What is blockchain and what can it be used for?

Blockchain is a database that stores transactions; the transactions or other stored data cannot be modified after the fact.

Linked computer systems (nodes) verify blocks, and each block contains a hash. It also contains the hash of the previous block to maintain integrity. A hash is a form of coded message in which the data is encoded using numbers and letters. If any data within the block is altered, the hash immediately changes and the nodes become aware that the data is not authentic. A change of a single letter in a word would trigger a hash change. Hashes have the same length, regardless of the amount of data. A changed hash breaks the chain, and the computing power needed to keep the chain together with this fake hash would be too high.
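The hash linking described above can be shown in a few lines of Python. This is an added example, not code from any real blockchain: the block layout, the function names and the sample transactions are constructed, and proof-of-work and network consensus are left out. It shows that changing one character in a block is detected, and that recomputing that block's hash only moves the break to the next block.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, data, prev_hash):
    # SHA-256 always yields 64 hex characters, whatever the size of the data.
    payload = json.dumps([index, data, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, data, prev)
        chain.append({"index": i, "data": data, "prev_hash": prev, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev:
            return block["index"]  # link to the previous block is broken
        if block_hash(block["index"], block["data"], block["prev_hash"]) != block["hash"]:
            return block["index"]  # contents no longer match the stored hash
        prev = block["hash"]
    return None

def tamper(chain, index, new_data, rehash=False):
    """Return a copy of the chain with one block's data changed."""
    copy = [dict(b) for b in chain]
    copy[index]["data"] = new_data
    if rehash:  # the forger also recomputes the altered block's own hash
        copy[index]["hash"] = block_hash(index, new_data, copy[index]["prev_hash"])
    return copy

# Constructed sample transactions.
SAMPLE = ["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print(first_invalid_block(chain))
    print(first_invalid_block(tamper(chain, 1, "bob pays carol 3")))
    print(first_invalid_block(tamper(chain, 1, "bob pays carol 3", rehash=True)))
```

To hide the change, every block after the altered one would have to be recomputed as well, which is the work the paragraph above describes as too expensive.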

Reuters: Blockchain explained

Blockchain was derived from Bitcoin and has gained many institutional supporters. Banks have a unique interest in the technology in that they believe it has value in being integrated into the banking system.

Torgeir Storstrand, Tech Writer AIOIS

How secure are the major search engines and which is the best?

There are few quality search engines on the web due to consolidation and the startup costs involved in indexing the expansive amount of data online. There are only two key players in standard web search, Google and Bing. In the voice search domain, Alexa leads Google. So how secure are they really? There is no way to say for sure but we will attempt to rank and analyze the engines as well as study their public statements to present to you an accurate overview of how each functions and which engine might be best for you.

The safety record

There have been very few reported mainstream search engine breaches in which IP addresses and corresponding search activity were leaked online. This creates questions in and of itself about the transparency of such companies. When do they really decide to disclose that there has been a breach?

The most significant breach was of AOL in August 2006, in which detailed search logs were released and are now available online for anyone to view. 650,000 users over a 3-month period had their complete search activity leaked mistakenly online. The data was intended for research purposes.

Every search engine saves your search queries to improve the search engine for the next user. Search engine rankings:

Google

Google has been online since the late 1990s. Originally developed as a student project at Stanford, the idea progressed into a behemoth of a company that now spans hundreds of products and apps. The idea behind Google is that web pages or websites with the most backlinks rank higher (people who believe a website is informative decide to link to it via their own website or social media).

Some might consider Google to be a monopoly, and many governments are trying to penalize them for anti-competitive actions. Google was most recently targeted by the EU for manipulating its search engine results for shopping websites, in which the EU claims Google gives favor to its own products in search results. Google was fined over 2 billion dollars, and yet they remain defiant and continue to refuse to promote competitors.

Because Google is such a big company, it is often unfriendly to developers and difficult to reach. They offer almost no customer support to non-paying users. Many find this a questionable practice, since Google is profiting from user-provided data although users are not actually paying to use many of their services.

Google has a very polished and fast search engine that provides the best results for short-tail searches. For the very long tail and niche terms, some might question its usefulness. Google integrates their search functionality into their apps. Google also now uses AI to analyze search results and present the most relevant, moving away from strictly focusing on on-page keywords and backlinks.

Google, as well as social media companies, has recently become the target of privacy-conscious web users who are concerned about how it uses the data it collects from its users. Google cooperates with government investigations and complies with gag orders, making its products subject to surveillance. Therefore, if you are being surveilled, it might be that you never even find out, making the use of their products by certain minority groups quite dangerous. There have been cases where journalists were being monitored because of the type of search queries they were making. Full government cooperation lowers Google’s grade significantly.

All your search terms are recorded as well as your associated IP. Google uses persistent tracking cookies to create a filter bubble, altering the results you see based on your previous queries. Google likely feels the majority of the public does not care about privacy so they do not feel obligated to tell them the truth about what is really going on. Their involvement in dangerous AI programs creates even more questions.

Google’s SSL Grade: A

  • Final grade: C-

Bing

Bing’s SSL Grade: A

Bing is Microsoft’s attempt to enter the search market. Most of their effort was in the early 2010s and they have decreased their marketing activity, an admission that they cannot defeat Google. Some might question why Microsoft even continues to run Bing, considering so few people use it. The most likely reason Microsoft has not shut down Bing is that they are probably benefiting from heavy automation and are able to cut their costs significantly. Bing might remind many of Windows Phone, a noble effort but not good enough to get people to switch from their existing providers.

Like Google, Bing participates in government surveillance programs and actively monitors search activity. All your search terms are recorded as well as your IP. Tracking cookies are used.

  • Final grade: C

Yahoo

Yahoo is based in the U.S. and is no longer an authentic search engine. It has a partnership with Bing, so the results you see in Yahoo are provided by Bing and do not offer much in the way of being original. Yahoo has recently made a strong effort in improving the design and the way data is presented to users, so it might still provide some value to users. Yahoo, like Google, participates in government investigations. Yahoo recently was caught up in a scandal that involved it giving away users’ entire email inboxes to government agencies.

Yahoo is not a very fast search engine, relative to Google. All your search terms are recorded as well as your corresponding IP. Tracking cookies are placed in your browser.

Yahoo’s SSL Grade: A+

  • Final grade: C

Startpage

Startpage has been around since the late 1990s and is a very secure search engine. They obtain their results from Google and present them to you anonymously, without linking your search terms to your IP. Startpage does not use cookies and does not show the search requests in the search URLs, so anyone who views your browsing activity is unable to tell what searches you were making.

Startpage is based in Europe. There are two main issues with Startpage: slow page load times and some clearly untrue statements in the privacy FAQs. Within these FAQs they state that your search is not recorded, which is a play on words to make you think that your search terms are not being saved. Your search terms are being sent to Google (without your IP), so they could possibly tie your search activity to you if you include PII in your search activity. This is a dangerous play on words in our book, so it would be best that Startpage update its FAQs and be honest. Startpage is still an excellent company and they might be stretching the truth to comfort new users. Another question might be how many IPs and servers they are using to retrieve their results, because if Google can identify all of these IPs they can conduct mass surveillance on all search terms entered into Startpage.

Startpage’s SSL Grade: A+

  • Final grade: A-

DuckDuckGo

DuckDuckGo has a policy of not recording your IP address when you search the web. They also offer a clear interface for searching the web. DuckDuckGo does not offer Google results directly on their website; therefore, it would be difficult to give them an A. They are very transparent and have affiliations with privacy groups, so there is no reason not to trust them. They also offer browser tools to help maintain your privacy online.

All your search activity is recorded, although it is not tied to your IP address. A negative would be lack of clarity as to where your search queries are being sent.

DuckDuckGo’s SSL Grade: A+

  • Final grade: B+

That is it for our search engine rankings. We will be sure to update as time goes on.

Hilmar Ingolfsson, Senior Editor AIOIS

What is a DNS leak and how to test or detect and remedy

Your Internet provider needs to resolve domain names, mapping between a server’s numerical IP address (such as 222.222.222.222) and a simple domain name.

If you allow your ISP to do this, which is standard, they can view all websites you are connecting to: not the specific URLs, but the domain names you are accessing, because they have to resolve them for you.

Often people will find this out and take corrective action, which might include using a VPN service or proxy. What they might not realize is that their online activity could still be leaking via DNS resolution by their ISP. DNS leaks typically affect Microsoft products more than Apple, but any device is vulnerable if there is a configuration issue.

How To Test

Check your IP and DNS at the following DNS Leak Test website.

How To Resolve

Use a VPN provider that provides DNS leak protection. We recommend NordVPN.
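A local check can complement the leak test website. The following is an added example, not part of the original article: it reads a Unix-style resolv.conf and reports any configured resolver that sits outside the address range the VPN is expected to use. The file contents and the 10.8.0.0/24 VPN range are constructed assumptions.

```python
import ipaddress

def classify_resolvers(resolv_conf_text, vpn_networks):
    """Map each configured nameserver to 'vpn', 'leak' or 'local stub'."""
    vpn = [ipaddress.ip_network(n) for n in vpn_networks]
    result = {}
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        # Strip an IPv6 zone id such as fe80::1%eth0 before parsing.
        addr = ipaddress.ip_address(parts[1].split("%")[0])
        if addr.is_loopback:
            # A local forwarder hides the real upstream; inspect its own settings.
            result[str(addr)] = "local stub"
        elif any(addr in net for net in vpn):
            result[str(addr)] = "vpn"
        else:
            result[str(addr)] = "leak"  # queries to this server bypass the VPN's DNS
    return result

# Constructed sample: one VPN resolver, one home-router resolver, one local stub.
SAMPLE_RESOLV_CONF = """\
# generated by the VPN client
nameserver 10.8.0.1
nameserver 192.168.1.1   # router handed out by the ISP
nameserver 127.0.0.53
search lan
"""

if __name__ == "__main__":
    for server, verdict in classify_resolvers(SAMPLE_RESOLV_CONF, ["10.8.0.0/24"]).items():
        print(f"{server:15} {verdict}")
```

A clean result here only describes the local configuration; the leak test website shows which resolver actually reached the outside world.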

Yuzuki Hashimoto, Tech Writer AIOIS

How to test your website’s TLS or SSL Security

Strong website security has never been more important. There are many ways to secure your server from external threats.

There is one easy way to protect your visitors and help them stay securely connected to your server. An encrypted end-to-end tunnel using PFS and TLS provides your users with the best security. TLS, formerly known as SSL, comes in two main specifications: TLSv1.2 and TLSv1.3. Anything below TLSv1.2 is not considered secure. You connect to AIOIS with either TLSv1.2 or TLSv1.3 (depending on your browser), as well as PFS. PFS stands for perfect forward secrecy, creating an uncrackable and variable code.

Testing Your Server

Network administrators often use TLS, but often do not check the strength of their ciphers and vulnerabilities to common exploits. The best resource to test your server is the Qualys SSL Server Test from their SSL Labs division. (AIOIS Test Results)

Your website’s TLS security can vary based on many factors. Qualys displays this in a clear way, explaining how different browsers will experience your website as well as any potential vulnerabilities. Here is a sample protocol analysis:

DROWN: No, server keys and hostname not seen elsewhere with SSLv2

(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN website here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete

Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: No
Insecure Client-Initiated Renegotiation: No
BEAST attack: Mitigated server-side
POODLE (SSLv3): No, SSL 3 not supported
POODLE (TLS): No
Downgrade attack prevention: Yes, TLS_FALLBACK_SCSV supported
SSL/TLS compression: No
RC4: No
Heartbeat (extension): No
Heartbleed (vulnerability): No
Ticketbleed (vulnerability): No
OpenSSL CCS vuln. (CVE-2014-0224): No
OpenSSL Padding Oracle vuln. (CVE-2016-2107): No
ROBOT (vulnerability): No
Forward Secrecy: Yes (with most browsers), ROBUST
ALPN: Yes (h2, http/1.1)
NPN: Yes (h2, http/1.1)
Session resumption (caching): Yes
Session resumption (tickets): Yes
OCSP stapling: Yes
Strict Transport Security (HSTS): Yes, max-age=31536000; includeSubDomains; preload
HSTS Preloading: Chrome, Edge, Firefox, IE
Public Key Pinning (HPKP): No
Public Key Pinning Report-Only: No
Public Key Pinning (Static): No
Long handshake intolerance: No
TLS extension intolerance: No
TLS version intolerance: No
Incorrect SNI alerts: No
Uses common DH primes: No, DHE suites not supported
DH public server param (Ys) reuse: No, DHE suites not supported
ECDH public server param reuse: No
Supported Named Groups: x25519, secp256r1, secp384r1, secp224r1, secp521r1 (server preferred order)
SSL 2 handshake compatibility: No


SSL or TLS is only a part of securing your website. Having strong TLS creates a strong and secure connection for your users. The results of this test should not be viewed as the complete security of your website. A server administrator still needs to implement IPSs and IDSs, intrusion prevention systems and intrusion detection systems – another way of saying firewalls.

After The Test

You will need to adjust your ciphers in your server settings. Check with your network administrator or find a list of strong cipher suites. You may also need to reissue or increase the encryption level of your certs. Use a strong cipher suite that includes perfect forward secrecy. You will also need to disallow or remove deprecated standards including TLSv1.1. View this guide on TLS cipher hardening.
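The hardening steps above can be expressed and checked with Python's standard ssl module. This is an added example, not the configuration AIOIS or Qualys uses: the cipher string, the function names and the legacy sample are assumptions chosen for illustration. It builds a server context with a TLSv1.2 floor and forward-secret suites only, then audits it next to a constructed legacy configuration.

```python
import ssl

# Assumed policy (OpenSSL cipher-list syntax): ECDHE key exchange with AEAD ciphers only.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"

def hardened_server_context():
    """Server-side context that refuses TLSv1.1 and older and non-PFS suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx

def forward_secret(cipher_name):
    # OpenSSL names TLS 1.3 suites TLS_*; they always use an ephemeral key exchange.
    # In TLS 1.2 only ECDHE-/DHE- suites provide forward secrecy.
    return cipher_name.startswith(("TLS_", "ECDHE-", "DHE-"))

def audit(min_version, cipher_names):
    """Return findings for a protocol floor and a list of OpenSSL suite names."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor {min_version.name} is below TLSv1.2")
    for name in cipher_names:
        if not forward_secret(name):
            findings.append(f"{name}: no forward secrecy")
        if any(tag in name for tag in ("RC4", "DES-CBC3")):
            findings.append(f"{name}: legacy cipher")
    return findings

def audit_context(ctx):
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])

# Constructed legacy configuration, for comparison with the hardened one.
LEGACY = (ssl.TLSVersion.TLSv1_1,
          ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"])

if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    for finding in audit(*LEGACY):
        print("legacy:", finding)
```

The same policy string can be carried over to any server that accepts OpenSSL cipher-list syntax; rerun the Qualys test afterwards to confirm the result from the outside.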

Alfred Medved, Sr. Tech Editor AIOIS