Welcome to Tech Tuesdays! Starting with this month, the first Tuesday of each month we’ll post an article about how we’re using technology to reach more people throughout Atlanta and across the internet. We may use terms that a more technical audience can relate to, but we’ll also explain what it means. For our first article, we’ll be talking about how we want better than bank-grade security as we store your password and why HTTPS is important – even if you’re just checking a playlist.
HTTPS stands for Hypertext Transfer Protocol Secure. It, and http://, prefix all web addresses. When visiting victory.radio, we want you to be assured that your connection to us secured.
So, how can you tell if you’re using HTTPS? Before victory.radio, and on every page on our site, you’ll see https:// and that green padlock signaling your encrypted connection. Generally, when you’re surfing the web, most banks and websites that collect personal information or card data will use HTTPS.
But why do you need it if you’re only checking a playlist, or if you’re generally browsing? Well, let’s say you’re at a coffee shop and we didn’t serve the page over HTTPS. Someone else on the network could see exactly where you’re going. That may not seem so bad, but they can also intercept the page and insert their own content! While we don’t show a place for you to donate on our playlist page, a bad actor could insert a fake donation form that sends your information to them instead of us. It’s not just people at coffee shops that can do bad things. For example, on an unsecured page, your internet provider could insert an ad into the page or keep track of your browsing habits for marketing purposes.
Starting this month, Google Chrome will show ‘not secure’ on any page you visit that isn’t loaded over HTTPS. As you browse the web, take note at what sites are securing your connection and the ones that aren’t. HTTPS has been the default for us for a few years now, but as of today, and as a part of our goal to ensure your privacy on the web, we’re now telling all browsers that they must only use a secure connection with us at all times.
This technology is called HSTS (HTTP Strict Transport Security). When you load our web page, or any site on the internet, there’s some content that you don’t normally see, called the Header. Headers typically tell your browser what kind of content it is, like HTML or JSON, and what cookies to set. If you view the headers for https://victory.radio, you’ll now see our HSTS header
strict-transport-security: max-age=31536000; includeSubDomains; preload. Since we’re showing this header, we’ve submitted to be included in a list that’s installed with major browsers. The list says what websites should, and can only, be displayed over a secure connection. So, that means as soon as you type victory.radio into your address bar, your browser will know it needs to use a secure connection.
We encourage you to check up on our security. Let us know what we can improve on. Check out https://ssllabs.com or https://htbridge.com and enter victory.radio and see what our score is (we’ll give you a hint: A+). We have this score because we only use modern and approved protocols and ciphers. While you’re there, test other sites you frequent. If you’re donating, you want to make sure they’re PCI-DSS Compliant. It’s important to understand and see how your card information is encrypted and protected from hackers.
A secure connection is just the beginning. Logging in to our website and the way your password is encrypted is just as important.
Victory will never, and has never, stored your password in plain-text.
We also do not store your credit/debit card details in our databases. That means if our database leaked, a hacker wouldn’t be able to read your password.
At the time of writing, we use bcrypt as the base hashing algorithm and are in the process of migrating to argon2 (we’ll make another post when we switch). So how does it work? When you enter your password, our server takes the plain-text and turns it into a hashed value using SHA512. SHA512 is a cryptographic hash function that results in a 128-digit hexadecimal number (a 512 bit value). Once we have this value we then use bcrypt, with a per-user salt, and a cost of 11. The cost means we intentionally take over 130ms longer to create your account or log you in (sorry for the wait). The longer time makes it more difficult, if not nearly impossible, to decode should it leak.
We hope that as you browse and donate to Victory, you not only feel technologically secure with us but feel secure in how your donation is used to reach people across the country and world. If you have any questions about your account security, or if you want to know more, feel free to reach out at firstname.lastname@example.org or leave a comment in the comments section below.