bring all TSA servers (both our dedicated servers and website) inline with good security practices. So without further adieu let’s go through some of the improvements I have made to our general security:
Side note:
It may be the view of some security experts that posting an article like this is in its self a bad security practice. However, it have always been my view when dealing with the security of our servers that security through obscurity is not much better than no security at all. Also we have numerous security measures that are not mentioned here (many of my own design) to protect our servers.
SSL Certificate:
You may have noticed recently that (depending on your browser) there is now padlock located next to our website address in your web browser, this is because the connection to and from our server is now protected with high grade encryption to prevent eavesdropping. This is the exact same encryption used by banks to protect their clients data and also the same encryption that Edward Snowden recommended should be used much more often.
sslsecurecert1
^ You can see our nice little clicky button showing that this site is secure above, and the explanation above to trick you into thinking that I didn’t just protect this site with SSL so that we could have a shiny nice looking clicky button on this post.
Web Application Firewall and Antivirus:
As well as the SSL certificate our website is protect by a web application firewall (WAF) that will use several different techniques like pattern matching to block malicious requests to this server, as well as an antivirus that will scan all website files for infection and attempt to automatically fix vulnerabilities faster than out security team can respond.
Login Sessions:
You should now see a new tab in the miscellaneous section of the User CP called MySessions. In this tab you can see all of the login sessions that are currently active (for example if you logged into a public computer some where this tab would show if you were still logged in there). This would be particularity useful if you left your account logged in on a friends computer. Although don’t forget if you believe you account has been compromised the first thing you should do is change your password, this will automatically and immediately log out any sessions that were using your old password.
Hopefully this will give you a little more trust that unlike some public forums we do take as many steps as we can to protect your data