Black Cap Design Resources

Articles ~ March 2008

Web Security: 5 Tips for Protecting Your Site

Identity theft. Online fraud. Phishing. Spam. If you've been following the news lately, these are terms you're familiar with.

It's no secret that the Web is all about the sharing of information. If information is power, plugging into the Web is a good thing. Right?

Unfortunately, the Web has proven an effective tool for criminals and people engaged in unethical business practices.

So how can you actively participate online and protect your web site from spammers, hackers and other nefarious characters?

Tip #1 ~ Protect Your E-mail Addresses

Anyone with an e-mail account has had first-hand experience with e-mail spam. Spam - not the canned meat variety - is unsolicited "junk" mail that is typically sent in mass mail-outs.

One reason spam is so widespread is that it's a very inexpensive system to operate. Spammers rely on the use of programs that scour the web harvesting e-mail addresses. These addresses are compiled into huge mailing lists - without the users' consent.

Once your e-mail address has been added to one of these lists, it's very likely your address will continue to circulate and wind up on multiple mass mailing lists.

Use your favourite search engine to run a search on your e-mail address. If the search finds sites containing your contact information, the chances are very good that your address is wide open to spam harvesting.

The best defence is to make sure your e-mail address is not out in the open for spam programs to pick up. Unless it's critical that your e-mail address is made public on those sites, contact them and ask them to replace your e-mail address with your web address.

The one place where you do want your e-mail address published is on your own web site. Fortunately, there are techniques available that allow you to provide a fully functional e-mail link that is hidden from e-mail address harvesting programs.

At Black Cap Design, every web site we develop includes spam protected e-mail links - a technique that hides your e-mail address from spam harvesting programs.
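One common way to build such a link, shown as an added example (not Black Cap Design's own code): the address is stored reversed in two data attributes and reassembled by script, and `exposedAddresses` applies a harvester-style pattern to confirm that nothing readable is left in the page source. The address `info@example.com`, the `contact` class and all function names are assumptions.

```javascript
// Added example. info@example.com, the "contact" class and every function
// name here are assumptions, not taken from any real site.

// Pattern typical of address-harvesting programs.
const HARVESTER_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

const reverse = (s) => [...s].reverse().join('');
const esc = (s) => s.replace(/[&<>"]/g, (c) => `&#${c.charCodeAt(0)};`);

// Harvesters decode numeric HTML entities, so "&#64;" does not hide an "@".
function decodeEntities(html) {
  return html.replace(/&#(x[0-9a-f]+|\d+);/gi, (whole, n) => {
    const cp = /^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// Addresses a harvester could lift from the page source.
function exposedAddresses(html) {
  return decodeEntities(html).match(HARVESTER_RE) || [];
}

// Build side: emit a link whose markup never contains the address.
function protectedLinkHtml(address, label) {
  const parts = address.split('@');
  if (parts.length !== 2 || !parts[0] || !parts[1]) {
    throw new Error('not an e-mail address: ' + address);
  }
  const [user, domain] = parts.map(reverse).map(esc);
  return `<a href="#" class="contact" data-u="${user}" data-d="${domain}">${esc(label)}</a>`;
}

// Browser side: rebuild the address from the element's data attributes.
function revealAddress(dataset) {
  return reverse(dataset.u) + '@' + reverse(dataset.d);
}

// When loaded in a page, turn each placeholder into a working mailto: link.
if (typeof document !== 'undefined') {
  for (const a of document.querySelectorAll('a.contact')) {
    a.href = 'mailto:' + revealAddress(a.dataset);
  }
}
```

This hides the address from programs that read the raw page source; a program that executes the page's scripts would still see the rebuilt link.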

It's also a good idea to have at least one "disposable" account you can use when signing up for services you're not 100% sure about. You can sign up for a free web-mail account with a service like Hotmail or Gmail. If you start getting spammed at that address, ditch that one and create a new account.

Tip #2 ~ Make Use of Private WHOIS

Identity thieves steal and compile personal information (names, addresses, phone, social security and credit card numbers, usernames and passwords) from people like you and me. They can use that information to divert mail, access personal accounts, make fraudulent payments and apply for new credit - all without our knowledge.

If you are planning to purchase a domain name, consider protecting your personal information with Private WHOIS.

To purchase a domain name, you are required to provide a valid name, address, phone number and e-mail address. Once your domain is registered, that information is in the public domain and is accessible to anyone with an Internet connection.

In response to privacy concerns, domain registrars are increasingly offering Private WHOIS - an inexpensive service that protects your personal information. We have referred many Black Cap Design clients to Namespro, a domain registrar based in British Columbia, which offers Private WHOIS for a 1-time fee of $6.88. It's an inexpensive way to protect your personal information.

Tip #3 ~ Purchase an SSL Certificate to Encrypt the Transmission of Information and Guard Against Phishing

Contact forms and questionnaires are a great way to gather useful information from visitors to your site.

If you're collecting personal or confidential information, you should know that all Canadian businesses are required, by law, to comply with PIPEDA which provides guidelines for the collection, transmission and storage of confidential information.

When a visitor to your web site fills out a contact form or questionnaire and submits it, the contents of that form are visible as it makes its way to the server where the web site files are stored - much like the contents of a post card are visible en route to its destination.

One very effective way of securing this information is to encrypt it. This involves purchasing and installing an SSL certificate. With SSL, the message is encrypted as it leaves the visitor's web browser. The only key that can decrypt the message resides on the web site that generated the form or questionnaire.

You can easily tell if a web page is encrypted with SSL: the address bar which usually begins with http:// will instead begin with https://. The "s" indicates the page is secured with SSL.
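The https:// rule above can be checked on your own pages. This added example (not from the original article) resolves each form's action against the page URL and reports any submission that would not be encrypted; the example.com URLs, the sample markup and the function names are constructed for illustration.

```javascript
// Added example. The example.com URLs and the sample markup are constructed;
// findForms and auditForms are names chosen for this sketch.

// Collect the attributes of each <form ...> opening tag. A regex scan is
// adequate for checking your own static pages; it is not a full HTML parser.
function findForms(html) {
  const forms = [];
  for (const tag of html.matchAll(/<form\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    forms.push(attrs);
  }
  return forms;
}

// For each form, resolve where it submits and report anything not on https://.
function auditForms(pageUrl, html) {
  const pageIsHttps = new URL(pageUrl).protocol === 'https:';
  return findForms(html).map((attrs) => {
    // A missing or empty action submits back to the page's own URL.
    const target = new URL(attrs.action || pageUrl, pageUrl);
    const problems = [];
    if (target.protocol !== 'https:') {
      problems.push(`submits unencrypted to ${target.href}`);
    }
    if (!pageIsHttps) {
      problems.push('form page is not https://, so the address bar shows no "s"');
    }
    return { action: target.href, problems };
  });
}

// Constructed sample: three forms as they might appear on one contact page.
const SAMPLE_PAGE = `
<form action="http://www.example.com/contact.php" method="post"></form>
<form action="/quote" method=post></form>
<form action='https://secure.example.com/apply' method="post"></form>`;

for (const r of auditForms('https://www.example.com/contact.html', SAMPLE_PAGE)) {
  console.log(r.action, r.problems.length ? r.problems : 'ok');
}
```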

SSL also protects against phishing. Phishing happens when a fake site passes itself off as a trusted, legitimate site. The fake site will collect private information, such as credit card numbers. SSL certificates are intended to verify that a given web site is legitimate.

The price for SSL certificates varies significantly: GoDaddy offers them for $24.99 / year while VeriSign charges $399.00 / year for an entry level SSL certificate. The difference has to do with brand recognition and the level of security. Large e-commerce sites pay a lot for the VeriSign name, but they also get a higher degree of encryption.

To install an SSL certificate you will also require a dedicated IP address. Your web host will likely charge you a nominal monthly fee for this (typically a few dollars per month).

To inquire about setting up SSL on your web site, contact us at .

Tip #4 ~ Encrypt Your Contact Forms and E-mail Transactions

SSL encryption is fine unless you want the information contained in your forms to be converted to e-mail format. If that's the case, you might want to consider encrypted mail and secure forms, an excellent service offered by Hushmail.

The problem with converting secure form data to an e-mail message is that e-mail is not secure. Hushmail provides an encrypted mail service that works in conjunction with an encrypted form to make this kind of form submission very secure - with no need for SSL.

Hushmail's mail encryption service means that you can send and receive encrypted mail with other Hushmail account holders. Your clients, associates and friends can sign up for free Hushmail encrypted mail accounts and you can share information with them without worrying about your mail being intercepted.

The annual fee for secure forms plus mail encryption is approximately $80 USD, plus a $10 USD setup fee.

Tip #5 ~ Add Password Protection to Pages Containing Sensitive Information

If you would like to post sensitive information online but don't want just anyone to have access to it, you can protect certain areas of your web site with password protection.

Many people and organizations use this method to manage access for:

  • résumé or CV pages
  • family photos
  • memberships
  • employee pages
  • board member pages
  • subscriptions

To find out more about password protection, SSL, secure forms, encrypted e-mail or any other issue pertaining to online security, please contact us at .