There’s a lot of talk about website security, keeping sites updated and making sure passwords are strong, etc. These techniques might be great for your site itself but aren’t helping your privacy or your users and, in the right circumstances, can leave your fancy new passwords and other data open to anyone who might be listening.
We’ll look beyond passwords and updates at ways to protect your privacy, your users’ privacy and the data that is sent to and from our own sites, as well as those we use every day.
MARK WILKINSON: Welcome everybody. Come and make yourself a seat, get yourself sat down. We’re just about ready to start. I hope you had a lovely lunch and filled yourself up. The first announcement is about dinner this evening: it’s slightly later than planned, it will be at 7.30, I think it was originally at 7, so you have got a little bit longer to wait; I hope you had a bit extra for lunch. We have got some great talks lined up this afternoon. First up we have got Chris. Chris is a developer for the University of Florida, has been working with WordPress since 2008, so lots of experience, has one of the largest security plugins on WordPress.org, and has presented at numerous WordCamps. Like me, Chris loves to teach and taught computer security for St. Edward’s University. He will talk to you today all about encryption: encrypting all the things. I will pass you over to Chris.
CHRIS WIEGMAN: Thank you guys. As a web developer at the University of Florida I have got security. I have been doing this stuff; I have taught computer security, in particular intro to cryptography, at the University of Texas. To get into the heart of this, before I start actually giving links as to where to go, I want to talk a little bit about what security is and what crypto is supposed to do. The first thing I want to do is talk about security versus privacy. Namely, they are not synonymous. When we start talking about crypto and web dev, people think HTTPS, or SSL. That’s part of it, but it does a lot more than that. In particular, HTTPS is always taught as a security method, as a way to protect your site; that’s not so much what it is.
In fact, security by itself is not really involved in protecting your site as such at all; it’s involved in the confidentiality, the availability and the integrity of your data. So when we’re talking about cryptography in terms of practical communication and encrypting communication, we’re not talking about protecting our websites anymore; we’re talking about keeping the data available and keeping it reliable. Then there’s the other side of this, which is privacy, which comes very much into crypto. If you were at Heather’s talk just before lunch, some of the privacy issues she brings up... privacy, for our purposes in cryptography, is the appropriate use of data. So, security is making sure that that data is available where it needs to be, when it needs to be, and that it’s correct. Privacy then becomes the appropriate use of that data: if I give you my email address in a contact form, is that email address being used by you to contact me back, is it being sold off, is it something like that? It’s that appropriate use.
Whether or not you are worried about your own website or its data, you owe it to your users to protect their privacy through encryption on both your site and related tools. In other words, this is not so much about protecting your site; it’s going to be a theme you will hear a lot from me: it’s about protecting the data of your users at this point, the data that your users want as well as the data your users provide back to you. It’s a two-way street in which your user data is the most important thing you are trying to protect. Encryption will help you do that in a couple of ways. It helps protect privacy and security; this is why it becomes so important in web dev and is often overlooked. We will install things like iThemes Security, enforce long passwords, enforce changing passwords, all these best practices. They are great and designed to help protect your site from being hacked. Encryption then steps in to make sure the data that’s being protected is actually taken care of.
It will protect your data and do this in two ways: it will protect your data first in transit, and it will protect your data stored on a computer. Stored on a server, a hard drive, stored on your phone, in your email, in your messaging app, wherever that data comes into; protecting it in storage is more than protecting it in the MySQL data, it’s wherever it’s stored. It does this with a key, or a password in many cases; that password is really the only key available to that data. With that key... one of the most important things to realise about cryptography is we’re not storing the passwords themselves. We’re not talking about how WordPress stores a password; that’s not encryption, that’s what they call hashing. Here we’re talking about a way to make sure the data can be protected in storage, then retrieved whenever that key is available. The biggest thing here is crypto is two-way. It can encrypt the data and, just as importantly, it decrypts the data to make sure it’s always available to those who need it. There are some limits to it as well. It’s not user management. It’s not your password storage; it doesn’t care who the user is, whoever has the key has access to the data. It’s not a policy in and of itself. You may have policies that require the encryption of data, but that encryption of data itself is not a policy. It can’t enforce policies; it does not care what you require to have encrypted, it doesn’t care who should have access to the data. It’s simply a mechanism to store that data safely. It’s not a firewall; it’s not a product like Sucuri or SiteLock, it’s not watching for people coming into your data or trying to prevent them based on their behaviour. It simply says: do you know the password? You know the password, here’s the data. Also, it’s not an anti-virus. Encryption is not something that will stop or protect you should somebody get through your defences.
