by Steve Galloway | Apr 23, 2015
It is good practice to change email passwords occasionally. Sometimes, ComStat may ask you to change passwords if we suspect that a third party has compromised your account. If users do not know passwords, we can force a password change, however you should take responsibility of your passwords and we ask users to log in to their email accounts and overwrite our forced password changes with passwords of their own. To manage your passwords:
1. Go to your Webmail control panel at http://webmail.example.com (replace example.com with your own domain name).
2. Login with your email address and the password if you know it, or the password we have given you. Click open the settings icon. The image below shows you where this icon is.
This is your Webmail account, and you can use this control panel to manage your email and your email settings, review mail statistics, and more.
3. In the next screen check that the control panel is opened to the “Account Settings” preferences, and the “User” tab, and then input your passwords and click save. A time of writing you will need a capital letter and a number in your password. Our policy may change from time to time. When you have entered your passwords, click “save”, which is located above the “User” tab.
You have now changed your password. Also, changing your password will mean you need to update settings on any devices that connect to Office 365, including desktops, laptops, tablets, or mobile phones. This process will allow you to manage one account at a time. To manage another account, log out of your Webmail account, and then log in to the next account with that user’s credentials, and repeat.
by Steve Galloway | Apr 23, 2015
Sometimes, SSL secured web pages return an error like:
“parts of the page you are viewing were not encrpypted or the encryption is not strong enough before being transmitted over the Internet.”
Although the certificate is valid, it is unable to encrypt some content. This is different from a certificate mismatch, or an invalid certificate which renders https services null. In this case, the certificate is valid, there is no mismatch, but the certificate cannot guarantee that all content is encrypted in transit. The problem usually has to do with external content. For instance If you link to resources at an external site using https://, and then the external site does its own HTTP redirect to non-SSL pages, that will break the SSL lock on your page. This results in an advisory that looks like this when you click on a padlock which has a warning sign included:
Firebug’s “Net” tab is a useful tool to isolate show this and other problems. Follow these steps to diagnose SSL problems:
- Install Firebug add-on (Chrome, Firefox) if you don’t already have it, and restart your browser when prompted.
- Open Firebug.
- In firebug, choose the “Net” tab. Hit “Enable” (text link) to turn it on.
- Refresh your problem page without using the cache by hitting Ctrl-Shift-R (or Command-shift-R in OSX). You will see the “Net” tab in firefox fill up with a list of each HTTP request made.
- Once the page is loaded, hover your mouse over the left colum of each HTTP request shown in the net tab. A tooltip will appear showing you the actual link used. Look for requests that are http:// instead of https://.
- If any of your links resulted in an HTTP redirect, you will see “301 Moved Permanently” in the HTTP status column, and another HTTP request will be just below for the new location. If the problem was due to an external redirect, that is where the evidence will be – the new location’s request will be HTTP.
- If your problem is due to redirections from an external site, you will see “301 Moved permanently” status codes for the requests that point them to their new location.
- Expand any of those 301 relocations with the plus sign at the left, and review the response headers to see what is going on. The “Location:” header will tell you the new location the external server is requesting browsers to use.
- Note the info in the redirect, then send a polite email to the external site in question and ask them to remove the https:// -> http:// redirects for you. Explain how it is breaking the SSL certification on your site, and ideally include a link to the page that is broken so that they can see the error.
Below is sample output from Firebug for the the external redirect issue. In this case a page calling https:// data feeds was getting the feeds rewritten by the external server to http://.
This sample site is called “mysite.example.com” and the external site to “external.example.com”, but otherwise left the headers intact. The request headers are shown at the bottom, below the response headers. Note that mysite.example.com is requesting an https:// link, but getting redirected to an http:// link, which is what was breaking the SSL lock:
by Steve Galloway | Apr 22, 2015
This article will assist you in setting up a free UK2 SSL certificate using your cPanel account.
**All pictures are for reference only. The actual layout of your interface may differ from the images below**
**You will need to change all references of yourdomain.co.uk to the domain that you for which you are creating the SSL.**
STEP 1: If you are running a live site and wish to install an SSL on to it the site must first be assigned a dedicated IP. This can be requested by submitting a ticket to technical support.
