Scholarly Technology Group

by Christian Aldridge, Web Developer for Libraries & Academic Innovation

If you’re patching your Drupal installation regularly (core and module updates), you’re halfway there.

An important disclaimer: I’m not addressing the server environment (LAMP stack) in this post, which is critical to security. If you’re using a hosting service, be sure to check on their security policies and make sure they’re updating your server.

Part 1: Secure Your Connection

Make sure you’re configured to pass login and form submissions over a secure connection. If you’re using a hosted service, check their options for adding a certificate to your site: on some services (like Dreamhost) it’s as simple as checking some boxes.

In a future post I’ll address adding certificates to your site in detail (configuring Apache and generating certificates) so you can run connections securely over https using SSL (Secure Sockets Layer).

If your site accepts both http and https requests (instead of routing all requests over https), I recommend the Secure Login module (https://www.drupal.org/project/securelogin). This will let you force login requests and form submissions over https. Why is this important? If you don’t use a secure connection for logins or forms, all the submitted information (including passwords) is sent using clear text (unencrypted plain text) and can be intercepted.

These are the settings I tend to use, which include forcing forms of any kind to submit over a secure connection:

Screenshot: Secure Login module admin settings

Note: if you’re using the Drupal login block on a page and you’re using Secure Login, that page will load over https. By default new Drupal 7 installations include the login block on the home page.

A last point on securing your site: it’s good for SEO! Google ranks secure sites higher, so you can check off another box on your Search Engine Optimization to-do list.

Part 2: Accessible Spam Protection

On my sites I use the aptly-named Honeypot module (https://www.drupal.org/project/honeypot), a simple and effective way to catch spam in forms (comments, contact forms, anything that allows an anonymous user to submit something). I prefer Honeypot over Captcha because (a) it’s invisible to the user and (b) it meets accessibility requirements.

Comment sections tend to be hit the most on the Drupal sites I’ve built, and with Honeypot I’ve reduced spam to very manageable crumbs. If new comments from anonymous users are set to require approval (which I highly recommend), this will keep your site “spam free” on the user side and limit the spammed comments to a trickle that is easily deleted.

Once you install the module, you can adjust the settings from the configuration page:

Screenshot: Honeypot module admin settings

I’d start with the default settings and then adjust from there if anything is getting through. I recommend starting with the time limit setting first, then tinkering with the element name if spam is still managing to get through. And remember to check the logs!
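To make the two settings above concrete, here is an added illustrative check written in Python (not the Honeypot module’s own PHP code): a hidden element that a human never fills in, plus a minimum time between rendering and submission, with the render timestamp HMAC-signed so a bot can’t just submit a backdated value. The secret, field names and 5-second limit are constructed for the example.

```python
"""Illustrative honeypot + time-limit validation for an anonymous web form.

Constructed example, not the Drupal Honeypot module's implementation. It shows
the two defences the module's settings expose: a CSS-hidden "element" that
humans leave empty, and a minimum time between form render and submit. The
render time is HMAC-signed so a bot cannot forge or backdate it.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # per-site secret; load from config in real code
ELEMENT_NAME = "url"                 # hidden field name (the module lets you change this)
TIME_LIMIT = 5                       # seconds; tune upward if spam still gets through


def render_fields(now: int) -> dict:
    """Fields the server injects into the form: empty honeypot + signed render time."""
    sig = hmac.new(SECRET, str(now).encode(), hashlib.sha256).hexdigest()
    return {ELEMENT_NAME: "", "honeypot_time": f"{now}|{sig}"}


def check_submission(fields: dict, now: int) -> tuple[bool, str]:
    """Return (accepted, reason); any honeypot or timing failure rejects the post."""
    if fields.get(ELEMENT_NAME, ""):
        return False, "honeypot field filled"      # hidden to humans, bots fill it
    token = fields.get("honeypot_time", "")
    ts, _, sig = token.partition("|")
    if not ts.isdigit():
        return False, "missing time token"
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "tampered time token"        # forged or backdated timestamp
    if now - int(ts) < TIME_LIMIT:
        return False, "submitted too fast"         # faster than a human could type
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                             # constructed render time
    form = render_fields(t0)
    print("human after 12s:", check_submission(form, t0 + 12))
    bot = dict(form, **{ELEMENT_NAME: "http://spam.example"})
    print("bot, field filled:", check_submission(bot, t0 + 12))
```

Rejected submissions are worth logging with the reason, which is the "check the logs" step when tuning the time limit and element name.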

These two easy steps will help make your Drupal site both more secure and less of a headache.

by Dan Kerchner

This past spring, four of us here at GW Libraries had the privilege of attending the 2016 Code4Lib conference, featuring a wide variety of talks and discussions relevant to anyone interested in technology in libraries, archives, and museums.

The closing keynote was given by Gabriel Weinberg, the CEO and Founder of DuckDuckGo. If you're not familiar with DuckDuckGo, it's a search engine committed to not tracking you.

Tracking Your Searches: Good and Bad

When you search using Google or other engines that track you, there's the obvious privacy issue around the company recording all of your searches, but there's another aspect (let's refrain from judging it for the moment), which is that it affects the results of your search. Sometimes you may actually want that, but sometimes you don't. But let's first see when and why this happens.

You and I May Get Different Search Results

I'm going to use Google as an example, but this could apply to Bing, Yahoo, and other popular search engines as well.

Search engines that track you incorporate several factors into determining which results you see.  If you're logged in to Google and haven't turned off the personalization settings, to the extent they can be turned off, then Google bases your results, and their rankings, on your previous searches (and possibly other information it knows about you from terms in your email, etc.) to try to present you with results it thinks you're likely to want and to click on.  Other factors it takes into account include your location based on your IP address.

When you're hungry and want to quickly find something to eat nearby that you might like, you might want results that are localized and perhaps even take into account what it knows about your preferences. But when you're doing research for a paper, you may simply want the most objective, consistent search results possible.

Here's an example: A Google search on "Obama" yielded slightly different results when I was not logged in to a Google account, versus when I was logged in to my (personal) Google account. The top news links were different: NBC, BBC, ABC, versus NBC, CBS, BBC; and a New York Times link was ranked considerably higher when not logged in, versus logged in:

One result of personalized results is the phenomenon referred to as the "filter bubble," a concept coined by Eli Pariser in his 2011 book. A filter bubble means that you're presented with results that tend to further reinforce your existing preferences, beliefs, and opinions. There is some controversy around the extent of the effects of this, but it has been a topic more in the forefront lately, particularly when it comes to social media and how platforms such as Facebook and Twitter determine which news items to prioritize in your feed.

Privacy, Tracking, Personalization and Other Search Engine "Features"

Let's check Wikipedia to get a rough sense of which search engines employ tracking, share information with third parties, and which don't:

From https://en.wikipedia.org/wiki/Comparison_of_web_search_engines#Digital_rights as of June 30, 2016:

Is the knowledge that your information might be shared with third parties, and that the search engine might be at least attempting to modify your browser settings ("browser hijacking"), worth the tradeoff of the benefits you derive from using those search engines? That's a personal choice, but it might be worth your while to try out a variety of search engines, paying attention to which track you and which don't.

Can't I just use Incognito Mode?

Incognito Mode seems to be somewhat misunderstood by many people. Incognito Mode is a browser feature that refrains from saving your browsing history and cookies in the browser itself, but if you're logged in to Yahoo, Google, etc. within the incognito-mode window, they're still saving your searches on their side, and results may still incorporate your location and/or IP address.

Trackless Search Engines

One solution to concerns about privacy and objectivity is to consider using a search engine which doesn't track you.  One of these is DuckDuckGo, which we mentioned earlier.

Libraries and Privacy

GW Libraries follow in the long-held library tradition of respecting and protecting patrons' privacy as well as providing objective search results when you use our research tools:

  • We won't share your circulation records or records of the electronic materials that you accessed.

  • We don't track you! When you search through the library web search interfaces, you will get the same results as anyone else in the GW Community, and the GW search engine is not tracking or saving anything about you. We wrote it, and the code that runs it is open source, so you can see it for yourself on GitHub!

  • And last but not least, you won't get advertisements!

The only factor that can change your search results is whether you're using the GW Libraries search interface from an on- or off-campus IP address.  This is because some of the resources, usually resources that GW pays to provide, are available to you as a member of the GW community, but not to the general public.

We do anonymously log search queries that come through the "All" tab (fondly known as the "Bento" search). The queries are anonymous; they are not associated with any user or even an IP address. We use these to better learn what our users are searching for, particularly the most popular searches, and we use what we learn to improve the research tools we provide.

Here's an example of a view that we as GW Libraries staff can see.  Note that there's no information about who submitted each search: