Cheapskate's Guide

Home Contact

How to Create a Family Website

1-16-19



My project for myself last week was to create a family website. Although I'd been considering it for years, I had never gotten around to it. Now that I have, I've found it to be an interesting challenge, both technically and socially. I've found the two biggest issues so far to be usability and security. The development of my own family website is an ongoing process, so I hope to learn even more, and I plan to update this article as I sort out additional issues that come up and find ways to solve them.

There are many reasons you may want to consider creating a website for your own family. You may have become disenchanted with Facebook. You may want more storage than you can get for free from Dropbox. Here are some potential uses for a family website:

These are all methods of creating a closer family. And, I'm still thinking of other methods, and ways of implementing them that are easy for nontechnical family members to use.



The Technical Issues:

I think the vast majority of people who are reading this article will want to pay some company to host their website. There are many articles available on the internet dealing with the details of using Wordpress and other hosting services, so I will not be discussing that here. For those of you who would like to do it yourself, I've already written an extensive article on hosting your own website from home on a Raspberry Pi. Hosting a website on a Raspberry Pi costs next to nothing, and it gives you the ability to control many aspects of your website that would otherwise be beyond your control. But it requires knowledge and a significant outlay of your time. All the details are there for you to read, so there is no need for me to rehash them here. As far as technical issues go, my intent with this article is to only mention additional technical issues associated this particular kind of website, and to discuss (mostly in general terms) how I managed to solve them for my family website. The details of many of the technical issues that I will discuss here will not be important to those of you who decide to pay to host your website on a hosting company's server, because they should provide you with the website templates and software you need. For the rest of you who are doing it yourself on a home server, I will explain as I go the issues I faced and how I overcame them--to the extent that I have.

In general, my approach is to use light, fast code wherever possible and to reduce as much as possible the amount of data that is uploaded and downloaded. I also want to limit my code to PHP code. So far, I have not found it necessary to run any java scripts, which add additional CPU usage, complexity to the server installation, and additional security risk. I also decided to begin my family website by favoring simplicity of design over flashy Facebook-type applications, which is consistent with my previously-mentioned goals. With this in mind, I have implemented the following:

  1. A low-security php password script to separate my family website from the rest of the internet.
  2. A more secure area for file downloads that requires individual user names and passwords, which are implemented using the built-in Lighttpd webserver security features.
  3. A forum that is implemented using a PHP forum script that I wrote.
  4. A method of allowing family members to add their email addresses to an html page using an html form combined with a modified PHP webpage commenting script that I wrote.

I expect to add solutions to the above list as time goes on and the website is used more by family members. If they choose not to use the website, I'll remove it and retain the knowledge that I've gained for other website projects.

There are major security issues associated with each of the above implementations. I'll discuss those in detail in the security section of this article.

I decided to make the more secure file-download area of my website using nothing more than a directory structure that is made available to users by the following additions to the Lighttpd server configuration file, /etc/lighttpd/lighttpd.conf:


   # Make a directory that requires a password to access.
   auth.debug                   = 2
   auth.backend                 = "htdigest"
   auth.backend.htdigest.userfile  = 
                  "/etc/lighttpd/.htpasswd/htpassword_file"
   auth.require          = ( "/file_download_directory" =>
      (
                   "method"  => "digest",
                   "realm"   => "Password protected area",
                   "require" => "user=Bandit"
      ),
   )

   # Allow the internet users to get a directory listing 
   # of /file_download_directory:
   $HTTP["url"] =~ "^/file_download_directory($|/)" {
      dir-listing.activate = "enable"
   }

I've explained in my article on creating a webserver on a Raspberry Pi (link provided above) that all the lines of the lighttpd.conf file shown above that begin with "auth" are used to password protect a directory, so that anyone who wants to access it must enter a user name and password. I've also explained how to set up the encrypted password file that this requires. The next lines, the ones that begin with "$HTTP["url"]", make the password-protected directory (in this case, a directory named "file_download_directory", directly below the server root directory) visible to the user, and also make it possible for the user to open or download any files located there. This approach means that I don't have to implement a PHP download script to enable the user to download files from this directory. This also means one less PHP script is available for a hacker to potentially use to attack the website. An additional benefit to me is that my internet data cap will not be encroached upon by people repeatedly browsing pictures. They will download pictures once, and view them many times without any further data transfer. This solution may not look as great to users as a flashy Facebook type of implementation, but it's simple, its reasonably secure, and it works.

Note that, in order to ensure that user names, passwords, and any data transfered are not visible to the rest of the internet, you need to also turn on SSL/TLS encryption to make this an HTTPS-enabled website and transfer the user to the HTTPS website before he enters his user name and password and enters the password protected directory. I've explained how to do this in my Raspberry Pi website article.



Usability:

If your website is hard to use, no one will use it. I wish more website developers understood this! It would make all of our lives so much easier. You have to develop a website with nontechnical users in mind, even for a family website. This means you have to make any directions and rules-of-use on your website clear. You have to make the website structure simple. And you have to make uncomplicated procedures for using it. You can't have a 10-step method for downloading files!

Unfortunately, the need for security sometimes outweighs the need for simplicity. When this occurs, simple, clear directions, and clear explanations regarding the associated hassle can to some extent ameliorate users' reluctance to deal with security issues.