**When applying this dedicated IP, the DNS records may take up to 24 hours to fully point to the new IP, your site will be down during that time, so please let us know what time will be best for this IP to applied.**
STEP 2: Log into your cPanel interface. You can log in at yourdomain.co.uk:2082 replacing the example with your domain name.
**If you need help logging in, our technical support department would be happy to help. Just submit a ticket requesting your login credentials and be sure to include the domain name you need access to.**
Step 3: Once logged into the Cpanel, click on SSL/TLS Manager in the Security section.
STEP 4: On the page that loads you will go to the link under Private Keys
STEP 5: At the top of the page there is a section to Generate a New Key select your domain from the drop down menu. You must use 2,048 bits key.
On the page that loads click on the Return to SSL Manager.
Step 6: You will now click on the link under the Certificate Signing Requests (CSR)
Step 7: You will now fill out the form for the domain that you wish to create the SSL on.
Key: (Select the key that you generated in STEP 5)
Domains: yourdomain.co.uk (Or your preferred hostname, e.g. secure.yourdomain.co.uk or shop.yourdomain.co.uk. **Please note that www.yourdomain.co.uk is automatically included if you enter yourdomain.co.uk)
City: (Your city)
State: (Your state or province)
Country: (Your country)
Company: (The name of your company)
Company Division: (What your company does, e.g. if you run an ecommerce shop you can put E-commerce.)
Email: (An email on your domain, most commonly admin@yourdomain.co.uk)
Pass Phrase: (A secure combination of numbers and letters)
Description: (A way for you to recognise the certificate in the future)
Once you’ve filled-in each of the fields, click “Generate.”
STEP 8: Once the page has loaded with the new CSR information you will want to copy the content of the box that starts with “—–BEGIN CERTIFICATE REQUEST—–“ as this information will need to be used later.
STEP 9: You will now need to visit the following link: https://ssl.uk2.net/cgi-bin/certificate-apply.pl
Step 10: Fill in the “Hostname.” This needs to be the same that you entered into the earlier forms. (e.g. yourdomain.co.uk.) Click “Submit.”
Step 11: Select the email address you wish to receive the confirmation email to.
Click Submit.
Step 12: Fill out the form with the information requested. You will want to match the previous forms that you have filled. You will need to select Apache/ModSSL as the server software. You will also paste the CSR that you copied earlier.
Step 13: You will receive an email to the email you selected in Step 13 with the day, click the link in the email and paste the confirmation code that has been provided in the same message.
STEP 14: Then 1-2 days after providing the confirmation code your SSL should be ready, retrieve your SSL package, download and extract the archive.
This extracted folder will have four files in it. You will need to use the one that shows: yourdomain_co_uk in future steps.
Step 15: With the yourdomain_co_uk file handy log back into the Cpanel, click on SSL/TLS Manager in the Security section. (See Step 2 and 3 if you do not remember how)
You will now click on the link under the Certificates (CRT)
Step 16: On the new page scroll down to “Choose a certificate file (*.crt).” and click “Choose File.”
Locate the yourdomain_co_uk.crt file on your computer and click “Open.”
Enter a description and then click “Upload Certificate”
STEP 17: Now go back to the SSL/TLS Manager and click on the link under Install and Manage SSL for your site (HTTPS).
Step 18: You will select the domain that you are using and then click Browse Certificate and select your certificate. Also, be sure to click “autofill by domain” to load the certificate keys.
Then at the bottom of the page you will click Install Certificate
If you encounter any errors or problems with this process, please contact our technical support department. They will be happy to help resolve any issues you experience.
by Steve Galloway | Apr 20, 2015
From 21st April Google searches will prioritize web sites that are optimised for mobile browsing. The effect will be to weight results against web site owners whose sites do not deliver “mobile friendly” content.
A mobile friendly web site, like the one below from our design studios, is one which renders its layout “on the fly” according to the dimensions of the device asking for content. This may include resizing images, changing column widths, and re-arranging layout so that information can be optimally displayed on tablets or mobile phones.
Until recently, web sites have been developed primarily for desktop and laptop display. This poses problems for users who want to view web sites with small screens and Google thinks this matters. For instance, users might have trouble using page links that are designed for mouse clicks rather than index fingers. Also, without changing column widths to suit small screens users may have to scroll across a screen several times on a tablet or mobile phone to read one line of text before scrolling back to return the left margin for the next line.
