When Tim Berners-Lee made famous the “World Wide Web” by introducing the HTTP protocol, he set the standard that all web sites would start with “www” as a host name prefix. It was supposed to indicate it’s a web site, for everyone who hadn’t seen this new way of using the Internet.
That was the early 90’s.
Now, 20+ years later, the World Wide Web is as ubiquitous as e-mail or postal code addresses. Everyone knows what to do when they open a browser. Even better, when someone receives an email with a web link (URL) in it, even though it’s not safe to click on any random links via email if source of information is not checked.
So why do web developers and content managers still tag on the prefix www into their host names? Perhaps, out of habit because that’s how they learned to use the Internet from 20 years ago. Maybe the fault is with e-mail servers, like Microsoft Exchange, creating automatic hyperlinks whenever “www.” is in the text, which makes it easier for mailing list managers to create content without deliberately hyperlinking URLs.
Whatever is the reason, people need to stop adding the prefix www when entering a web address. It’s a pain to setup on the server and network sides because DNS have to contain both entries (as alias or A records), web servers need to accept both host names, and SSL certificates have to be requested with www as a common name.
Besides, without the www prefix, it’s easier to tell someone (written or verbal) of the website’s shorter address. Nowadays, the prefix is superfluous and unnecessary.
The sensational headline news this week was “Heartbleed” security flaw, which was covered by most mainstream and tech sites. It was an old bug that was accidentally introduced, and just discovered recently. The report got IT professionals scrambling to fix their systems.
At first glance, the bug is benign enough, with chances of hacking the passwords or SSL keys rather slim. However, like any other hacking issues, if someone is determined (and clever) enough to exploit this bug, they may just get a bunch of useful data. Whether or not they can use the hacked data to steal client information, or use it for a phishing site, it’s unclear. Just the thought of the potential leak scares the daylights out of everyone! It’s also proof that the marketing behind this bug was very effective.
Regardless, the actions need to be taken are as follows:
- Check with Qualys SSL Analyzer to determine if your site is vulnerable.
- If vulnerable, upgrade OpenSSL to version 1.0.1g, or alternatively recompile OpenSSL without the “heartbeat” option (-DOPENSSL_NO_HEARTBEATS).
- Recompile or restart the web server to reload the latest OpenSSL libraries.
- Test the site(s) with the Qualys SSL Analyzer again. Also check if site is functional.
- With the new OpenSSL, generate a new SSL key, and re-key a new certificate. Install the new key/certificate in the web server(s).
- Urge the users to change their passwords – which they occasionally have to do, anyway. This step is tricky considering the PR scare that it’s going to generate when admitting the site is vulnerable. However, the notification is the responsible thing to do.
When the dust settles, we can look back and use this as an important reminder how fragile the Internet is. Customers are expected to be cautious of their data being transmitted over the Internet, no matter how secure a company claim they’re being kept.
W3CSchools has stats for IE6 usage at about 15%, as of May 2009. IE6 in Enterprise environment is still being used,
It’s steadily dropping because of the wide acceptance of Firefox, and Corporations are proactively upgrading to IE7 or IE8. This number will change dramatically when Enterprise favors Windows 7 as the new standard for productivity machines.
Some websites have already taken steps to prevent IE6 from loading their site. I can only applaud their efforts.
IE6 Denial Image