On being secure

With all the recent news about the US government collecting and analyzing everything we do online and in our daily lives, we’ve all been looking for ways to increase our privacy.

Today, an article was posted on Hacker News about Google Analytics not being served over https. After reading this, I remembered that I use it and questioned whether or not I should keep it on this blog. Google Analytics has been installed on this blog for years, but today I found it hard to answer exactly why. It provides no real value to me other than satisfying my curiosity.

In the end, I decided to remove it. Not only because it is not served over https, but because the only real parties it benefits are Google and the NSA. My site is not large or popular, but it’s just one less site on the network being tracked through that channel.

I believe, in life, we should lead by example. I believe the web should be secure by default. I believe web servers should only function when using encryption. (Supporting http was a design flaw; https should have been the only option. Even a self-signed certificate is safer than plaintext http.)

To that end, I’ve come up with a short list of simple things we website owners can do in order to hinder attacks or snooping by third parties. I’ll compare my own site against this post and update as I move toward compliance (red means failure):

  1. Serve content only over encrypted connections that provide perfect forward secrecy.
  2. Serve content entirely from web hosts and CDNs under your control.
  3. Encourage others to do the same.

It’s amazing how quickly my view on this has changed. If you had asked me a year ago whether or not it was important to self-host images and scripts used on your site (or whether you should even be hosting your blog yourself versus using a third-party service like Tumblr), I would have answered an emphatic no and provided many reasons why letting a bigger, better player handle that is much better. As a site operator, I want my site to be as fast as possible. As a web user, I want to be as secure as possible. Which is more important?

With the way things are now, it’s worth being a second or two slower to serve knowing that your stuff is your own.
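One way to check a page against item 2 of the list and the plaintext-http concern, as an added example that is not the author's code: it lists the subresources a page loads from hosts you do not control and those fetched over plain http. The hostnames, the sample page and the name `audit_page` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a subresource on load.
SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}
# This example counts <link> only for these rel values (canonical is skipped).
FETCHING_RELS = {"stylesheet", "icon", "preload"}


class ResourceCollector(HTMLParser):
    """Collects every subresource URL the page asks the browser to load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in SRC_TAGS and a.get("src"):
            self.urls.append(a["src"].strip())
        elif tag == "link" and a.get("href"):
            if FETCHING_RELS & set((a.get("rel") or "").lower().split()):
                self.urls.append(a["href"].strip())


def audit_page(html, page_url, own_hosts):
    """Return (third_party, plaintext) lists of absolute subresource URLs."""
    collector = ResourceCollector()
    collector.feed(html)
    third_party, plaintext = [], []
    for raw in collector.urls:
        # urljoin resolves relative and protocol-relative ("//host/x") URLs
        # against the page URL, as the browser would.
        absolute = urljoin(page_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue  # data: URIs and similar are not network fetches
        if parts.hostname not in own_hosts:
            third_party.append(absolute)
        if parts.scheme == "http":
            plaintext.append(absolute)
    return third_party, plaintext


# Constructed sample page (hypothetical hosts), not taken from the blog.
SAMPLE = """<link rel="canonical" href="http://blog.example.com/post/">
<link rel="stylesheet" href="/css/site.css">
<script src="http://analytics.example.net/tracker.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<img src="data:image/gif;base64,R0lGOD">"""
```

Calling `audit_page(SAMPLE, "https://blog.example.com/post/", {"blog.example.com"})` reports the tracker script in both lists and the protocol-relative CDN script as third-party only. Scripts injected by inline JavaScript are not seen by this static check.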

Get Google Analytics to E-Mail You Scheduled Reports

This may not be new to many folks, but I just discovered a neat feature in Google Analytics that lets you set up scheduled, regular reports in several common formats.

This came in handy with a Powerhouse Web Solutions client who wanted to know who was hitting their website, when, and where from, but is not technically savvy enough to navigate the myriad of options found on the full Google Analytics website.

E-Mail Reports Button in Google Analytics
Setting it up is simple.

To get started, simply log into your Google Analytics account and view the stats for the site you’d like to have reports for.

Then, click the E-Mail button as seen in the above screenshot and set your options. I like the idea of the Analytics Overview page being E-Mailed, but if you want one of the drilled-down reports E-Mailed, simply click the E-Mail button while browsing that particular page.

Image of Google Analytics schedule E-Mail form
Tons of options.

You can E-Mail yourself (and CC to other E-Mails) reports on a daily, weekly, monthly, or quarterly basis and they can be generated in the PDF, XML, TSV, and CSV formats.

Normally, I configure Google Analytics to have a separate client user for each website so that they can log in and see their full stats directly. But this works really well in circumstances where the client may not have the time or technical know-how, or where you’ve got to send a report to a higher-up.

What other neat tricks are hidden in Google Analytics? Share them in the comments!