Your firewall is broken, your passwords are hacked; the data can be manipulated at that point in any way somebody might want to do so. So, we’re not talking about any kind of mechanism past the unlocking of your data that would prevent the manipulation of that data. It’s not an antivirus. It’s not something that is going to go in once you are hacked and clean it up for you, or prevent somebody from manipulating that data on your behalf.
That’s what encryption is and why we should use it. When we talk about it in terms of what we want to use practically, there are a couple of types of encryption I want to keep in mind. The first is what they call symmetric encryption. For all practical purposes, symmetric encryption is passwords. Everything is decrypted and encrypted with the same passkey or word; for practical purposes, whoever knows it can get in. It’s symmetric: both the encryption side and the decryption side handle the same key. This is how we tend to think on cellphones: if you have a password on your iOS device or Android device, in order to encrypt the drive you enter a password. It’s symmetric encryption. The same password is used to both save and retrieve your data. Again, we’re talking about passwords accessing the data here; we’re not talking about storing the passwords themselves because, if we need to know a key in order to open something up, that key can’t be part of what needs to be opened up; that would defeat the purpose. In the case of things like WordPress passwords we don’t encrypt them, we hash them. It’s a one-way encryption thing, it’s a one-way storage mechanism. Put in a piece of data, spit out a predictable string, and you can never take that string back to the original data. That’s hashing; it’s a little bit different than encryption. As I talk about passwords it’s a little bit confusing, but it’s something to keep in mind.
The catch is it’s still a secret. All these secrets, all this stuff you want to protect, it’s just a simple secret. There’s a little bit better way to do this. We can use what they call asymmetric encryption. Rather than both sides having the same password to encrypt or decrypt, we can also use asymmetric, where there is a different password to encrypt than to decrypt. It’s a much stronger form of normal encryption; it’s typically referred to as public key cryptography. If you browse people’s Facebook profiles, if you look at the about page it will say their public key; Facebook can hold that. That’s public key cryptography: they have made that available to the public, you can encrypt something with that and send it to them, but you can’t necessarily use that to both encrypt and decrypt; it would require a different piece. With that two-sided ability, it becomes a lot stronger, and it allows for something very important: if the idea of the data is the confidentiality and reliability of the data, the use of public key cryptography will allow us to verify that data. How do we know that data we have downloaded is legitimate? Think of this when you download a piece of software, shareware, some of the private plugins: they give you that MD5 key. It’s a little bit different.
It’s a little bit different to normal cryptography: you can re-encrypt the stuff and match the keys up; if we re-encrypt it, it’s got to be the right data, we know everything is correct and we can verify the data, and we are implementing one of the key tenets of encryption. It sounds complex; it’s actually fairly easy to use. All you need to do is generate a key pair (I’ll go through this a little more practically). You can give out your public key. Anything you encrypt with your private key, your secret passkey, can be decrypted by anybody with the public key; anything encrypted with the public key, if they want to send something back to you, can only be decrypted with the private key. So you know the person on one side or the other who is sending it to you.
In this case, if you want to do two different kinds of messages, if you both have a key pair, you would always know the person sending the message is who they say they are, and the message that comes back to you was from the intended person. There is much less of a chance of something like a man-in-the-middle attack, where somebody can intercept the data, change it and pass it on. If it was just a password and somebody knew the password in between, they could intercept it, undo it, change it, encrypt it and send it on to the final recipient. With the ability to have a different password, now we know where the data is really coming from. That’s the deal; it’s the difference between what we call asymmetric, public key encryption and symmetric, or simply passkey, encryption.
