Changes between Version 18 and Version 19 of WebInfoPamphlet


Ignore:
Timestamp:
Jun 30, 2008, 2:56:09 PM (17 years ago)
Author:
Daniel Kahn Gillmor
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • WebInfoPamphlet

    v18 v19  
    1717Every progressive understands the importance of security but, on the Internet, the concept takes on a whole other meaning with very different details. This is because the Internet functions on a public communications system and when something is public the potential for abuse, theft of data and disruption of communications is enhanced. Our movement can't take chances with that kind of abuse.
    1818
    19 ''Are you able to use encrypted connections?''
     19=== Are you able to use encrypted connections? ===
    2020
    2121Even if your use of the Internet is mainly for very public communications, there is always some information that should remain private: a password, members list, payment info, content of a sensitive email. If someone gets access to this information, they can steal your data, wreck your website and even wreck other sites on your server. The security of your connection is a political issue and one that affects everyone else sharing a server with you.
     
    2525For uploading files to your website use sftp (Secure ftp). Regular ftp (File Transfer Protocol), is insecure because it transmits your data (including your password) in plain text over the Internet, allowing anyone with the right network access to read your data in transmission. Take note because most commercial providers still use ftp and don't even offer sftp as an option.
    2626
    27 For sensitive interactions on your website (like pages requesting information, such as password logins), always use a secure connection. With a web browser like Firefox, you can tell a connection is secure because a small padlock is displayed in the bottom right corner. Typically, web addresses that start with https:// instead of http:// operate over a secure connection. Secure connections require a digitally signed certificate and probably some cooperation from your provider but everything we just said about ftp is a thousand times more true with http (hypter-text transfer protocol).
     27For sensitive interactions on your website (like pages requesting information, such as password logins), always use a secure connection. With a web browser like Firefox, you can tell a connection is secure because a small padlock is displayed in the bottom right corner. Typically, web addresses that start with `https://` instead of `http://` operate over a secure connection. Secure connections require a digitally signed certificate and probably some cooperation from your provider but everything we just said about ftp is a thousand times more true with http (hyper-text transfer protocol).
    2828
    2929To be clear, regular http is wonderful; it's the lifeline of the web. It's also designed for transparent communications between visitor and site. Transparent means anybody can see it; if there is something you don't want everyone to see, you need secure http.
     
    3131The same is true for web mail. Since web mail has become so popular, most providers offer it as a service and for many people it has become the primary client for email. If you check email on the web and you don't have a secure connection, anybody can see your email with the proper network access. All web mail should use https.
    3232
    33 ''For email itself, does your provider use starttls so all email data is encrypted from point-to-point with other email providers using starttls?''
     33=== For email itself, does your provider use starttls so all email data is encrypted from point-to-point with other email providers using starttls? ===
    3434
    3535Starttls is not common among commercial providers and it's possible that the provider's representative  you're talking to won't even know what you're talking about. But consciousness of this security feature is as important as anything we've talked about here. Normally your email is sent from your provider's mail server to the recipient provider's mail server in plain text, usually traveling through a half dozen routers controlled by the largest telecommunications providers on the planet, all of whom have the technical capacity to read the message (and, of course, turn it over to any government authority who wants it). On the other hand, if both providers use starttls, your communication will be encrypted from end-to-end.
     
    5151You should have full control of your content and complete access to it.
    5252
    53 ''Cease and Desist''
     53==== Cease and Desist ====
    5454
    5555One area of content attack is the cease and desist letter. At some point, you or an organization you work with is going to get a cease and desist letter from a company, an individual, another organization or the government. These letters are designed to stop you from doing something you're doing on line. Often they have to do with copyright infringements but we've seen such letters provoked by expressions of opinion or information about some company or government agency.
     
    5959In reality, cease and desist letters are usually bogus and if the complaint is legitimate, a court can decide or you can negotiate with the letter-writer. Providers have no right to act unilaterally or threateningly towards you. If something is so offensive that it shouldn't be on a provider's servers, they should discuss that with you and take action on their own. Otherwise, if it's not too offensive to be on-line, it deserves to be on-line.
    6060
    61 ''Shell access''
     61==== Shell access ====
    6262
    6363Another prominent issue around access is shell access. You may not know about it or even use it but there's a layer of functioning beneath your website display and beneath protocols like sftp. It's call "shell access" and it means that you can use a command line program to get into your directories and files and interact directly with the files and operating system.
     
    6565Most of us won't use this but, if we need to (or we have a techie working on some aspect of our website), it should be available. In principle it represents real control over your website and your data.
    6666
    67 ''Domain name control''
     67==== Domain name control ====
    6868
    6969Domain name control is quite possibly the most torturous lesson many experienced activists learn on the Internet. We see this all the time.
     
    8080On the other hand, if these two servers are split between two different organizations, then your hosting provider has no control over your DNS, leaving you free to move to whichever hosting provider you choose.
    8181
    82 ''Control over what you send and receive''
     82==== Control over what you send and receive ====
    8383
    8484The most egregious attack on this obvious right is spam control.
    8585
    86 All spam should be passed on to the user who should be able to make the choices about what to do with it. This is a perfectly effective approach although it requires a bit of work on the user's part. There are several good server programs that can guess what is and is not spam with a remarkably high degree of accuracy. Then they flag suspect email and the user decides whether to set up email so he/she can review the spam flagged email individually or filter it into some spam box automatically.
     86All mail should be passed on to the user who should be able to make the choices about what to do with it. This is a perfectly effective approach although it requires a bit of work on the user's part. There are several good server programs that can guess what is and is not spam with a remarkably high degree of accuracy. Then they flag suspect email and the user decides whether to set up email so he/she can review the spam flagged email individually or filter it into some spam box automatically.
    8787
    88 What you don't want is a provider making those choices for you: filtering spam and destroying it, blocking it, or what's worse, rejecting and blocking the server that sent it (called blacklisting ... aptly). Your provider has no right to determine the content you should receive; no company should even be allowed to make those choices for you.
     88What you don't want is a provider making those choices for you: filtering mail and destroying it, blocking it, or what's worse, rejecting and blocking the server that sent it (called blacklisting ... aptly). Your provider has no right to determine the content you should receive; no company should even be allowed to make those choices for you.
    8989
    9090That's all the more important because of the definition many providers have of spam: mass email or email to a list of people the sender doesn't know. Here's the critical issue we must all understand: if the mailer can reasonably expect that you'll be interested in the material you're receiving, that is protected speech and not spam. That's the law and it's a law our movement has fought for over a century to create, enforce and protect. It's fundamental to our ability to communicate and organize. If we can't send email to people we don't know, we're not going to reach people we need to inform.