Your security and privacy

[Tweet]

I’ve made a few changes to my sites to be more in line with my own thoughts on privacy and security. When I’m using the internet, I use ad blockers, a VPN, and secure DNS on all of my devices, yet I’ve still been running websites that collect unnecessary data for Google and which don’t provide standard encryption. That’s changed, and more changes are coming.

Long Live Encryption

It took me too long, but I finally have both BrettTerpstra.com and Marked2App.com switched over to SSL, and both now force https:// access. I definitely considered it a priority on Marked’s site because that one initiates commercial transactions.

I’ll admit that the final incentive to switch both sites over was the recent push among web browsers to call out insecure sites in the url bar, which is embarrassing enough to prompt real action. Good on you, browsers. While all credit card transactions on Marked2App.com have always taken place through Paddle’s secure server, it still promotes significantly more confidence to have the origin not show Not Secure in the url bar.

Even after the advent of Let’s Encrypt, which offers free SSL certificates for everyone, I had issues implementing SSL with my current MAMP setup on a macOS system. I ended up switching both sites over to a shared host that had Let’s Encrypt built in and made it a much easier process to add the certificates. Then a simple .htaccess rule forces every request to switch to https. Most of the headache at that point was just revising all of my deploy setups; setting up private key SSH, git and git hooks, and various back end scripts that needed fixing.

Side note, I’ve also added TOS and Privacy statements to Marked2App.com. Thanks to George Browning from Zengobi for assistance with that.

I’ve dealt with most of the issues for users caused by the changes in the server environment and the URL itself. Nothing major, but if you notice anything broken here or on marked2app.com, please let me know.

I’d love to get Marky switched over to SSL soon, but I have to figure out how to do it and maintain the delicate combination of python, ruby, node, and PHP scripts that it relies on, which makes switching to a shared server environment a pain. The only reason I’ve been able to run it thus far is that I have full control over the server and can deal with security issues myself. I’ll get it there, and it’ll be nice to avoid all of the insecure request issues that pop up when using the Marky API and bookmarklets on secure pages. (For those interested, I think I may end up rewriting the whole thing in Node and running a Passenger instance.)

Death to Big Data

I’ve mentioned the switch in my analytics before, but I’ll include it in this post as well: I’ve ditched Google Analytics on BrettTerpstra.com and switched entirely to Fathom. I’m no longer collecting demographic information (not even location), user behavior, and other privacy-invading statistics, and I’m not helping Google collect info on my readers. I haven’t made the same switch on Marked2App.com because the information provided by Google Analytics is vital enough in a commercial sense that I need to find a more capable but less invasive replacement for Google there. If you have any great recommendations that can handle custom tracking events, A/B testing, and provide extensive reporting while not tracking or reporting to Big Data, please share!

I’ve never included buttons from Facebook or Twitter and never plan to. The only data collection left on this site is an audience tracker from Carbon, the small ad that displays in the sidebar. Ad blockers have made that ad pay less and less, so whether I continue allowing that is debatable at this point. If you want to help me make that decision, support me directly by pitching in a bit.

A Small Step

I’m fully aware that my changes here make almost no difference in the grand scheme of things, but now my sites are operated closer to the way I’d prefer every site operated. For the rest of the web, I recommend a VPN (currently quite happy with NordVPN), secure DNS (I use CloudFlare, OpenDNS, and EasyDNS), and a good blocker for trackers and ads like Ghostery or a secure browser like Brave.

We’ll talk about Facebook once I’ve finally deleted my account and can speak without hypocrisy. In the meantime, if you have any more suggestions for things I could be doing better in the areas of security and privacy, please feel free to let me know, either via Twitter or contact me directly. Thanks for being a reader!