Security:

Security is a huge issue for a family website. I need to be blunt here, to make it clear what you are up against. Therefore, this section of the article will be rated PG-13 for graphic reality. The fact is that many, if not most, families have family members who are untrustworthy and dishonest. Some families even contain members who are worse, people with whom no one wants to have any contact at all. And I'm not talking about simple snobbery here. I'm talking about self-preservation. So, not only do you have all the problems with internet hackers and thieves, you also have security issues with the members of your own family. I'm assuming here, that at some level, you want to extend your website to as many members of your family as possible, even the dishonest ones and the ones you don't know very well. But, you want members of your family to feel confident and safe while disclosing any personal information about themselves that they choose to disclose. If they're worried about disclosing information, they won't use your website. This necessitates some rules-of-use and a tiered security structure for your website.

You may choose a different security structure than I propose here. If you've found something that works, please let me know by making a comment using the comment form below. I've decide to split my security into three levels:

Before I talk about the levels, let me explain some facts of life about computer and internet security. First, there is no such thing as a secure computer. Period. So, the best security precautions begin with the assumption that your computer and computer network have already been compromised and always will be. Accepting this means not putting anything private on your website in the first place. However, if you must have some private information on your website for people to remain in contact--because that's part of the point of the website--limit it to first names, email addresses, and less-private conversations. You should also monitor the contents that family members put on your website and delete any other private information that they may have unwarily disclosed.

You have to make everyone who uses your website aware of the security risks. Yes, this may deter some of them from using your website. But, this is the only honest way to run a website. Begin doing this by making sure to remind your family members in the text of your webpages not to give out any personal information other than that described above. Explain the security precautions that they need to take and what will happen if they fail to do so.

Now for the levels. Level 1 is an area of your website where all family members (honest and dishonest, with the exception of any dangerous ones, whom you should not invite in) are allowed. This must be separated from the rest of the internet somehow. I accomplished this by doing the following. I mailing a letter (not an email) to all family members for whom I could get home addresses. The letter contained an invitation to the website. The letter also explained the purpose of the website and gave the URL of the website and the password to enter it. There is only one password for everyone to use. It is easy to remember but long enough to provide some minimal separation from the rest of the world on internet. As I alluded to earlier, I'm assuming Level 1 has already been compromised. Level 1 contains our family web forum, autobiographies of family members (which have been screened for undue private content by me), a page for members to upload only their first name and an email address (with appropriate security warnings in the text of the page), and a family news letter. I'm using a PHP password script that I found on the internet for free, to which I added some security features to upgrade its security even more. This is a little dangerous, but remember that I've already assumed that Level 1 has been been and always will be compromised. Even if I had perfect security, Level 1 would be compromised by untrustworthy family members who I have invited to be there. I've also implemented some additional security precautions at Level 1 that I will not describe here. You should do the best you can, even at this level, to screen out as many internet hackers and thieves as you can, even though you are assuming that Level 1 is compromised. After all, 10 hackers with access is less dangerous than 10 million hackers with access.

Level 2 contains a file sharing area where members of the family can download files, including picture files. I decided that the uploading of files using a PHP script was too much of a security risk (to the webserver, not to the information being uploaded). There are so many known security loopholes associated with uploading files with a PHP script that I'm afraid that there must also be many unknown ones as well. And I will not give anyone access through Linux ssh or scp. I've already explained, above, how I set up the file-sharing directory for downloading files. Anyone who wants files uploaded can email them, or by some other means transmit them to me, and I will upload them securely. Yes, this does make the website harder to use, but, in this instance, I felt that the security issues overrode the need for usability. At Level 2, I decided to assign user names and passwords that users cannot change without my help. This prevents them from using easily-crackable passwords, like monkey123, and it also saves me from having to write a most-likely less-than-secure PHP script for them to use to change passwords. I expect at this level that family members will feel comfortable trading information like home addresses and telephone numbers. Any more personal information can be disseminated over the telephone or by US mail.

I have come up with a list of rules for family members to follow at Level 2. The rules are in the file-sharing directory to prevent those who do not have access from seeing them. I don't feel there is a point in possibly insulting people with rules who don't need to follow them. Here is my current list of rules for Level 2:


File-Sharing Area Rules

Your access to this area may be suspended or revoked for any of the following reasons:

  1. Sharing your user name and password with anyone who uses them to break a rule.
  2. Posting someone else's personal information without getting their approval first.
  3. Using anyone else's personal information in any way that they consider to be intimidating or abusive. This may include but is not limited to:

If these seem like rules that a security Nazi would come up with, remember that they are for the protection of your family members. Needless to say, members of my family who I already know won't follow the above rules will not be granted access to Level 2.

Level 3 is for more highly sensitive information, which might include things like birth dates or copies of passports. I can't see a need for this right now. But if it should ever occur, this will involve encrypting the relevant files using secure encryption software before uploading them to the file-sharing directory.



Summary:

My goal was to design a website where family members can enjoy more contact with each other, while still feeling secure about trading the minimal contact information that is required for that purpose. This requires careful attention to website security concerns, and some diplomacy. I think the three-tiered security approach that I've designed will fulfill that purpose. That's all I have to say for now. If you see something I've missed, please use the comment form below to make me aware of it. Thanks.



Related Articles:

There's no Such Thing as a Secure Computer--How to be Relatively Secure

What I Learned about the Internet by Creating My Own Website

Why I am Dropping Namecheap and am Seriously Considering Dropping Gmail

BabbleWeb : A Free Website Visitors Comment Script

bwfForum : A Free Website Forum Script

Comments


Required Fields *

*Name:

*Comment:
Comments Powered by Babbleweb

Copyright © 2018-2019 The Cheapskate's Guide to Computers and the Internet. All rights reserved.