That’s about as technical as I’ll get on this talk, I promise. Now we move on to a little bit of why you are actually here, in particular with your WordPress sites. When we talk about WordPress sites, we’re talking about a couple of things here: your file system, which is your uploads folder, and your MySQL database, with stored user names, stored contact form information, whatever might be there. The truth is, for those two items, in most cases it’s not often practical to encrypt that data itself in storage. In WordPress, what we deal with more is encrypting that data in transit; that’s where we enable SSL. These days it’s very, very easy and very free in most cases. Let’s Encrypt is a perfect example, a free SSL certificate that will encrypt your data in transit. Namecheap, for 10 bucks, will let you use Namecheap and encrypt your data in transit. 99% of the time you can contact your host, SiteGround, WP Engine or somebody else, and they’ll take care of the step for you. Again, you are not really worried here; it’s not going to protect your site, it will not prevent a hacker from getting into your site. It’s when you go to Starbucks and connect to the Wi-Fi and someone sifts the password out of the air; this is what this is going to stop.
Or, more importantly, when your user goes to Starbucks and your blog, your site, is somewhat controversial: instead of somebody being able to sift out what that person is doing at that Starbucks, or wherever they might be on a public Wi-Fi, the ability to encrypt the data back to your website protects that user. They might see what the website address is, but they don’t know what they are getting from your website; if they send a contact form, it can’t be pulled out of the air, it’s protected in transit. The key is public Wi-Fi; it’s primarily the modern reason for the need for SSL. A few years ago there was a Firefox extension that put a sidebar on your Firefox, and it would sit there and watch, and everything that came over, like when somebody logged in to Facebook, Gmail, Twitter, it would appear in the column; you click on that person and you are now that person in their own Facebook, et cetera. That’s when all the companies started going to SSL themselves, when Facebook put a green bar at the top of the browser to say we are really Facebook and we will protect your data in transit.
That’s the type of data we are trying to protect when we talk about WordPress, at least in the sites themselves. What becomes more important is where the data goes. Once we get that data on our site, we are using it somewhere; we are not consuming it, we have to log in to our own site to get that data at some point. Whether that login is emailing you, messaging you, or a phone call system on-site, where the site will automatically call back with a piece of information, the information is getting to your computer or device at some point. That’s where we need to protect the storage in many cases. The first one is your computer. The idea here is we want to protect the entire computer, not just the WordPress data or any communications you might have between customers and users. If you are a Mac user it’s simple: System Preferences, Security & Privacy, turn it on. It’s that simple, one click in your settings and your entire hard drive is encrypted; it’s very strong encryption. Windows is also typically just as simple. In many cases, many Windows computers come with this turned on. Go to System, About, to verify whether your drive is encrypted; if not, go to Start and enter “Encryption”, and you can turn BitLocker on. It’s Windows’ encryption system; you can set up separate things to encrypt separate files independently. It’s a very strong system to make sure the files on your computer are safe.
Phones are about the same thing. If you get the email on your phone and you have contact information in your email, you need to have phones encrypted as well. Settings, Touch ID & Passcode is all it takes to turn on encryption on iOS. You can look in the settings and if it says “Data protection is on”... typically, if you have a password on or a pin code, your iOS device should already be encrypted. Android depends a little bit; each Android manufacturer does it slightly differently. I wish I could get into all of them; it’s in your settings, you should have that, depending on your manufacturer. It does the same thing: if you pick up your phone and you need a password to access it, it’s probably an encrypted drive and your data is stored safely. One caveat is Touch ID. If you have a newer iOS or new Android... as a US citizen, it’s something that is probably a little more important to me than in many EU countries. If you visit the US, it’s more and more common for them to tell you they want your phone, decrypt your phone, sniff everything off your phone, including contact data, user data and so on and so forth. It’s been in the news somewhat regularly; we had a NASA scientist, a US citizen, who had his phone taken from him. With Touch ID, at least in US law, they can force you to give your fingerprint. I cannot speak for EU law; in the US they can force you to give your fingerprint but not your password. That’s something to consider if you are travelling over borders: turn off the fingerprint and turn on the password and you are somewhat more safe. It’s not to say they can’t confiscate the phone, stick you in a cell and do things differently, but so far as common law in the US is concerned, turning off the Touch ID will prevent them from being able to force you to put your password in. It’s just something to consider.
If you do have a password, and this is as close as I’m going to get to the whole password thing, make sure it’s a strong password. Your fingerprint can reveal a four-letter PIN, or with an Android with a swipe it’s trivially easy to watch and get the swipe pattern to unlock a phone. Make sure you use a very strong password on the phones.
