Sometimes you may think your site has nothing worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not attempts to steal your data or deface your website, but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature. Our site, because it may be seen to handle credit card data, could be targeted for those reasons as well. Hacking is regularly performed by automated scripts written to scour the Internet for known security issues in website software.
With that in mind, we do the following things to stay ahead of the game:
- Keep our server software up to date
- Monitor for SQL injection
- Monitor for Cross-Site Scripting
- Limit the information in error messages
- Maintain both browser-side and server-side validation
- Use long, hard-to-guess passwords
- Disallow any uploads
- Use current TLS/SSL
- Use third-party penetration testing
What does this mean to you, the consumer? Well, if your browser is not keeping up with the times, then you will start to see problems on OUR websites. For instance, our checkout page uses an Extended Validation SSL certificate from GeoTrust. GeoTrust is the Certificate Authority we chose because we trust their years of experience and they are industry leaders in their field. Our certificate uses the sha256RSA signature algorithm with a 2048-bit public key. We use this same certificate for all of our websites, which include www.mrcider.com, www.mrrootbeer.com, us.diybeer.com, www.mrbeer.com as well as mrbeer.com.
We mentioned our Extended Validation SSL certificate. What does this mean? Extended Validation is a process in which the Certificate Authority does a more extensive check on your company. We personally spoke with the people from the security department at GeoTrust, and as a result of this higher level of vetting we were issued this validation. Because of this, you, as the customer, will see a green bar, green text, or a green button in the address bar, depending on the browser you choose to use. This is your browser telling you that our site's identity has been verified and that your connection to it is secure.
As mentioned above, different browsers display this security validation differently. If you are running an older browser, you may not have access to the latest security features, and therefore you may not see this validation at all. One of the most recent changes we are making is moving our sites to TLS 1.2 (and 1.3 as it is released). During September 2015 we made this change as a test run, and we started to see customers reporting errors in their browsers saying that the secure pages on our site were not secure. Despite the browser warnings, it was in fact the user's browser that was not secure: because we only accept the highest level of security, we could not establish a secure connection with an outdated browser. This was not limited to desktop browsers either, as many mobile browsers also had not been updated to support the most current security standards.
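To make the failure described above concrete, here is an added example (not the Mr. Beer site's own code) that parses a constructed TLS ClientHello, applies a server policy of TLS 1.2 or newer, and shows why a browser that only speaks TLS 1.0 gets a handshake error while newer clients connect; the `server_context` helper is a hypothetical name showing the same policy in Python's `ssl` module. The ClientHello bytes are constructed samples, and the "every version up to the legacy field" rule is a simplification of pre-TLS-1.3 negotiation.

```python
import ssl
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SERVER_MIN = 0x0303  # server policy from the post: TLS 1.2 or newer, nothing older

def build_client_hello(legacy_version, supported_versions=()):
    """Construct a minimal TLS ClientHello record (sample data, not a real capture)."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"                         # one cipher suite
    body += b"\x01\x00"                                                # null compression only
    if supported_versions:                                             # TLS 1.3 clients add supported_versions
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", 0x002B, len(vers) + 1, len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def client_versions(record):
    """Return the set of TLS versions a ClientHello offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    legacy = struct.unpack_from("!H", record, 9)[0]
    pos = 9 + 2 + 32                                         # skip legacy version + random
    pos += 1 + record[pos]                                   # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]      # cipher suites
    pos += 1 + record[pos]                                   # compression methods
    offered = {v for v in TLS_NAMES if v <= legacy}          # simplified pre-1.3 rule: legacy = highest version
    if pos < len(record):                                    # extensions present
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos < ext_end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == 0x002B:                              # supported_versions overrides the legacy field
                n = record[pos]
                offered = {struct.unpack_from("!H", record, pos + 1 + i)[0] for i in range(0, n, 2)}
            pos += elen
    return offered

def negotiate(record, server_min=SERVER_MIN):
    """Highest version both sides accept, or None: the client then sees a handshake failure."""
    ok = [v for v in client_versions(record) if v in TLS_NAMES and v >= server_min]
    return TLS_NAMES[max(ok)] if ok else None

def server_context():
    """The same policy for a real Python server: refuse anything below TLS 1.2 (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

A TLS 1.0-only client gets `None` (a "not secure" error on its side), while a TLS 1.2 or 1.3 client negotiates normally.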
Server configuration is another item that plays an integral part in a successful and secure site. As part of managing our servers we must dictate which security protocols to use and which not to use. Once again, if a customer is experiencing security issues with our site, this may be because their browser is not updated to the latest version. Our site is PCI compliant, and as standards change, we change with them.
That said, we do not claim to be the final word in website security. We make beer, after all. We rely on professionals to do these things for us, which can mean that we may not have all the answers when you are having problems with the site. When we receive a call from a customer who is having trouble with our site, we take it very seriously. Details are gathered and passed on to our developers, programmers, and administrators, who can take it from there.
For more information on web security, take a look at Wikipedia or do a search with your favorite browser for topics relating to TLS/SSL.
Happy and Secure Brewing!
~The Mr. Beer Team~