What is .well-known?

Ironically, not that well known – even among techies!

You’ve seen it in cPanel and you’re wondering what this new folder is. “Well known you say – certainly isn’t to me!”. As already mentioned you’re far from alone.

But have I…?

No, you’ve not. The first question you want answering is, ‘have I been hacked?’. All security-conscious website owners these days ask the very same question when random files and folders appear on their hosting area – and if they’re not, they should be!

On the contrary, having this folder is a demonstration of the fact that you are security conscious and you care about your visitors!

The reason you have your not-so-well-known well-known folder is because you are using the Comodo AutoSSL feature – a nifty little tool for effortlessly managing your website’s SSL certificate. Comodo AutoSSL places text files in here that are used to validate the domain.

Why is it doing this?

Comodo AutoSSL is doing this as it uses the text files to validate your domain name. Comodo must validate your domain name prior to issuing it with an SSL certificate.

What should I do with .well-known?

Absolutely nothing. Just leave it there, let Comodo sort out your SSLs and keep them valid, and live a happy and secure web life!

Phishing Update – The Now Infamous Facebook Article!

Quick update regarding the unfortunate whoopsie that Google did in marking one of our articles (incorrectly) as a phishing page.

The issue was brought up with Google, Google reviewed, Google decided they were talking rubbish ;-).  So, as it’s now been cleared by Google, I (and of course any other webmasters out there who may want to) am now able to link to the now infamous article.

We’ve also raised the issue with McAfee and Norton to update their relevant web URL checkers and software.  Norton are currently re-evaluating and McAfee we haven’t heard back from yet.

Safe to say, now that Google has deemed it safe, hopefully all the other service providers and link checkers will equally declare it safe once they poll security data from Google again.

Apologies for any inconvenience caused.  We have asked for full details of the complaint, including the complainant, but so far this has not been forthcoming.  We’ve also worked with our hosting provider but they are equally unable to get hold of the information.

My suspicion is that this started from a malicious complaint and there’s possibly a bit of embarrassment on the part of Google and/or the service company that lodged a complaint with our hosting provider.

Thankfully, these are rare occurrences – they are, however, on the increase (against many reputable websites and companies) – but rest assured that we do everything possible to maintain the security of your websites and ours, and will swiftly deal with all complaints, malicious or otherwise.

Thanks for your patience.

DPS David.

SSL Certificates – More Expensive Doesn’t Mean A Thing!

Now normally in life, going for the cheap option doesn’t always work out well in the medium to long term – or if you’re really unlucky in the short term.

Although not free, we can definitely confirm that sometimes the best things in life are cheaper (OK, that’s not quite as catchy granted!).

SSL or Secure Socket Layer certificates are understandably (and rightly so) becoming more popular.  For companies of all sizes with an online presence they are pretty much a given these days.  And for most personal sites as well – even if it’s “just” protecting a members’ area, forum or blog.

SSL certificates can range from tens of pounds a year to thousands of pounds a year.

The Big SSL Myth

There’s a myth going round about SSL certificates, and it’s been going around for a while now.  So I only feel it’s right to dispel it.

“More expensive SSL certificates usually offer 0% extra protection”

Shocked?  Most are.  Apologies if you’ve just spat out your cornflakes as you’ve spent loads on one recently.

Most of the time, a more expensive SSL certificate means no extra protection.  The likely difference is the company providing it – i.e. there are well respected companies that have been around for a long time and have gained the trust of users – so they can be seen as more ‘valuable’ when in reality it’s the same as a genuine new start up that’s offering them much cheaper.

It’s the online equivalent of saying this site is protected by ‘Well Respected and Established Company Ltd’ rather than ‘New Startup Ltd’.  The fact is, if they both sold you the same security, but for vastly different prices, your security would still be the same – the only difference would be the price you pay.

Having Said That….

Sometimes you do get nice extras thrown in – maybe a financial warranty backing up the certificate in case something goes wrong – however the chances of a claimable situation arising aren’t very likely and the benefit to most people will likely be nil (or not a lot).

However, the core point remains – the strength of the security offered is likely to be the same!

Let’s Compare A Typical Offering…

123-Reg are a popular domain name, web hosting and SSL certificate provider (among other things web related).

Let’s take a quick look at the SSL certificates they are offering:

Now, as you can see, we’ve got everything ranging from just £9.99 a year to £249.99 a year.  A big difference in price.

For some big businesses maybe the warranty or extra add-ons might possibly be useful at some future point in time.  Might.  However, for all personal sites, 99.9% of contractors and the self employed as well as probably a great deal of small to medium sized businesses, the £9.99 a year 123-Reg SSL is probably going to be enough for your needs.

Need a little more convincing?

Let’s take it line by line:

Activates Browser Padlock

Important feature – not from a security point of view, but for reassuring the user and giving them the signal that they are connected securely to your website.

Good job it’s included as standard with all of the SSL certificates.  No expensive SSL certificate is going to provide you with a nice padlock! ;).

Activates Browser Green Bar

Yes, a browser green bar is a nice little touch.  But are you really considering spending £249.99 on an SSL certificate?  If not, then as you can see, there’s no difference between the first three (except £60 a year in price!).

Unless you’re a bank, your users aren’t going to bat an eyelid about it not being there.  Pretty much the only organisations that have these are banks, the government and multi million pound corporations (and even some of them don’t bother with it).

Yes, it can sometimes give an extra warm fuzzy feeling of security to your user – but quite frankly, the vast majority of users don’t actually notice it’s there.

The extra security, you will probably not be surprised to find out, is not based on the browser bar being green rather than white (if only it was this easy….) but on the extra checks they have to go through to get the certificate – usually including some offline verification checks.

The green bar kind of validates that you are ‘speaking’ to who you think you are speaking to.  However if you don’t know ‘who’ is behind the website that you’re about to enter your personal details on, maybe you shouldn’t be entering them on the site at all (green bar or otherwise)?

In short, for 98% of websites – this isn’t a deal breaker.  Forget the green bar (and the extra setup pain that comes with it)!

Validity Period

This is the number of years you can buy the SSL certificate for in one go – i.e. how long you can choose to buy it before you have to renew it.  When applied to domains for example, the ‘Validity Period’ of a .co.uk domain would be between 1-10 years.

The validity period has absolutely zero impact on the security provided by the SSL certificate.

Discounts are usually given for ordering multiple years in advance – although you can of course buy 1 year and renew yearly if you like – whichever is more convenient.

In this example, the most expensive SSL certificate is actually the most inconvenient!  You can only order that one for up to 2 years in advance (most likely due to the rigorous – and largely irrelevant for most – security hoops that you have to jump through).

The first three are much of a muchness – all being able to be ordered for between 1 and 5 years.

Multi Year Savings

Savings – we all like savings!  As mentioned above, ordering for multiple years in one go produces a saving.

The most expensive SSL certificate actually puts you at a disadvantage here as it can only be ordered for a maximum of two years in advance, whereas the others can all be ordered for up to 5 years (see above).

Encryption Level

Prepare for the shocker!

Encryption level.  Probably – no wait, definitely – the most important feature of your SSL certificate.  How strong is the encryption it provides?

As you can see above, paying more gets you 0% more security!  That’s it, no extra protection for your extra £240 a year!

This is what I mean when I say that paying more for an SSL certificate doesn’t get you more security – it just gets you a bigger brand name to stick on your site.  And if over a decade of web development has taught me anything it’s this:

99% of customers won’t care if your website is ‘Secured by’ VeriSign or ACME Ltd.

That statement is of course with the caveat that you pick a reputable company – not Card Fraud R Us Ltd etc.

Remember:

Big names just mean big price tags – nothing else.

Secures WWW and non-WWW sites

Standard feature – as evidenced by the fact that it’s available on all SSL certificates from the cheapest to the most expensive.

Using DPS Computing’s website as an example this means that using any of these certificates we could secure pages starting with both www.dpscomputing.com and dpscomputing.com – i.e. with or without the www prefix.

Warranty

This is the biggie difference – without actually meaning a lot in reality.

Warranty – as described by 123-Reg is:

The more expensive GlobalSign certificates come with an insurance policy.  If the certificate is issued or used incorrectly (i.e. they cock up or an act of fraud is committed against you).

I’m not sure on the number of claims that there are on these warranties by the people that have cover from them, but it is likely a very small percentage.

Don’t forget the amount specified isn’t the amount you’d get paid out in the rare situation that the certificate is issued or used incorrectly.  It’s the maximum amount you would be entitled to.

The ‘value’ of a warranty – or lack thereof – shouldn’t influence which SSL certificate you pick.  Spend the money on something else – something that will help your website or business more than this is ever likely to – and don’t forget, it’s not just a one off cost – it’s a recurring, and for most people, unnecessary cost.

Again there’s one key thing to remember:

The value (or lack of) a warranty has 0% impact on your security

It doesn’t make your site any safer.  And even if you were in a claimable situation (extremely unlikely!), it’s not just going to be a hand over of the maximum amount in a cheque to you – prepare for a drawn out process, potentially even a legal battle (at which point, is it worth it any way?).

Typical Issuance Speed

Again, on the issue of speed from purchase to being live and available for use on your site, cheaper is better.

Due to the (for many) unnecessary extra security checks, you have to wait nearly an entire working week, compared to just 10 minutes for the lower priced options.

Vetting

Vetting – here’s some of the extras that you get – kind of.

As the name implies, the increased levels of vetting available with more expensive SSL certificates basically mean that you’ve had more background checks done to ensure your website (and with the more expensive ones, your business) is who it says it is.

It does not, I repeat does not impact on the level of security offered by your SSL certificate.

Con men and fraudsters can successfully complete these checks on occasions just as they can with other systems designed to protect authenticity.

Reputable businesses usually have many ways for their customers to check their history, trading status, previous customer experiences etc through sites like Companies House, TrustPilot etc.

Coupled with the fact that most con and fraud websites are discovered relatively quickly and the people behind them stay in ‘business’ by setting up and closing down in a matter of weeks (or at most months), one of the biggest free security checks that can be done by anybody with an Internet connection is to check the age of the company.

Now, not all new companies are scammers, obviously.  But most scammers are, or appear to be, new companies, with little trading history and probably not a big online footprint.  This alone, evidently, doesn’t confirm devious intentions but it should raise a healthy level of suspicion – after all, if you were fully confident in their identity in the first place you wouldn’t be investigating who they are ;).

Also, things like checking that addresses exist, ringing the office phone number and consulting previous customers can yield important information.

All in all, despite the extra checks offered with the more expensive SSL certificates, there are probably more cost effective and beneficial ways to do these checks.  Unless you’re a big business, probably not much point in having any more checks than the basic 123-Reg SSL certificate offers.

Simple Set Up With AutoCSR

Again, on this one, it doesn’t matter how expensive you go, you get the same auto set up service which helps you install the SSL certificate on your website.

Easy to set up service if you are hosting elsewhere, even easier to set up service (it’s done for you) if you have 123-Reg hosting.

Secure Unlimited Sub Domains (Wildcard SSL)

Wildcard SSL – again something you are only likely to require if you’re a big business.  Only available as standard in the most expensive certificate.

Wildcard SSL lets you secure not only your main domain.com but also any subdomain.domain.com.

So without wildcard SSL you could have the following served securely via https (using DPS Computing as an example):

  • www.dpscomputing.com/billing/
  • www.dpscomputing.com/customers/
  • www.dpscomputing.com/secure/
  • dpscomputing.com/billing
  • etc…..

What you couldn’t have would be:

  • secure.dpscomputing.com
  • billing.dpscomputing.com
  • customers.dpscomputing.com

With wildcard SSL you can have subdomain.domain.com as well as domain.com/subdomain.
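
The coverage rules above can be checked name by name. The following is an added example (not code from 123-Reg or from this site) that applies simplified RFC 6125-style matching to constructed certificate name lists; it also shows that a wildcard name covers exactly one subdomain level, and covers the bare domain only if that is listed on the certificate as well. The lists STANDARD, WILDCARD and WILDCARD_ONLY and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed certificate name lists (subjectAltName entries) for illustration.
STANDARD = ["dpscomputing.com", "www.dpscomputing.com"]    # "WWW and non-WWW"
WILDCARD = ["*.dpscomputing.com", "dpscomputing.com"]      # wildcard plus bare domain
WILDCARD_ONLY = ["*.dpscomputing.com"]                     # wildcard, bare domain not listed


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate name (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False          # "*" stands for exactly one label, never zero or two
    if p[0] == "*":
        # Simplified rule: accept "*" only as the complete left-most label, with
        # at least two fixed labels after it (so "*.com" is refused).
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_covers(cert_names, hostname):
    """Return True if any name on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def url_covered(cert_names, url):
    """Check a full URL: only the host is compared, the path plays no part."""
    return cert_covers(cert_names, urlsplit(url).hostname or "")


if __name__ == "__main__":
    hosts = ["dpscomputing.com", "www.dpscomputing.com", "secure.dpscomputing.com",
             "billing.dpscomputing.com", "a.secure.dpscomputing.com"]
    print(f"{'host':<28}{'standard':<10}{'wildcard':<10}{'wildcard only'}")
    for host in hosts:
        print(f"{host:<28}{cert_covers(STANDARD, host)!s:<10}"
              f"{cert_covers(WILDCARD, host)!s:<10}{cert_covers(WILDCARD_ONLY, host)}")
```
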

The cheapest ‘optional’ extra wildcard SSL is on the 123-Reg variety – but that still increases the price from £9.99 to £79.99.

Again, if you’re not a big business, it’s not really likely to be of any use.  In fact would it really matter to a big business if it was domain.com/subdomain rather than subdomain.domain.com?  Possibly – there is some evidence that using subdomains can help with SEO but for individuals and small to medium sized businesses, there are probably many more (cheaper) things that you can do to improve your SEO.

Strong Security In Older Browsers With SGC

Strong security in older browsers – always a good thing as some of us don’t update (for free) our web browsers ;).

However, we can relax as it’s offered as standard on all the SSL certificates on offer.

Server Licenses

Unlimited things are nice, but largely unnecessary.

Most websites run by individuals and small to medium sized companies will be hosted on one server.  Even if they’re not, it will usually involve ‘only’ a main server, a backup server and a mirror server, which would cater for a fairly busy website.

Even with 3 servers, the cheapest SSL certificate will still cater fully for your needs.  If you’re using 4+, then maybe consider the next one up (£49.99/year) – which is unlimited.  If you’re getting to the stage of needing 4 servers, you’re likely not to be as bothered about the extra £40/year.  But just remember, there’s no point spending it if you don’t need it.  3 servers or less – plump for the cheapest option.

Browser Support

 

Browser support – important for both the reasons given above regarding web users not always being the best at updating their browsers on a regular basis but also the fact that there are many different browsers being used by a significant proportion of web users now, examples being Internet Explorer, Firefox and Google Chrome, to mention a few.

Again, all the SSL certificates from the cheapest right up to the most expensive cover you in exactly the same way.

Mobile Device Support

With the ever increasing popularity of mobile devices, including smart phones and tablets and also the rise in m-commerce (mobile commerce) we need to consider security not just among desktops and laptops but also on mobile devices.

As you can see from the above, the cheapest SSL certificate covers you across mobile devices.

Use With Intranet

Building an Intranet?  No, then you don’t need it.

Again, even if you are building an Intranet, you’re only likely to need this kind of security if you’re a big business – individuals and SMEs probably aren’t going to have extensive intranets – and even if you do have one (and require security) you can always use some self signed certificates (issued by yourself but still just as secure).

Secured By Site Seal

A deal breaker of course – not!

It doesn’t matter whether you have a site seal that says secured by MI5 or the Secret Service – it’s no more or less safe than the Secured By 123-Reg SSL seal!

We’re talking about being secure here, not a fancy image ;).

Top Image: jeffanddayna.

All other images: DPS Computing.

How Hackers Are Hijacking Your Websites Search Engine Results

Hacking

Many of you will be aware of hacking to some degree or another.  It is (usually) where an unidentified individual gains access to a resource that they are not authorised to access – so in terms of a website, someone else logging into your website’s accounts (control panel, ftp, e-mail etc) without your permission.  Traditionally, it has been very easy to detect your website being hacked – the hacker in the past has usually defaced your website quite publicly – usually with links to malware, spam, placing advertising on your website or other undesirable material.

Website Hacked

However, as with most things in computing, hackers are evolving strategies – and some of these, while still remaining detectable, are significantly harder to detect than the typical ‘defacing’ hack.

The issue that we are going to look at in this article is the hijacking of your website’s search engine results.  For the technical people out there, we are discussing hacking of the .htaccess file.  Don’t worry if you don’t know what that means, we’re going to go through it carefully step by step.

Now for those of you that run your own website, whether it is personal or business, think about how you would normally access that website.  Chances are, more often than not, you type the website address directly into your browser’s address bar, such as:

[Image: DPS Computing Limited - www.dpscomputing.com - Address Bar]

Hijacking your website’s search engine results takes advantage of this.  When your search engine results are hijacked there is no visible indication of the hack unless you go through a search engine.  If you type the address directly into the address bar (as in the picture above) everything works as normal.  Hackers are using this to their advantage to escape detection.

So what’s the problem if there are no visible signs of the hack?  Well, there are visible signs, but only when you go through a search engine!  The thing to consider is that everyone else who is looking for your website, or a website with content similar to yours, is 99.9% likely to use a search engine to find it.  And with this search engine results hijack (.htaccess hijack) any user clicking from a search engine results page to your website will be redirected to another site, usually undesirable and usually hosting malware or other similar unpopular things!  One thing’s for sure: although they appear to have come to your website (as far as they are concerned, through the search listings), they have actually come to your site, ‘hit’ your page and then been redirected to the hacker’s website (or a website of their choice).  The hacker achieves this by inserting content into, or creating, a .htaccess file in your website’s home directory.

So, why do they do this?

Well there can be many reasons.

Firstly it can be to gain a good ranking with search engines.  If a hacker started a new site it would start off like every other website (usually) does, at the bottom of the pile.  What’s a way of increasing your ranking?  Quality back links.  Google (and other search engines) will see your ‘redirect’ from your own site to the attacker’s website as a sort of endorsement.  If the hacker does this to hundreds of websites, maybe even thousands or more, the hacker is starting to get a popular website.

Secondly, it can be to make money.  The hacker’s website is likely to be full of advertisements – and due to the traffic from all the compromised websites – it’s likely to be making a fair wad of cash.

Thirdly, it can be to spread malware.  It’s very effective to have legitimate websites (probably with a good reputation and history) redirect to the attacker’s website to infect the visitors’ computers with malware/adware/spyware or whatever they feel like.

Fourthly, sometimes it can be to highlight a cause.  Although less likely, sometimes hackers do this to redirect to a website protesting about a government action, law enforcement case or a war.

So, why should you be bothered?

Well, there are also many reasons for this.

Firstly, you’re losing visitors (and / or customers).  All of the search engine traffic that should be going to your website isn’t.  It’s going to the attacker’s website.

Secondly, you’re likely to be losing your reputation.  From a user’s point of view they click on a link from a search engine to your website and then get ads/malware/spyware etc displayed on their browser / on their computer.  Although this has actually come from the attacker’s website – most users aren’t going to distinguish this (it’s not obvious at all).  So you will be associated with the bad reputation of the hacker’s website and their actions will be attributed to you.

Thirdly, your website’s rankings and ‘online reputation’.  Google (and other search engines) regularly check out websites to see if they’re legitimate and whether they contain any ‘nasties’ such as malware, aggressive advertising etc.  By redirecting your website to their website, for reputation purposes you basically get ‘merged’ with the hacker’s website.  So as far as search engines are concerned, if the hacker’s website is hosting malware (for example), you are hosting malware.  Why does it matter what the search engines think?  Well, because that’s how most people find you and they decide your ranking.  Websites containing (or redirecting to) bad things such as malware will get penalised in search engine rankings, if not removed altogether from them.  Ever seen the ‘This site may harm your computer’ tag in Google?  Your website, if hacked in this way, could end up with that tag or worse!  There are other websites (as well as security software) which watch out for these kinds of things and warn users about ‘potentially unsafe websites’.  One of the most popular is Norton SafeWeb.  All any Internet user has to do is type in a web address and they get a quick report about how safe or unsafe, good or bad a website is.  As mentioned earlier in this paragraph, once the .htaccess hijack has taken place, for the purposes of online reputation and website rankings your website and the hacker’s website become the same website!

So, how do they do this?

Well, they have to gain access to your website account(s) somehow.  Usually they exploit a weakness in some software running on the website to ‘bypass’ security and authentication measures or they crack the password to your account – which if they are successful, usually means that the password used was insecure or not strong enough.

No matter how they do it, what they then do (for this hack) follows the same path.

If you’ve already got a .htaccess file, they ‘append’ some more commands to it.  If not, they create one and add the commands to it.  .htaccess files can ‘live’ in any folder on a website and most websites usually have one in the main folder on the website (usually something like ‘public_html’, ‘www’ or ‘htdocs’) – this is the one that they target.

And, what do they do?

Well, as mentioned in the previous section, they add more code to your .htaccess file – something very similar to this:

[Image: .htaccess Hijack Hack]

Don’t worry if this means nothing to you!!  The web developers reading will immediately have alarm bells ringing in their heads now!

Basically what this code does is redirect any user coming to your website from a number of search engines (Google, Ask, Yahoo, Excite, AltaVista, MSN, Netscape, AOL, HotBot, Goto, InfoSeek, Mamma, AllTheWeb, Lycos, Search, Metacrawler, Bing and Dogpile – to be specific!) to another website – in this case ‘ahmetekremkaya.com’.  In addition, any time a user encounters a website error (400, 401, 403, 404 or 500 status code – basically all the ones your visitors are likely to encounter) it redirects them to the attacker’s website.

And how do I fix it?

Simply remove the code that the hacker has inserted into .htaccess.  You can do this quickly by deleting or (preferably) renaming the file – to anything really, but something along the lines of ‘.htaccess-removed’ or ‘.htaccess-infected’ can be used.  Don’t worry – after you have changed the name of the file, the code can no longer harm your website and everything will go back to normal.

If you had legitimate code in the .htaccess file you can reinstate this in a new .htaccess file.

Obviously, some people reading this may be non-technical users – if this is the case, you can always find a reputable company to come in and remove the infection and hijack completely from your website.

DPS Computing Limited can do this for you – feel free to take a look at our website maintenance packages.  If we find that the hack / hijack isn’t very extensive, we may be able to offer you a discounted price – feel free to contact us for a FREE diagnosis and a value for money, no obligation quote.

Conclusion

The result is, as described above, any of your results in search engines suddenly become their results.  You lose traffic, visitors and in the case of businesses, customers.  You also lose the reputation and credibility that you have likely spent a long time building up.

Usually, if you see another website (that you don’t recognise) in any .htaccess file on your website, you’ve likely suffered from this type of hack, a .htaccess hijack.  As .htaccess files are ‘dot’ files (and therefore hidden automatically in different applications / control panels by default) this can also make it harder to even find the file that has been hijacked – let alone repair it.
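
One way to look for the changes described in this article is to scan every .htaccess file for rewrite rules and error documents that send visitors to a host you do not own. This is an added example, not code from the original article: the sample file, the example.org and unknown-site.invalid hosts and the function names are constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit

# Search-engine names listed in the article; matched inside Referer conditions.
SEARCH_ENGINES = ("google", "ask", "yahoo", "excite", "altavista", "msn",
                  "netscape", "aol", "hotbot", "goto", "infoseek", "mamma",
                  "alltheweb", "lycos", "search", "metacrawler", "bing", "dogpile")

# Constructed sample: one legitimate HTTPS redirect followed by injected rules.
SAMPLE = """\
# rules the site owner wrote
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://unknown-site.invalid/ [R=301,L]
ErrorDocument 404 http://unknown-site.invalid/
ErrorDocument 403 /errors/403.html
"""


def external_host(target, own_hosts):
    """Return the host of an absolute URL that is not one of ours, else None."""
    if not re.match(r"https?://", target, re.IGNORECASE):
        return None
    host = (urlsplit(target).hostname or "").lower()
    if host in own_hosts or any(host.endswith("." + h) for h in own_hosts):
        return None
    return host


def scan_htaccess(text, own_hosts):
    """Return (line, kind, host, detail) for each directive sending visitors off-site."""
    own = {h.lower() for h in own_hosts}
    findings, referer_conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            if "http_referer" in parts[1].lower():
                referer_conds.append(parts[2].lower())
        elif directive == "rewriterule":
            host = external_host(parts[2], own)
            if host:
                engines = sorted({e for e in SEARCH_ENGINES
                                  for cond in referer_conds if e in cond})
                kind = "search-referer-redirect" if engines else "external-redirect"
                findings.append((lineno, kind, host, engines))
            referer_conds = []   # conditions apply only to the next RewriteRule
        elif directive == "errordocument":
            host = external_host(parts[2], own)
            if host:
                findings.append((lineno, "external-errordocument", host, [parts[1]]))
    return findings


def scan_tree(root, own_hosts):
    """Scan every .htaccess under root; os.walk lists dot files that file managers hide."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(folder, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as handle:
                found = scan_htaccess(handle.read(), own_hosts)
            if found:
                results[path] = found
    return results


if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE, ["example.org"]):
        print(finding)
```

Run scan_tree against a downloaded copy of the site with your own domain names in own_hosts; every finding is a line to read by hand, since a redirect to another site you control is legitimate.
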

The DJ David website was previously hacked in this way, as you can see below (don’t worry – it was all fixed a while ago!):

[Image: DJ David - .htaccess Hijack]

This is from the Google search engine results page searching for ‘DJ David’ in early 2011 (when the hack occurred).  As you can see, the DJ David website is displayed in the search engine results.  However, when you hover over the link (to get a preview of what you are going to visit) you can see it relates to ‘ahmetekremkaya.com’ – obviously not the correct website.  Although the website ‘ahmetekremkaya.com’ looks quite tame in this photo, this was after it was taken down.  Originally the site will have usually been infected with malware, displaying lots and lots of ads and also engaging in other not-so-nice activity.  You can also see in the picture above that the link that the preview relates to is shown as ‘djdavid.co.uk/news.htm’.  However, from the preview you can clearly see this is not the page we are going to be taken to.  This is your classic sign that your website has suffered a .htaccess hijack.

If you think you could have suffered this type of hack, or any other security breach, don’t forget you can contact us for a no obligation quote and FREE diagnosis of the problem.

After this type of hack has occurred it is vital that you change all of your account passwords (to strong passwords!) and ensure that adequate security measures are in place!  Another important thing to do is regularly search for yourself (your website) in the search engines.  No, this isn’t vain and is in no way the same as looking at yourself and admiring yourself in the mirror! ;).  It’s important not only because it can detect this sometimes difficult-to-detect hack but also to see how you are doing in search rankings – which terms you are ranking for and how highly you are ranking.  Is your entire website being indexed?  If not, why?  So, searching for your own website in the search engines kills two birds with one stone! :).

‘cipher’ hack image author: Salim