Topic: Service Updates

Spectre and Meltdown CPU Vulnerabilities: What are they?

This week, we learned that billions of the microprocessors (CPUs) in existence today contain a flaw that could allow data and instructions to be monitored by an outside listener, as they are being processed. Affected CPUs are found in hardware devices ranging from smart phones, to PCs, to cloud infrastructures the size of a datacenter. The vulnerabilities are called Spectre and Meltdown, due to how each interacts with the CPU.

In plain English, for affected devices, a programmer (an attacker) could write a program that eavesdrops on a device as it processes data. Once uploaded to a device, it could listen in on the data and transmit it back to the attacker.

Unlike malware, which typically is unknowingly installed during an active user’s session, the Spectre and Meltdown vulnerabilities occur separate from the active user’s session, literally sampling and listening in on the data outside of the virtual programming space. Compare it to wiretapping, but at the bridge point between a CPU’s hardware and how it manages instructions.

The vulnerabilities take place in a way that would never be visible to the data owner or any portion of the programming space handling the data. Because the vulnerabilities exist at the hardware level, operating systems, which run firewall, security, and anti-virus services, would have no ability to prevent such intrusions.

If loaded onto your smartphone, consider that emails, messages, photographs — pretty much all of the data on your device — could theoretically be monitored without you or your phone’s operating system having any clue it was occurring. Now imagine it on a larger scale, such as with a cloud hosting service. With these vulnerabilities, customer data could be obtained, passwords and credit card information copied, and entire social media accounts compromised, all without a hint of anything awry. That’s what is so alarming.

And that leads me to a point regarding our stance on cloud hosting. Cloud has its use, but unless you’re looking at uncontrollable scalability concerns, in our opinion, the risks outweigh benefits. Since its advent, cloud hosting has concerned us due to the level of integration and reliance that both data and hardware share with one another. Your business might be located in Oregon, but your data could also be stored in New York, or Sweden, or Thailand, or all four places, wherever the cloud determined your data should be stored. And, your data neighbors in each of those places could be up to no good. Should there be a lapse in security, as with Spectre and Meltdown, the keys to the entire kingdom could effectively be handed over, all of your data obtained, and no way to know of or prove it.

And now, those concerns are a reality. Cloud computing takes advantage of pooled computer resources that are shared between users (tenants). With these vulnerabilities, one of those tenants could be an attacker, and simply implement their programs throughout cloud platforms, each snooping on countless other customers’ data. In several industry articles we’ve read, cloud hosting has been noted as the platform of greatest concern.

As a customer of Canvas Host, what we want you to know is that while we are concerned about the potential impacts of these vulnerabilities, at this time we are confident your data is safe. None of your data is hosted in a cloud environment, and we carefully vet all customers in our network. Though we cannot guarantee your data is entirely safe from these vulnerabilities, through our business operations we have already taken many steps to protect you.

Patches for the vulnerability are already being finalized and released for most active operating systems. It has been noted that at least initially, the patches may cause as much as a 30% slow-down in CPU performance. This could considerably impact all data processing services, including hosting provider platforms like those we use.

We are actively monitoring our software vendors’ communications and are awaiting release of the patches. We will thoroughly test them before rolling them out to all of our hosting platforms, and will be communicating directly with all of our dedicated customers to arrange for times when the patches can be rolled out to those systems, as well.

If you have any questions or concerns, please contact us and we’ll be happy to address them as best we can.

Thank you,

David Anderson, Owner

Sources:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://meltdownattack.com/#faq-why-spectre

Spectre and Meltdown logo credits:

Natascha Eibl, Graz University of Technology


Canvas Host selected as a 2017 Best for the World B Corporation

FOR IMMEDIATE RELEASE

September 12, 2017

Portland, Oregon — Canvas Host has been selected from among its B Corporation peers as a 2017 Best for the World honoree, as a Service Provider with Minor Environmental Footprint for the Long Term.

Certified B Corporations were evaluated and selected based on areas of impact, including: Best For Workers, Best For Community, Best For Customers, Best For The Environment, Best For The Long Term, and Best For The World: Changemakers.

A total of 846 businesses across 52 industries from 48 countries were recognized on the full list:
https://bthechange.com/the-2017-best-for-the-world-honorees-9412ab4a64f0

“We’re thrilled to have been selected as a Best for the World company”, said David Anderson, owner. “We intentionally operate our company to bring benefit to our team, our customers, our community, and the environment. B Corporation values are in our company’s blood. We can’t imagine doing business any other way. It’s such a huge honor to have made this list, and we intend to answer the challenge to continually impact our world in a positive way, for the Long Term.”

Canvas Host recently renewed its certification through B Lab, the nonprofit certifying body for all B Corporations, and entered its eighth year as a B Corporation with its highest-ever B Impact score of 117 points. The measure evaluates a B Corporation on its impact with respect to Environment, Workers, Customers, Community, and Governance.

Full details of the B Impact score may be read on Canvas Host’s profile on the B Corporation website, at:
https://www.bcorporation.net/community/canvas-host

About Canvas Host

A sustainable web hosting provider based in Portland, Oregon, Canvas Host provides comprehensive web hosting, domain registration, email, e-commerce and dedicated hosting services. An Oregon Benefit Company and certified B Corporation, the company operates on triple bottom line principles of people, planet, and then profit, giving back to the community through partnerships with local non-profits and organizations, organizing monthly educational networking with Green Drinks, planting trees through Friends of Trees, and offsetting not only its energy consumption, but also 15 Portland-area homes with clean, renewable wind energy through Bonneville Environmental Foundation.

For information on Canvas Host’s services, please contact the Sales team at sales@canvashost.com, or by calling 877.HOST.503 x1.

***


Canvas Host Acquires England-based Web Hosting UK

FOR IMMEDIATE RELEASE

July 27, 2017

Portland, Oregon – Canvas Host, a Portland web hosting provider, acquired Web Hosting UK on June 13, 2017. Financial details were not disclosed. With approximately 600 customers and 1,100 domain names, the acquisition is among the largest for Canvas Host.

Jonathan Munn, owner of Web Hosting UK, said in a release to his company’s customers, “I chose Canvas Host due to the way they treat their customers and their values. I did not want to send my customers to a company that was orientated more towards the bottom line, but someone who was going to be there to help customers and offer bespoke packages. I would also add that I chose Canvas Host due to the technology they deploy and also the fact they offer the client base more than I could ever offer them. Finally, the fact that Canvas Host is a UK/US split company, will be helpful for our UK customers in adjusting to a new host.”

David Anderson, Owner of Canvas Host, added, “When we first spoke with Jonathan, we were excited about the prospect of expanding our hosting footprint ‘across the pond’. Though we have for years maintained a UK presence through our close colleague, Tom Craig, the majority of our customers are based in North America. We foresee many opportunities with this new family of clients entering our network, in terms of expanding our UK operations and brand presence, as well as shifting our mindsets ever-more global.”

For information on Canvas Host’s services, please contact the Sales team at sales@canvashost.com, or by calling 503.914.1118 x1.

***


Keeping Your WordPress Website Updated and Automatic Updates

The reality of the world wide web (the Internet) is that there have always been hackers and there will always be hackers. If you own a website, the responsibility for its security is shared between the website owner and the website hosting provider. At Canvas Host, we implement many lines of defense against hacking to keep our servers secure, but that is only half the battle.

If website code is poorly written or not kept up-to-date by the website’s owner, it is still vulnerable to hacking. This is why we ask customers to do their part to keep their website secure. To this end, we offer this article to help educate you about the importance of keeping your WordPress code updated, and some of the ways we can help facilitate or even automate that process for you.

The nuts and bolts of this post:

  • Who: You (or you have us do it for you)
  • What: Get your WordPress updated
  • When: NOW
  • Where: Installatron / cPanel
  • Why: To prevent your website from getting hacked and to prevent the rest of the websites on the server with you from getting hacked

You need to get your WordPress website updated NOW with Installatron/cPanel for two main reasons: first, to prevent your website from getting hacked and second, to prevent the rest of the websites on the server with you from getting hacked.

Let’s begin by stating that if none of this interests you, but you do acknowledge the necessity of having your website be secure, Canvas Host can look at your hosting package and provide a quote as to the feasibility and cost to enroll your website(s) with Installatron. Please be aware that your website may not easily import with Installatron (because of modifications to WordPress or permissions from a previous web host) so any quote for the work is based on the assumption that the import and configuration is standard and you will be notified if that is not the case.

Email to Request a Quote for Automatic Updates

FOR THE DO-IT-YOURSELF-ER

For those of you who have been keeping your WordPress website updated on your own, you are probably aware that there are three components of your website that require regular/semi-regular updating:

  1. The plugins;
  2. The theme(s); and,
  3. The WordPress framework itself.

It is my preference that if running updates manually, they are done in a specific order: Plugins, Themes, and WordPress. There is a whole discussion to be had about the reasons for this, but we will leave that for another time.

The first question to be asked is this: Is your website already managed by Installatron?

If you don’t know the answer to this question, you need to log in to your hosting account cPanel and go to the cPanel Section called Software. The Installatron Applications Installer link will be in this section.

Finding Installatron in Canvas Host cPanel

If you see your website homepage next to a panel with your website details, then your website is in Installatron. If not, then your website needs to be imported into Installatron. Continue with the next part of this tutorial if your website is not in Installatron, or skip down further if your website is already in Installatron.

What if my WordPress website is not in Installatron?

If you have gone to cPanel and discovered your website is not in Installatron, you can set up automatic updates after importing the website into Installatron. At this point you should be in your hosting cPanel and you should have selected the Installatron Applications Installer. Since your website is not in Installatron, you will be directed to the Installatron page where you can search for applications. Here you will scroll down and select the WordPress icon/option.

Selecting the WordPress option in the Canvas Host Installation software

On the next screen you will select the option underneath the Install this application drop down (import existing install).

Importing an existing WordPress install at Canvas Host with Installatron

On the next page you will select the continue option in the “From this account” section.

Importing from your website hosting account with Canvas Host's cPanel

Next, you will select the domain and directory (if there is one) that you would like to import and push the import option. Your WordPress website should begin to import.

Setting the domain and directory when importing a WordPress website into Installatron

Now you can continue to the next step.

What if my WordPress website IS already in Installatron?

At this point we assume you are already logged in to cPanel and have clicked inside of the Installatron Applications Installer. Next you should identify which WordPress website (you may have more than one) for which you want to configure automatic updates.

A screenshot of a website that has been imported to Installatron with Canvas Host

Check the checkbox next to the website you want to configure for automatic updates. Then select the wrench icon or push the edit option.

Screenshot showing the edit option for Installatron's automatic website updates

An overview of your Installatron settings for this website will load. Slide down on the page and configure the options that work for you. A good set of options is to select the following:

  • Automatic Update (Update to any new version.)
  • WordPress Plugin Automatic Update (Update WordPress plugins as new versions become available.)
  • WordPress Theme Automatic Update (Update WordPress themes as new versions become available.)
  • Automatic Update Backup (Create a backup and automatically restore the backup if the update fails.)
  • Email Notification (Send all email notifications for the installed application.). This should generate an email to whatever email address you originally had on file with Canvas Host.

Some automatic update settings for Canvas Host

Scroll to the bottom of the page and make sure to press Save All in order to update your settings.

Automatic Backup Settings Screenshot for Canvas Host, cPanel, WordPress, and Installatron

Some considerations:

  • If you have premium themes or plugins that require an update key or purchase, Installatron will not be able to run updates.
  • If updates break your website, Installatron should restore to a backup and (if you asked for email notifications) provide you with a message that there was an issue.
  • Canvas Host cannot guarantee the software provided by Installatron; however, it was tested prior to this blog posting and has worked to keep several websites updated with no issues.
  • Any customization you or your web developer may have done to your website might render different results.

We encourage you to attempt to go through this process with any WordPress websites you have hosted at Canvas Host. If you would like us to go through the steps for you, that is something our IT and Web Development Staff can handle.

We hope this article helps you better understand the importance of keeping your code updated, how it can be done within Canvas Host’s environment, and how our staff can help you if needed. Please contact us with any questions about this article, or our WordPress updating and design services.


Converting a non-SSL Website to SSL

There are two kinds of websites on the Internet: Those that use SSL, and those that do not. When accessing a website protected by SSL, your browser’s address bar may turn a green color, or a golden or green padlock icon may appear next to the start of the website URL in that address bar.

If the website is accessed at https://, but the SSL certificate is incorrectly configured, or more commonly, the website is not entirely encrypted because it is trying to serve files not protected under SSL, your browser will show you a popup alert informing you of this error. Websites serving errors to visitors can cause confusion or a breakdown in trust with the user, and potentially lead to lost sales and traffic. So, it is vital to ensure your website is correctly configured for use with SSL.

If you have just installed SSL on your hosting account, there are additional steps you will still need to take to ensure the site functions properly with SSL.

The following steps assume you are using WordPress, the most widely used application framework in our network. (Similar steps are required for other frameworks, such as Joomla, Drupal, and Magento, but are not addressed in the scope of this article.)

1. Change the main links within your application framework to reference “https://”

Log into your website’s administration panel. In WordPress, navigate to Settings -> General, and note the following:

WordPress Address (URL)
Site Address (URL)

Change these values to ensure the full URL in each contains https:// and not simply http://.

Optionally, if you are more of a database administrator type of person, you can log into the MySQL database for this WordPress installation using phpMyAdmin within cPanel, and navigate to the “homeurl” and “siteurl” variable values in WordPress’s wp_options table, ensuring the link for both variables begins with “https://”.

2. Force SSL requests with a .htaccess file

The .htaccess file lives in the document root of your website. In cPanel, this directory is /public_html/. The file may not appear when using an SFTP program or when accessing File Manager through cPanel, so be sure that “show hidden files” is set in your application.

To force SSL requests throughout your website, include the following rules in your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

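The rules above take the host name from the request through %{HTTP_HOST}. If your copy of the rules contains “www.example.com” instead, make sure that it is replaced with your actual domain name.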

3. Verify images and included files are called with https://, or an absolute file path for the URL

Though the first two steps should adequately ensure that file and resource requests for your website are served securely, we have found many cases where a “hard-coded” link, such as an IMG tag with a SRC parameter requesting a file beginning with “http://”, can be all it takes to make a page fail to fully load in SSL and therefore result in a popup error.

A good example of this would be a WordPress blog post or page with an included file. Images placed using the WordPress Media Library will by default be written out as a complete URL, meaning the IMG tag will show http:// or https:// as part of the included file’s URL.

For this reason, we recommend that you search for and replace all references to included files throughout your website, so none request http://. One plugin that achieves this at the database level is simply named, “Search & Replace”, and can be downloaded here:

https://wordpress.org/plugins/search-and-replace/

Even then, we suggest a manual review of all prominent pages or blog posts of your website, to ensure the links have been altered.

If performing this manually, you can simply change the IMG SRC value and strip out the entire protocol and URL, leaving just the file structure. For example, instead of a tag like this:

<img src="http://www.canvashost.com/path-to-the-included-file-or-image.jpg" alt="" />

You could change the reference to:

<img src="/path-to-the-included-file-or-image.jpg" alt="" />

When modifying links in this way, the browser automatically understands that whatever website address you are at (in this case, on our website, at https://www.canvashost.com), should be used to pre-pend that link, so the browser will understand the IMG tag to effectively read:

<img src="https://www.canvashost.com/path-to-the-included-file-or-image.jpg" alt="" />

This is a bit of a hack, but useful if you ever plan on changing the primary domain of your website, or wanting to reference the website through additional domain names that have been aliased/parked on the account, as the absolute file path will still be valid for each of those requests.

4. Verifying your website theme uses either SSL or absolute file path

This may present the trickiest aspect of website cleanup. Your website theme (or template) contains file path callouts to images, stylesheets, JavaScript files, and other included files, all of which will need to be hard-coded to “https://”, or be stripped down to the absolute file path as demonstrated in step 3.

You can verify the state of your website by first accessing it with a browser at https://(your domain), so your browser is attempting to reach it securely. If you don’t see any errors, you may be all done, as the same theme files will be loaded regardless of which page of the website you access.

If you happen to see a browser error, try viewing the page source. In Firefox and Chrome on a PC, for example, this can be done by pressing Ctrl-U with your keyboard. The actual, served HTML code will be displayed. Once viewing the source code, simply search for references to “http://”, such as “src=’http://”, to see cases where the theme is trying to load files or images with http:// and not https://.

The next step will be to individually log into the theme files and make necessary adjustments, just as done in step 3. Once you’ve completed this cleanup, try loading a fresh copy of the website and go over this until the broken padlock icon disappears from your browser’s address bar. You’re done!
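
The page-source check from steps 3 and 4, as an added example (not code from the original article or from Canvas Host): a Python scanner that goes beyond a plain search for “http://” by reporting only references the browser actually fetches (images, scripts, stylesheets, srcset candidates, CSS url() values) and ignoring ordinary hyperlinks. The names scan, suggest_fix and MixedContentFinder, and the example.com hosts in the constructed sample, are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes the browser fetches while rendering; <a href> hyperlinks are not mixed content.
FETCHED = {"img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
           "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
           "embed": ("src",), "object": ("data",), "input": ("src",)}
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}  # <link> rels that fetch
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, url) for each subresource requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False

    def add(self, tag, url):
        if url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url.strip()))

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        self.in_style = tag == "style"
        for name in FETCHED.get(tag, ()):
            if name == "srcset":  # "url 1x, url 2x": first token of each candidate
                for cand in attrs.get(name, "").split(","):
                    self.add(tag, (cand.split() or [""])[0])
            else:
                self.add(tag, attrs.get(name, ""))
        if tag == "link" and LOADING_RELS & set(attrs.get("rel", "").lower().split()):
            self.add(tag, attrs.get("href", ""))
        for url in CSS_URL.findall(attrs.get("style", "")):  # inline style="..."
            self.add(tag, url)

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        for url in (CSS_URL.findall(data) if self.in_style else ()):  # <style> block
            self.add("style", url)


def suggest_fix(url, site_host):
    """Root-relative path for the site's own files (step 3), else https:// (verify it)."""
    parts = urlsplit(url)
    if parts.hostname == site_host.lower():
        return (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return "https://" + url[len("http://"):]


def scan(html, site_host):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return [(ln, tag, url, suggest_fix(url, site_host)) for ln, tag, url in finder.findings]


# Constructed sample of a page source served at https://www.example.com/
SAMPLE = """<head><link rel="stylesheet" href="http://www.example.com/theme/style.css">
<link rel="canonical" href="http://www.example.com/">
<style>body { background: url('http://www.example.com/bg.png'); }</style></head>
<a href="http://www.example.com/about/">About</a>
<img src="http://www.example.com/uploads/logo.jpg" alt="">
<img src="/uploads/ok.jpg" srcset="http://img.example.org/a.jpg 2x" alt="">"""
if __name__ == "__main__":
    print(*scan(SAMPLE, "www.example.com"), sep="\n")
```

Save a page’s source (Ctrl-U) and pass it to scan() together with your own host name; each result gives the line, the tag, the http:// URL and a suggested replacement.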

5. Canvas Host can help!

If you’re still stuck or simply want some help, Canvas Host is happy to assist. We’ve helped many customers through these steps. Though it is billed work, it costs about $200 to fully ensure a website is protected by and working properly with SSL. If you are interested in learning about our SSL clean service, please contact our Sales team at sales@canvashost.com.