Wednesday, January 18, 2017

AQ: Now featuring security! =)

Okay, the title is a misnomer.... AQ has always had some degree of security. The first line of defense is to just not have anything that a hacker would even want. No credit card numbers to be compromised. No social security numbers, bank accounts, etc. There's not really much of anything on AQ that a hacker or identity thief would want to steal, except perhaps passwords which people tend to reuse across multiple websites (a bad thing to do, but we all know it happens!).

So early on, I bought an SSL certificate so people could log into their accounts securely. Most pages were still on the old, insecure http:// connections, though. Theoretically, someone on the Internet could see what you were doing, or eavesdrop on your AQ mail, or see where you were running letterbox searches. Or they could see the cookies your browser is using and hijack your session. Nobody has ever done that (so far as I know), but the possibility exists.

Until now! Yesterday, I updated the website to use https:// everywhere, all the time. Whether you're reading AQ mail or recording a find, no random people on the Internet can spy on what you're doing anymore.

I've actually wanted to do this for a while but have held off because I knew it would likely cause some minor technical issues, and it has. It broke the maps for a bit. Apps that used AQ stopped working. All known issues have been fixed, but there could still be some unknown issues that I haven't found or that haven't been brought to my attention. If you see something, let me know.

You also might get occasional security warnings depending on the content of the page. Some pages might point to a photo from another website (for instance) and the image isn't a secure link, and you'll get a warning that not everything on the page is secure. An image isn't really important in terms of security (unless it's an image of your bank account statement or something!), but the warnings can sometimes look scary. I fixed a few pages I found with that problem, but there could be others I've overlooked. Let me know if you see others and I'll see if I can fix them.

If you do include other content in your clues, or point a custom CSS to your own website, you could get warnings or outright errors unless it points to a secure resource. Ideally, if you can point to https://, do it! If you can't.... I wouldn't lose sleep over it, but the warnings might be annoying.

If you have a bookmark to Atlas Quest that appears not to be working, edit the link to https:// instead of http:// and it should work fine again. In theory, AQ should redirect it automatically, but there was a bug in some of the redirect code that handled URLs with lots of parameters. If you linked to a favorite search, for instance, that link might not appear to work anymore. I'm "permanently" redirecting links and if your browser has recorded the new (incorrect) URL, the only way to fix it is to edit the bookmark to point directly to https:// and not depend on the redirect. Most of you shouldn't have to edit any of your links since AQ will redirect automatically, but just in case you're one of those who have a problem, that's how to fix it.

For those of you with lots of watches on boxes, you might have gotten a lot of reports of "changed clues" last night. I automatically updated all clues that linked to AQ resources to use https:// -- so don't spend a lot of time trying to figure out how the clue was changed. It's just the link that was changed, and only to point to the secure version of the link.
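The mixed-content warnings and the automatic clue update described above can be checked for with a short audit script; this is an added example, not part of the original post and not AQ's own code. It assumes placeholder hostnames (`www.example.org`) for the site's own hosts and a constructed sample clue.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder hostnames standing in for the site's own HTTPS hosts.
OWN_HOSTS = {"www.example.org", "example.org"}
# Attributes the browser fetches while rendering; <a href> is only a navigation.
FETCHED = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    """Collect (tag, url) pairs for subresources referenced over http://."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = (attrs.get(FETCHED.get(tag, "")) or "").strip()
        # Only stylesheet <link>s are checked; rel=canonical etc. are not fetched.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        if url and urlsplit(url).scheme == "http":
            self.insecure.append((tag, url))

def audit(html):
    """Return (own-host URLs mapped to https, third-party URLs left to warn on)."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    upgrade, warn = {}, []
    for tag, url in finder.insecure:
        parts = urlsplit(url)
        if parts.hostname in OWN_HOSTS:
            # Only the scheme changes; path and query string are kept intact.
            upgrade[url] = parts._replace(scheme="https").geturl()
        else:
            warn.append((tag, url))
    return upgrade, warn

# Constructed sample clue, not taken from the site.
SAMPLE = """<p>Start at the <a href="http://other.example.net/park">park page</a>.</p>
<img src="http://www.example.org/photos/box.jpg?size=large">
<img src="http://photos.example.net/trail.jpg">
<link rel="stylesheet" href="http://styles.example.net/custom.css">
<img src="https://www.example.org/ok.png">"""

if __name__ == "__main__":
    to_upgrade, to_warn = audit(SAMPLE)
    print("upgrade:", to_upgrade)
    print("third-party, still insecure:", to_warn)
```

Third-party URLs are reported rather than rewritten, because the other site may not serve that resource over https:// at all.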

Hmm.... I think that's it! Sorry for any troubles this might cause, but it will be a better, more-secure website in the long run!

This message will self-destruct in 30 seconds....

.

.

.

Just kidding! =)

1 comment:

Grumpy Grinch said...

Huh. So when Wassa said he needed my username, password, SSN, and grandma's maiden name, it was probably just clowning around?