Then, of course, that’s your devices. We have talked a little bit about WordPress, we want to encrypt things in transit, and we have talked about what happens when it gets there. There is another point to this: the data between your WordPress and your computer. It’s not always the type of data... it can be a problem with a device like this. I’ve actually seen this particular device in use at a WordCamp; we did have to call the police for that one. This is what they call a Wi-Fi Pineapple. It’s the size of my remote, it plugs in via USB and, in the case of this room, it would appear as the London guest network or whatever the network name is. Once you log in to it, it will just take everything that is going through it, save it and pass it back to me, or whoever is using the device.
There are ways around that; there are ways that you can protect against that, and that’s why you want to use a VPN. A lot of people use them in many countries for getting Netflix from a different country; it’s the same sort of software. If you want the US Netflix, it’s basically the same type of software. It’s a VPN, a virtual private network, and it wraps your Wi-Fi connections; if you are going to an unencrypted site, whether they have HTTPS or not, from your computer it will wrap and protect it for you. If you are on Apple, getcloak.com looks at every connection you connect to; if it doesn’t know it, it encrypts it. It’s very handy with Apple, [Inaudible], but if you ever connect to a Wi-Fi and you are not sure if it’s working, with these two things, if it’s not connected to the VPN you can pretty much guess you are on [Inaudible]. It’s a very effective solution. If you are developing and you want to do your own, there is TorGuard, a very sophisticated VPN; you can get a single IP address, some very advanced things with TorGuard that the other two don’t allow. The first two are designed to protect your data in transit, period; the last one can be used for a few other things if you want to get a little more fancy with it.
If you get your device, or if you are talking to customers, communicating with a customer over SMS or iMessage, it’s still your customer’s data; it needs to be protected. The best way to do that is Signal. It’s one of the things you see advertised when they talk about people like Edward Snowden; it’s a highly encrypted messaging network. If that’s not an option, WhatsApp, iMessage and Allo can all encrypt data in transit. How you encrypt it on your phone: hopefully you have a password turned on on your phone, so in theory your storage is OK, but the idea is you want to make sure it’s encrypted in transit as well. SMS, if you send a text message, is not encrypted; it’s perfectly easy to pull that right back out of the air. It’s something to consider with messaging as well. Maybe you have individual files, you are downloading files from the internet and you want to protect them on top of whatever the access to your computer is, if it’s a shared computer. Also, something very simple too: if you have a password manager, which hopefully everyone here already does, 1Password and LastPass will take care of this for you very simply. Just log into them, go to the document section in 1Password, upload your document, and it’s encrypted for you. One file at a time in the case of both of these, unless you want to zip something, but they are very easy to use and they will tack right on to your password manager. If you want to get fancy, there’s VeraCrypt. There used to be a programme called TrueCrypt that had its own security issues; VeraCrypt has inherited a lot of its customer base. It opens a folder on your computer that becomes encrypted in itself; when you close that folder you have a separate little encrypted drive on your computer. We have keybase.io: the easiest way to generate a PGP key is keybase.io. It’s got all the software; it can be messaging, it has its own file system, it’s got anything you would need to encrypt a file and get yourself started in setting this up.
Even when your computer is encrypted, the idea is if it has extra sensitive files a second layer is never a bad thing; that’s what these programmes do. Email. ProtonMail. A new service, well, fairly new, it’s a recently relaunched service, that gives you a web interface and an iOS or Android app that completely takes care of the encryption in between as well as encrypting the data. It’s only a few bucks a month. It’s not US based, I believe it’s Swiss, but don’t quote me on the exact country; as far as US data laws go, it’s a good way to bypass your Gmail account and other things that may be stored in the US. It’s only about 20 dollars a year for a simple email account and it will take care of all of it for you, with the caveat that you have to use its email client; you cannot hook this up to your Outlook or Mac Mail or anything else. If you want to use your own client, or you have your own domain, you are set up on Google Apps or something like that, you will need PGP or a certificate, or what they call an S/MIME certificate. The difference is with PGP you generate your own keys; S/MIME is like getting an SSL certificate, in fact you get it from the same place, instantSSL.com. They give you the certificate; that’s really the difference here. S/MIME can work on any big email client; if you are an Outlook or Mac Mail user or Thunderbird, it’s basically built in. PGP, once you install it, you will need something else: you will need a client for doing it. The biggest one for Mac is GPG Tools, for PC then. And keybase.io can generate these for you as well. If you’re a Mac user, you install GPG Tools and all you have to do to encrypt your email is use it.
