As a digital strategist, Ron is focused on creating campaigns and unique communications that drive engagement.
Every year since 2005, the Drupal community has flocked to DrupalCon to learn, explore and share. This year, the Sandstorm® team headed to Nashville, Tennessee, site of DrupalCon 2018, to get the latest updates on one of our favorite CMSs, find inspiration, and get our hot-chicken fix. Here are a few of the things we took away from this year’s conference.
1. “Clients buy solutions not code.”
Software wizard Vladimir Roudakov reminded us that no matter how impeccable and innovative our code looks, what’s most important to our clients is that our code solves the problems they’re facing. It was a great message to ground us throughout our time in Nashville.
2. By 2020, there will be more than 50 billion connected devices
3. Most traffic on the internet is non-human
Developer advocate Emily Rose made a pretty compelling case for why we’ll be developing for humanoids in the not-so-far future. With 61% of the internet made up of bot traffic and connected devices estimated to outnumber people 6:1 in two years, that’s a concept that’s hard to argue with.
4. Increasing page speed by one second can increase conversion by 27%
Google announced that by July 2018, page speed will be a ranking factor for mobile searches. For businesses to reach that coveted first position in the search engine, they’ll need to make sure their site loads lightning fast. And the reward—a big bump in conversion rate—will be worth it.
5. Drupal makes big dreams a reality
To celebrate the total solar eclipse, Miles McLean and Ken Fang used Drupal to create a once-in-a-lifetime viewing experience, integrating more than 20 video feeds and a real-time tracker. Forty million people used the tool to see the solar eclipse.
If you’re looking to do big things with your website, drop us a line.
Whether it drizzles or pours, it’s good to be carrying an umbrella.
Back in 2014, Drupalgeddon rained cats and dogs.
Drupal released a critical security update on October 15, 2014 with express directions to address the vulnerability within seven hours of the release. Unfortunately, a large number of system administrators didn’t grab their umbrellas, and—to stretch this metaphor to its limit—they got soaked. It was a wake-up call, to say the least.
So four years later, when Drupal released a similarly critical security update that many people called Drupalgeddon 2.0, the admin community was prepared. At Sandstorm®, we started planning right after the announcement, and when the update was released, we secured more than 30 sites in a single afternoon.
But we’ve always understood the importance of taking security updates seriously, whether it’s 2014 or 2018. Because staying on top of these updates is just one easy way to keep your systems safe. And as recent hacks and data breaches like those from Saks and Lord & Taylor continue to show, your safety is under constant attack.
So what else can you do to keep your site as safe as possible?
1. Move your site to HTTPS
More than half of internet traffic is now encrypted, which is great news. Having your site use HTTPS (SSL/TLS) helps protect against session hijacking attacks, because all traffic between your server and the client is encrypted.
This is such a boon to security that Google has been talking about penalizing sites that don't use HTTPS. Most notably, the Google Chrome browser will start indicating sites without HTTPS as insecure, starting in July 2018. Just one more reason to get a move on.
2. Take charge of your passwords and access
A major line of defense for any infrastructure is good management of credentials. As individuals and institutions, we now have a number of tools at our disposal, such as password managers, policies, etc.
But what is often forgotten is to consistently and comprehensively review who has access to your systems. As a result, former employees still have access to sites and accounts, creating vulnerabilities that are just waiting to happen.
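As an added example of the access review described above (this is not Sandstorm’s code or any CMS’s API), the script below cross-checks a user export against the current staff list and flags active accounts that belong to people who have left, have never logged in, or have not logged in for a configurable number of days. The user records, the staff list and the `administrator` role name are constructed for the example; in practice you would feed it the user table exported from your CMS.

```python
from datetime import date

# Constructed sample data: a user export from a CMS and the HR list of current staff.
USER_EXPORT = [
    {"username": "alice", "roles": ["administrator"], "last_login": "2018-04-20", "status": "active"},
    {"username": "bob", "roles": ["editor"], "last_login": "2017-01-05", "status": "active"},
    {"username": "carol", "roles": ["administrator"], "last_login": "2016-11-30", "status": "active"},
    {"username": "dave", "roles": ["editor"], "last_login": "2018-04-01", "status": "blocked"},
    {"username": "vendor_svc", "roles": ["administrator"], "last_login": None, "status": "active"},
]
CURRENT_STAFF = {"alice", "bob"}  # constructed: who HR says still works here


def review_access(users, current_staff, today, stale_days=90, admin_role="administrator"):
    """Return a list of findings for active accounts that should be reviewed.

    Each finding is a dict with the username, whether the account holds the
    administrative role (so it can be prioritised), and the list of reasons.
    Blocked/disabled accounts are skipped: they cannot be used to log in.
    """
    findings = []
    for user in users:
        if user["status"] != "active":
            continue
        reasons = []
        if user["username"] not in current_staff:
            reasons.append("not on current staff list")
        if user["last_login"] is None:
            reasons.append("never logged in")
        else:
            days_idle = (today - date.fromisoformat(user["last_login"])).days
            if days_idle > stale_days:
                reasons.append(f"no login for {days_idle} days")
        if reasons:
            findings.append({
                "username": user["username"],
                "is_admin": admin_role in user["roles"],
                "reasons": reasons,
            })
    # Administrative accounts first, since they carry the most risk if abused.
    findings.sort(key=lambda f: (not f["is_admin"], f["username"]))
    return findings


if __name__ == "__main__":
    for finding in review_access(USER_EXPORT, CURRENT_STAFF, date(2018, 5, 1)):
        role = "ADMIN" if finding["is_admin"] else "user "
        print(f"{role} {finding['username']:12s} {'; '.join(finding['reasons'])}")
```

Run it after every departure and on a fixed schedule (monthly is a common choice); the point is that the review is repeatable, not a one-off.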
3. Keep your server and applications up to date
Once a security update is released, the vulnerability it fixes is public knowledge. It’s imperative to apply the updates immediately, or risk leaving a door open for malicious activity.
Ensure that your server is applying updates on a regular basis and that your web applications are updating any relevant frameworks or libraries. An ounce of prevention is much more cost-efficient than trying to recover from a compromised server or application.
4. Ensure you have frequent backups
If something ever does happen, you want to be able to roll back to a safe state. That’s why it’s so critical to make sure your servers and your application have automated backups.
Most hosts offer backup services for a small additional fee, and you’ll want to ensure that these are configured and working.
5. Manage threats proactively
Be proactive. Start a conversation with your host provider about threat management, and ask about automated systems that look for irregular traffic. Ask your web vendor about how code is managed on the server, and spend the time to find a solution that’s right for your organization.
Still not sure how you can stay protected? Sandstorm can help! Feel free to drop us a line, so we can help ensure your site is secure.
Recently I had the honor of speaking at .orgCommunity’s Solutions Day 2017. Usability testing is a big part of how Sandstorm eliminates subjectivity from the creative process, so I wanted to show attendees how usability testing can help drive significantly improved user experiences.
With as few as 5–6 users, usability testing can identify 80% of user issues on a website or mobile app. Our Sandstormers have learned many lessons while performing more than 3,000 usability studies. These are just a few of the findings that can help you.
1. Members want to see real images of their peers.
We performed usability testing for the American Planning Association as part of a redesign of their website. During testing, we learned that their members found the stock photography used on their existing site inauthentic and unengaging.
This simple finding led us to use professional photos of real APA members that improved engagement on key pages, including the homepage, Events page, and About Us page.
2. Don’t put too many events on the homepage.
The Association for Corporate Growth (ACG) holds 1,200 events for 58 chapters across the globe each year, and they were struggling to find a way to highlight events.
Before we tested, ACG was including 25 events on their homepage, which was harming the user experience.
We needed to make it easy for members to find the events that were of interest, in their location, etc. So we created a featured event section on the homepage that links to an events page allowing users to filter by keyword, chapter, date, and event type.
3. Navigation items that require user action need an active verb in the title.
We made a surprising discovery while testing wireframe designs for a large non-profit organization: users thought the navigation items were too unclear and passive.
By adding active verbs to these items—for example, changing “Theft & Fraud Awareness” to “Prevent Theft and Fraud”—we were able to make the navigation clearer to users and let them know what they would be able to accomplish when visiting the page.
4. People miss content when there’s no visual cue.
Weber was redesigning the website for their grills and accessories and wanted to test several UX changes on a development environment before going live.
One of the issues we uncovered was that users didn’t know that the navigation items in the main menu expanded.
To solve this, we added carets next to the menu titles to indicate action. After making this simple fix, users clearly understood that they would find additional pages in the menu.
5. Using a search icon without an input field confuses users.
While redesigning the website for NOW Foods, we found that users were confused by a small change: we removed the input field for the search bar.
By merely adding the field back to the search area, users could search the site with ease.
Usability testing is a quick, simple way to improve the user experience, whether you’re creating a new site or app or redesigning what you have now. Contact us to learn more about how to execute your own usability test today.
Should you use a hamburger menu for your mobile navigation?
That’s a matter of ongoing debate here at Sandstorm®. It’s a debate we carry out in email chains linking to the latest articles, with subject lines like, “Hamburger menus were (bad/good).”
So I’m here to finally end the debate and offer a definitive answer on whether you should use hamburger menus by saying, “It depends.”
Because that’s the truth: Hamburger menus aren’t uniformly bad or good. It all depends on your audience, your goals, and how best to structure your information so that it serves your users and your needs.
The Myth of the Hidden Menu
In his article Why and How to Avoid Hamburger Menus, Louie Abreu lays out a thoughtful argument against the pattern of using sidebar menus. For him, the biggest issues are:
- Low Discoverability—the menu is out of sight and, therefore, out of mind.
- Reduced Efficiency—it creates navigation friction for the user.
- Navigation Clashing—it clutters up and overloads the navigation bar.
- Lack of Glanceability—information about specific items is harder to surface.
But I don’t quite buy the rest of his argument.
Since 2014, when the article was published, hamburger menus have become a common pattern for some of the most highly trafficked sites on the web, including Google and Facebook. And in countless usability studies, we’ve seen that most people don’t mind the ‘hidden’ menu on mobile devices.
The main issue we’ve seen in usability studies is some users don’t understand the three-horizontal-lines ‘hamburger’ icon. This is consistent with an A/B testing experiment conducted by Sites for Profit, which suggests that the three-horizontal-lines ‘hamburger’ icon is less effective than the ‘menu’ label. So there is definitely evidence that supports adding a menu label underneath the icon or simply using the word ‘menu’ instead of the icon.
What users really want is something that’s designed for them, whether it includes a hamburger menu or not—and I’d argue that most users don’t know that this is even a debate.
So how do you effectively use a hamburger menu without alienating users?
Considerations Before Using Hamburger Menus
1. If your navigation structure is small and simple, why not just show it?
Websites with a deep menu structure—like large enterprise software companies—can benefit from hamburger menus. But small websites, like those for a local business, have limited functionality and can display their full navigation. Or you could use one of these emerging patterns for mobile navigation.
2. Label your menu with the word menu.
Our own tests and others have shown that just adding the word ‘menu’ below the hamburger icon increases user engagement. Or ditch the icon and just use the ‘menu’ label.
3. If you have the screen width to display your menu, you should do it.
Avoid hiding your navigation on larger screens. If you don’t have to use a hamburger menu on tablet, then don’t.
4. Nesting can be a problem: if your menu structure is too deep, there’s probably something wrong with your architecture.
The hamburger/offscreen navigation pattern can get tricky if your menu structure is deep and wide. It’s probably not a good pattern to use if this is the case, but the first thing you should do is consider revising your site architecture so it’s less complex.
If you need help with your mobile navigation, Sandstorm can help. From usability testing to user experience design, we’ll help you find the solution that works best for your users.
Stronger member engagement. Increased traffic. Connecting with Millennials.
If I just listed everything on your association’s wish list, then gamification has a lot to offer you.
Gamification is all about motivation. It plays on people’s competitive nature and love of recognition to encourage them to accomplish goals. And gamification works wonders. Studies show that gamification can lead to a 150% boost in engagement, which is why more than 70% of the Global 2000 have at least one gamified app.
How can you start taking advantage of gamification’s benefits? We’ve created a quick walkthrough to help you power up member engagement.
1. Add a profile progress bar.
Users want goals and they want to feel like they’ve accomplished something. More than 75% of survey respondents said they want an indication of progress.
LinkedIn has mastered this technique to get members to build out their profiles: rewards for completing a profile, clues that offer direction, and tapping into users’ competitive nature to see who is looking at their profile.
2. Include provocative language in the profile form.
Asana challenged its users by asking them to describe themselves in seven words. When they made that switch, their response rate increased 98%. With just a simple form change, you can get your members to be more engaged right from the start.
3. Use points to incentivize members to come back.
Learning a new language can seem daunting, unless you use Duolingo. The popular language education app grew to 110 million users in just three years, and it keeps those members coming back by giving them experience points for each completed task.
4. Award badges for participation.
It can be difficult to get off the couch, but Fitbit encourages users to push harder by awarding badges for milestones. And the awards aren’t just for running a marathon; they start with tasks that the user can actually achieve and build from there.
At Sandstorm®, we can design new and exciting ways to engage your members through gamification.
Watch the video below for more ideas, or contact us to talk about what we can do for you.
If your website was a physical location, would you build it without access for people with disabilities?
Of course not. You’re not a heartless monster.
But a surprising number of websites forget about the needs of people with disabilities. Inclusive design seeks to change that.
The principle behind inclusive design is creating products and services that everyone can use. Not only does that provide accessibility to your website for people with disabilities, it creates a better experience for all of your users.
Color contrast is a big part of inclusive design and web accessibility. As one of the most important tools in our utility belt, color choice is a big part of a designer’s work. We use it for emotive and illustrative purposes. Red, for example, can be a great color to highlight importance and urgency. Contrasting it with white type can help draw the eye, and that color combination is great for getting users to address alerts.
So what happens when a user has difficulty seeing the color red?
Well, it turns out that white text on a red background is completely invisible to people with color blindness—something we discovered during one of our usability studies. In fact, there are a number of color combinations that cause problems for the visually impaired.
Luckily, there are organizations like the World Wide Web Consortium (W3C) that create standards for accessibility issues like color contrast. In fact, W3C went so far as to establish extensive Web Content Accessibility Guidelines, and the web community responded by developing tools that help designers create more inclusive sites.
Some of those tools, like WebAIM and Colorable, focus specifically on color contrast. To meet WCAG, normal, non-bolded text should have a contrast ratio of at least 4.5:1; for large text it should be at least 3:1.
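The 4.5:1 and 3:1 thresholds above come from the WCAG contrast ratio formula, which tools like WebAIM implement. As an added example (not code from the page, WebAIM or Colorable), the functions below compute the WCAG relative luminance of an sRGB color and the contrast ratio between two colors, then check them against the two thresholds. The hex colors used in the test are constructed; white on pure red is the combination discussed above and comes out at roughly 4.0:1, so it fails for normal text and passes only for large text.

```python
def _linear_channel(value_8bit):
    """Convert one sRGB channel (0-255) to linear light, per the WCAG 2 definition."""
    c = value_8bit / 255
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_color):
    """Relative luminance (0.0 = black, 1.0 = white) of a '#rrggbb' color."""
    h = hex_color.lstrip("#")
    if len(h) != 6:
        raise ValueError(f"expected #rrggbb, got {hex_color!r}")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear_channel(r) + 0.7152 * _linear_channel(g) + 0.0722 * _linear_channel(b)


def contrast_ratio(foreground, background):
    """WCAG contrast ratio, always >= 1.0; order of the two colors does not matter."""
    lighter, darker = sorted((relative_luminance(foreground), relative_luminance(background)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


def meets_wcag(foreground, background, large_text=False):
    """WCAG level AA: 4.5:1 for normal text, 3:1 for large text."""
    return contrast_ratio(foreground, background) >= (3.0 if large_text else 4.5)


if __name__ == "__main__":
    # Constructed sample pairs, including two greys that sit just either side of 4.5:1.
    for fg, bg in [("#ffffff", "#ff0000"), ("#767676", "#ffffff"), ("#777777", "#ffffff"), ("#000000", "#ffffff")]:
        ratio = contrast_ratio(fg, bg)
        print(f"{fg} on {bg}: {ratio:.2f}:1  normal={meets_wcag(fg, bg)}  large={meets_wcag(fg, bg, True)}")
```

The two greys are worth keeping as a regression check: `#767676` on white is just above the 4.5:1 line and `#777777` is just below it, which is exactly the kind of near-miss that a designer eyeballing a mockup will not catch.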
What else can you do to start making sure your website is more accessible and inclusive?
1. Add Alternative Text to Images
“Alt text” is essential to web accessibility. Assistive technology, such as screen readers, relies on alt text to turn images into braille or speech for users with visual impairments.
Most content management systems, like Drupal or Kentico, include an alt text field for images. Start with your company logo, then add descriptive alt text for each image on your site.
2. Use the Right Heading Structure
Correctly ordering the HTML headings on each page makes it much easier for screen readers and the visually impaired to navigate your site. While design considerations might require this order to shift, try to follow it where you can. At the very least, make your page title and h1 consistent—it’ll help the people using screen readers to make sense of the content.
3. Stop Using “Click Here”
For many reasons, please stop using “click here” as link text. Not only does it make content seem outdated, “click here” is a vague and confusing link description for people who use screen readers. Instead, use strong verbs that tell users what you want them to do and what they get in return:
- Register for the event
- Request more information
- Download this report
4. Utilize Free Web Evaluation Tools
In addition to color contrast tools, enterprising developers have created lots of free tools that evaluate your website’s accessibility.
WAVE, for example, provides a breakdown of errors, alerts, and features in a list form and a visual overlay so you can identify opportunities to improve your site.
Web accessibility isn’t a cut-and-dried, check-it-off-the-list process. But when you design with all of your users in mind, you make your website a more inclusive place to be. And who doesn’t want to be a part of that?
Personalization is the best way to engage your users in a conversation, and it’s increasingly something that they expect from your website. Almost 75% of users prefer to do business with organizations that use personalization to make their experience more relevant; the same percentage of users get frustrated with websites when content has nothing to do with their interests.
I recently partnered with .orgCommunity to help associations better understand how to leverage website personalization. In the webinar Spectrum of Personalization, you’ll see 5 examples of personalization in action, from simple to complex, and take away some tips to help you get started today.
Get inspired! Watch our webinar below.
It’s hard to create remarkable brand experiences without an inspiring insight into the user. I’ve always considered user insights to be the single most important component of a creative brief, and it’s no surprise that it’s also the most challenging component to develop.
The process of uncovering a meaningful insight starts with understanding the user. You need to know your audience well beyond the demographics. How does he think? What does she feel? Not just about your product or service, but about the category?
It’s critical to understand the difference between an observation (a demonstrable fact about your product/service and your user—the “what”) and an insight (recognizing what motivates them—the “why”). It takes time and effort to sort through the more obvious observations to reveal the insight.
But it’s time and effort well spent. Properly developed and crafted, an insight serves as the inspirational launch pad for creative development, providing the illuminating Aha! that makes the message resonant and meaningful.
The best insights address the solution, not the product/service. As the old saying goes, people don’t want eighth-inch drill bits; they want eighth-inch holes.
What are other elements of a great user insight?
- It illuminates the user more than the product or service
- It applies to the category more than the brand
- It’s single-minded and can be simply stated
- It’s about the universal and eternal, rather than the trendy
Let’s look at a handful of acclaimed campaigns and the insights that spawned them.
Dove: “Real Beauty”
The insight: Women—who come in all shapes and sizes—had become increasingly exasperated with the narrow portrayal of female beauty in the media.
The research that revealed this insight led to the creation of a breakthrough marketing strategy: “To make women feel comfortable in the skin they are in, to create a world where beauty is a source of confidence and not anxiety.” The campaign built on this strategy looked like nothing the industry had seen before. The launch of the campaign received substantial media coverage from mainstream news broadcasts and publications, as well as talk shows and women’s magazines. Parent company Unilever has estimated the media coverage to be worth more than 30 times the purchased media.
California Milk Processor Board: “Got Milk?”
The insight: People wait until they’re out of milk to realize that they should buy more.
During a consumer focus group on milk held 25 years ago, someone said, “The only time I even think about milk is when I run out of it.” The insight revealed by that remark became the foundation for a campaign that entertainingly presented what might happen if you allowed yourself to run out of milk. The “Got Milk?” campaign achieved over 90 percent awareness in the U.S., and the tagline has been licensed to dairy boards across the nation.
Old Spice: “The Man Your Man Could Smell Like”
The insight: Wives and girlfriends are more likely to buy men’s body wash than men are.
Consumer research revealed that for years Old Spice had aimed messaging for its body wash and hair care products at the wrong audience. The first commercial, featuring actor Isaiah Mustafa, was an overnight sensation and became a cultural phenomenon. Sales surpassed expectations and today Old Spice is the number one selling brand of body wash for men in the U.S.
At Sandstorm, our thoughtful, scientific approach to user research reveals illuminating insights on which effective brand strategies are built. For example:
Ensono: “Operate for Today. Optimize for Tomorrow”
The insight: Chief information officers are looking for resources to help them not just keep the data center running, but deliver strategic innovations that drive revenue.
Extensive primary and secondary research revealed how the role of our user, the CIO, was evolving. CIOs were increasingly being expected to make strategic contributions in the boardroom, moving from a traditional “build-and-feed” model to a construct that could be described as “dream and direct.” We developed a brand campaign for our client Ensono (which provides IT infrastructure management outsourcing) that positioned Ensono as “the company that dreams,” helping CIOs address their current needs and deliver on tomorrow’s objectives.
We developed the new name and brand identity for Ensono, designed and developed its new website and created an expansive portfolio of marketing materials. In one year, the site saw a 703 percent increase in total page views, an 859 percent hike in unique visitors and a 955 percent increase in lead form submissions!
We’d be delighted to help you find the unexpected user insights that deliver an enhanced brand experience. Contact us today to get started.
Over the years, Sandstorm® has built websites on content management systems (CMS) using a variety of programming languages: Python, .NET, and PHP to name just a few. These programming languages support CMSs like Django, Kentico, and Joomla, respectively. Two of the most popular CMSs are Drupal and WordPress, built on PHP.
A common question we hear from clients is whether they should use Drupal or WordPress. While there’s no right answer, there is an answer that’s right for you. Each one has its place, so we've laid out where you can gain the most benefit from each CMS.
The Benefits of Drupal
Speed and Performance
When it comes to a scalable CMS that can support high-volume traffic and vast libraries of content, Drupal beats out WordPress. Not only does Drupal offer better performance out of the box—including default cache features that help pages load faster—it’s more robust for handling complex projects with lots of functionality.
Drupal is favored by many top companies and government agencies, including whitehouse.gov, for its enterprise-level security. Drupal has a very active security team with a stringent review process for plugins and a robust permissions layer that provides nuanced limitations for user access.
WordPress, on the other hand, is a popular target for hackers whose malicious attacks often succeed due to poorly coded plugins compromising security. Additionally, WordPress doesn’t provide the flexibility in tailored permissions that Drupal does.
When it comes to getting leads through web contact forms, WordPress requires third-party tools like Gravity Forms or JotForm, which will cost you extra.
With Drupal, web form functionalities are already built into the platform, so you don’t need external tools. Drupal can also enable rules and set up triggers so that when someone fills out a form on your website they receive an SMS message from your company, which helps with lead nurturing efforts and potential conversions.
The Benefits of WordPress
Ease of Use for Small Businesses
Since WordPress started primarily for less tech-savvy bloggers, small businesses with a junior development team benefit the most from the platform. Additionally, most writers and content managers have some experience with WordPress, so there's little need to train them on the platform.
Where It's a Toss Up
Drupal and WordPress users have created diverse global communities that offer international conferences like DrupalCon and WordCamp; local training events and Meetups; and active forums where users can ask questions and learn more about the platform. While the WordPress community is larger than Drupal’s, it’s uncommon that you would run into an issue with either platform that someone hasn’t encountered, and solved, before.
Search Engine Optimization
It doesn’t matter to Google which platform you use, and both platforms offer excellent plugins and modules to help you with your SEO, including Yoast for WordPress and Content Optimizer for Drupal.
At Sandstorm®, our experts have extensive experience developing, designing, and writing in Drupal, WordPress, and many other content management systems. We’d love to find the one that’s right for you.
Now more than ever, digital security is something that needs a thoughtful approach.
From Yahoo! to the DNC, large, high-profile security breaches are filling the news and making security a hot topic for everyday conversation. There are so many hacks that even data visualizers are struggling to make sense of them all. Which is why 2017 will be the year that companies finally realize the value and necessity of security for their digital properties.
Whether cause or effect, our increasing reliance on technology correlates with the spike in frequency, size, and severity of security breaches. At Sandstorm®, we're big fans of Steve Gibson and his podcast Security Now, where he talks about the race to keep up with new security threats. With each new security improvement developers release, hackers are ready to uncover weaknesses. Over the years, this has brought us to a place where both the threats—and the necessary defenses against those threats—have reached a level of complexity that can seem daunting.
From Convenience to Security
The complexity and automated nature of modern attacks has changed the industry’s view on the lengths hackers are willing to go to. Now, we have to assume that there is always someone looking to exploit opportunities and weaknesses.
The trends that follow are just a few examples of the risks and remediations that companies need to consider, but they illustrate the many different attack vectors that developers need to address. The trick is to do the following:
- Define the requirements
- Identify the risks and determine the solutions
- Design a highly functional application that still puts the user first
Trend #1: Rise of the Botnets
Botnets are a major reason for the increase in security issues. As an industry, we’ve known for some time about the danger of improperly patched or insecure computers and servers that get infected with malware. But in the last few years, risk has increased exponentially due to the prominence of the Internet of Things (IoT). We have an explosion of internet-connected devices (light bulbs, refrigerators, dishwashers, teddy bears) with many of them rushed to market without regard for security.
Night of the Living Malware
Malware programs target these vulnerable systems to create zombie armies of infected computers that work together to feed on sites. The most recent and well known is the Mirai botnet, the code of which was released as open source and has since spawned a plethora of derivations. That's right; you heard me. They’re multiplying, evolving, and getting smarter like a creature out of a bad horror movie.
How bad is it? Projections as of 2016 suggested that 35% of all internet traffic consisted of malicious bots. That's a lot of zombies wandering around looking for your server's brains.
GhostBot in the Machine
Another recent example is GiftGhostBot. This attack came to light in March 2017. Bots are brute-forcing the pages that allow customers to check the balance on their gift cards. These bots keep guessing gift card numbers (at an estimated rate of four billion requests per hour) until they get one that has a remaining balance. They can then use that gift code to steal from the gift card holder.
What makes this GiftGhostBot particularly sinister is its sophistication. First, the attack is distributed across multiple compromised devices, servers, and computers—which means there’s no way to track and block these requests by IP. Second, the bots have been set up to use over 740 different user agent profiles, meaning they masquerade as different browsers and operating systems to confuse attempts to filter out their traffic. Vendors might add CAPTCHAs or completely remove these pages to remediate the issue. This is just another example of the exponential scale and complexity of attacks that have shifted the conversation towards security.
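The two properties described above, requests spread over many IP addresses and many user-agent strings, are exactly why per-IP blocking fails here, but they also point at what a defender can measure instead: the balance-check endpoint itself. Legitimate shoppers overwhelmingly look up cards that exist, so a surge of lookups with a high failure rate on that one page is the signal, regardless of where it comes from. The script below is an added example (not Sandstorm’s code and not a description of any vendor’s product) that aggregates constructed access-log lines per endpoint and per minute and raises an alert when volume and failure ratio both exceed a threshold; the log format, the `/giftcard/balance` path and the `valid`/`invalid` outcome field are assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
# <ISO timestamp> <client ip> "<user agent>" <method> <path> <lookup outcome>
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (valid|invalid)$')

USER_AGENTS = [f"Mozilla/5.0 (constructed UA {i})" for i in range(8)]


def constructed_log():
    """Build sample traffic: a few real shoppers plus one distributed enumeration burst."""
    lines = []
    for minute in ("10:15", "10:16"):
        for i, ip in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12")):
            lines.append(f'2017-03-20T{minute}:{i:02d} {ip} "{USER_AGENTS[0]}" POST /giftcard/balance valid')
    # 40 guesses inside one minute, each from a different address and a rotating user agent
    for n in range(1, 41):
        ua = USER_AGENTS[n % len(USER_AGENTS)]
        lines.append(f'2017-03-20T10:15:{n % 60:02d} 203.0.113.{n} "{ua}" POST /giftcard/balance invalid')
    return lines


def detect_enumeration(lines, min_requests=20, max_failure_ratio=0.8):
    """Flag (path, minute) windows whose lookup volume and failure ratio both look like guessing."""
    windows = defaultdict(lambda: {"total": 0, "failed": 0, "ips": set(), "uas": set()})
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the whole run
        ts, ip, ua, _method, path, outcome = match.groups()
        window = windows[(path, ts[:16])]  # key on endpoint and YYYY-MM-DDTHH:MM
        window["total"] += 1
        window["failed"] += outcome == "invalid"
        window["ips"].add(ip)
        window["uas"].add(ua)

    alerts = []
    for (path, minute), w in sorted(windows.items()):
        ratio = w["failed"] / w["total"]
        if w["total"] >= min_requests and ratio >= max_failure_ratio:
            alerts.append({
                "path": path,
                "minute": minute,
                "requests": w["total"],
                "failure_ratio": round(ratio, 2),
                "distinct_ips": len(w["ips"]),
                "distinct_user_agents": len(w["uas"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(constructed_log()):
        print(alert)
```

Note that the alert does not name an IP to block; the natural responses are the ones the text mentions for the endpoint as a whole (a CAPTCHA on the balance page, per-card-number lookup limits, or taking the page down), and the `distinct_ips` count in the alert tells you up front whether an IP-based block would be worth attempting.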
What You Can Do
- Your best defense is keeping your systems up-to-date. Apply security updates to all technology in your ecosystem in a timely manner (including websites, servers, computers, employee mobile devices, etc.).
- Be sure to spend the time to review all new features and components of your digital products with an eye for potential vulnerabilities. Always overestimate the lengths someone would go to.
- When in doubt, engage a knowledgeable specialist to help review your security configuration.
Trend #2: Are You a Robot? – Identifying Friend From Foe
If you’re thinking this is all about the rise of the machines, you might (or might not) be happy to hear that humans still play an important role in threatening your business’s security. While botnets have increased the quantity of attacks, the level of sophistication for attacks has also dramatically increased. In some areas, malicious entrepreneurs have even turned to crowdsourcing to enhance automated attacks. Take CAPTCHA as an example. When those annoying pictures were too much for some bots to circumvent, unscrupulous companies paid real people to fill them out. Bots passed the CAPTCHAs back to humans whose answers were fed back to the bots so they could proceed with their attack.
This resulted in concerns with the CAPTCHA as a solution for determining bot from human. While still used, it was understood that this solution is not 100% effective. Recently, however, Google updated their reCAPTCHA service with their new Invisible reCAPTCHA. Maybe you’ve seen this: It’s a simple checkbox that says “I am not a robot.” Because so much information on your behavior has been compiled by Google, it can compare your digital fingerprints and activity against its vast repository of analytics to determine if you’re a real person. Or that’s the theory anyway; the new service has just rolled out and we're excited to see how it matures.
Mollom is another service we recommend, specifically for Drupal projects. It takes form submissions on your site and checks the content to see if it looks like bot-generated content. If it does, the content is flagged. This technique analyzes content to protect against spam, relying on the consolidation of massive amounts of examples to understand how to proceed.
What You Can Do
- The first thing you can do is realize that identifying bots is not as straightforward as it seems. They have gotten very good at pretending to look like real users performing real actions on your site.
- Shift your thinking to a place where you assume that hackers and spammers are probably smarter (or at least more persistent) than you. Look at each element of your digital products as a place where a bot might pretend to be a human and consider what they might be able to do.
- Layer different preventative techniques. Don't assume that one fix is enough, and have a contingency plan for when a bot does get past your defenses.
Trend #3: Moving to SSL
Another major trend for 2017 will be the push for Secure Sockets Layer (SSL, or HTTPS) traffic for everything. This has been an important shift for security in the last few years. Previously, SSL was only considered important for highly sensitive data, but a few things have pushed us into a world where regular HTTP traffic is considered insecure.
Man in the Middle
First, a number of tools have come out that make watching the traffic of someone else on your network very easy to do. This allows a person to see the sites you are visiting and even steal your username and password. This is generally referred to as a man-in-the-middle attack resulting in session hijacking. Traffic over HTTPS helps to protect against that because your browser and the server are essentially communicating via a secret language that only they can understand.
Man on the Side
Second, browsers pulling in content over regular HTTP can't 100% confirm where the content they’re displaying came from. There have been a few complicated attacks over the past few years where malware was sent to site visitors instead of the assets they were expecting. This is generally referred to as a man-on-the-side attack. The attempted attack on GitHub in 2015 is an example of this. Moving towards HTTPS traffic gives the browser certainty that the content it received is the one it was expecting.
Pushing the Transition
If you’re thinking all of that sounds scary, you're not alone. Google agrees and has started to roll out changes to the Chrome browser—you've probably noticed that grayed out "not secure" message near the URL. Additionally, if you log in to a site over regular HTTP, you may also notice a red "not secure" message. This is meant to push websites towards SSL, and it’s only the start. Google has announced additional plans to clearly mark all traffic as not secure going forward.
What You Can Do
- Work with your hosting provider or website developer to purchase an SSL certificate from a reputable vendor.
- Have those same partners review your SSL configuration to confirm that you’re using strong protocols and ciphers that have not been deemed to be compromised.
- You may also need to review your site to confirm that you don't have any mixed content errors, which is when HTTPS pages are referencing insecure HTTP resources.
- While you're at it, complete a full review of your server configuration.
- A full penetration test or security scan may also be a good investment.
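The mixed content review in the list above can be automated. As an added example (not code from the page or from any browser vendor), the scanner below walks the HTML of a page that is meant to be served over HTTPS and reports every resource still loaded over plain `http://`. It distinguishes active content (scripts, frames, stylesheets, form targets), which browsers block outright and which an attacker on the path could replace, from passive content (images, media), which only produces a warning. The sample page is constructed; in practice you would pass it the HTML fetched from your own site, one page at a time.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Active mixed content can run code or restyle the page; passive content can only be displayed.
ACTIVE_SRC_TAGS = {"script", "iframe", "object", "embed"}
PASSIVE_SRC_TAGS = {"img", "audio", "video", "source"}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, url) for every sub-resource fetched over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag in ACTIVE_SRC_TAGS:
            url, severity = a.get("src"), "active"
        elif tag in PASSIVE_SRC_TAGS:
            url, severity = a.get("src"), "passive"
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url, severity = a.get("href"), "active"
        elif tag == "form":
            url, severity = a.get("action"), "active"  # posting to HTTP leaks the form data
        else:
            return  # plain <a href> links are navigation, not mixed content
        # Relative and protocol-relative ("//host/x.js") URLs inherit the page's scheme, so only
        # an explicit http:// scheme is a finding.
        if url and urlparse(url).scheme.lower() == "http":
            self.findings.append((severity, tag, url))


def scan_mixed_content(html):
    """Return findings as a list of (severity, tag, url) tuples, in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page that would be served over HTTPS.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/analytics.js"></script>
<script src="//cdn.example.com/ok.js"></script>
</head><body>
<img src="http://images.example.com/hero.jpg">
<img src="https://images.example.com/logo.png">
<a href="http://partner.example.com/">partner link (navigation, not mixed content)</a>
<form action="http://forms.example.com/submit" method="post"></form>
</body></html>"""


if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE_HTML):
        print(f"{severity:7s} <{tag}> {url}")
```

Fix active findings first: a script or stylesheet fetched over HTTP from an HTTPS page is precisely the man-on-the-side scenario described earlier, and modern browsers refuse to load it anyway, so the page is already broken for those users.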
How Sandstorm Can Help
This is just the start of the conversation and we've only covered a few topics. Whether you’re moving your current website to SSL or want to ensure your new website is developed with the latest security in mind, we utilize the technology and techniques that make sure you’re protected.