Security and Internet Safety are extremely important for any Website, especially a site that could potentially store highly sensitive information.
Virtually all websites are under some form of attack on a regular basis, usually by relatively harmless "bots" that constantly crawl the Internet seeking easily attacked servers and sites. The exploits they search for are usually well documented and any reasonably competent site operator will ensure that these easy security holes are quickly patched.
The key to industrial strength security is to always be aware of the methods that potential attackers use to attack a site, and take away all of those methods. Our servers do not respond to any requests other than legitimate web requests, so there are no "back door" exploits possible. Every piece of data that goes into or out of our servers is subject to authentication and verification.
Our security plan consists of several layers:
-
Server hardware in a secure location, not accessible to any unauthorized persons.
-
Server software, hardened against attack and regularly tested and updated.
-
Application software, written with verifiable tested security measures.
-
Some obfuscation - things deliberately designed to confuse hackers.
-
Honey pots - fake programs that pretend to be things hackers can attack.
-
Specific permissions for user accounts, and enforcement of user accounts.
-
No critical information - such as credit card numbers - is stored on our servers.
We use design guidelines developed by Security Professionals and distributed through the Open Web Application Security Project, or OWASP. These guidelines contain comprehensive checklists and tests to ensure that Security principles are followed and tested.
Obviously we can't disclose all of our security measures, since that would give potential attackers a place to start. However, we can say that security of data and access were high priorities throughout the entire design cycle of this site and its contents. Because this is our business, we are highly motivated to never have a security incident, never lose customer data, and never cause a customer concern over the security of data they choose to leave with us.
HTTPS Certificate
We use HTTPS certificates for our sites. This means that data is encrypted so nobody between your computer and our servers can see what you're downloading or looking at, and they can't intercept any personal information you send, including your password when you log in. This is indicated by the Lock symbol on your browser.
We also keep track of current and deprecated cipher suites, and which encryption techniques have been cracked or otherwise compromised. We monitor the latest attack methods and vulnerabilities and ensure that known problems are dealt with immediately. For example: SSL2 and SSL3, Heartbleed, Drown, Beast, Poodle, TLS Compression, etc.
The site is designed so that information passed between your computer and our servers is minimal, and does not actually expose any personal information.
We regularly use the "Test Your Server" tool at Qualys SSL Labs to confirm an A-plus rating to ensure correct configuration and complete site security.