A mobile friendly, or mobile-responsive site, is capable of re-ordering textual and graphical content to deliver a web page in the best format for the device that is calling for the content whether the device is a mobile phone, tablet, laptop, desktop, or even a large television screen.
Business decision makers still tend to rely on a desktop layout when deciding on a new web site. However, Google’s attitude is that “desktop” searches are rapidly losing pace to searches from other devices. Google’s findings are based on their own statistics. The proliferation of devices available to consumers means that modern web sites need to deliver alternate layouts to deliver a good experience to users. The web site below, again from our design studios, shows that a fully mobile responsive web site is capable of re-positioning headers, navigation bars, and image sizes. In this case, the web site’s “sidebar” has been also been replaced in the mobile phone layout so that a user scrolling down the page would find the sidebar positioned at the end of the page.
In this way, the choice of desktop layout that the decision maker opted for when choosing a web site is irrelevant to other devices. According to market analyst Comcast, the number of mobile devices using the Internet exceeded conventional desktop machines in 2014, and with smart-phone ownership in countries like the UK and USA already in the hands of 60% of the general public, search engines are responding to user trends which indicate an increasing reliance on portable and mobile devices.
As Google responds to increasing search requests from portable devices, it is weighting its output to take account of the format of available information its searches output.
Regardless of the techniques businesses use to improve their “relevance” to search engines, Google’s announcement means that web sites which are not optimized for mobile devices are being discounted.
Google makes changes to its algorithms twice a month on average. The search engine emphasizes search results that connect users with relevant content in an easily interpreted formats. Google’s new attitude recognizes for the first time that web sites designed on the basis of desktop appearance alone no longer meet the needs of a market that is predominantly “mobile” based. Web site owners may argue that end users still rely on desktop machines for their web sites. Google says that this is just not the case any more and their move to prioritize mobile friendly sites suggests that reliance on desktop layouts only is a moot point if consumers have found other competing content that has been positioned by Google for formatted delivery specific to devices that searched for results in the first place.
Read Google’s announcement here.
by Steve Galloway | Apr 10, 2015
Office 365 has upgraded OneDrive for Business to enable security tools for business owners and network admistrators to manage access to data stored on OneDrive for Business from mobile devices. In the event of loss or theft of mobile devices subscribed to users’ Office 365 services, data can now be protected from unauthorised access using PIN lock numbers, jailbreak detection, and even “selective wipe” utilities.
OneDrive for Business (ODB) provides 1TB of storage per business license. The service, included as standard in Office 365 business licensing, enables users to access stored content with connected devices in addition to their conventionally secured office workstations. Users who have Internet access at home, for instance, can access files on ODB that previously they might have had to copy to a memory stick at work or even to return to their office for.
Cloud services like ODB obviate the need for file duplication from office equipment, which increases the risk of sensitive data being compromised by loss or theft of memory sticks or other devices.
ODB is attractive to business users who face increasing needs for more storage backup, together with the risk and cost of maintaining data. By housing data on OneDrive for Business (ODB), business owners need less “on-premise” hardware. However, providing remote access to business files by tablets, mobile phones, home computers and other devices poses security risks to the integrity of business information which may include customers’ private information.
Mobile Device Management (MDM) for Office 365 was launched on March 1st. MDM is already used to manage access to Office 365’s Exchange email services on mobile devices.
MDM allows business owners and network administrators to manage ODB data across a diverse range of phones and tablets, including Apple’s iOS, Android, Windows, and Windows Phone devices, according to Microsoft’s Omar Shahine.
“You can set up security policies to ensure that only mobile devices managed by your company can access OneDrive for Business files,” Omar said. “You can also set and manage security policies such as device-level PIN lock and jailbreak detection to help prevent unauthorized users from accessing ODB files on a device when it is lost or stolen. Finally, you can easily remove ODB company data from an employee’s device with selective wipe capabilities.”
Device-level PIN locks are established in Office 365 admin and require the end user to input a PIN number to access Office 365 data, including email services running under an Office 365 license.
Selective Wipe is a utility available in Office 365 admin to allow for either restriction or deletion of email and/or ODB data distributed under an Office 365 license from an end user’s device.
Jailbreak Detection is a utility available in Office 365 to prevent distribution of data to mobile devices that have been modified by “jailbreak”, or unauthorised modifications to device operating systems.
For help with security policies for your users’ devices, please call us or drop us a line using our contact form.