If it has a certificate for you, it walks you through fairly easily how to generate the certificate. When you log into your mail you get that little green thing up here; it will take care of signing, and encrypting your email where possible if it has the other person’s key. Remember, this requires two sides of the keys; if it sees both sides of the keys it will take care of all of it for you. Otherwise it will just sign them, which effectively just gives your key to the other person so the next message can be a little bit more secure. On Windows and Mac, Thunderbird is probably your best bet; if you want something a little more fancy there’s the Postbox email client. Both of them can have Enigmail, which will take care of the PGP keys for you. You still have to generate one, but it will allow you to use it with your own email client; Postbox is basically a fancy dress on Thunderbird. Both work very effectively. There’s an add-on for Outlook, there’s an add-on for Airmail if you are an Airmail user, and if you are an email user on iOS there are apps you can buy; there are a dozen out there depending on what client you use, all kinds of apps you can buy depending on what your clients and tastes are. These are just the easiest to get started with. That takes care of email.
So that will get you started. There are a couple of resources. Tozny.com, 20 minutes; they have done a great blog series just this year on practically setting up a lot of these individual systems, so they have a practical one for Thunderbird, and they have really practical ones for some of the file encryption. These are simply their blog posts; they have been doing tutorials to walk you through. Eric Mann from Tozny was nice enough to review my slides and make sure I didn’t make any mistakes here. Bruce Schneier is a gentleman that talks about this quite a bit. Hewlett Packard Enterprise has a good blog on this. The Electronic Frontier Foundation, which is an organisation dedicated primarily to privacy in the digital age, has a number of great resources. Wired magazine has Threat Level, and then there’s Krebs on Security, Brian Krebs, when he talks about encryption. That’s how we get started. Now for the important part on a talk like this, which is questions.
MARK WILKINSON: Round of applause, I think. (applause) Some really good information there. Are you going to share your slides with everybody? You are going to share your slides online? Brill, there you go; if you want to look at the slides online you can do. We have got time for some questions. We have got two mic runners; if you want to raise your hand, and just put the mic close to your mouth, we had some sound issues this morning. Any questions, do raise your hands, we’ll get you involved. Anyone? Got one down at the front here.
FROM THE FLOOR: Yeah, if you were encrypting something in your database, like a table in your database, symmetrically, where would you put the key in WordPress?
NEW SPEAKER: If you were trying to encrypt within the database itself?
NEW SPEAKER: No, if you were trying to encrypt one table.
NEW SPEAKER: What would happen in those cases, when you are dealing with personal information, is you would store it outside of the main WordPress database, the idea being that the main WordPress database is designed to be public information; once it becomes private, it can be very difficult to encrypt that single table. There are methods; they tend to be fairly unreliable, they tend to be fairly difficult to implement, so your best bet is to send that data to a second database and encrypt it that way.
Probably not, not the easiest, but the biggest thing is to separate your public and private data.
THE CHAIR: Any other questions?
FROM THE FLOOR: Yeah, any tips on key management, so storage, on paper, on your computer? I mean the private key.
CHRIS WIEGMAN: Are there tips for storing your private key? The biggest thing I tend to do: I keep them on a CD, a good old-fashioned CD, kept in a safe. When you generate the keys you can get pretty fancy with them; in order to say it’s invalid you can generate a revocation certificate. I store that on a CD off the computer, so I can go back and, if I ever need it, the only way this thing can really be modified is with my CD. That’s the safest way of doing it. In a more practical way, you can keep it in LastPass; it’s a very easy way to store it, or VeraCrypt or any kind of encrypted drive. The key there is making sure you have an extra copy of it off your computer so you can revoke it if need be.
MARK WILKINSON: Any others? Yes.
FROM THE FLOOR: Hi there, thank you for that talk, it was really informative. This is going to sound like a paranoid mess here: I’m trying to move a lot of my personal data away from the cloud. I’ve kind of got very comfortable with using Google Mail with my personal domain and things like that; that’s obviously Google, they are a marketing company, they have access to all that data. You mentioned ProtonMail; is that a feasible alternative for someone who is used to using Google Mail? Can you mention any specific products that might take the place of Google Mail?
