11 April 2014


Posts relating to the category tag "domains" are listed below.

25 October 2009

From Whiteboard to Web Application

Sometimes finding all the web applications in an organisation can be the difficult part in trying to assess what risks exist.

Transport for London don't just have web sites and, I suspect, an intranet. They have been gradually moving away from whiteboards for live Underground travel news at tube stations:

Photograph of a transport information board at Great Portland Street station where the information is provided on magnetic tiles and by hand written wipe-dry pens

And now have electronic versions:

Photograph of a transport information board at Farringdon station where the information is provided on an LCD or plasma display

I don't know what technology is being used here, but other information boards have been seen to display web browser error messages leaking network information:

Photograph of a transport information display showing an 'address not found' error message from Firefox

But, what about elsewhere? I saw this on the live electronic advertisement boards at Bond Street station this weekend:

Photograph of an advertisement display board at Bond Street station elevators showing the words 'System Name' followed by a code and what looks like an IP address, written vertically up the portrait-orientated unit

Sorry it's a bit blurred, but I was going up the escalator at the time. Several, but not all, of the displays had their system names shown rather than an advertisement. It certainly looks like an IP address, but is there a web application inside? I've previously highlighted other information systems and displays that seem to be IP-enabled.

An investigation of your network, examining what is listening on which ports, and correlating this with the actual network traffic, might reveal more web applications than you thought.
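As an added illustration (not code from the original post), the following script does the correlation just described: it parses the listening sockets reported by `ss -tlnp` on a Linux host, counts the connections each port actually receives from a flow export, and lists the network-reachable listeners that look like web servers, including app servers on non-standard ports. The `ss` output, the flow records, and the port/process heuristics are constructed samples and assumptions, not data from any real system.

```python
"""Inventory TCP listeners and correlate them with observed connections.

Added example, not code from the original post. The `ss -tlnp` output and
the flow records are constructed samples in the shape those tools produce on
Linux (TEST-NET and RFC 1918 addresses); nothing here touches the network.
"""
import re
from collections import Counter

# Constructed `ss -tlnp` output: TCP listeners, numeric ports, owning process.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=2210,fd=120))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      128    [::]:443            [::]:*            users:(("nginx",pid=1201,fd=7))
"""

# Constructed flow records as a firewall or NetFlow export might give them:
# source address, destination address, destination port (one line per flow).
FLOWS = """\
10.1.4.22  10.1.2.10 22
192.0.2.44 10.1.2.10 80
192.0.2.44 10.1.2.10 443
10.1.7.31  10.1.2.10 8080
10.1.7.32  10.1.2.10 8080
10.1.7.31  10.1.2.10 8080
"""

# Heuristics (assumptions, tune for your estate): ports and process names
# that usually mean an HTTP service, including app servers on odd ports.
WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443, 8888}
WEB_PROCESSES = {"nginx", "apache2", "httpd", "java", "node", "gunicorn", "uwsgi", "tomcat"}
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Turn `ss -tlnp` output into a list of listener dicts."""
    listeners = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)     # handles "*:80" and "[::]:443"
        procs = _PROC_RE.findall(line)            # [(name, pid), ...]
        listeners.append({
            "addr": addr,
            "port": int(port),
            "process": procs[0][0] if procs else "?",
            "pids": sorted({int(pid) for _, pid in procs}),
            "local_only": addr in ("127.0.0.1", "[::1]"),   # not reachable over the network
        })
    return listeners


def parse_flows(text):
    """Count flows and distinct client addresses per destination port."""
    per_port, clients = Counter(), {}
    for line in text.splitlines():
        if line.strip():
            src, _dst, dport = line.split()
            per_port[int(dport)] += 1
            clients.setdefault(int(dport), set()).add(src)
    return per_port, clients


def web_candidates(listeners, per_port, clients):
    """Network-reachable listeners that look like web servers, with traffic evidence."""
    found = []
    for lst in listeners:
        looks_web = lst["port"] in WEB_PORTS or lst["process"] in WEB_PROCESSES
        if lst["local_only"] or not looks_web:
            continue
        flows = per_port.get(lst["port"], 0)
        found.append({**lst, "flows": flows, "clients": len(clients.get(lst["port"], ()))})
    return sorted(found, key=lambda c: c["port"])


if __name__ == "__main__":
    for c in web_candidates(parse_ss(SS_OUTPUT), *parse_flows(FLOWS)):
        # A listener with no observed flows is unused or reached by a path the
        # export misses; either way it needs explaining before it is signed off.
        note = "" if c["flows"] else "  <- no traffic observed"
        print(f"{c['addr']}:{c['port']:<5} {c['process']:<9} pids={c['pids']} "
              f"flows={c['flows']} clients={c['clients']}{note}")
```

Run as-is it reports three web-like listeners, of which the Java process on port 8080 is the one an asset register built from "the corporate web site" alone would miss; in practice you would feed it the real `ss` output from each host and a day's flow export for that host's address.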

Posted on: 25 October 2009 at 18:46 hrs


02 October 2009

Don't Mix and Match Those Domains

Many organisations like to do a land grab with domain names by purchasing the same name with different generic top-level domains (e.g. .com, .net, .info), country code top-level domains (e.g. .uk, .es, .fr), and multiple second-level domains (e.g. .co.uk, .org.uk). Then of course there are mis-spellings, similar sounding words, brand names and trademarks.

Well, all that leads to complexity, and it's not uncommon for many domains to be aliased to the same site so that any of them can be used to access the complete web site.

But it can get especially messy when SSL is enabled on some or all of the site too. Inevitably there end up being certificate warnings. Some organisations should know better. So when I was searching for providers of online and business privacy "seals",

Partial screen capture showing search engine results including SSL links to pages on the www.truste.org domain including https://www.truste.org/pvr.php?page=complaint

I was very surprised to click on the link to an SSL page which was reported as using an invalid certificate.

Partial screen capture showing the browser's warning message about the page's SSL certificate that says 'www.truste.org uses an invalid security certificate' and 'The certificate is only valid for *.truste.com'

Actually the certificate was fine, it just wasn't valid for the .ORG domain. Perhaps they had hoped the wildcard SSL certificate *.truste.com would somehow cater for *.truste.* - no.
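To make the rule concrete, here is an added example (not code from the original post) that applies the browser's name-matching logic to a list of alias domains: a wildcard covers exactly one label in the left-most position and nothing else, so `*.truste.com` covers `www.truste.com` but not `www.truste.org`, not the bare `truste.com`, and not a deeper `a.b.truste.com`. The certificate name and alias list are constructed to reproduce the scenario above; `fetch_san_names()` is an optional helper that reads the names from a live certificate and is the only part that needs the network.

```python
"""Check which of an organisation's alias domains a certificate actually covers.

Added example, not code from the original post. The matching rule follows
RFC 6125 / RFC 2818 as browsers apply it: a wildcard covers exactly one DNS
label and only in the left-most position. CERT_NAMES and ALIAS_DOMAINS are
constructed to reproduce the post's scenario (a *.truste.com wildcard being
served on www.truste.org); fetch_san_names() reaches the network and is not
used by the offline checks.
"""
import socket
import ssl

# Constructed: the only name the wildcard certificate in the post was valid for.
CERT_NAMES = ["*.truste.com"]
# Constructed: every alias an organisation might point at the same site.
ALIAS_DOMAINS = ["www.truste.com", "truste.com", "www.truste.org",
                 "truste.org", "secure.www.truste.com"]


def hostname_matches(pattern, hostname):
    """True if one certificate name (CN or SAN dNSName) covers hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire left-most label, the label counts must
    # agree, and a wildcard over a public suffix (e.g. "*.com") is refused.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_domains(cert_names, domains):
    """Alias domains for which a browser would show a certificate warning."""
    return [d for d in domains if not any(hostname_matches(n, d) for n in cert_names)]


def fetch_san_names(host, port=443, timeout=5):
    """Names carried by the certificate a live host presents (network needed).

    The chain is still verified; only the hostname check is switched off so a
    certificate issued for a different name can be read and reported.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


if __name__ == "__main__":
    for domain in uncovered_domains(CERT_NAMES, ALIAS_DOMAINS):
        print(f"{domain}: not covered by {CERT_NAMES}")
```

The practical use is a periodic job: take the full alias list from your domain register, read the names from the certificate each alias actually serves, and report every alias that would warn, before a search engine or a customer finds it for you.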

Partial screen capture showing the browser's information about the certificate which says 'You are about to override how Firefox identifies this site - Legitimate banks, stores and other public sites will not ask you to do this' and 'Certificate belongs to a different site, which could indicate an identity theft'

Identity theft? Privacy? But apart from these configuration issues, isn't it just very confusing to have many different domains appearing in search engine results? How does this duplicate content affect their search engine ranking? Does it undermine trust in the brand? Should the SSL part of the site be indexed at all? Perhaps. Who makes these decisions? Is it the developers, the person who configured the site or does the business have a viewpoint?

I overheard a (loud) mobile telephone conversation this week in which a marketing manager* was apologising for a problem but they "did not know any of the technicalities". Mmmm, who is accountable? Make it your business to know.

[* Security and technology managers should also understand their organisation's business objectives.]

Posted on: 02 October 2009 at 07:56 hrs


13 November 2008

A Cry for Help Which Made Me Want to Cry

E-consultancy.com has many excellent online marketing and e-commerce resources, and I read the blogs and forums regularly. The following posting appeared on the forum a couple of days ago:

Partial screen capture of posting to the e-consultancy.com forums asking 'Can anyone tell me if there is a way of finding out who hosts your website? We need to find out who is hosting our website any help would be appreciated.'

This cry for help worried me. Although the forum replies were helpful, it did make me wonder how many other web site owners have no idea where their web site is hosted.

If this is really the case here, it probably means the owner doesn't have all the resources to rebuild the site elsewhere and possibly is without back-ups of the data. And what about the intellectual property ownership? It's something which all developers should be discussing with their customers. My first suggestion would have been to contact the development company. A cursory examination of the source code reveals:

Partial screen capture of page source code with a commented out hyperlink to the designers Osmodus

This company even showcases the site:

Partial screen capture showing the Gluttonous Gardener web site featured on the Osmodus portfolio pages

Now, we have no idea of the background and cannot guess if there is anything amiss. But the site is a card payment enabled e-commerce site, and surely the owner has had to comply with the Payment Card Industry (PCI) Security Standards Council's Data Security Standard (DSS)? Knowing where your web site is hosted would be one of the earlier things to discover.

Let's hope it's sorted soon.

Posted on: 13 November 2008 at 14:52 hrs


21 October 2008

Flyposting on Your Shop Window

You might not have revenue-earning banner adverts on your web site. But here are some more ways other organisations find to advertise on your property.

In my post a month ago Someone Could Be Advertising on Your Web Site I mentioned the need to check all domains - not just the one being used by your corporate web site. Whilst doing some research on companies regulated by the Financial Services Authority, I came across some more examples for you.

This advertisement appears when a domain, used by a company only for its email, is requested in a web browser:

Advert for a hosting company on a domain used only for electronic mail

And, this one is apparently for a web site which has been removed, yet the domain is also currently being used for email:

BT's announcement on a web domain used for email, advertising their services

But it's not always non-standard domains that can have problems. I was very surprised to see these links appearing at the top of one firm's home page and the pop-up advert window:

Details of the host company and their services appear as a header on the website

I wonder if anyone has checked their site recently? Try to keep a schedule of all domain names owned and used by your organisation. Record the registrars, contacts, renewal dates and any associated certificates. Periodically test all the domains to check they are only being used for your own approved purposes, and are not providing advertising space for others, or leaking details about your organisation or systems.
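As an added example (not code from the original post), this is the kind of periodic check the paragraph above asks for, run over a register in the suggested shape: registrar, contact, renewal date, associated certificate and, crucially, the approved purpose of each domain. It flags renewals falling due, redirect-only aliases that serve content instead of redirecting, email-only domains that answer HTTP at all, and any response that looks like a registrar's or host's advert. The inventory and the canned HTTP responses are constructed (reserved example names); in real use a live HEAD/GET request would supply the status, Location header and body.

```python
"""Review a domain register: renewal dates and whether each domain behaves as approved.

Added example, not from the original post. INVENTORY and RESPONSES are
constructed samples (reserved example domains); a live fetch would replace
the canned responses. Purposes: "site" serves the corporate site, "redirect"
must 301/302 to the canonical host, "mail-only" should serve no web content.
"""
import csv
import io
from datetime import date, timedelta

# Constructed register in the shape the post suggests keeping.
INVENTORY = """\
domain,registrar,contact,renewal,certificate,purpose,canonical
example.com,Registrar A,it@example.com,2009-01-15,*.example.com,site,
example.net,Registrar A,it@example.com,2008-11-05,,redirect,www.example.com
example.org,Registrar B,marketing@example.com,2009-06-30,,redirect,www.example.com
example-mail.net,Registrar B,it@example.com,2008-11-20,,mail-only,
"""

# Constructed HTTP responses: (status, Location header, start of body). A
# domain that does not answer HTTP at all is represented by (None, None, "").
RESPONSES = {
    "example.com":      (200, None, "<title>Example Corp</title>"),
    "example.net":      (301, "https://www.example.com/", ""),
    "example.org":      (200, None, "<title>Example Corp</title>"),
    "example-mail.net": (200, None, "<title>This domain is parked - cheap hosting from Hosting Co</title>"),
}

# Phrases (assumptions) that suggest a parking page or a host's own advert.
PARKING_HINTS = ("parked", "domain for sale", "hosting", "this site has been removed")
REDIRECT_CODES = (301, 302, 307, 308)


def check_domain(row, response, today, renewal_window_days=60):
    """Return the list of findings for one register row."""
    findings = []
    renewal = date.fromisoformat(row["renewal"])
    if renewal <= today + timedelta(days=renewal_window_days):
        findings.append(f"renewal due {renewal.isoformat()}")

    status, location, body = response
    purpose = row["purpose"]
    if purpose == "mail-only" and status is not None:
        findings.append(f"mail-only domain answers HTTP {status}")
    if purpose == "redirect":
        if status not in REDIRECT_CODES:
            findings.append(f"expected redirect to {row['canonical']}, got HTTP {status}")
        elif not location or row["canonical"] not in location:
            findings.append(f"redirects to {location!r}, not {row['canonical']}")
    if any(hint in body.lower() for hint in PARKING_HINTS):
        findings.append("third-party / parking content served")
    if purpose == "site" and not row["certificate"]:
        findings.append("no certificate recorded")
    return findings


def review_inventory(csv_text, responses, today):
    """Map each domain in the register to its findings (empty list = clean)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["domain"]: check_domain(row, responses.get(row["domain"], (None, None, "")), today)
            for row in rows}


if __name__ == "__main__":
    # Constructed "today": the date of the post.
    for domain, findings in review_inventory(INVENTORY, RESPONSES, "2008-10-21").items():
        print(f"{domain:<18} {'; '.join(findings) or 'OK'}")
```

The register itself is the valuable part; the script only makes "periodically test all the domains" cheap enough to actually happen, and the `purpose` column is what turns a 200 response from a harmless fact into a finding.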

Posted on: 21 October 2008 at 07:52 hrs


16 September 2008

Moving Web Hosting Offshore

Changing a web site domain name can be search engine suicide, but there are many other considerations raised by moving hosting to the United States - the Data Protection Act 1998 in particular.

In mid-August, E-consultancy.com's Chief Executive announced on their forums that their web site will be transferred to a new domain and move from UK hosting to the United States (US). He had posted the message to gain feedback and suggestions about the effect on their search engine listings. The new host name will be www.econsultancy.com rather than the current www.e-consultancy.com (with a hyphen).

Apart from the search engine optimisation issues, and my previous post about domain due diligence, the discussion in the forum has touched on data protection issues. It appears that additional thought needed to be put into this matter before moving the site hosting and current data abroad.

One contributor even suggested "go for second-best practice and get the job done quicker and more cheaply". But E-consultancy Limited are more professional than that. They seem to have put significant effort into consideration of their privacy previously. They are a current registered data controller. They are also signed up with TRUSTe's privacy program for the web site, although such programs have debatable value.

Web site users are bound by a user agreement (the terms and conditions for using the E-consultancy.com web site) referencing the privacy policy which states:

TRUSTe operates as a third-party "watch dog" by auditing privacy practices to make sure that they are in compliance with TRUSTe's privacy standards. In as far as this represents best practice on the web, e-consultancy.com is committed to complying with these standards so that members can feel secure in the knowledge that their personal data is properly managed.

The privacy policy says the data are hosted in the UK:

Your Personal Information is stored in our databases, which are located in the UK. Please note that the information you enter may at some time be transferred outside the European Economic Area for the purposes of processing by E-consultancy.com or any of its affiliates. By submitting your information, you consent to this transfer.

This text has been on this page since the site was launched in 2001 - see the December 2001 copy of the page in the Way Back Machine Internet Archive.

I believe storing the databases outside Europe is different to transferring it outside for processing - and I think users and members would maintain that too. I hope E-consultancy Limited consider the effects and get some good legal advice sooner, rather than later. Perhaps "opt in" to the change rather than "opt out" will be necessary?

I'm also a little worried about their registration as a data controller - only having one data use purpose of "consultancy and advisory services" appears to be a bit simplistic - you'd assume there would be at least some "staff administration", "advertising, marketing and public relations" and "accounts and records" going on.

Frank Jennings has written some timely advice for organisations planning to move data offshore in his September SC Magazine blog post "Legal matters: In the age of consent". This includes a discussion on the principle of "safe harbor" - harmonisation of data privacy practices in the less strict US. See also the guidance at Out-Law.com on "Overseas transfers of personal data".

Posted on: 16 September 2008 at 10:40 hrs


22 August 2008

Which Type of SSL Certificate Should You Purchase?

Extended Validation (EV) SSL certificates have been available for 18 months, but despite the hard sales push, many web sites are continuing to use non-EV certificates. EV certificates cost significantly more but I don't think the case for their use is yet proven.

During 2006, the SSL Certificate Authorities (CAs) and browser vendors approved standard practices for certificate validation and display called the Extended Validation Standard. This was in reaction to the widespread sale of low-cost SSL certificates which did very little, if any, checking of the purchaser's details. The validation process is meant to establish the legal identity as well as the operational and physical presence of the website owner, the identity of the individual making the request, and that they have full control over the address/URL being used. In the Internet Explorer (IE) 7 web browser, the address bar turns green and displays the organisation's name when a trusted, current EV SSL certificate is in use (this may require an update from Microsoft depending upon your operating system):

Partial screen capture of a web browser showing the green address bar that appears in IE7 when a valid Extended validation SSL certificate is in use

Users of Firefox 3 (and Firefox 2 with an extension) see something similar. But despite steady worldwide growth, many UK web sites are continuing to use non-EV certificates:

Partial screen capture of a web browser showing the address bar when a conventional SSL certificate is in use

For an excellent insight into what EV SSL certificates offer, read Ivan Ristic's ModSecurity Blog post "Extended Validation Certificates: A Change for the Better (But Not Enough)".

If your competitors are using EV certificates, it might be worth buying one too, but they are priced at a premium and I don't think consumers are avoiding web sites with conventional certificates. Since some UK online banks aren't using them, I suspect the time to join the bandwagon hasn't yet arrived:

Partial screen capture of a web browser showing the address bar when a conventional SSL certificate is in use by an online bank

Perhaps when the cost differential reduces, more site owners will begin to buy them. This isn't yet something you need to be ahead of the wave on.

Posted on: 22 August 2008 at 08:50 hrs


15 August 2008

Is Your Web Site on Virtual Contaminated Land?

When we set up a web site, how much thought should we give to the previous use of the Internet Protocol (IP) address and domain name? Any previous use could spell disaster for a new web site.

When you buy a house your conveyancing solicitor will undertake local searches and review the Home Information Pack. For commercial transactions, organisations will usually undertake some form of due diligence checks including enquiring about previous uses of the site and adjoining properties using old maps and information from the local authority. No-one wants to inherit the liability for contaminated land, for example from a previous gas works, tanning plant or dye manufacturer that occupied the site.

Instead of chemical threats, web sites need some virtual due diligence when setting up a new site or moving to a new hosting company or domain. It may also be an issue if your hosting company is changing their IP address ranges and this affects your servers. The threats are to your organisation's reputation if it becomes associated with something contrary to its beliefs or objectives, or that might upset its customers, clients or users. It could also lead to a lack of availability if the address is blocked by spam or web filtering gateways.

The Domain Name Service (DNS) is responsible for translating between human-friendly domain names (e.g. www.clerkendweller.com) and machine-friendly IP addresses. If a hosting company loses a client, they are very likely to re-allocate that web site's IP address to a new customer.

For a new IP address on your existing domain (e.g. a server move), my recommendation is to obtain details of:

  • How long the IP address has been allocated to the hosting company
  • All domains assigned to the IP address previously
  • Details of the organisations who own those domains
  • What is hosted on 'nearby' IP addresses, i.e. in the same address block
  • What else is listed on the same domain name servers, and the company who operates them

For a new web domain, check:

  • Ownership history
  • Current and prior internet usage (web, email, ftp, etc)
  • The IP addresses for both of these (as above)

Then, evaluate whether there is anything you might not want to be associated with, or anything that has been excluded by web/email filtering/firewall systems due to what it has been used for or the content it contained. Check other server IP addresses as well (e.g. your mail server) if these are changing too. Also check what else is hosted on 'nearby' IP addresses in the same range.

For a new web domain, use tools like Netcraft, Site Advisor, The Way Back Machine and Google searches to investigate prior use. Check with suppliers of web filtering gateways and providers of reputational services whether the domains are blacklisted.

For mail, the Spam and Open Relay Blocking System (SORBS) and Spamhaus list potentially problematic spam sources and open mail relays. There are many more similar searchable spam lists listed at dr.moensted. You may also want to check whether Hotmail, GMail and AOL treat the IP or domain as a source of spam.
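The blocklist checks just mentioned can be scripted rather than clicked through one at a time. As an added example (not code from the original post), the following looks an IPv4 address up in Spamhaus ZEN and SORBS the way mail servers do: reverse the octets, append the list's zone, and read the A record, where an answer in 127.0.0.0/8 means "listed" and the last octet says why. The ZEN return codes are the ones Spamhaus publishes; the canned answers used for the offline demonstration are constructed and are not real listings, and the resolver is pluggable so the same function runs against the system resolver in practice.

```python
"""Look an IP address up in DNS-based blocklists (Spamhaus ZEN, SORBS).

Added example, not from the original post. DNSBLs are queried by reversing
the IPv4 octets and appending the list's zone; a listing is signalled by an
A record in 127.0.0.0/8 whose last octet gives the reason. The ZEN return
codes are the ones Spamhaus publishes; the CANNED answers are constructed for
an offline demonstration and are not real listings.
"""
import ipaddress
import socket

ZONES = {
    "zen.spamhaus.org": {
        2: "SBL (spam source)", 3: "SBL CSS (snowshoe spam)",
        4: "XBL (exploited host)", 5: "XBL (exploited host)",
        6: "XBL (exploited host)", 7: "XBL (exploited host)",
        9: "SBL DROP", 10: "PBL (ISP end-user range)", 11: "PBL (Spamhaus policy)",
    },
    "dnsbl.sorbs.net": {},   # SORBS uses many sub-codes; any 127.0.0.x answer is a listing
}
# Spamhaus signals query problems (rather than listings) in 127.255.255.0/24.
SPAMHAUS_ERRORS = {
    252: "typing error in query",
    254: "query via open/public resolver refused",
    255: "excessive number of queries",
}

# Constructed offline answers keyed by query name (TEST-NET addresses).
CANNED = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.10",      # constructed: PBL listing
    "10.2.0.192.dnsbl.sorbs.net": None,               # constructed: not listed
    "5.2.0.192.zen.spamhaus.org": "127.255.255.254",  # constructed: resolver refused
}


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def system_resolver(name):
    """Resolve with the host's resolver; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def canned_resolver(name):
    return CANNED.get(name)


def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return {'zone', 'listed' (True/False/None for error), 'detail'}."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return {"zone": zone, "listed": False, "detail": "not listed"}
    a = ipaddress.ip_address(answer)
    code = int(answer.split(".")[-1])
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return {"zone": zone, "listed": None,
                "detail": "lookup error: " + SPAMHAUS_ERRORS.get(code, answer)}
    if a not in ipaddress.ip_network("127.0.0.0/8"):
        # Something other than a DNSBL answer (e.g. a wildcarding resolver).
        return {"zone": zone, "listed": None, "detail": f"unexpected answer {answer}"}
    return {"zone": zone, "listed": True, "detail": ZONES[zone].get(code, f"code {code}")}


def check_all(ip, resolve=system_resolver):
    return [check_dnsbl(ip, zone, resolve) for zone in ZONES]


if __name__ == "__main__":
    for result in check_all("192.0.2.10", canned_resolver):
        print(f"{result['zone']:<18} listed={result['listed']}  {result['detail']}")
```

Two caveats matter in practice: Spamhaus answers 127.255.255.254 rather than a listing when queried through large public resolvers, so run this from a resolver of your own, and a "not listed" result from a few public lists says nothing about the private reputation data that Hotmail, GMail and AOL apply, which still has to be tested by sending.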

If you are purchasing an existing domain name, as opposed to registering one from scratch, check its previous and current use. Some companies serve advert pages for domains they own but are not allocated to a web site - be very wary of these.

If your hosting company won't help with this enquiry, go elsewhere.

Posted on: 15 August 2008 at 10:15 hrs


Domains : Web Security, Usability and Design


Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com