Using Calibre to Manage E-books and Newspaper RSS Feeds
When traveling, it is sometimes useful to use the down time to do technical or business reading in situations where you really cannot use a laptop. If your reading is keeping up with blogs and web sites, Calibre can help you to create a library of technical books and convert a website RSS feed into an EPUB that is easy to read on a tablet or e-reader. The article that follows will describe what Calibre can do and give you some hints on how to set it up. The article is divided into the following sections:
- How to Use Calibre to Prepare for a Trip
- Loading Technical Manuals and Papers
- Setting up Newspaper Downloads
- Installing a Companion Application on Your Tablet
- Downloading Epub Files to Your Tablet
- Summary
How to Use Calibre to Prepare for a Trip
Calibre can manage e-reader files for Kindle, Nook and iPad tablets and e-readers. It is a great application to inventory and manage all of the technical manuals for hardware, software–you name it. It can eliminate a lot of paper and more importantly, make sure that you can find a manual quickly when you need it.
Calibre also has a feature where it will download an RSS feed and convert the feed into an EPUB file that can be loaded onto your e-reader. It has pre-configured recipes for most major newspaper feeds; in some cases it will only download the free RSS feeds, but for some publications, if you have a paid subscription and a user ID/password, it will generate an EPUB of the subscriber content. It will keep a history of the EPUB files–a feature that many of the newspaper-provided applications do not offer.
To prepare for a trip, you simply connect to Calibre and load the magazines, manuals and newspapers of interest on to your e-reader.
Loading Technical Manuals and Papers
After installing Calibre, the first step is to collect all of the PDF, EPUB and MOBI files for all of the digital magazines, manuals and books that you have. Once you have collected them, start Calibre and choose the Add Books option from the main menu, and load all of your items into the Calibre library. In my case, I have two Calibre servers: one on a server at home that stores everything, and a second on my laptop to pull down newspapers while I am traveling.
Setting up Newspaper Downloads
Once you have set up your library of magazines and manuals, it is time to set up the daily newspaper feed. To do this, go to the “Fetch News” menu option and configure the newspapers that you want to download. The newspapers will download manually when you start Calibre each day, or you can configure a batch program to run automatically under cron or some other scheduler.
Installing a Companion Application on Your Tablet
Once you have Calibre working, it is time to set up your tablet or e-reader. On Android, the two options that I have used are Calibre Companion and FBReader with the FBReader Calibre Connection. Which you use really depends upon what e-reader you like. To navigate within the EPUB files that Calibre creates, you will need to touch the middle of the screen. Bluefire and some other readers won’t let you do this, but FBReader will. Generally speaking, if you are on Android, try FBReader first and if you do not like it, then purchase Calibre Companion. If you use an iPad, you will need to use the web interface to download books from Calibre.
Downloading Epub Files to Your Tablet
The method that you use to download books to your tablet will depend upon the e-reader that you use. On Android, you will generally communicate through the companion application that you installed. On iPads, you will surf the web to the URL for the Calibre server, and select your books for download through the web interface. For dedicated e-readers that do not have a browser, you can connect the e-reader via USB and the Calibre desktop application will recognize it. You can side-load files over the USB connection.
Summary
Calibre can make keeping track of technical manuals much easier and can also provide a great interface to digital newspaper subscriptions. It also has a number of utilities for creating e-books that will be covered in a future article.
- Written by Bruce Moore
Duplicate Canonical URLs in Joomla--Configuring sh404SEF
Many content management systems have multiple URLs that map to a single article–a serious problem from the perspective of search engine optimization. In my case, resolving a duplicate URL problem approximately doubled my site traffic in a little over a month. The markup for canonical URLs will resolve this problem if it is correctly implemented. Unfortunately, in Joomla 3.x, the canonical markup is used on each URL as described in The Problem With Joomla's Canonical URL Links, so that several URLs are identified as canonical; this wreaks havoc with Search Engine Optimization, as Google and other search engines look at these as duplicated content.
The basic steps for diagnosing and fixing this problem are covered in the following sections:
- Determining Whether or Not You Have a Duplicate URL Problem
- Evaluating Alternative Search Engine Friendly (SEF) URL Extensions
- Planning Will Avoid Misadventures
- Configure sh404SEF
- Final Results
- Conclusions
Determining Whether or Not You Have a Duplicate URL Problem
The first step in this process is to determine whether or not you have a problem in the first place–your Content Management System (CMS) may not have this problem, or your web site may already have been fixed. To tell if this is a problem on your web site, go to Google Webmaster Tools, and go to Search Appearance->HTML Improvements. If you use a unique description and title for each article, you should see few if any duplicates. When I first worked on this aspect of my web site, there were about 11 articles with duplicate URLs as shown in Figure 1.

Evaluating Alternative Search Engine Friendly (SEF) URL Extensions
I started the process of fixing the duplicate URLs by doing research on add-ins that worked on the problem, and settled on a paid add-in, sh404SEF from Weeblr. It was distributed by Anything Digital until very recently; the reasons for this change are not clear. At this writing, sh404SEF shows options for the following extensions on the configuration page:
- Contacts
- Weblinks
- Virtuemart
- Community Builder
- Jomsocial
- Kunena
- MyBlog
- Mosets tree
It shows support for Social Networking, Twitter Cards, Google Authorship and Google Publisher tags. It has numerous other features that I plan to implement, but which were not part of this project. In evaluating extensions on Joomla, one of the key differentiating factors was whether or not an extension handles tags; if you do not use tags, you will have many more choices, and many more free choices.
Planning Will Avoid Misadventures
I installed the add-in; ultimately it eliminated my problem with duplicate URLs, and almost doubled my website traffic in six weeks. Unfortunately, I didn’t really plan my implementation and that led to a number of problems that I had to fix; Google indexed my site twice while I was figuring things out and ended up indexing even more URLs for each article. It would have been a much shorter period if I had spent more time reading the documentation at the beginning. The article that follows describes how to set this up and some of my misadventures in the process. Figure 2 shows the increase in duplicate URLs due to not planning my conversion. The planning section that follows describes the decisions that I should have made in advance of the cut-over and before robots had a chance to crawl my web site.
Setting up sh404SEF on a new system would be a straightforward process. Doing so on an existing system adds a number of complications. You should do this during a low-traffic time and take your site off-line or turn off robot access in robots.txt while you are making all of the changes. The basic planning steps are as follows:
- Decide on changes to menu structure for web site
- Decide on whether or not to include .html as an extension on URLs
- Decide on whether or not to implement .htaccess
- Collect Historical URLs

Decide on Changes to Menu Structure for Web Site
sh404SEF sets up the canonical URL based upon the menu structure used to get to an article. If you plan any changes to your menu structure, now would be the time to do it so that you only have to set up your redirects once. During the month after setting up sh404SEF, Google Analytics and other analytics tools will show multiple URLs for each article and will thus be difficult to interpret. If possible, finish any web site redesigns before making the switch to sh404SEF.
Decide on Whether or Not to Implement .htaccess
The second major decision that you must make is whether or not you want your URLs to include ?index.php immediately after the domain. If you don’t want this, you will need to set up .htaccess as a redirect method. The help for sh404SEF does not have much information on this, but the .htaccess that is generated by Akeeba Admin Tools apparently has everything that is necessary. Changing my decision on this is one of the causes for my duplicate URL problem to balloon before I got everything configured correctly.
Decide on Whether or Not to Include .html as an Extension on URLs
The third decision in the set-up process is whether or not to use a .html extension default. If you try to make this change after Google has re-indexed the site–which will probably be on the first day–you will have to set up redirects for the pre-sh404SEF URLs and for the post-sh404SEF .html URLs. This is one of the mistakes that I made that caused the number of duplicate URLs to balloon.
Collect Historical URLs
The most important step in the planning process is to collect your historical URLs by making a copy of your sitemaps and a copy of all of the landing pages in Google Analytics or whatever analytics tool you use. You will use these lists to set up redirects from your old URLs to the new ones so that search engine users will be able to find your content while the search engines are in the process of indexing your new URLs.
Configure sh404SEF
Once you have made these decisions, it is time to install and configure sh404SEF. Make sure to do this during a low-traffic time and temporarily turn off robot access in robots.txt. The steps are generally:
- Turn off Search Engine Friendly (SEF) URLs in Base Joomla
- Enable sh404SEF and Turn on .htaccess Rewriting
- Remove .html from URL File Suffix
- Set up 404 redirects for all URLs
- Set up Name for Lists of Articles
Turn off Search Engine Friendly (SEF) URLs in Base Joomla
The first step in the configuration process is to turn off the SEF URLs and rewriting in base Joomla as shown in Figure 3.

Enable sh404SEF and Turn on .htaccess Rewriting
The next step after installing sh404SEF is to enable it and turn on rewriting (if you have chosen not to have ?index.php as part of each URL) in the component administration page as shown in Figure 4. To turn off ?index.html, go to the first panel of Components->sh404SEF->Control Panel and set the rewriting mode to .htaccess.

Remove .html from URL File Suffix
If you have decided not to use a file suffix, null out the File Suffix section in the configuration pages. To remove the .html at the end of URLs, go to Components->sh404SEF->Configuration->General->Main and change the value in the File Extension box from .html so that it is empty as shown in Figure 5.

Set up 404 Redirects for All URLs
On the sitemap that you saved, select each of the URLs in the sitemap. This will cause a 404 not found error to be logged on your web site. If you forgot to save a sitemap, you can log in to Google Analytics and go to the Acquisition->Landing Page section and select each of the URLs listed. Next, log in to Google Webmaster Tools and go to the query section and do the same thing. This will generate a relatively complete list of all of the old URLs in the redirect module of sh404SEF.
After generating 404 errors for all of the old URLs, it is time to go back to sh404SEF and create redirects to the new URLs. To do this in the Joomla Admin section, go to Components->sh404SEF->404 Requests Manager as shown in Figure 6. For each of the URLs listed, select the “Redirect to an SEF URL” option and select the correct URL for the article. If the URL does not appear in the prompt list, you may need to use the “Enter a redirect URL” option. This will get most of the important URLs on your site redirected, but you will need to repeat this step every day for a couple of weeks to get all of the URLs redirected.
If you have a large number of old URLs to redirect, the URL manager in sh404SEF has an import capability that may help in this process.

Set up Name for Lists of Articles
The final major step in setting up sh404SEF is setting the name to be used in the URLs that show a list of the articles in each category. “Table” is used in the example shown in Figure 7.

Final Results
After installing sh404SEF and mis-configuring it, the number of duplicate URLs actually grew from 11 to 23 as shown in Figure 2, and then went higher. After correctly configuring sh404SEF and waiting several weeks for Google to reindex the site, the number shrank to 3 as shown in Figure 8, and will soon likely be one or two.

Conclusion
Fixing the duplicate URL problems on your web site will dramatically increase your site traffic due to better indexing within Google and other search engines. Thinking through some of the problems in advance will make this a less labor intensive process.
- Written by Bruce Moore

Why and How to Set Up SSL/HTTPS on Your Web Site
This article was originally published in March of 2015. On November 15, 2016, it was updated with information on newer and easier ways to set up SSL.
Most large website operators are somewhere on the road to implementing Secure Sockets Layer (SSL)–also known as HTTPS–on their web sites, but many small web site operators see no need to go through the effort of converting to SSL. There are fundamentally four reasons to make the switch:
- HTTPS can help end users to identify a spoofing attack.
- HTTPS can help prevent man-in-the-middle attacks.
- HTTPS web sites will be favored in Google page ranks. This started in 2014.
- Unencrypted sites will start to get visual penalties in Chrome beginning on January 10, 2017, and eventually in search results.
While many web site operators may not feel the need to defend users against spoofing and man-in-the-middle attacks, they will almost certainly feel the need to improve their Google search rank. If this article is too intimidating, just ask your support person or hosting firm for “AutoSSL” and “Let’s Encrypt.” Many hosting firms have both AutoSSL and Let’s Encrypt but do not show this in CPanel; they will gladly charge you for paid domain validation certificates. They may install a Let’s Encrypt certificate free, but only if you specifically ask for AutoSSL and Let’s Encrypt certificates. The article is divided into the following sections:
- Spoofing Attacks and How SSL Can Help
- Man-in-the-middle Attacks and How SSL Can Help
- What is a Certificate?
- Certificate Types
- Certificate Vendors
- Deciding how to Convert to SSL (HTTPS)
- Setting up AutoSSL
- Obtaining and Installing A Certificate Using CPanel
- Configuring Joomla for SSL
- Set up .htaccess
- Let Google Know
- Setting up a Test Environment
- Lenovo Superfish
- Summary
Spoofing Attacks and How SSL Can Help
Spoofing occurs when an attacker imitates your web site and tries to get your customer to enter login credentials that the attacker can then use to log in to your site. The most common form of spoofing occurs in emails, but a less well known but more devastating attack is performed by compromising a domain name server (DNS). Your customer enters your URL in their browser and is directed to the attacker’s site by the compromised DNS server. A quick search of the Internet will unearth some major DNS compromises:
- After malware corrupted the DNS entries on millions of computers, the FBI took over the criminally operated DNS servers and ran them for several years.
- Google’s DNS servers in South America were compromised for a short period in August 2014.
- In August of 2014 many users concluded that Verizon’s DNS servers were compromised, although Verizon never publicly admitted this. I was one of the users who investigated my own DNS issues and reached the conclusion that Verizon’s servers were compromised.
How will setting up SSL on your website help to protect your users from spoofing attacks? It is easy for a spoofer to download your entire website using wget without breaking in to your site at all. Spoofing SSL certificates for your sites is another matter entirely, and requires a significant and time-consuming attack on your site to get the private key used to create your certificates.
End users for your site should know to look for the lock icon when accessing your site; if the lock icon is missing, or the user is prompted to accept a root certificate, they will know that something is amiss. Of the major browsers, Mozilla Firefox, Google Chrome and Opera have the best user interface for noticing whether or not a site supports SSL. Figures 1 through 4 show how the Firefox browser presents the lock icon indicating an HTTPS connection. Figures 2 through 4 show the information on the certificate that is shown if the user clicks on the various buttons for more information. Figures 5 and 6 show how the Chrome and Opera browsers present the lock icon indicating an HTTPS connection. Figures 7 and 8 show the lock icon presentations in Microsoft Internet Explorer and Apple Safari respectively.
All of the figures are shown for the Class 2 certificates that most small website operators will purchase. Some of the browsers handle Class 3 or Class 2 Extended Validation certificates differently in their user interfaces. Since these types of certificates are quite expensive, it is unlikely that small website operators will purchase them; since this article is directed to small website operators, I won’t discuss how browser interfaces handle those types of certificates, but will discuss the various certificate types in a subsequent section.
Converting your site to HTTPS won’t prevent spoofing attacks from tricking your users, but it will give your observant users a way to identify that they have been subjected to a spoofing attack.








Man-in-the-middle Attacks and How SSL Can Help
Man-in-the-middle attacks are the other major type of attack where SSL and HTTPS can help. In this type of attack, the attacker listens in on an unencrypted connection and captures user ID and password information that can be used to log in to the site at a later date. This type of attack is commonly performed by setting up an open WiFi access point in a public place. Many Internet Service Providers (ISPs) sniff traffic for the web sites that users visit, and insert ads into the datastream based upon the sites that the user visits. A less common version of this attack requires compromising a router and redirecting traffic through a router/server that listens in on the conversation. This very organized attack is more common than most people realize:
- In November 2013, traffic to U.S. Department of Defense web sites was maliciously rerouted through servers in Iceland.
- In November 2013, traffic from Mexico to New York City was maliciously routed through servers in Belarus.
- In November 2014, traffic from Moscow to the nearby city of Yaroslavl was maliciously routed through China.
A website operator cannot control routing of internet traffic. The ONLY defense against this type of attack is to encrypt traffic between the user’s browser and the web server using SSL and HTTPS. The next section describes the various types of certificates in general, with emphasis on the types of certificates of interest to small business website operators.
What is a Certificate?
SSL is based upon public key encryption and upon something called a certificate issued by a certificate authority (CA). Each CA has a root certificate that can only be created using their private key. You install the certificate issued by the CA on your web site.
When the CA creates the certificate that is installed on your website, it uses its private key and a certificate request containing your public key to create the certificate. The major browser manufacturers put the root certificates of well-known and audited CAs into their software. The browser can then verify that the certificate sent by your web server was issued by the CA. If all of the keys and information match up correctly, the browser then shows the lock icon.
Certificates are also used for email authentication and encryption and for signing installation media for some programs, but this article will not cover those uses.
Certificate Types
If you look at the underlying architecture for certificates, you will find a myriad of options in how they are used and created. For the purposes of website owners, this can be broken down into a few different categories that differentiate certificates offered by the various certificate vendors:
- Is the certificate authority accepted for inclusion as a root certificate authority by Microsoft, Apple, Google, Mozilla (Firefox) and Opera–the major browser vendors?
- The level of identity verification for the individuals and organization requesting the certificate.
- How the certificate will be used. Is this to be used for server authentication and encryption, email signing and encryption, or code signing.
- What domains and sub domains will be included?
- What key lengths and encryption standards are supported and incorporated in the certificate?
Certificate Acceptance
Although you can encrypt a web site connection with a self-signed certificate, for the purposes of operating a public web site this is not a realistic alternative. For a public web site, you want to get a certificate from a vendor that has audited identity verification procedures and that is accepted as a Certificate Authority by the major browser vendors:
- Microsoft (Internet Explorer)
- Google (Chrome)
- Mozilla (Firefox)
- Apple (Safari)
- Opera (Opera)
There are some free browser organizations that will issue a certificate, but the root certificates are not included in the maintenance streams for the major browser vendors, and are thus not of much use to public website operators. Many of the certificate vendors offer a type of certificate that will meet the needs of most small business owners. There is no reason to get a certificate from an organization that is not accepted as a root certificate authority.
Note that as of October 24, 2016, Mozilla has indicated problems with StartCom that will result in removal of StartCom root certificates from upcoming browser releases. See the Mozilla Security Blog.
Identity Verification
There are essentially three levels of identity verification that the various certificate vendors will use. Although the terminology of “class” is somewhat outdated, it is still commonly used:
- Class 1 is a certificate with a low level of identity verification. This is sometimes referred to as “domain validation.” The certificate vendor will verify that they are communicating with a person who controls a web site and can place a file in the root directory of the website or respond to email sent to “webmaster”, but will not check government issued identity papers. Certificates with this level of verification are commonly available free of charge from some certificate vendors, and are now available through the free Let’s Encrypt service. For most small web sites, this type of certificate is sufficient.
- Class 2 is a certificate with a higher level of identity verification. This is sometimes referred to as “organization validation.” The certificate vendor will check driver’s license and other government issued identity documents to verify an individual’s identity, and will require government issued incorporation documents and tax ID information. Certificates with this type of verification typically cost about $250-$500. This type of certificate typically comes with free S/MIME email certificates and code signing certificates.
- Class 2 Extended Verification or Class 3 is a certificate where there is significantly more identity verification, and will require proof of a physical business address. This type of certificate typically costs more than $500, but comes with a greatly enhanced display in all of the major browsers.
Certificate Uses
Certificate vendors generally issue three types of certificates, with different costs associated with each feature:
- Email–digitally signing and encrypting email. These are generally issued for Class 1 and Class 2 identity verification levels. Using them requires setting up your email client to do this as discussed in Email Security Part 1: Verifying an Email Sender's Identity Using S/MIME and Email Security Part 2: Digitally Signing Your Email.
- Website/browser encryption. This is the subject of this article.
- Code signing. When you install software and Windows or OS X identifies the name of the company that wrote the software in the box prompting for administrator access, that indicates that the software was signed with a code signing certificate. If you do not develop software, this is a feature that you won’t want to pay more to get. It is frequently bundled in with Class 2 or Class 2 EV certificates.
Certificate Domains
Most certificate vendors differentiate their offerings based upon whether or not the certificate will support named or wildcard subdomains. For example www.mooresoftwareservices.com and imap.mooresoftwareservices.com would require separate individual certificates, a single multi-domain certificate that enumerates the www and imap subdomains, or a wildcard certificate that works for any domain ending in mooresoftwareservices.com. Multi-domain and wildcard certificates are more expensive than single-domain certificates.
Encryption Key Length
The length of the encryption key and the type of encryption supported by the certificate are also a differentiator for certificates. Free certificates typically have shorter key lengths, but typically support at least one of the encryption algorithms in all of the browsers that are actively supported by the browser vendors. At this writing 2048 is the common key length. Some free certificates are issued with a 1024 key length. The key length that you need is really a function of the value of the data. If you have website conversation that would still be valuable five or ten years from now, 2048 and 4096 are the only options, as increases in computing power will make 1024 byte keys easier to crack if an attacker is willing to store the data for a few years to wait for more powerful computers to be manufactured.
Summary of Certificate Types
Table 1 below provides a summary of the groups of certificate features commonly bundled together by the major certificate vendors. In all cases, remember that you are paying for the identity validation, and not the certificate. If your documentation is not in order, you will be charged, but you won’t get a certificate.
Validation | | Single Domain | Multiple Domain | Multiple Domain Wildcard | Unified Communications |
| | Only valid for one domain name, i.e. www.domain.com. If used to secure both website and email as handled in a typical web hosting package, will have to point email to "www.domain.com" instead of "mail.email.com" and set up appropriate aliases in configuration. | Would allow same certificate for www.domain.com and mail.domain.com. All domains must be known and listed at time of issuance. | Would allow same certificate for www.domain.com and mail.domain.com. Could add a domain after issuance of certificate. Will not support multiple levels like mail.division.domain.com. | Would allow same certificate for www.domain.com, mail.domain.com, and in addition multiple levels like mail.division.domain.com. |
Domain Validation (Old Class 1) | Low cost or free. Verification limited to determining if applicant is the webmaster for the domain. Appropriate for small business and organization web sites that don't do transactions. Gives lock icon shown in Figure 2. | Commonly offered. Inexpensive choice for organizations that don't do transactions. StartSSL offers free one year certificate. | Varies by vendor. StartSSL offers up to ten on free certificates. | Technically possible, but not commonly offered. | Technically possible, but not commonly offered. |
Organizational Validation (Old Class 2) | Moderate cost, significant documentation required. Appropriate for small businesses that do transactions, but lower value and volume. Gives lock icon shown in Figure 2. | Commonly issued. | Commonly issued. May be a free feature with some certificate authorities. | Commonly issued. Usually an additional cost. | Not commonly offered. |
Extended Validation (more rigorous than Old Class 2) | High cost. Extensive documentation required. Appropriate for businesses that do transactions of high value or high volume. Gives lock and green bar icon shown in Figure 3. | Commonly a free feature of Extended Validation certificate. | Commonly a free feature of Extended Validation certificate. | Sometimes a free feature of Extended Validation certificate. | Usually used by enterprises that are using Microsoft Exchange for email. |
Certificate Vendors
There are a number of certificate vendors. To get a complete list, go to your browser’s advanced settings and look for the root certificate authorities. In Firefox, use Options->Advanced->Certificates->View Certificates->Authorities. You want to get a certificate from one of the vendors listed. Generally, your web hosting company will have a relationship with a certificate vendor; this will almost certainly be the easiest option, but it probably is not the least expensive option.
For free Class 1 certificates, Let’s Encrypt is rapidly becoming the easiest choice as it is free and there is a CPanel AutoSSL plugin that makes the installation easy. For most small website operators, this is by far the best choice.
For free Class 1 certificates, StartCom and Comodo offer one year and 90 day certificates respectively (at this writing). Other vendors are beginning to offer free Class 1 certificates through hosting firms, so check with your web hosting firm to see if this is available.
Deciding how to Convert to SSL (HTTPS)
As of November, 2016, the easiest way to convert to SSL depends greatly on software levels and services at your hosting company. This section will hopefully give you information on how to proceed. CPanel 58 introduced AutoSSL, which makes managing certificates easy, but requires a dedicated IP address because CPanel 58 does not allow a different certificate for each email domain. CPanel 60 removed the requirement for a dedicated IP address for using a different certificate for each email domain on a server. Although your hosting service may be at CPanel 58 or 60, they may not have installed the AutoSSL plugin for Let’s Encrypt.
Does your Hosting Firm Support Let’s Encrypt
If your hosting firm supports Let’s Encrypt, your life is easy. You may have to upgrade to a dedicated IP, but first check to see when your hosting firm plans to go to CPanel 60, as this removes this requirement.
Does your Hosting Firm Support AutoSSL
If your hosting firm supports AutoSSL, this is the easiest way to go. In some cases they will use a free certificate service from Comodo or another vendor, but they may charge for certificates, and may charge for adding smtp, mail, imap, and ftp subdomains to a certificate.
Are you on a Super Tight Budget and Technically Confident
If your budget is really tight (you are volunteering for a non-profit) and you are technically confident, you can use CPanel to install your own certificate from StartSSL or another vendor. For instructions on this, proceed to the next section.
Setting up AutoSSL
If you do not need organizational verification–many small businesses and non-profits do not–AutoSSL is a great choice for managing SSL. If you have Web Hosting Manager on a VPS or managed server, see the instructions for installing the Let’s Encrypt! plugin for WHM. Most hosting firms do not install it by default, as they want your certificate money. It is as simple as running a command as root:
/scripts/install_lets_encrypt_autossl_provider
Once AutoSSL is installed, you can configure it using the Let’s Encrypt Certificate Authority.
Obtaining and Installing A Certificate Using CPanel
If you obtain your certificate through your web hosting firm, they may install it for you, depending upon the type of support plan that you have. If you do not get your certificate through the hosting firm, or they will not install it for you, you will need to do it yourself using CPanel or some other method. The instructions that follow cover the process for obtaining and installing a certificate using CPanel and Web Hosting Manager. If you do not have access to these tools, the installation process requires shell access and commands; the command procedures are outside the scope of this article.
The process falls into four major parts:
- Getting individual and organizational verification from your certificate vendor. This will vary from vendor to vendor.
- Creating a private key and a certificate request.
- Sending the certificate request to the vendor and obtaining the certificate from the vendor.
- Installing the certificate on your website.
Creating a private key and a certificate request
To create a private key and certificate request, log in to CPanel as shown in Figure 9, and select the SSL/TLS Manager as shown in Figure 10. Next, choose the first option to create a private key. It may ask you to move your cursor around to generate random data to be used in the private key.
Once you have created a private key, go to Certificate Signing Requests and Generate a New Certificate Signing Request as shown in Figure 11. Enter the necessary information about your organization using the exact names that are listed on the incorporation and tax documents that you used for identity validation as shown in Figure 12. When you are done, your Certificate Request should show up in CPanel as shown in Figure 13.
Send the Certificate Request file to your certificate vendor via email, or copy it from the window in CPanel and paste it into the certificate request window on the certificate vendor’s web site.
The approach to dealing with each vendor will be different, but for an idea on how things work with StartCom for a free Class 1 certificate, read Securing Your Email Part 2: Digitally Signing Your Email. This article talks about the process for obtaining email certificates from StartCom; the process for web site certificates is very similar.
When you get the certificate from your vendor, go to the CPanel SSL/TLS Manager and select the Certificate section as shown in Figure 15.
Scroll down to the New Certificate section and paste your certificate into the window or upload the certificate file as appropriate for how the certificate was provided to you by your vendor, as shown in Figure 16.
If you have a physical server or a virtual private server (VPS) account, you can use Web Hosting Manager to install the certificate. See the next section for instructions on how to use WHM to install certificates.








Using Web Hosting Manager to Install a Certificate
Installing the certificate in Web Hosting Manager (WHM) is slightly different than the procedure in CPanel. First, go to the SSL/TLS section as shown in Figure 17 and then follow the same steps for creating a private key and creating a certificate request as given for CPanel, but make sure that you select the correct web host. When you get the certificate back from the vendor, install it on the correct host as shown in Figure 18. If you have only one domain on the server, you can assign the certificate for use by the email and FTP servers. WHM does not currently support using separate certificates for email domains in the same way that it does for web hosting.
Finally, you will need to configure Joomla for SSL as described in the next section.


Configuring Joomla for SSL
Configuring Joomla for SSL is the easy part in this process. In the Admin Console, go to Global Configuration->Server and change the “Force SSL” option from the value of “none” shown in Figure 19 to “all”. Next, if you have Akeeba Admin Tools, you may consider forcing all external links to HTTPS as shown in Figure 20. This can break some things, but is an important safeguard against man-in-the-middle attacks if you retrieve fonts, JavaScript or other items from other sites. If you do not use this option, make sure to inspect all links for HTTPS use wherever possible.
If you use Akeeba Admin Tools to generate your .htaccess file, go to the bottom of the generator page and enable HTTP Strict Transport Security (HSTS) in headers.



Set up .htaccess Without Akeeba .htaccess Generator
If you use Akeeba Admin Tools to generate your .htaccess file, it will take the setting from the Joomla Configuration and add the necessary code to your .htaccess file. If you do not use Akeeba Admin Tools to generate your .htaccess file, you will need to manually set up your .htaccess file to redirect all HTTP traffic to HTTPS. Before making any changes to .htaccess, make sure that you have shell access or can otherwise manually edit the file, as a mistake can leave you unable to get to the site via the web admin interface.
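# Redirect plain-HTTP requests to HTTPS; the HTTPS check prevents a redirect loop
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com$ [NC]
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]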
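The redirect and HSTS settings in this section can be checked from recorded responses. The following is an added example, not part of the original article: it audits a redirect chain for a plain-HTTP page served without a redirect, a redirect loop, and a missing or short-lived HSTS header. The hop data is constructed, and the function names and the 180-day max-age threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # assumed policy threshold: 180 days in seconds
REDIRECTS = (301, 302, 303, 307, 308)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if max-age is unusable."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}


def audit_chain(hops):
    """Audit (url, status, headers) hops in request order.

    headers maps lower-case header names to values. Returns a list of
    findings; an empty list means the chain passed every check.
    """
    findings = []
    seen = set()
    for url, status, headers in hops:
        seen.add(url)
        location = headers.get("location", "")
        redirecting = status in REDIRECTS
        if redirecting and location in seen:
            findings.append(f"redirect loop: {url} -> {location}")
        if urlsplit(url).scheme == "http":
            if not (redirecting and location.startswith("https://")):
                findings.append(f"no HTTPS redirect from {url}")
            elif status != 301 and status != 308:
                findings.append(f"temporary redirect ({status}) from {url}")
    # HSTS only counts on the final response, and only when it arrives over HTTPS.
    url, status, headers = hops[-1]
    if urlsplit(url).scheme == "https" and status not in REDIRECTS:
        policy = parse_hsts(headers.get("strict-transport-security", ""))
        if policy is None:
            findings.append(f"no usable HSTS header on {url}")
        elif policy["max_age"] < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {policy['max_age']} below {MIN_MAX_AGE}")
    return findings


# Constructed sample chains (not captured from a real site).
GOOD = [
    ("http://yourdomain.com/", 301, {"location": "https://www.yourdomain.com/"}),
    ("https://www.yourdomain.com/", 200,
     {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
# What a host-only rewrite rule with no HTTPS condition produces.
LOOP = [
    ("http://yourdomain.com/", 301, {"location": "https://www.yourdomain.com/"}),
    ("https://www.yourdomain.com/", 301, {"location": "https://www.yourdomain.com/"}),
]
NO_REDIRECT = [("http://www.yourdomain.com/", 200, {})]
WEAK_HSTS = [("https://www.yourdomain.com/", 200,
              {"strict-transport-security": "max-age=300"})]

if __name__ == "__main__":
    for name, chain in [("good", GOOD), ("loop", LOOP),
                        ("no redirect", NO_REDIRECT), ("weak HSTS", WEAK_HSTS)]:
        print(name, audit_chain(chain))
```

To run it against a live site, record each hop's URL, status code and headers with any HTTP client that does not follow redirects automatically, and pass the list to audit_chain.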
Let Google Know
The final step in the process is to register the HTTPS version of your web site with Google Webmaster tools and with Google Analytics.
Check the Encryption Protocols on Your Web Site
Once you have everything set up and working, you should check that your server is configured to accept only encryption protocols that cannot be cracked, and check for other encryption configuration errors. The Qualys SSL Labs web site provides an easy-to-use web service that emulates a number of browsers and tests your SSL certificates and configuration.
Make sure to check the browser support list; if you are dependent upon traffic from a very old, compromised browser, you will have to enable some very old, compromised encryption protocols with the associated risks.
If you want to read more on the subject, SSL and TLS Deployment Best Practices is a good article on how to set up SSL in the most secure way.
Setting up a Test Environment
To verify that all of your add-ins work with SSL, you can generate a self-signed certificate on your test server. If you want to practice the key generation and certificate request process, you can become your own private certificate authority by using an application like XCA or another certificate management application.
Lenovo Superfish
At this writing in the winter of 2015, there has been much discussion of “Superfish” software that Lenovo installed on a number of laptop computers that it shipped in the fall of 2014. The Superfish software was used to insert ads into browser sessions. In a very abbreviated description, Superfish intercepted certificates, decrypted the stream and passed on its own valid certificate to the end browser so that the end user was largely unaware that a man-in-the-middle attack was occurring in an encrypted session. I have not fully researched and implemented the issue, but Certificate Pinning appears to be the current approach to protect against Superfish-type malware. Enabling HSTS may provide some protection against this type of attack, but I’m not sure at this point.
Summary
There are a number of security and search engine optimization (SEO) reasons that small business and organization web site owners should configure SSL encryption on their web sites. Free or low-cost certificates are increasingly available, so this is no longer the financial burden that it once was.
The slides for my March 9, 2015 presentation to the Dallas/Ft. Worth Joomla user group are here.
- Written by Bruce Moore
Writing for Search Engine Optimization
I’m not a professional writer, but I have three articles that Google ranks highly on my web site and my wife’s site has one that ranks highly on her site. The article that follows describes why I think these articles have done well from a search engine optimization (SEO) perspective, and why others have not. First, it makes sense to show you the four articles:
- Social-buttons.com Referrer Spam is a very short article about a referrer spam attack. On the second day, this generated 150% more traffic than my site normally gets. On the third day, it generated five times my normal traffic. It generates more second article reads than any other article on my site.
- Effective Interest (Yield) Loan Fee Amortization is an article about a very dry and arcane accounting topic. It does not get a lot of hits, but for appropriate search terms–level yield amortization–Google frequently presents it as the first link.
- Sales and Lead Management with SuiteCRM is an article about configuring a Customer Relationship Management package. Google is progressively ranking it higher in searches.
- Pages from the Gay Family Bible ranks poorly in Google for the query “gay family bible” but ranks about 6th on Bing and Yahoo. Google clearly interprets “gay” as an adjective in this query while Bing clearly interprets it as a surname.
The article is divided into the following sections:
- Write a Succinct Description
- Hit it Where they Ain’t–Write Something Useful that No One has Written
- Strike While the Iron is Hot–Be the First on a Topic
- Select Vocabulary for the Audience
- Maintain Your Site on All Search Engines
Write a Succinct Description
If the article description is the right length, Google will use it directly for the synopsis of text below the link, rather than algorithmically figuring out what to say. The descriptions for these articles respectively are:
This article describes referrer spam from social-buttons.com which is registered through Moniker Online Services and/or Moniker Privacy Services.
This page describes the procedure for calculating the fee amortization and effective yield for loans that involve up-front fees. This is also sometimes called level yield.
This article describes the selection of a customer relationship management (CRM) system for small businesses and configuration of SuiteCRM.
Images from an old family Bible with births, deaths and marriages for the Gay family
The SEO module on my web site suggests a length of less than 160 characters.
Hit it Where they Ain’t–Write Something Useful that No One has Written
All of the successful articles listed are unusual on the web; there were no articles about the social-buttons.com referrer spam web site at the time that I wrote the article. There are many articles on level yield amortization but they primarily address rules on when accountants must use the procedure–not how to calculate it. There are many articles about SugarCRM and SuiteCRM, but there are not very many articles on how to set it up. Finally, the article describing the images from the Gay family bible is completely unique on the web.
Strike While the Iron is Hot–Be the First on a Topic
I wrote the referrer spam article at about 11:00 in the morning after I had analyzed the attack on my web site. Google clearly rewards regular updates to a web site, so I am in the habit of placing an article on any administrative activity that makes sense. Clearly, many web masters were attacked at the same time, and all were searching for information on the social-buttons.com site that suddenly appeared in their Google Analytics reports.
Similarly, the hits on the level yield amortization article spike at the end of each quarter when accountants are preparing quarterly reports and need to figure out how to do this calculation. Make sure that your article is out for indexing before the season when people will start looking for it.
Select Vocabulary for the Audience
Each profession and audience has its own vocabulary–make sure to use one that is appropriate for your audience, as this is the vocabulary that they will use for searching. In the referrer spam article, the word “darodar” appears. This is not something that rolls off the tongue of the average person walking down the street, but it is very familiar to web masters who were reading Google Analytics reports in November and December of 2014, as there was a sustained referrer spam attack going on directed at web masters. Similarly, the amortization article uses vocabulary that accountants would use to describe the calculation.
After discovering that most of the traffic on the referrer spam article came from outside the United States, I changed the original “BBB” reference to “Better Business Bureau (BBB)” as “BBB” is an acronym that probably isn’t well known outside the U.S.
Maintain Your Site on All Search Engines
Finally, make sure that you maintain your site’s presence in both Google Webmaster Tools and Bing Webmaster Tools, as some engines do a better job of indexing for specific genres. The “Gay family bible” query shows that for genealogy, Bing may well be better than Google.
- Written by Bruce Moore
Laptop Security–Encrypting Disk Drives
Laptops are routinely carried to and used in airports, libraries, coffee shops and other places where they can easily be stolen. The cost of a stolen laptop is many times the value of the computer itself–if the laptop contained sensitive or personally identifiable data, the potential cost can run into millions of dollars. The first step should be making sure that laptops do not contain sensitive data in the first place, but that cannot be the only step, as email logs invariably contain a tremendous amount of sensitive data.
Small businesses don’t have a large IT staff to help with the process of securing a laptop; this article is intended to help small businesses secure laptops to minimize the data security problems of a lost laptop by discussing alternatives for encrypting the data on the laptop. The article is divided into the following sections:
Laptop Disk Drive Encryption Alternatives
There are a number of alternatives for encrypting data on a laptop, including both file- or directory-level encryption and whole-disk encryption tools. If your systems are all Apple, or all Microsoft, the built-in tools available on Apple (OS X and higher) or Microsoft Windows (8.0 and higher) are probably the most convenient approaches to take. If your systems include any combination of OS X, Windows and Linux, or you are on Windows 7 Professional, the choices aren’t as simple, as you will want a solution that can read external drives on any machine, assuming the file format is readable on the machine.
Table 1 below provides a listing of a few encryption software packages. This is by no means a complete list.
Product | Windows | OS X | Linux | Comments |
---|---|---|---|---|
BitLocker | Yes | No | No | Closed source. Built-in to Windows 8.0 and 8.1 and Ultimate and Enterprise versions of Vista and 7. This is an obvious choice for a Windows-only network. |
OS X File Vault 2 | No | Yes | No | Closed source. File Vault 2 is built in to OS X Lion (10.7) and newer. Lion went out of support in the fall of 2014, so at this point all currently supported versions of OS X offer full disk encryption. |
Symantec Endpoint Encryption | Yes | Yes | No | Closed source. Offers key management (requires Windows server) and other features that are attractive for managing multiple laptops. |
Trend Endpoint Encryption | Yes | Yes | No | Closed source. Offers key management (requires Windows server) and other features that are attractive for managing multiple laptops. |
McAfee Endpoint Protection Essential for SMB | Yes | Yes | No | Closed source. This is a total solution that is designed for “Small and Medium Businesses” of up to 250 employees. It probably isn't manageable until you get to 10 or 20 workstations. |
McAfee All Access File Lock | Yes | No | No | Closed source. This is a part of McAfee All Access, a virus/firewall/general security package. It encrypts at the directory level only; if you store a sensitive file outside the File Lock directory, it will not be encrypted. |
Linux Unified Key Setup | No | No | Yes | Open source. This is the standard encryption tool in most Linux distributions, and is generally available during the installation process. |
DiskCryptor | Yes | No | No | Open source. Encrypts all partitions. |
CipherShed | Future | Future | Future | Open source. A fork of TrueCrypt. As of February 17, 2015, CipherShed is available only in a beta version. |
BoxCryptor | Yes | Yes | Yes | Closed source. Primarily for encryption of data stored on cloud applications; this may be a useful solution in combination with another full-disk or partition encryption solution. Available for iOS, Android, Windows Phone, Windows RT (tablet) and Blackberry. Available in a limited feature free version or paid personal and business versions with more features. |
AxCrypt | Yes | No | No | Open source. File level encryption, not folder or partition level encryption. |
VeraCrypt | Yes | Yes | Yes | Open source. A fork of TrueCrypt. Hibernation power-saving function on laptops may not work properly. |
Windows-only Encryption Solutions
For users of Windows 8.0 and later, the built-in encryption is almost certainly the best alternative. For Windows 7 users (who comprise the vast majority of the visitors to this web site at this writing) the choices become more difficult and expensive. If file- or directory-level encryption is sufficient, the anti-virus solution that you use will probably have an encryption capability as part of the software. This generally won’t be helpful for email files. There are a number of alternatives, but the three identified for this article are DiskCryptor, CipherShed (alpha at this writing) and VeraCrypt. The latter is the one that I ended up choosing, and is the one discussed further in this article.
OS X-only Encryption Solutions
The built-in disk encryption capabilities of OS X have been around for a while and are such that there aren’t many OS X-only encryption solutions. Unless you need compatibility of external drives with Windows machines–and have NTFS or JFS+ drivers that allow sharing external drives–the OS X built-in encryption is almost certainly the best choice.
Multi-platform Encryption Solutions
Several anti-virus vendors offer enterprise encryption solutions; if you use their enterprise products these are likely the most convenient solutions to choose for a multi-platform environment. If you are a really small shop and don’t use an enterprise solution, one of the open source multi-platform solutions could be a good choice. Most of the multi-platform solutions are forks of the well-known but discontinued TrueCrypt tool. VeraCrypt is probably the best-known at this point, but for project organization reasons, CipherShed may become the preferred solution once it comes out with a production release.
Encrypting Your Laptop Disk Drive
The basic steps for encrypting your laptop drive are as follows:
- Backing up a Laptop Disk Drive before Encrypting the Drive
- Choose a Password
- Install VeraCrypt (or Other Encryption Software)
- Encrypting a Laptop Disk Drive Using Veracrypt
- Modify Backup Procedures to Accommodate Encryption
Back Up the Unencrypted Laptop Disk Drive before Encrypting the Drive
The first step in encrypting your laptop is to make an unencrypted backup from which to recover should something go wrong during the installation. It is impossible to emphasize this step strongly enough. You will also need to make sure that your backup procedures allow you to recover from a disk failure. Clonezilla is a widely used open source tool for disk-level backups and is a good tool to use for backups on a regular basis. I’ve used it many times to back up disk drives and recover the information on a larger drive that I replaced in a laptop.
Choose a Password
Before installing any of the encryption tools, you will need to choose a strong password–preferably 20 characters or more. You must remember it and enter it each time you boot the machine. Do not forget it, because you will not be able to read any of your data without it. You can record it, but not on anything that will be available to a laptop thief.
Above all, do not forget it, and do not put it in a place where someone will find it.
Install VeraCrypt (or Other Encryption Software)
When you download VeraCrypt or other software, make sure to check the MD5 signature for the download to verify that no one has tampered with it. On Windows, you can install Cygwin and use the md5sum filename.msi command to check the MD5 signature. On OS X, you can install MacPorts and use the md5sum filename.dmg command to check the MD5 signature.
If the binary is signed–in Windows, the yellow caution window for making changes to your disk drive will have a company or individual name rather than “unknown”–you know that no one tampered with the file and don't need to check an MD5 signature.
Installing VeraCrypt is just like installing other programs from this point onward.
Encrypting a Laptop Disk Drive Using Veracrypt
The instructions for VeraCrypt are really pretty straight-forward; I won’t repeat them here. Before you begin, make sure that you have a backup, and that you know the password that you are using to encrypt the drive. You will also need at least one writable CD (not DVD) to store the encryption keys necessary for a recovery of the disk. Store these in a safe place. A 250G drive on a 2012 Windows 7 laptop with an i5 processor took about four hours with nothing else going on. You should start the encryption process after virus and other disk scans have finished.
Once you encrypt the drive, the boot time will increase noticeably, but the overall performance of the machine will be largely unchanged. Hibernation may not work, so you will need to disable this mode in your power settings.
Modify Backup Procedures to Accommodate Encryption
Once you have encrypted the laptop disk drive, you will need to modify your backup and recovery approaches appropriately to accommodate the encryption. In some cases there will be no changes, but in other cases you will need to make changes. Your key backup CDs and password should be stored in a safe place, which will in most cases be with your backups. If you back up with disk-level tools, recognize that your backup will now be encrypted and will require the password to access.
Conclusions
The first defense for preventing data theft from a laptop is not to store sensitive data on the laptop. When this is not possible, disk encryption can safeguard the sensitive data–usually email. There are a number of alternatives for encryption of laptop disk drives that are manageable for a non-technical user to install. With encryption, your backup strategy is increasingly important; if you forget the password, you will not be able to get to the data on the laptop and will need to access a backup of the data.
- Written by Bruce Moore