CHRIS WIEGMAN: I actually use Gmail myself. Every time I try to switch to something better... the usability: there is a fine line between usability and security and it’s too easy to cross it, especially with email encryption. ProtonMail, I think, is by far the easiest right now if you want to go around it. If you are comfortable with your client, the fact that you have to access it through their proprietary email client is a no-go for some people. If you want to, you can host your own email; if you are not a security expert, that can come with other issues. Gmail does a fairly good job of protecting what they say they will protect; adding PGP security really takes it to the next level. Any individual messages, like if you and I were messaging each other back and forth, the conversation would be completely obscured; even if that account was compromised, it wouldn’t get that email message. That’s one-on-one; it depends on whom you are communicating with, though. You have to watch that line as to what is going to work best for you. It’s not the most clear answer, but it really does depend on what your own comfort level and own workflow want to look like.
MARK WILKINSON: Anybody else got any questions? One at the front.
FROM THE FLOOR: Hi, yeah, I was just wondering: if you start using Tor Browser or public key encryption, do you draw attention to yourself as up to no good?
CHRIS WIEGMAN: Those who talk about it typically do. You know, even Facebook now has good access through Tor; a lot of the companies are really getting on to this and encouraging it in many cases, encouraging the use of Tor Browser. When you stand up in a foreign country and start teaching people how to use it, that’s typically when you are going to draw attention to yourself, quite honestly. For daily use, I don’t know of any cases where that’s become an issue.
MARK WILKINSON: Yep, okay.
MARK WILKINSON: One here.
FROM THE FLOOR: Is there a way of tracking anybody that turns it off? With analytics there is no way of tracking it.
CHRIS WIEGMAN: There are ways of tracking, you can use an image.
FROM THE FLOOR: Okay.
MARK WILKINSON: A question on the right here.
FROM THE FLOOR: So, you talk about a lot of software and applications. In our day-to-day life we use Slack, so how secure is that, and what is the extra layer of security for Slack?
CHRIS WIEGMAN: Slack is an odd one. We have a strong policy to keep things out of Slack. [Inaudible] one-time password; it’s based on Ruby or Python. You send a password, it’s read once and then disappears; it’s removed from the server. We use that in conjunction with Slack. [Inaudible] It’s unfortunately the only way to do it well right now.
MARK WILKINSON: Time for a couple more if anyone else has a question; now is the time to grill the experts.
FROM THE FLOOR: Hi, there’s 1Password, where you stick all your passwords and access keys in there; if that one is compromised your entire life is pretty much up for grabs. How do you protect against that?
CHRIS WIEGMAN: The truth is you don’t. If your computer is compromised, pretty much everything is in your computer; if your phone is compromised, if I was to lose my phone, everything is in my phone. I actually use two-factor now within 1Password; if my phone is stolen, 1Password has its own two-factor, instead of the Google Authenticator. It comes back to usability versus security. In an ideal world, somebody gets my computer, it’s not a big deal, right? In a practical world, if somebody gets my computer and gets into everything from my browsing history to my cookies, to things I’m already logged in to, to other items, it’s compromised. The ability to have different passwords on those sites, on a practical point, is going to keep it much safer than not. So, going back to 1Password and strong passwords: individual passwords are still better, with that one point of failure, than trying to use the same password you can remember on every site that you log in to. That’s another one of the imperfect... passwords themselves are imperfect; it’s one of the biggest weaknesses. 1Password and LastPass are simply the best ways we have today of dealing with that.
MARK WILKINSON: Time for one more.
FROM THE FLOOR: Hi, my name is Yanis. It’s not really a question, it’s just I want your opinion. A couple of years ago at a data protection seminar somebody said that really the weakest link is the human being. Social engineering can get much more... if you are being targeted specifically, it’s much, much easier to try and target you from a social point of view, what we call social engineering, try and hack your…
MARK WILKINSON: Thanks, we’ll wrap it up there, so a round of applause for Chris. [Applause]. So, we’ve got a short break now; if you want to grab refreshments, grab a drink, downstairs I think is probably the closest part. There is also a Happiness Bar in the graduate building; if you have any questions on WordPress or want advice, I’m sure there is someone there who can help you out. Next is Mik Scarlet, who will tell you how to apply self-accessibility to your clients in about 20 minutes.