Industry Buzz

Announcing mobile first indexing for the whole web

Google Webmaster Central Blog -

It's been a few years now since Google started working on mobile-first indexing - Google's crawling of the web using a smartphone Googlebot. From our analysis, most sites shown in search results are good to go for mobile-first indexing, and 70% of those shown in our search results have already shifted over. To simplify, we'll be switching to mobile-first indexing for all websites starting September 2020. In the meantime, we'll continue moving sites to mobile-first indexing when our systems recognize that they're ready.

When we switch a domain to mobile-first indexing, it will see an increase in Googlebot's crawling, while we update our index to your site's mobile version. Depending on the domain, this change can take some time. Afterwards, we'll still occasionally crawl with the traditional desktop Googlebot, but most crawling for Search will be done with our mobile smartphone user-agent. The exact user-agent name used will match the Chromium version used for rendering.

In Search Console, there are multiple ways to check for mobile-first indexing. The status is shown on the settings page, as well as in the URL Inspection Tool, when checking a specific URL with regard to its most recent crawling.

Our guidance on making all websites work well for mobile-first indexing continues to be relevant, for new and existing sites. In particular, we recommend making sure that the content shown is the same (including text, images, videos, links), and that meta data (titles and descriptions, robots meta tags) and all structured data is the same. It's good to double-check these when a website is launched or significantly redesigned. In the URL Testing Tools you can easily check both desktop and mobile versions directly. If you use other tools to analyze your website, such as crawlers or monitoring tools, use a mobile user-agent if you want to match what Google Search sees.

While we continue to support various ways of making mobile websites, we recommend responsive web design for new websites. We suggest not using separate mobile URLs (often called "m-dot") because of issues and confusion we've seen over the years, both from search engines and users.

Mobile-first indexing has come a long way. It's great to see how the web has evolved from desktop to mobile, and how webmasters have helped to allow crawling & indexing to match how users interact with the web! We appreciate all your work over the years, which has helped to make this transition fairly smooth. We’ll continue to monitor and evaluate these changes carefully. If you have any questions, please drop by our Webmaster forums or our public events.

Posted by John Mueller, Developer Advocate, Google Zurich

National Grammar Day — How Not To Use a Thesaurus

InMotion Hosting Blog -

Your thesaurus can be your best friend, or at least a great writing tool. (Is the plural form of thesaurus “thesauruses” or “thesauri”? Both acceptable.) We all know the feeling. In the heat of composition, you reach for a word that seems to keep slipping through your fingers like a wet noodle. The amazing thesaurus can save you. However, most writing professors and opinionated types will tell you to chuck the thesaurus or, worse, burn it.

How to Customize a WordPress Theme for Your Brand

HostGator Blog -

WordPress is an incredibly popular CMS. It’s so popular that a third of the internet runs on WordPress. One big reason is its flexibility. The easy-to-customize CMS can be used to build virtually any kind of website, from large-scale news websites to simple one-person blogs.

All you have to do is find a theme that speaks to you and aligns with your brand, then get busy customizing to create your unique website. Below you’ll learn the ins and outs of customizing your WordPress theme to align perfectly with your brand.

WordPress Themes: The Basics

Before we get into customizing your WordPress theme we’ll dive deep into the WordPress basics, and how customizations are handled within the platform. With WordPress, you won’t be customizing the WordPress core. Instead, you’ll be making edits to what’s known as a WordPress theme. A theme is a collection of templates and CSS stylesheets which will create a unique design.

Sometimes WordPress themes also have collections of templates. These are pre-built versions of the theme that already have certain customizations, theme settings, and changes in place. It all depends on the theme you’re using. For example, the theme GeneratePress has dozens of different templates you can install, which are configurations of the stock GeneratePress theme. Generally, the terms WordPress theme and WordPress template are used interchangeably.

Choosing the Right WordPress Theme for You

Even though this post is going to show you how to customize your WordPress theme, it’s important that you start with a WordPress theme that has a final design you enjoy. That way you won’t have to make any large-scale structural changes, but instead style-based changes to bring your brand to life. With that being said, keep the following in mind when you select a WordPress theme:

1. Choose a Quality WordPress Theme

A poorly coded theme can have a detrimental effect on your website’s performance and appearance, and can even leave it vulnerable to hackers. Even if you love the design of the theme, it won’t matter if it never loads. Instead of looking through the codebase yourself (what would you even look for?), consider taking the following approach. First, look for theme providers that have been on the market for years. Low-quality themes tend to fade out of the marketplace. Second, spend some time reading through the reviews. If there’s a ton of positive reviews about the quality of the theme, you can generally assume that it’s high-quality.

2. Understand Your Needs

The best theme for someone else might not be the best theme for you. Before you start browsing for the perfect theme take stock of your own needs and the type of features you’re looking for. A theme that’s built for an eCommerce store will have very different features than a theme that’s built to showcase a photography portfolio. With WordPress, you’ll be able to find themes built for specific niches like lawyers, accountants, boutique shops and more. On the other hand, you have all-in-one themes that can be customized to suit virtually any niche.

3. Look for Quality Support

If you’re purchasing a premium theme, then there should always be a dedicated and responsive support team that comes with it. If possible, make sure they offer a method of support that suits your needs best. The most common forms of support include phone, email, and live chat. If you’re going with a free theme, then you probably won’t receive the same level of support. But, you should still look through the WordPress.org support forums to see how frequently they respond to user requests. Beyond support, you’ll want to ensure the theme is updated on a consistent basis. WordPress is continually evolving and the theme will need to be updated, patched, and have bugs fixed to remain functional.

Now that you have a foundational understanding of how customizations are made in WordPress and you have a solid theme, it’s time to start customizing.

What You Need Before You Start Customizing Your WordPress Theme

Before you start editing your WordPress theme you’ll want to have certain brand assets. With a solid website style guide in place, you’ll be able to design your site much faster and avoid things like mismatched colors. Here’s a handful of different design elements you’ll want to have in place:

- A finished logo. It can be helpful to have multiple versions and sizes, depending on what your theme requires.
- The list of colors you want to use across your site, including the HEX code; this will look something like #16336d.
- Any images and graphics you’re going to use across your site.

Finally, you’ll want to have a general idea of how you want your site to look. For example, do you want to have a full-page slider underneath your logo? Do you want the header to be left-aligned with a menu to the right? Do you want a parallax-style scrolling homepage? Spend some time looking at other competitor sites in your niche and pull out design trends and elements you like. This will help you choose a theme that’s in alignment with your design goals from the start, so you won’t have to make any huge changes to the layout of your theme.

How to Customize a WordPress Template

There are a multitude of different ways you can customize your WordPress site. Below we cover the most common approaches to editing your WordPress site. Every method we highlight below is 100% beginner-friendly, no design or coding skills required.

1. Use the WordPress Customizer

WordPress has a built-in tool called Customizer, which lets you customize your site without having to make any changes to your site’s code. It’s not the most in-depth customization tool in the world, but it will help you make simple customizations, like changing your logo, layout, color scheme, and more.

You can access the tool by navigating to Appearance>Customize from within your WordPress dashboard. Once you open up the Customizer you’ll have a menu on the left-hand side, which will show you what elements of your site you can edit.

The site elements you can change will depend upon the theme you’re using. However, you’ll typically be able to change the following things:

- Logo and title. Here you’ll be able to upload a logo and change the size, change your site’s tagline, and more.
- General layout. Here you can make adjustments to your navigation menus, sidebars, headers and more. You can change the size and appearance of these layout elements.
- Color scheme. Here you can adjust the color scheme across your entire website; you can change body text color, header colors, link colors, background, and much more.
- Typography. In this section, you can change the typography across your site. Be careful not to get too font crazy and stick to two fonts across most of your site.
- Menus. Here you can add new menus to your site, choose where you want them to display, and even create new menus.
- Widgetized sections. The widget sections you’ll be able to customize will depend upon your theme. Here you can add new items to widgetized sections and customize these areas however you desire.

As you can see, the WordPress Customizer is pretty powerful and allows you to make a ton of changes to your site. Plus, the changes will appear in real-time, so you can see if you like the changes before you publish them live.

2. Use the Built-in WordPress Theme Customization Options

This customization option will differ depending on what theme you have installed. Some themes will have built-in options that will let you customize virtually every aspect of your theme, while others will be bare bones. You’ll access these theme options from within your WordPress dashboard. You should have a section on the left-hand side that’s the same name as the theme you have installed. Click this and you’ll be able to see which customization options your theme has available.

For example, here’s what the theme options panel looks like on the GeneratePress WordPress theme: As you can see, there aren’t a lot of modifications you can make within the theme settings panel. Most of the site changes you’ll make with this theme will use the WordPress Customizer or the Elementor plugin (we highlight this below).

3. Make Changes via CSS

CSS is what controls the appearance of your site. Think of things like site colors, spacing, typography, and more. Your site’s CSS code controls more of the appearance of the site than your theme’s core files do. Before you move forward, make sure that you’re not changing the core CSS file. It’s easy to make mistakes and compromise the design of your site.

Instead, use the WordPress Customizer if you want to make changes to your site. You can access the Customizer by following the steps in the first section, then select ‘Additional CSS’ from the bottom. Here you can enter your CSS code to make changes to your site. These changes should show up automatically in your editor.

If you don’t want to use the Customizer, then you can make CSS changes to your site with a plugin like SiteOrigin CSS. This plugin has some super useful features that make it much easier to edit your CSS, even if you’re a total beginner. For example, it has a built-in inspector tool. This allows you to highlight certain portions of your site and see the exact CSS code you’ll need to make changes to. There’s also a visual editor, so you can make CSS changes and see how they reflect in real-time. The editor also has advanced features that’ll help you write clean code that doesn’t have any errors. Just install the plugin, and you’ll be able to start editing your CSS quickly and easily.

4. Use a WordPress Page Builder Plugin

WordPress page builder plugins add drag-and-drop functionality to WordPress. This is a common feature on a lot of other website builders on the market today (including the Gator Website Builder). This makes it so beginners have complete control over the design of their site, without having to touch any code. As you add and rearrange certain website elements, the plugin will automatically create the underlying code.

WordPress has a ton of different page builder plugins you can use to add this functionality to your website. Here are some of the most common:

Elementor Page Builder

Elementor is a drag and drop page builder that’s equipped with a live preview feature. It’s equipped with all kinds of features, from simple text widgets all the way up to unique sliders, testimonial sections, and more. There are also pre-built templates you can add directly to your site and pages. Using these pre-built sections lets you customize your site in record time.

Beaver Builder

Beaver Builder is a very fast and easy to use drag and drop page builder. Just drag different site elements to the editor, and change any element via the built-in options panel. It’s equipped with a ton of different site elements like content blocks, buttons, sliders, background options and more. It also has over 30 different templates that you can use to create website layouts super quickly.

Divi Builder

Divi is both a theme and a WordPress page builder. The page builder plugin used to only be available for use with the Divi theme, but today it exists as a standalone product. You can use the plugin with third-party themes, as well as any theme in the Elegant Themes collection. Once you install this plugin you’ll get access to the super-powerful editor. The Divi Builder plugin gives you a powerful drag-and-drop editor, real-time editing, and built-in responsive design. It’s also equipped with tons of different pre-built modules, and even entire websites you can quickly customize.

Once you install one of these plugins you’ll be able to edit your site’s pages and layout via a drag and drop builder. However, these plugins aren’t compatible with every theme out there. So, if you’re having issues using the plugin it might be a problem with your theme’s compatibility.

Here’s a quick look at how you can edit your theme using Elementor. The left-hand menu is full of different elements you can add to your site. Just click on an element and add it to a section. Or, you can drag and drop any element of your site. The changes will reflect in real-time and once you’re satisfied, just save the changes. Virtually every page builder plugin you use will have similar functionality.

What’s the Best Approach for Customizing Your WordPress Theme Design?

By now you should have a better understanding of how you can edit your WordPress theme to match your brand. As you can see there are a lot of different approaches you can take to make changes to your WordPress theme. The approach you take will differ depending on your existing skills and what you feel comfortable with.

Some website owners will be fine just making a few changes via the Customizer and their sites will be complete, while others might prefer making a ton of changes via a WordPress page builder plugin. Feel free to try multiple approaches until you find one that works best for you.

Remember, if you don’t want the world to see your website as you’re busy building it, then you can install a WordPress coming soon or maintenance mode plugin.

Pwned Passwords Padding (ft. Lava Lamps and Workers)

CloudFlare Blog -

The Pwned Passwords API (part of Troy Hunt’s Have I Been Pwned service) is used tens of millions of times each day, to alert users if their credentials are breached in a variety of online services, browser extensions and applications. Using Cloudflare, the API cached around 99% of requests, making it very efficient to run.

From today, we are offering a new security advancement in the Pwned Passwords API - API clients can receive responses padded with random data. This exists to effectively protect from any potential attack vectors which seek to use passive analysis of the size of API responses to identify which anonymised bucket a user is querying. I am hugely grateful to security researcher Matt Weir, whom I met at PasswordsCon in Stockholm and who has explored proof-of-concept analysis of unpadded API responses in Pwned Passwords and has driven some of the work to consider the addition of padded responses.

Now, by passing a header of “Add-Padding” with a value of “true”, Pwned Passwords API users are able to request padded API responses (to a minimum of 800 entries with additional padding of a further 0-200 entries). The padding consists of randomly generated hash suffixes with the usage count field set to “0”.

Clients using this approach should seek to exclude 0-usage hash suffixes from breach validation. Given most implementations of PwnedPasswords simply do string matching on the suffix of a hash, there is no real performance implication of searching through the padding data. The false positive risk if a hash suffix matches a randomly generated response is very low, $619 / 2^{35 \times 4} \approx 4.44 \times 10^{-40}$. This means you’d need to do about $10^{40}$ queries (roughly a query for every two atoms in the universe) to have a 44.4% probability of a collision.

In the future, non-padded responses will be deprecated outright (and all responses will be padded) once clients have had a chance to update.

You can see an example padded request by running the following curl request:

    curl -H Add-Padding:true https://api.pwnedpasswords.com/range/FFFFF

API Structure

The high level structure of the Pwned Passwords API is discussed in my original blog post “Validating Leaked Passwords with k-Anonymity”. In essence, a client queries the API for the first 5 hexadecimal characters of a SHA-1 hashed password (amounting to 20 bits), and a list of responses is returned with the remaining 35 hexadecimal characters of the hash (140 bits) of every breached password in the dataset. Each hash suffix is appended with a colon (“:”) and the number of times that given hash is found in the breached data.

An example query for FFFFF can be seen below, with the structure represented:

Without padding, the message length varies given the amount of hash suffixes in the bucket that is queried. It is known that it is possible to fingerprint TLS traffic based on the encrypted message length - fortunately this padding can be inserted in the API responses themselves (in the HTTP content). We can see the difference in download size between two unpadded buckets by running:

    $ curl -so /dev/null https://api.pwnedpasswords.com/range/E0812 -w '%{size_download} bytes\n'
    17022 bytes
    $ curl -so /dev/null https://api.pwnedpasswords.com/range/834EF -w '%{size_download} bytes\n'
    25118 bytes

The randomised padded entries can be found with the “:0” suffix (indicating usage count); for example, below the top three entries are real entries whilst the last 3 represent padding data:

    FF1A63ACC70BEA924C5DBABEE4B9B18C82D:10
    FF8A0382AA9C8D9536EFBA77F261815334D:12
    FFEE791CBAC0F6305CAF0CEE06BBE131160:2
    2F811DCB8FF6098B838DDED4D478B0E4032:0
    A1BABA501C55ACB6BDDC6D150CF585F20BE:0
    9F31397459FF46B347A376F58506E420A58:0

Compression and Randomisation

Cloudflare supports both GZip and Brotli for compression. Compression benefits the PwnedPasswords API as responses are hexadecimal represented in ASCII. That said, compression is somewhat limited given the Avalanche Effect in hashing algorithms (that a small change in an input results in a completely different hash output) - each range searched has dramatically different input passwords and the remaining 35 characters of the SHA-1 hash are similarly different and have no expected similarity between them.

Accordingly, if one were to simply pad messages with null messages (say “000...”), the compression could mean that values padded to the same size could be differentiated after compression. Similarly, even without compression, padding messages with the same data could still yield credible attacks.

Accordingly, padding is instead generated with randomly generated entries. In order to not break clients, such padding is generated to effectively look like legitimate hash suffixes. It is possible, however, to identify such messages as randomised padding. As the PwnedPasswords API contains a count field (distinguished by a colon after the remainder of the hex followed by a numerical count), randomised entries can be distinguished with a 0 usage.

Lava Lamps and Workers

I’ve written before about cache optimisation of Pwned Passwords (including using Cloudflare Workers). Cloudflare Workers has an additional benefit that Workers run before elements are pulled from cache.

This allows for randomised entries to be generated dynamically on a request-to-request basis instead of being cached. This means the resulting randomised padding can differ from request-to-request (thus the amount of entries in a given response and the size of the response).

Cloudflare Workers supports the Web Crypto API, providing for exposure of a cryptographically sound random number generator. This random number generator is used to decide the variable amount of padding added to each response. Whilst a cryptographically secure random number generator is used for determining the amount of padding, as the random hexadecimal padding does not need to be indistinguishable from the real hashes, for computational performance we use the non-cryptographically secure Math.random() to generate the actual content of the padding.

Famously, one of the sources of entropy used in Cloudflare servers is sourced from Lava Lamps. By filming a wall of lava lamps in our San Francisco office (with individual photoreceptors picking up on random noise beyond the movement of the lava), we are able to generate random seed data used in servers (complemented by other sources of entropy along the way). This lava lamp entropy is used alongside the randomness sources on individual servers. This entropy is used to seed cryptographically secure pseudorandom number generator (CSPRNG) algorithms when generating random numbers. The Cloudflare Workers runtime uses the V8 engine for JavaScript, with randomness sourced from /dev/urandom on the server itself.

Each response is padded to a minimum of 800 hash suffixes and a randomly generated amount of additional padding (from 0-200 entries).

This can be seen in two ways. Firstly, we can see that repeating the same responses to the same endpoint (with the underlying response being cached) yields a randomised amount of lines between 800 and 1000:

    $ for run in {1..10}; do curl -s -H Add-Padding:true https://api.pwnedpasswords.com/range/FFFFF | wc -l; done
    831
    956
    870
    980
    932
    868
    856
    961
    912
    827

Secondly, we can see a randomised download size in each response:

    $ for run in {1..10}; do curl -so /dev/null -H Add-Padding:true https://api.pwnedpasswords.com/range/FFFFF -w '%{size_download} bytes\n'; done
    35572 bytes
    37358 bytes
    38194 bytes
    33596 bytes
    32304 bytes
    37168 bytes
    32532 bytes
    37928 bytes
    35154 bytes
    33178 bytes

Future Work and Conclusion

There has been a considerable amount of research that has complemented the anonymity approach in Pwned Passwords. For example, Google and Stanford have written a paper about their approach implemented in Google Password Checkup, “Protecting accounts from credential stuffing with password breach alerting” [Usenix].

We have done a significant amount of work exploring more advanced protocols for Pwned Passwords; some of this work can be found in a paper we worked on with academics at Cornell University, “Protocols for Checking Compromised Credentials” [ACM or arXiv preprint]. This research offers two new protocols (FSB, frequency smoothing bucketization, and IDB, identifier-based bucketization) to further reduce information leakage in the APIs.

Further work is needed before these protocols gain the production worthiness that we’d like before they are shipped - but, as always, we’ll keep you updated here on our blog.
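
The padding scheme and the client-side rule described in this post, as an added example that is not Cloudflare's Worker code or the Have I Been Pwned implementation. It runs offline on a constructed bucket; the function names, the constructed passwords and the handling of buckets that already exceed 800 entries are assumptions of the example.

```python
import hashlib
import random
import secrets

MIN_ENTRIES = 800   # minimum padded size stated in the post
MAX_EXTRA = 200     # further 0-200 padding entries stated in the post
SUFFIX_HEX = 35     # SHA-1 is 40 hex characters: 5 are sent, 35 come back


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix would be sent, as /range/<prefix>.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pad_bucket(real_lines):
    """Server side: append random ':0' entries after the real ones.

    The amount of padding comes from a CSPRNG (secrets); the filler content
    comes from the faster non-cryptographic generator (random), mirroring
    the split the post describes. Assumption of this example: a bucket that
    already has MIN_ENTRIES or more still gets the 0-200 extra entries.
    """
    extra = secrets.randbelow(MAX_EXTRA + 1)
    needed = max(0, MIN_ENTRIES - len(real_lines)) + extra
    filler = [format(random.getrandbits(4 * SUFFIX_HEX), "035X") + ":0"
              for _ in range(needed)]
    return list(real_lines) + filler


def pwned_count(password, response_text):
    """Client side: return the breach count for password, or 0 if absent.

    Entries with a usage count of 0 are padding and are never treated as a
    match, even if the suffix happens to be identical.
    """
    _, suffix = split_hash(password)
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if not count.isdigit() or int(count) == 0:
            continue  # malformed line or padding entry
        if candidate.upper() == suffix:
            return int(count)
    return 0


def demo():
    # Constructed bucket: one constructed "breached" password plus the three
    # real entries quoted in the post (they belong to range FFFFF and act
    # only as neighbouring entries here).
    breached = "constructed-password-1"
    clean = "constructed-password-2"
    real = [
        split_hash(breached)[1] + ":42",
        "FF1A63ACC70BEA924C5DBABEE4B9B18C82D:10",
        "FF8A0382AA9C8D9536EFBA77F261815334D:12",
        "FFEE791CBAC0F6305CAF0CEE06BBE131160:2",
    ]
    body = "\r\n".join(pad_bucket(real))
    # A padding entry that happens to equal the queried suffix must not count.
    collision = split_hash(clean)[1] + ":0"
    return {
        "lines": len(body.splitlines()),
        "hit": pwned_count(breached, body),
        "miss": pwned_count(clean, body),
        "padding_match": pwned_count(clean, body + "\r\n" + collision),
    }


if __name__ == "__main__":
    print(demo())
```

The line count changes on every run while the lookup results do not, which is the property the padding is meant to provide.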

How to Use Instagram Stories for Market Research: 5 Ideas for Marketers

Social Media Examiner -

Looking for new ways to conduct market research? Wondering how to get feedback from your highly engaged Instagram followers? In this article, you’ll learn how to use five Instagram Stories features to gather valuable feedback. Why Gather Consumer Feedback via Instagram Stories? Businesses know that making customers happy is a proven way to increase revenue. […]

Why I’m Excited to Join Cloudflare as its First CIO

CloudFlare Blog -

I am delighted to share that I have joined Cloudflare as its first Chief Information Officer to help scale the company in this new phase of its business. It’s an incredibly exciting time to be joining Cloudflare, and I am grateful for the opportunity to do my part to help build a better Internet.

At one of my previous companies, I made a bet on Cloudflare to equip us with security and performance solutions across a very decentralized global set of products and services. This is something that would have been very difficult without a cloud solution like Cloudflare’s. Since then I’ve been watching Cloudflare grow, and have always been very impressed by the speed of innovation and transparency, but also how Cloudflare operates: doing the right thing, with integrity, and above all building trust with customers and partners. The “do the right thing, even if it’s hard” mentality that I saw from Cloudflare since I started doing business with them as a customer, was key for me. When I heard that Cloudflare was looking for its first CIO I was excited to have a discussion to see if I could help.

During the interview process I got a sense of how the values that are so important to me from a culture point of view were coming across consistently from everybody that I met with. Every person I spoke with was extremely committed to helping build a better Internet; it wasn’t just a tagline. The true mission and ability to impact so many people globally was something that was super motivational for me. Also, growing the company, but doing it the right way with empathy and bringing people along. I couldn't have worked for a company where building that trust through values and integrity wasn't something that was front and center. Building a diverse team was another focus. I kept hearing this over and over again, which is something that I am very passionate about and committed to as well.

It is a very exciting time to join the team. Cloudflare just went public, and the requirements of a public company are significantly higher from a compliance point of view. Cloudflare’s culture is engineering and product driven, and all about speed of innovation and delivering value to our customers; being able to maintain that culture and output, while at the same time keeping up with new legal requirements as a public company drives significant needs in terms of systems, end-to-end processes, integration, and efficiency in general. This, in a company like Cloudflare that is growing the way it is, was a significant challenge that drew me in. At the same time, the ability to be a part of an organization working hand-in-hand with product engineering made this even more appealing, as my background is in software leading teams in both the engineering and IT departments.

I am incredibly excited for this opportunity to embark on this journey with everyone on the team and to help build a better Internet. Helping to solve incredibly interesting and complex problems that Cloudflare navigates on the intersection of technology, security, privacy, legal frameworks, and on (the landscape will always be developing) is an incredible opportunity. Solving problems globally—it’s just amazing to be able to be a part of something like that!

WordPress 5.4 Release Candidate

WordPress.org News -

The first release candidate for WordPress 5.4 is now available! This is an important milestone as we progress toward the WordPress 5.4 release date. “Release Candidate” means that the new version is ready for release, but with millions of users and thousands of plugins and themes, it’s possible something was missed. WordPress 5.4 is currently scheduled to be released on March 31, 2020, but we need your help to get there—if you haven’t tried 5.4 yet, now is the time!

There are two ways to test the WordPress 5.4 release candidate:

- Try the WordPress Beta Tester plugin (choose the “bleeding edge nightlies” option)
- Or download the release candidate here (zip).

What’s in WordPress 5.4?

WordPress 5.4 has lots of refinements to polish the developer experience. To keep up, subscribe to the Make WordPress Core blog and pay special attention to the developer notes tag for updates on those and other changes that could affect your products.

Plugin and Theme Developers

Please test your plugins and themes against WordPress 5.4 and update the Tested up to version in the readme file to 5.4. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release. The WordPress 5.4 Field Guide will be published within the next 24 hours with a more detailed dive into the major changes.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! This release also marks the hard string freeze point of the 5.4 release schedule. If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

7 WordPress UX Plugins to Improve Your Website

HostGator Blog -

The post 7 WordPress UX Plugins to Improve Your Website appeared first on HostGator Blog.

Small businesses rely on their websites to attract and retain customers. Websites make it possible for visitors to discover and shop with your brand.

However, a website with a poor user experience can disconnect you from future customers. If the pages load slowly or broken links appear, your visitors may decide to leave your website—increasing your site’s bounce rates. Don’t let this happen to your small business. Use a WordPress UX plugin to improve your user experience.

1. WPtouch

Research shows that up to 70% of web traffic comes from a mobile phone. Consumers are interacting with your website on small screens. So, your team must make it easy for them to engage without having to squint their eyes or constantly resize your pages with their fingers.

WPtouch, a mobile plugin for WordPress, offers a solution by automatically adding a simple and elegant mobile theme to your website. You’ll get a mobile-friendly site that prevents your SEO rankings from dropping. The plugin allows you to customize your site’s appearance for your mobile visitors without writing a single line of code. Don’t worry about the desktop version of your site because it will continue to show for your non-mobile visitors.

2. Smush

No one likes waiting, including online visitors. Your goal is to get visitors to your content as quickly as possible. The faster you can make your WordPress site, the faster visitors can learn more about your brand and products.

Smush optimizes your images to improve your page load speed. This WordPress plugin compresses images by stripping hidden bulky information to reduce the file size without affecting the appearance of the image. Also, you can bulk compress up to 50 images with one click.

This tool comes with a wrong size image finder, too. Once activated, Smush offers smart tips for scaling your images. Therefore, you can quickly locate the images slowing down your page speed.

3. Broken Link Checker

Broken links on your site disrupt the user experience. When visitors land on a 404 page, they don’t get to engage with the intended content. As a result, visitors may leave your site altogether. Adam Heitzman, co-founder and managing partner at HigherVisibility, agrees.

“The big issue with this is that broken links hinder the user experience for anyone browsing your website. In fact, too many broken links can even hinder the linking site’s SEO.”

There’s a plugin to help you monitor your WordPress website for broken links. The Broken Link Checker scans your site, notifies you of broken links, and makes suggestions for fixing those links. You can even fix broken links within the tool using the filterable link list. You’ll save time maintaining your site.

4. Provide Support Live Chat

Customers want quality service when shopping for products. Your customers also want answers to their most pressing questions so that they can make better purchasing decisions.

For your online business, live chat offers an opportunity for your team to talk directly to customers. You can answer their questions in real-time and direct them to the best product options. It also serves as a tool to build customer relationships.

You can easily add live chat to your website with the Provide Support Live Chat plugin. This tool provides your customers with instant assistance via live chat. You’ll also receive customer messages when your team is offline. Choose from the embedded chat window or classic popup chat window based on your visitors’ preferences.

5. Everest Forms

Collecting leads for your business is essential to communicating with interested buyers. To gather pertinent information from leads, you will need an online form. Ellen Gregory, a contributor to CloudApp, explains:

“Just like your favorite site, a UX form should be easy to use, deliver the information a visitor needs, help them to make an informed decision, and provide a solution for a specific challenge or concern. If not-so user-friendly forms are resulting in high bounce rates, then it’s time to go back to the drawing board.”

With Everest Forms, you can create any kind of form, from lead generation forms to contact forms. The drag-and-drop feature makes it easy to control and sort your desired fields. Also, the WordPress plugin supports single and multiple-column forms.

6. Apex Notification Bar

As your small business attracts more traffic, you’ll probably want to experiment with different ways to communicate with your visitors. Maybe you want to announce a new promotion or inform people about the upcoming launch of your new ebook.

You can grab the attention of your visitors by adding a notification bar to your website. With the Apex Notification Bar, you can quickly notify visitors of your message and encourage them to take action. For example, you can add a countdown notification bar for a product sale.

This premium plugin comes with 15 pre-made templates to customize with your site. You can add a custom icon, email subscription form, contact popup, Twitter feed, or search form. It also integrates with Constant Contact.

7. Smart Product Viewer

A better website experience can earn your small business more revenue. By showcasing your products in a unique way, your brand can influence customers to purchase.

The Smart Product Viewer is an animation tool for highlighting your products. The plugin allows a customer to see your product with a full 360° spin view. It’s customizable with 64 navigation styles and color combinations.

Boost Your User Experience with WordPress UX Plugins

Your website is a powerful tool to capture the attention of your visitors. Keep people engaged by offering a superb user experience. With these WordPress plugins, you’ll be one step closer to improving your site.

Find the post on the HostGator Blog

RPKI and the RTR protocol

CloudFlare Blog -

Today’s Internet requires stronger protection within its core routing system and, as we have already said, it's high time to stop BGP route leaks and hijacks by deploying operationally-excellent RPKI!

Luckily, over the last year or more, a lot of good work has happened in this arena. If you’ve been following the growth of RPKI’s validation data, then you’ll know that more and more networks are signing their routes and creating ROAs, or Route Origin Authorizations. These are cryptographically-signed assertions of the validity of an announced IP block and contribute to the further securing of the global routing table that makes for a safer Internet.

The protocol that we have not written much about is RTR: the Resource Public Key Infrastructure (RPKI) to Router Protocol, or RTR Protocol for short. Today we’re fixing that.

RPKI rewind

We have written a few times about RPKI. We have written about how Cloudflare both signs its announced routes and filters its routing inbound from other networks (both transits and peers) using RPKI data. We also added our efforts in the open-source software space with the release of the Cloudflare RPKI Toolkit.

The primary part of the RPKI (Resource Public Key Infrastructure) system is a cryptographically-signed database which is read and processed by an RPKI validator. The validator works with the published ROAs to build a list of validated routes. A ROA consists of an IP address block plus an ASN (Autonomous System Number) that together define who can announce which IP block.

After that step, it is then the job of that validator (or some associated software module) to communicate its list of valid routes to an Internet router. That’s where the RTR protocol (the RPKI to Router Protocol) comes in. Its job is to communicate between the validator and the device in charge of allowing or rejecting routes in its table.

RTR

The IETF defines the RTR protocol in RFC 8210. This blog post focuses on version 1 and ignores previous versions.

“In order to verifiably validate the origin Autonomous Systems and Autonomous System Paths of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC 6480) prefix origin data and router keys from a trusted cache. This document describes a protocol to deliver them. This document describes version 1 of the RPKI-Router protocol.”

The Internet’s routers are, to put it bluntly, not the best place to run a routing table’s cryptographic processing. The RTR protocol allows the heavy lifting to be done outside of the valuable processing modules that routers have. RTR is a very lightweight protocol with a low memory footprint. The router simply decides yay-or-nay when a route is received (called “announce” in BGP speak) and hence the router never needs to touch the complex cryptographic validation algorithms. In many cases, it also provides some isolation from the outside world, where certificates need to be fetched from across the globe and then stored, checked, processed, and databased locally. In many cases the control plane (where RTR communication happens) exists on private or protected networks. Separation is a good thing.

Cloudflare’s open-source software for RPKI validation also includes GoRTR, an implementation of the RTR protocol. As mentioned, in Cloudflare’s operational model, we separate the validation (done with OctoRPKI) from the RTR process.

RTR protocol implementations are also provided in other RPKI validation software packages. In fact, RPKI is unable to filter routes without the final step of running RTR (or something similar, should it exist). Here’s a current list of RPKI software packages that either validate or validate and run RTR.

- Cloudflare RPKI Validator Tools and Libraries (OctoRPKI & GoRTR).
- Dragon Research Labs RPKI Toolkit.
- NIC Mexico and LACNIC FORT project including the FORT validator.
- NLnet Labs Routinator 3000.
- RIPE NCC RPKI Validator version 2 (deprecated).
- RIPE NCC RPKI Validator version 3.
- rpki-client by OpenBSD.

Each of these open source software packages has its own specific database model and operational methods. Because GoRTR reads a somewhat common JSON file format, you can mix and match between different validators and GoRTR’s code.

The RTR protocol

The protocol's core is all about synchronizing a database between a validator and a router. This is done using serial-numbers and session-ids.

It’s kicked off with a router setting up a TCP connection towards a backend RTR server, followed by a series of serial-number exchanges and data record exchanges such that a cache on the validator (or RTR server) can be synced fully with a cache on the router. As mentioned, the lightweight protocol is void of all the cryptographic data that RPKI is built upon and simply deals with the validated routing list, which consists of CIDRs, ASNs and maybe a MaxLength parameter.

Here’s a simple Cisco configuration for enabling RTR on a router:

    router bgp 65001
     rpki server 192.168.1.100
      transport tcp port 8282
     !
    !

The configuration can take additional parameters in order to enable SSH or similar transport options. Other platforms (such as Juniper, Arista, Bird 2.0, etc) have their own specific configuration language.

The RTR protocol supports IPv4 and IPv6 routing information (as you would expect).

Being specified as a lightweight protocol, RTR allows the data to be transferred quickly.
With a session-id created by the RTR cache server plus serial-numbers exchanged between cache servers and routers, there’s the solid ability for route authentication data on the router to be kept fresh with a minimum amount of actual data being transferred. Remember, as we said above, the router has much better things to do with its control plane processor, like running the BGP convergence algorithm, or SRv6, or ISIS, or any of the protocols needed to manage routing tables.

Is RTR a weak link in the RPKI story?

All aspects of RPKI data processing are built around solid cryptographic principles. The five RIRs each hold a root key called a Trust Anchor (TA). Each publishes data fully signed up/down so that every piece of information can be proven to be correct and without tampering. A validator's job is to do that processing and spit out (or store) a list of valid ROAs (Route Origin Authorizations) that are assertions traceable back to a known source. If you want to study this protocol, you can start with RFC6480 and work forward through all the other relevant RFCs (Hint: It’s at least thirty more RFCs from RFC6483 thru RFC8210 and counting).

However, RTR does not carry that trust through to the Internet router. All that complexity (and hence the assertions) is stripped away before a router sees anything. It is 100% up to the network operator to build a reliable and secure path between validator or RTR cache and router so that this lightweight transfer is still trusted.

RTR helps somewhat in this space. It provides more than one way to communicate between cache server and router. The RFC defines various methods to communicate.

- A plain TCP connection (which is clearly insecure). In this case the RFC states: “the cache and routers MUST be on the same trusted and controlled network.”
- A TCP connection with TCP-AO transport.
- A Secure Shell version 2 (SSHv2) transport.
- A TCP connection with TCP MD5 transport (which is already obsoleted by TCP-AO).
- A TCP connection over IPsec transport.
- Transport Layer Security (TLS) transport.

This plethora of options is all well and good; however, there’s no useful implementation of TCP-AO out in the production world and hence (ironically) a lot of early implementations are living with plain-text communications. SSH and TLS are much better options; however, this comes with classic operational problems to solve. For example, in SSH’s case, the RFC states:

“It is assumed that the router and cache have exchanged keys out of band by some reasonably secured means.”

For a TLS connection, there’s also some worthwhile security setup mentioned in the RFC. It starts off as follows:

“Client routers using TLS transport MUST present client-side certificates to authenticate themselves to the cache in order to allow the cache to manage the load by rejecting connections from unauthorized routers.”

Then the RFC continues with enough information to secure the connection fully. If implemented correctly, then security is correctly provided between RTR cache and router such that no MITM attack can take place.

Assuming that these operational issues are handled fully, then the RTR protocol is a perfect protocol for operationally implementing RPKI’s final linkage into the routers.

Testing the RTR protocol and open-source rpki-rtr-client

A modern router software stack can be configured to run RTR against a cache. If you have a test lab (as most modern networks do), then you have all you need to see RPKI route filtering (and the dropping of invalid routes).

However, if you are without a router and want to see RTR in action, Cloudflare has just placed rpki-rtr-client on GitHub.
This software, written in Python, performs the router portion of the RTR protocol and comes with enough debug output that it can also be used to help write new RTR caches, or test existing code bases. The code was written directly from the RFC and then tested against a public RTR cache that Cloudflare operates.

    $ pip3 install netaddr
    ...
    $ git clone https://github.com/cloudflare/rpki-rtr-client.git
    ...
    $ cd rpki-rtr-client
    $

Operating the client is easy (and doubly-so if you use the Cloudflare provided cache).

    $ ./rtr_client.py -h rtr.rpki.cloudflare.com -p 8282
    ...
    ^C
    $

As there is no router (and hence no dropping of invalids), this code simply creates data files for later review. See the README file for more information.

    $ ls -lt data/2020-02
    total 21592
    -rw-r--r-- 1 martin martin 5520676 Feb 16 18:22 2020-02-17-022209.routes.00000365.json
    -rw-r--r-- 1 martin martin 5520676 Feb 16 18:42 2020-02-17-024242.routes.00000838.json
    -rw-r--r-- 1 martin martin     412 Feb 16 19:56 2020-02-17-035645.routes.00000841.json
    -rw-r--r-- 1 martin martin     272 Feb 16 20:16 2020-02-17-041647.routes.00000842.json
    -rw-r--r-- 1 martin martin     643 Feb 16 20:36 2020-02-17-043649.routes.00000843.json
    $

As the RTR protocol communicates and increments its serial-number, the rpki-rtr-client software writes the routing information in a fresh file for later review.

    $ for f in data/2020-02/*.json ; do echo "$f `jq -r '.routes.announce[]|.ip' < $f | wc -l` `jq -r '.routes.withdraw[]|.ip' < $f | wc -l`" ; done
    data/2020-02/2020-02-17-022209.routes.00000365.json 128483 0
    data/2020-02/2020-02-17-024242.routes.00000838.json 128483 0
    data/2020-02/2020-02-17-035645.routes.00000841.json 3 6
    data/2020-02/2020-02-17-041647.routes.00000842.json 5 0
    data/2020-02/2020-02-17-043649.routes.00000843.json 9 5
    $

Valid ROAs are listed as follows:

    $ jq -r '.routes.announce[]|.ip,.asn,.maxlen' data/2020-02/*0838.json | paste - - - | sort -V | head
    1.0.0.0/24      13335   null
    1.1.1.0/24      13335   null
    1.9.0.0/16      4788    24
    1.9.12.0/24     65037   null
    1.9.21.0/24     24514   null
    1.9.23.0/24     65120   null
    1.9.31.0/24     65077   null
    1.9.65.0/24     24514   null
    1.34.0.0/15     3462    24
    1.36.0.0/16     4760    null
    $

The code can also dump the raw binary protocol and then replay that data to debug the protocol.

As the code is on GitHub, any protocol developer can feel free to expand on the code.

Future of RTR protocol

The present RFC defines version 1 of the protocol and it is expected that this lightweight protocol will progress to also include additional functions, but stay lightweight. RPKI is a Route Origin Validation protocol (i.e. mapping an IP route or CIDR to an ASN). It does not provide support for validating the AS-PATH. Neither does it provide any support for IRR databases (which are non-cryptographically-signed routing definitions). Presently IRR data is the primary method used for filtering routing on the global Internet. Today that is done by building massive filter lists within a router's configuration file and not via a lightweight protocol like RTR.

At the present time there’s an IETF proposal for RTR version 2. This is draft work, alongside the ASPA (Autonomous System Provider Authorization) draft work. These draft documents from Alexander Azimov et al. define ASPA, extending the RPKI data structures to handle BGP path information. Version 2 of the RTR protocol should provide the required messaging in order to move ASPA data into the router.

Additionally, RPKI is going to potentially further expand, at some point, from today's singular data type (the ROA object). Just like with the ASPA draft, RTR will need to advance in lock-step. Hopefully the open-source code we have published will help this effort.

Some final thoughts on RTR and RPKI

If RPKI is to become ubiquitous, then RTR support in all BGP speaking Internet routers is going to be required. Vendors need to complete their RTR software delivery and additionally support some of the more secure transport definitions from the RFC. Additionally, should the protocol advance, then timely support for the new version will be needed.

Cloudflare continues to be committed to a secure Internet; so should you also have the same thoughts and you like what you’ve read here or elsewhere on our blog, then please take a look at our jobs page. We have software and network engineering open roles in many of our offices around the world.
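
The synchronization described under "The RTR protocol" and the router's yay-or-nay decision, as an added example that is not code from the Cloudflare post or from rpki-rtr-client: a small Python reader for RTR version 1 prefix PDUs (layout per RFC 8210) that applies announce and withdraw records to a local table. It goes one step past the post by classifying an announcement as RFC 6811 origin validation does. The function names, byte streams, session id, serial numbers and timers are constructed for this example.

```python
import ipaddress
import struct

HEADER = struct.Struct("!BBHI")  # version, PDU type, session id or zero, total length
PREFIX = {4: (4, ipaddress.IPv4Network), 6: (16, ipaddress.IPv6Network)}  # IPv4/IPv6 Prefix PDUs

def apply_response(data, vrps=()):
    """Apply one cache response to a set of (network, maxlen, asn); return (set, session, serial)."""
    vrps, session, serial, off = set(vrps), None, None, 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated PDU header")
        version, kind, field, length = HEADER.unpack_from(data, off)
        if version != 1 or length < HEADER.size or off + length > len(data):
            raise ValueError("bad version or PDU length")
        body = data[off + HEADER.size:off + length]
        if kind == 3:                       # Cache Response: carries the session id
            session = field
        elif kind in PREFIX:                # body: flags, prefix len, max len, zero, prefix, ASN
            size, net_cls = PREFIX[kind]
            if len(body) != size + 8:
                raise ValueError("bad prefix PDU size")
            net = net_cls((body[4:4 + size], body[1]))  # raises ValueError on host bits
            if not net.prefixlen <= body[2] <= net.max_prefixlen:
                raise ValueError("bad max length")
            vrp = (net, body[2], int.from_bytes(body[4 + size:], "big"))
            (vrps.add if body[0] & 1 else vrps.discard)(vrp)  # flag bit 0: announce or withdraw
        elif kind == 7:                     # End of Data: serial the router is now synced to
            if field != session or len(body) != 16:
                raise ValueError("bad End of Data PDU")
            serial = struct.unpack_from("!I", body)[0]
        off += length                       # other PDU types are skipped in this example
    if serial is None:
        raise ValueError("response not terminated by End of Data")
    return vrps, session, serial

def origin_validation(vrps, prefix, origin_asn):  # RFC 6811: 'valid', 'invalid', 'not-found'
    route, covered = ipaddress.ip_network(prefix), False
    for net, maxlen, asn in vrps:
        if net.version == route.version and route.subnet_of(net):
            covered = True
            if asn == origin_asn and route.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "not-found"

def pdu(kind, field, body=b""):             # helpers that build the constructed sample below
    return HEADER.pack(1, kind, field, HEADER.size + len(body)) + body

def prefix_pdu(flags, cidr, maxlen, asn):
    net = ipaddress.ip_network(cidr)
    body = bytes([flags, net.prefixlen, maxlen, 0]) + net.network_address.packed
    return pdu(4 if net.version == 4 else 6, 0, body + struct.pack("!I", asn))

# Constructed sample (session id, serials, timers invented): full sync, then one withdrawal.
FULL = (pdu(3, 0x1234) + prefix_pdu(1, "1.1.1.0/24", 24, 13335)
        + prefix_pdu(1, "1.9.0.0/16", 24, 4788) + prefix_pdu(1, "2001:db8::/32", 48, 64496)
        + pdu(7, 0x1234, struct.pack("!4I", 838, 3600, 600, 7200)))
DELTA = (pdu(3, 0x1234) + prefix_pdu(0, "1.9.0.0/16", 24, 4788)
         + pdu(7, 0x1234, struct.pack("!4I", 841, 3600, 600, 7200)))
```

Nothing in these PDUs is signed, so the table is only as trustworthy as the transport between cache and router; the parser can reject malformed records but cannot detect a forged one.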
