India’s DPDP Act – A Ticking Clock for Indian Businesses

It’s May 14, 2027. Your company experienced a data breach three weeks ago that exposed customer names, phone numbers, and payment details. Your team patched the vulnerability, changed a few passwords, and sent an internal email saying “handled.”

Nobody told the Data Protection Board. Nobody notified the affected customers. There was no formal incident response. Just an internal email, and a hope that nobody noticed.

The Data Protection Board noticed. And now you’re looking at a penalty notice for ₹250 crore, for failing to implement reasonable security safeguards. Another ₹200 crore for not reporting the breach. All because a law that’s been on the horizon for years finally has teeth, and your organization wasn’t ready when it bit. This isn’t a hypothetical designed to scare you. It’s the exact scenario the DPDP Act was designed to address. And May 13, 2027, is the date those consequences switch on.

The Clock Is Already Running

India’s Digital Personal Data Protection Act was passed in August 2023. The operational rules were notified in November 2025. That notification started an 18-month countdown to full enforcement.

We are inside that window right now. May 13, 2027, is the date on which every substantive obligation under the Act becomes simultaneously enforceable: consent mechanisms, privacy notices, breach reporting systems, data retention policies, user rights, and children’s data protection, all of it at once, with no grace period after the deadline.

Here’s the part most businesses haven’t properly absorbed: the 18-month window wasn’t meant for waiting; it was meant for building. The period from November 2025 to May 2027 is intended to be spent creating the systems, controls, contracts, and governance structures that compliance actually requires.

Most enterprises we speak with are treating May 2027 as a start date. That is exactly backwards.

Who Does This Apply To? Almost Everyone

Before some readers convince themselves this doesn’t apply to them, let’s be clear about scope. The DPDP Act applies to any organization, regardless of size or sector, that processes the digital personal data of individuals in India. Personal data is broadly defined and includes names, phone numbers, email addresses, IP addresses, device identifiers, financial data, health information, behavioral data, and cookies.

If you run an e-commerce platform, a fintech app, a healthcare service, an HR system, a SaaS product, a logistics operation, or an edtech platform, you’re in scope. If you’re a B2B company that stores client contacts in a CRM, you’re in scope. If you’re a startup with a few thousand users, you’re in scope. And here’s what catches international businesses off guard: the Act has extraterritorial reach. If you’re a company headquartered outside India but offering goods or services to Indian users, the law applies to you too, much as the GDPR does in Europe. The DPDP Act follows the data, not the geography of whoever holds it. The honest question isn’t “does this apply to us?” For most businesses, it does. The question is what you’re required to do about it, and whether you’ve started.

What the Law Actually Requires

A lot of DPDP “compliance” being done right now is surface-level. A revised privacy policy, a new cookie banner, a legal team sign-off: that’s not compliance, that’s theatre. It will fail the first real audit. Here’s what the Act actually requires, in plain terms.

1) Consent means something. The DPDP Act doesn’t accept the kind of consent most Indian businesses currently collect. Bundled consent (a single checkbox covering multiple purposes) is invalid. Each processing purpose needs its own specific, informed, unambiguous consent. If you collect data for personalization, analytics, and marketing, that’s three separate consents. If you haven’t redesigned your consent flows yet, this alone is a significant piece of work.

2) Privacy notices that are actually readable. Notices must be standalone documents, separate from your terms and conditions, written in plain language, available in English and regional languages, clearly explaining what data you collect, why you collect it, and what rights the user has. Most current privacy policies don’t meet this bar.

3) A 72-hour breach clock. When a data breach occurs, you have 72 hours to notify the Data Protection Board. That is 72 hours to notify, not 72 hours to investigate and then decide whether it’s serious enough to report. It requires an incident response process capable of identifying, assessing, and escalating a breach within hours, not days, and certainly not on “Indian Stretchable Time.” Most Indian organizations lack a tested incident response plan.

4) Real infrastructure for user rights. Individuals can request to see their data, correct it, or have it deleted. They can nominate someone else to exercise those rights on their behalf. You need a process to receive these requests, verify the person, fulfill the request across every internal system that holds their data, and complete the whole thing within 90 days. Building that end-to-end capability is harder than it sounds, especially when data lives across a product database, a CRM, a support system, and three SaaS tools.

5) Vendor contracts that reflect the new reality. Every third party that processes personal data on your behalf, like cloud providers, analytics tools, payment processors, and support platforms, must now carry compliance obligations. Most contracts signed before 2025 don’t include the security clauses required by the DPDP Act. That means reviewing and renegotiating contracts. Not a handful, every processor in your chain.

6) A named grievance officer. A contact point, whether a person or team, must be publicly listed on your website or app before May 2027. Complaints from users must be addressed. This sounds simple. It requires a working complaints process behind it to mean anything.
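Requirement 1 above (one specific consent per purpose, never a bundled checkbox) and the withdrawal channel the draft rules also call for are easiest to see as a data structure. The following is an added example, not code from the original article or from any product; the purpose names, the `ConsentLedger` class and the sample user are constructed for illustration. The ledger is append-only so it doubles as the audit trail a user or the Board could be shown, and the processing gate `is_permitted` consults the latest decision for that exact purpose only.

```python
"""Per-purpose consent ledger (added example, not from the original article).

Models the DPDP point that consent must be collected separately for each
processing purpose and must be withdrawable: a processing check consults the
ledger for that exact purpose, so a single bundled "I agree" cannot unlock
analytics, marketing and personalization at once. Purpose names, the
ConsentLedger class and the sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed list of purposes a hypothetical app might process data for.
KNOWN_PURPOSES = {"personalization", "analytics", "marketing"}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime
    notice_version: str    # which privacy notice the user saw when deciding


@dataclass
class ConsentLedger:
    """Append-only record of consent decisions, one purpose per event."""
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record(self, user_id, purpose, granted, notice_version, at=None):
        if purpose not in KNOWN_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        at = at or datetime.now(timezone.utc)
        self.events.setdefault(user_id, []).append(
            ConsentEvent(purpose, granted, at, notice_version))

    def grant_bundle(self, user_id, purposes, notice_version):
        """Refuse a single decision spanning several purposes: the Act wants
        one specific consent per purpose, not a bundled checkbox."""
        if len(set(purposes)) != 1:
            raise ValueError("bundled consent is not valid; ask per purpose")
        self.record(user_id, purposes[0], True, notice_version)

    def withdraw(self, user_id, purpose, notice_version):
        """Withdrawal is just another event; nothing is deleted from the trail."""
        self.record(user_id, purpose, False, notice_version)

    def is_permitted(self, user_id, purpose):
        """Processing gate: the latest decision for this exact purpose wins.
        Ties on timestamp fall to the later-appended event."""
        latest: Optional[ConsentEvent] = None
        for ev in self.events.get(user_id, []):
            if ev.purpose == purpose and (latest is None or ev.at >= latest.at):
                latest = ev
        return latest is not None and latest.granted

    def audit_trail(self, user_id):
        """What a user or regulator would be shown: every decision, in order."""
        return [(e.at.isoformat(), e.purpose, "granted" if e.granted else "withdrawn")
                for e in sorted(self.events.get(user_id, []), key=lambda e: e.at)]


def bundled_checkbox_rejected():
    """True when a multi-purpose decision is refused by the ledger."""
    try:
        ConsentLedger().grant_bundle("user-1", ["analytics", "marketing"], "notice-v3")
    except ValueError:
        return True
    return False


def demo():
    """Grant two purposes, withdraw one, and report the gate before and after."""
    ledger = ConsentLedger()
    uid = "user-42"  # constructed sample user
    ledger.record(uid, "analytics", True, "notice-v3")
    ledger.record(uid, "marketing", True, "notice-v3")
    # Personalization consent was never asked for, so it stays blocked.
    before = {p: ledger.is_permitted(uid, p) for p in sorted(KNOWN_PURPOSES)}
    ledger.withdraw(uid, "marketing", "notice-v3")
    after = {p: ledger.is_permitted(uid, p) for p in sorted(KNOWN_PURPOSES)}
    return before, after, len(ledger.audit_trail(uid))


if __name__ == "__main__":
    print(demo(), bundled_checkbox_rejected())
```

In a real system the ledger would be persisted and every downstream job (analytics pipeline, marketing sender, recommendation engine) would call the gate for its own purpose before touching the record; the point of the structure is that there is no single flag a bundled checkbox could flip.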

The Penalties And Why the Fine Might Not Be the Worst Part

Let’s look at the numbers, because they matter to the business.

  • ₹250 crore, for failing to implement reasonable security safeguards
  • ₹200 crore, for failing to notify the Board or affected individuals of a breach
  • ₹150 crore, for violations involving children’s data
  • ₹50 crore, for other breaches of Data Fiduciary obligations

These are per-violation figures. A single data breach incident can trigger multiple violations simultaneously: inadequate security, failure to notify individuals, and failure to notify the Board. Cumulative exposure from one incident can exceed ₹650 crore.

But here’s the thing most people miss when they focus on the fines: the Data Protection Board has the authority to order a halt on data processing while an investigation is underway. For a bank, for a payments platform, for any business where data processing isn’t a supporting function but the product itself (and whether that reassures or worries you, it is once again a government body holding the switch, under the banner of democracy), an operational suspension isn’t a fine you can absorb. It’s a threat to the business itself.

The fine you can budget for. The suspension you can’t always survive.

Why “We’ll Sort It Before the Deadline” Doesn’t Work

The organizations that implemented GDPR know exactly how this plays out. The timeline that looks comfortable eighteen months out compresses dramatically once the actual work begins. Data mapping alone, going system by system to understand what personal data you hold, where it lives, who touches it, and why, takes weeks, not days. And you can’t build compliant consent flows, privacy notices, or user rights infrastructure without it. Everything downstream depends on it. Then come the vendor reviews, then the technical implementation of consent management, security hardening and breach notification protocols, then the user rights infrastructure, then testing, validation, staff training, and much more: a complete Plan-Do-Check-Act (PDCA) cycle.

Each of these is a project. They can run in parallel — but they can’t all start in March 2027. Organizations that begin serious implementation work after mid-2026 will be operating under severe time compression. Some won’t make it.

The correct starting point is not a revised privacy policy. It involves appointing a compliance owner with actual authority, mapping your data, assessing your gaps against the specific obligations that apply to your business, and beginning structured implementation in that order.

The Opportunity Nobody Talks About

Here’s the thing about the DPDP Act that doesn’t get said enough. It’s not just a compliance burden; it’s an opportunity to do something your customers will actually notice and value: give them genuine control and transparency over their own data.

The businesses that approach this honestly, building systems that actually work rather than ones that look compliant enough to pass an audit, will emerge from this with something real: more trust. Better data hygiene. Stronger processes. A privacy posture that holds up as regulation tightens globally, because India won’t be the last place to legislate on this.

Those treating it as a box to tick will find themselves scrambling when enforcement begins. And scrambling is expensive, far more expensive than building it right the first time.

Where Does Your Organization Stand?

Some honest questions worth answering, not for anyone else, just for yourself:

  • Do you know exactly what personal data your organization holds, where it lives, and why you have it?
  • Have your consent flows been redesigned for DPDP: separate, specific, purpose-by-purpose consent?
  • Do you have an incident response process capable of moving at 72-hour speed?
  • Have your vendor contracts been reviewed against DPDP requirements?
  • Is there a named person in your organization with the authority and budget to get this done?

If the answers are unclear, that’s your signal. Not to panic, but to start. The deadline is fixed, the work is substantial, and the window is narrowing by the day.

May 13, 2027, is not a target date. It’s a cutoff. The businesses that will be fine on May 14, 2027, are those that started in 2026, not those that haven’t even started scoping the work.

The VPN Dilemma: Balancing Privacy, Security, and Digital Innovation

Hello, I’m new to the community. I’ve been facing issues connecting to 1.1.1.1 with WARP since yesterday. It was working fine before, but the problem started after my ISP performed some maintenance. I suspect the issue might be related to the ISP. Is there any possible solution for this?

When I searched Reddit for answers about why WARP (aka 1.1.1.1) is not working, I found many similar comments, like:
“I believe that ISP has to do something with that because I am getting this issue after ISP maintenance.”

Curiosity led me to search for more articles on Reddit and other platforms, but unfortunately, I found very few, and they contained too little information.

Drawing from my five years of experience working and writing on technological aspects, I delved into understanding the dynamics of blocking services like 1.1.1.1. The reasons often seem to be tied to political and geographical factors, with the most common justification being “national security” and concerns over confidential data.

“I have been using 1.1.1.1 WARP from India, but 1.1.1.1 WARP mode is not working on the Jio network, while the normal private DNS is functioning. Reset network settings: Done. Reboot device: Done. Always-on VPN: Done. Clear cache and storage: Done. Uninstall and reinstall: Done. Reset private keys: Done. Still, WARP mode is not working. What should I do? And what is the reason behind this?”(solution quoted on the community page)
Many more solutions like this have been shared in the community pages, but sadly, nothing works. I am obliged to install another VPN, as I am left with no other option due to the urgency of the work.

Searching for the exact reason behind this, I came across some information that I’m not entirely sure is legitimate but seems relatable—or at least understandable.

One random user explained:
“Basically, the rule in India is that you can operate a VPN as long as you maintain data related to the user, including their name, ID, IP accessing from, and IP accessing to. I think the 1.1.1.1 client actually operated anonymously (because if I remember, you didn’t actually need to log in to use it). iCloud+ Private browsing maintains that information (account-related, etc.) so it should be safe. Similarly, running your own Tailscale cluster and enterprise VPNs are not impacted—for example, Cloudflare for Teams is allowed, and the Cloudflare One Agent app can be downloaded and is still available.”

Another user added:
“Cloudflare stores user data on the Zero Tier corporate plan, which is tied to accounts. The free 1.1.1.1 app did not require an account, hence it was removed. I cannot answer as to why Proton VPN continues to work or has not been removed. I only gave an opinion as to why the free Cloudflare product may have been removed. For what it’s worth, you can set up your own VPN and run it, and as long as you maintain a user login and account history, you can operate a VPN.”

The list of removed VPNs includes other services like Hide.me and PrivadoVPN. Apple, citing a demand from the Indian Cyber Crime Coordination Centre—a division of the Ministry of Home Affairs—stated that these app developers had created software that contravenes Indian law.

On the other hand, several VPN providers have robustly opposed the Indian government’s mandate. When the framework was introduced, prominent developers like NordVPN, ExpressVPN, Surfshark, and ProtonVPN publicly criticized the requirements, with some even indicating plans to remove their server infrastructure from India. For example, Surfshark’s services are no longer purchasable via UPI, a payment method that was available before the rules came into effect. Despite these challenges, NordVPN, ExpressVPN, and Surfshark continue to operate in India, although they have scaled back active promotion of their apps in the country.

The Indian government’s actions against VPN service providers hold even greater significance when considering the country’s position as one of the world’s largest VPN markets, with substantial growth anticipated in the coming years.

In 2023, India’s VPN market generated an impressive $4.166 billion in revenue and is projected to reach $7.681 billion by 2030, growing at a compound annual growth rate (CAGR) of 9.1% from 2024 to 2030. With an estimated 270 million VPN users in 2021, the market remains dominated by a limited number of providers, including Surfshark, NordVPN, ExpressVPN, PureVPN, IPVanish, and others. Despite regulatory challenges, these players continue to cater to a substantial user base in India.

The restriction on VPN services is not unique to a major country like India; several other nations are also engaging in this “banning game” under the guise of national security and data regulations. Countries such as China, Russia, Germany, and Italy have also implemented measures to control or restrict VPN usage, citing similar justifications of safeguarding national interests and ensuring compliance with local laws.

I referenced the community pages’ solutions and inquiries because I haven’t found any direct comment or official report from the Ministry of Home Affairs (MHA), Government of India, regarding these bans. This raises the question: while policymakers, law experts, diplomats, and technocrats may have discussed these bans, similar to the DPDP, why are such policies put out for public comment even after being enforced?


Why is everything being imposed in the name of national security? The challenge is that, while we advocate for encryption and data privacy, we also ask for data storage, suggesting that privacy might, in fact, be a myth. Our devices, always with us, listen even when not in use, reinforcing this paradox.

It’s a social dilemma of the Internet age. On one hand, we promote privacy and encryption, while on the other, innovators are developing AI systems that collect all our information. I’m not arguing that imposing regulations on the majority is wrong, but is there a way to balance technology, innovation, and regulation? This is simply a thought from a technical writer’s perspective.

Feedback on DPDP Rules, by February 18th 2025: IT Ministry

The government has released the draft Digital Personal Data Protection Rules, 2025, aimed at strengthening data privacy. While the rules outline clear guidelines for consent, data retention, and breach notifications, they notably exclude penal provisions. The draft is open for public consultation until February 18, 2025, inviting feedback on its implementation and potential improvements.

On Friday, January 3, 2025, the Union government unveiled the draft Digital Personal Data Protection (DPDP) Rules, 2025, designed to implement the provisions of the Digital Personal Data Protection Act, 2023. Although the Act was enacted more than a year ago, the corresponding enforcement rules have been under development and are now open for public feedback.

The DPDP Act establishes a legal framework to regulate “data fiduciaries”—entities responsible for collecting personal data from “data principals” or individuals—and aims to safeguard this data from misuse while imposing penalties on organizations that breach data protection norms. The DPDP Rules, 2025, represent a significant milestone in building a secure, transparent, and user-focused digital environment.

The proposed rules outline the obligations of data fiduciaries when collecting user data. They require fiduciaries to inform users about the specific data being collected, the purpose of the collection, and provide a clear and detailed explanation enabling users (referred to as “Data Principals”) to give informed and explicit consent for the processing of their personal data.

The draft DPDP Rules are open for public feedback until February 18. According to the Ministry of Electronics and Information Technology (MeitY), submissions will be treated confidentially and will not be disclosed at any stage. Stakeholders can share their inputs through the MyGov portal, where the Ministry is accepting submissions.

Key Highlights:
1. The draft DPDP Rules propose the registration of “consent managers” who will assist data fiduciaries in obtaining user consent in a standardized format. The rules permit the government and its agencies to collect personal data for providing subsidies and benefits, subject to specified standards. Data collected for statistical purposes is exempt from certain restrictions.

2. The rules also mandate the deletion of user data if a service—such as an e-commerce platform, social media, or online gaming—is not used for an extended period, following a 48-hour notice to the user. Data fiduciaries must display the contact details of their data protection officer on their website.

3. The rules require that consent notices be written in clear, plain language and include essential details, such as a list of personal data being collected, to help users make informed decisions about data processing. Data fiduciaries must also provide a communication channel allowing users to withdraw consent or exercise their rights under the Act, such as requesting data erasure.

However, it lacks specificity, as the rules do not require mapping each piece of personal data to its exact purpose. Instead, data must simply be listed separately, leaving room for improvement in clarity and accountability.

4. For Children’s Data, the rules mandate that data fiduciaries adopt appropriate technical and organizational measures to ensure verifiable parental consent before processing any personal data of minors. To achieve this, fiduciaries may rely on voluntarily provided details of identity and age, a virtual token linked to such details issued by authorized entities, or verified details available through services like Digital Locker.

5. The processing of Indian citizens’ data outside the country is subject to future requirements that the government may outline through subsequent orders, ensuring additional regulatory oversight.

6. Users must be notified if their personal data is compromised, ensuring greater transparency and accountability. Data fiduciaries are also required to implement technical and operational safeguards to prevent data breaches, and must make detailed incident disclosures to the Data Protection Board of India (DPBI) within 72 hours of a breach.

7. The Rules establish specific data retention and erasure timelines for large e-commerce platforms, online gaming services, and social media intermediaries. The system must delete user data if the user hasn’t logged in for three years. While this is a significant move toward better data management, the reasoning behind limiting these requirements to these three categories remains unclear.

8. The rules clarify the processes for exercising rights under the Act, ensuring that both Consent Managers and Data Fiduciaries provide clear instructions on how users can exercise these rights on their websites or apps. This is a promising development in enhancing user control over their data. However, the requirement that Consent Managers must be Indian companies raises concerns about balancing accountability with fostering competition, potentially limiting options for users and companies.

In conclusion, the draft DPDP Rules, 2025, represent a significant step in strengthening data privacy and user rights in India. As the IT Ministry invites public feedback, stakeholders have a crucial opportunity to shape the final framework and ensure its effectiveness in safeguarding personal data.

You are under surveillance!

You search for a pair of shoes on a search engine, and suddenly, every ad you see is about shoes. You browse a housing site, and before you know it, your phone is buzzing with calls and messages about properties. You search for a nearby restaurant or explore a business idea, and bam! Your screen is overflowing with ads instead of the information you actually wanted. It feels like a hidden camera is always watching, anticipating your every move, doesn’t it? It’s like having a personal assistant—except you never asked for one! And this assistant? It’s so efficient, it even seems to work ahead of your own thoughts. Welcome to the digital world!

This type of constant surveillance is what we call surveillance capitalism. Big tech companies, let’s say the big four, use this model to turn your data into a resource, treating your searches and interests as their products. Whether you’re intentionally seeking information or just satisfying a passing curiosity, the moment you enter your data, it’s no longer just yours. Even if a website says it’s “encrypted,” that data is feeding their own massive datasets, which they use to craft algorithms that steer your next online experience. Search for anything, and in the background those algorithms are quietly deciding what to show you next.

It’s not just that you’re searching the web—the web is also searching YOU. And while it may seem convenient to have such personalized suggestions, it’s important to realize that this is really about influence. These companies aren’t just catering to your needs; they’re shaping what you’ll do next.

Surveillance capitalism refers to the practice of monetizing data collected by tracking people’s online and real-world behaviors. This type of consumer surveillance is primarily used to tailor marketing and advertising strategies. The term surveillance capitalism was first introduced by John Bellamy Foster and Robert W. McChesney in a July 2014 article in Monthly Review, a socialist magazine based in New York. Their original concept centered on the U.S. military’s surveillance of citizens.

The term surveillance capitalism is more closely associated with the economic theory proposed by Harvard Business School Professor Emerita Shoshana Zuboff in September 2014. It describes the large-scale monetization of individuals’ raw personal data, used to predict and influence their behavior. Surveillance capitalism operates through steps like data collection, prediction, and the creation of behavioral markets. While it’s not tied to any specific tech or business process, it represents a business philosophy driving the massive data economy. Most people don’t realize the extent of this data collection until their privacy is breached, revealing that their confidential information has been commercialized and turned into profits—often to the tune of billions—by other companies.

There are no serious proposals for regulating the data collecting abilities of technology companies. However, Google did pay a large data privacy settlement in November 2022.

In her book, Zuboff predicted that data collection will continue to grow as it becomes increasingly central to the market and as technology becomes more embedded in daily life. She highlighted the rising use of IoT devices, like fitness trackers, which provide new opportunities for sharing user data with marketers and advertisers. Zuboff also referenced a 2016 Microsoft patent for software designed to detect users’ mental states. She warned that this type of technology could lead to a new level of privacy violations, as it would activate sensors to capture voice, speech, videos, images, and movement.

The question now is, can we regain control over our data in this system that’s so deeply ingrained in our digital lives? Or is this just the new normal? It’s something worth thinking about as we continue to navigate this always-connected world.

ICANN Issues Breach Notice to .TOP Registry

In a recent development, ICANN has issued a Notice of Breach to the .TOP Registry Operator after URLAbuse highlighted multiple compliance failures. The breaches include neglecting abuse reports, not adhering to internet safety protocols, and failing to pay required fees. ICANN has mandated corrective actions to be completed by August 15, 2024. URLAbuse continues to play a crucial role in identifying and reporting internet abuses, ensuring a safer online environment.

URLAbuse successfully triggered action against the .TOP Registry Operator, prompting ICANN to issue a Notice of Breach on July 16, 2024. The notice outlines several compliance failures by the .TOP Registry Operator, including neglecting abuse reports and failing to follow essential internet safety protocols.

ICANN has set an August 15, 2024, deadline for the .TOP Registry Operator to implement corrective actions. These actions include creating a plan for Uniform Rapid Suspension (URS) compliance, updating their website with abuse contact information, confirming receipt of abuse reports, and enhancing DNS abuse mitigation efforts. If these requirements are not met, ICANN may initiate termination proceedings under the Registry Agreement.

The question remains: when will the .TOP Registry Operator take strict action, and why is such negligence tolerated in a highly interconnected internet where DNS is a fundamental root?

References:
  • https://www.icann.org/uploads/compliance_notice/attachment/1225/hedlund-to-wenxia-16jul24.pdf
  • https://news.urlabuse.com/ICANN-Issued-Breach-Notice-to-TOP-Registry-After-URLAbuse-Complaint

Geo-fencing: Location On Work

In the world of technology, tracking is no longer a strenuous task requiring meticulous effort. Geo-fencing is one of the technology blessings we work with. But what is geo-fencing, how has it developed, how does it work, how is it useful, and where is it used? Let’s discuss these answers one by one in this article.

GEO-FENCING

In the word Geo-fencing, the prefix “Geo” comes from the Greek word for “earth” or “land”, and “fencing” means drawing an imaginary border. Thus, Geo-fencing is setting up a virtual perimeter boundary so that you know whenever an object enters the marked fencing zone.

As the definition above suggests, Geo-fencing is a location-based service (LBS). The app or other medium providing the service relies on GPS (Global Positioning System), Wi-Fi, cellular data or RFID (Radio-Frequency Identification) to trigger a pre-arranged action whenever a device enters or exits the set virtual boundary, the Geo-fence. The alert can be delivered in whatever form the developer sets up: a text message, a pop-up, a push notification, a tracking alert, and so on.

How Does Geo-fencing Work?

The developer sets up the virtual boundary using GPS or RFID, or even an IP address in some cases, and then configures a pre-planned alert for devices entering or exiting the fencing zone. As soon as you cross into the fence, something happens: you are tracked, if the fence was set up for tracking; you get a push notification, if the fence was set up for marketing or business deals; you get a message, if the fence was set up for some other personal or professional purpose. So we can say that Geo-fencing has made life easy for everyone except those in the adversary zone. The perimeter of a Geo-fence is not fixed: it can be changed, reduced or increased depending on the user and developer.

Example: If you are running a salon and want customers in close proximity to know about the venue, you can set up the fencing perimeter and send alerts in whatever format you choose.
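The salon scenario above reduces to two pieces of logic: a distance test against the fence’s centre and radius, and a small state machine that fires an event only when a device crosses the boundary rather than on every position fix. The following is an added example, not code from the original article or from any geo-fencing product; the coordinates, the 200 m radius and the walking track are constructed sample data, and the haversine formula is used for the great-circle distance on a spherical Earth.

```python
"""Geo-fence entry/exit detection (added example, not from the original article).

A circular fence is defined by a centre (lat, lon) and a radius in metres.
Each incoming GPS fix is tested with the haversine great-circle distance; an
ENTER event fires on the first fix inside, an EXIT on the first fix outside.
The salon, its coordinates and the walking track are constructed sample data.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, spherical approximation


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class GeoFence:
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


class FenceMonitor:
    """Tracks one device against one fence and emits transition events only.
    Remembering the last known state is what turns a stream of positions into
    the enter/exit triggers a developer attaches alerts to."""

    def __init__(self, fence: GeoFence):
        self.fence = fence
        self.inside: Optional[bool] = None  # unknown until the first fix

    def update(self, lat, lon) -> Optional[str]:
        now_inside = self.fence.contains(lat, lon)
        event = None
        if self.inside is None:
            event = "ENTER" if now_inside else None  # first fix already inside
        elif now_inside and not self.inside:
            event = "ENTER"
        elif self.inside and not now_inside:
            event = "EXIT"
        self.inside = now_inside
        return event


def run_track(fence: GeoFence, track: List[Tuple[float, float]]):
    """Feed a list of (lat, lon) fixes; return (fix_index, event) for each transition."""
    mon = FenceMonitor(fence)
    events = []
    for i, (lat, lon) in enumerate(track):
        ev = mon.update(lat, lon)
        if ev:
            events.append((i, ev))
    return events


# Constructed sample: a salon in central Bengaluru with a 200 m fence.
SALON = GeoFence("salon", 12.9716, 77.5946, 200.0)

# Constructed walk: approaches from ~1 km north, passes the salon, leaves south.
SAMPLE_TRACK = [
    (12.9806, 77.5946),  # ~1000 m north: outside
    (12.9740, 77.5946),  # ~270 m north: still outside
    (12.9725, 77.5946),  # ~100 m north: inside -> ENTER
    (12.9716, 77.5950),  # ~45 m east of centre: inside, no event
    (12.9700, 77.5946),  # ~180 m south: inside, no event
    (12.9690, 77.5946),  # ~290 m south: outside -> EXIT
]

if __name__ == "__main__":
    for idx, ev in run_track(SALON, SAMPLE_TRACK):
        print(f"fix {idx}: {ev} {SALON.name}")
```

A production monitor would add a little hysteresis (for example a slightly larger exit radius, or requiring two consecutive fixes before flipping state) so that GPS jitter at the boundary does not produce a burst of spurious alerts; the state machine above is the core that such refinements wrap.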

Geo-fencing Application

In this era of digitization, Geo-fencing has become crucial for every sector, public or private; security or marketing; IT or business. Once a geographic fence is set, the opportunities and uses are seemingly endless, and that is one of the reasons it has become especially popular in marketing and social media.

Some of the common Geo-fencing Applications are as follows:

Security: Geo-fencing can be used to make your devices more secure. For example, you can set a Geo-fence around a specific area such as your home and receive a push notification whenever someone enters it.

Social networking: With the development of Geo-fencing came its use in one of the most popular platforms of the last decade: social media. Location status, location sharing and location-based stories on social media apps are all made possible by Geo-fencing.

Human resources: Companies now use Geo-fencing to keep track of on-field employees and workers. It is also a way to automate time cards, recording when employees clock in and out within the premises.

Marketing: Geo-fencing is a popular way for businesses to promote themselves through an alert that pops up whenever you are within the fencing range of the company. One of its best uses is targeted advertising: instead of mass marketing, a business can reach the right set of people with the right strategy based on the user’s location data.

Telematics: Telematics is the process of merging telecommunications and informatics in a device. Geo-fencing plays a useful role here too by allowing companies to set virtual zones around sites, work premises and secure areas.

Smart appliances: Smart appliances have brought us into the smart world, and geo-fencing is one of the smartest uses of them. With appliances that act on their own, it is easier than ever to be reminded of household chores, office-related files, kids' assignments and so on.

The use of Geo-fencing in handling the COVID-19 pandemic:

While the entire nation is struggling to survive the coronavirus pandemic, people in technology are working to tackle the problem with technology. Developers from different parts of the country have developed geo-fencing-based apps for COVID-19 to track people who are at risk of being affected by the coronavirus.

The Ministry of Electronics and Information Technology (MeitY), Government of India, has developed an app called 'Aarogya Setu' that lets citizens know their risk of contracting COVID-19 through a geo-fencing tracking service. The tracking is done via Bluetooth and location-generated social graphs, which can show your interaction with anyone who has tested positive. All you have to do after installation is switch on Bluetooth and location. Once these are on, your movements are visible to the app's operators, and once you have crossed paths with a red-zone area you will get an alert message based on that information. Thus, geo-fencing is playing a crucial role in handling this pandemic.

Geo-fencing Future

In this world of data privacy, where everyone is concerned about their data being stolen, geo-fencing faces the same criticism about the possibility of a data breach. But, as Nasscom chief R. Chandrasekhar said, 'There is nothing called fully perfect security in IT', so the data-breach argument alone cannot be used to dismiss geo-fencing. According to a press release from Markets and Markets (https://www.marketsandmarkets.com/), the geo-fencing industry is expected to grow by over 27% by 2022, citing "technological advancements in the use of spatial data and increasing applications in numerous industry verticals."

References:

https://en.wiktionary.org/wiki/Wiktionary

https://meity.gov.in

https://en.wikipedia.org/wiki/Geo-fence

HTTP V/S HTTPS

HTTP (http://) – Hyper Text Transfer Protocol is a protocol designed for communication between a client (web browser) and a server (web server). It was proposed in 1989 for the World Wide Web. It operates on port 80 and transfers data in plain text. There were a few revisions of HTTP up to HTTP/1.1, released in 1996. Then, after many loopholes were found, HTTP/2 was released in 2015. Later, HTTP/3 came out as the proposed successor to HTTP/2; it is already in use on the web and uses UDP instead of TCP as the underlying transport protocol.

Advantages of HTTP:-

  1. HTTP can be implemented alongside other networks as well as other protocols.
  2. HTTP pages are stored on computers as internet caches.
  3. HTTP is platform independent, thus allowing cross-platform porting.
  4. It can be used through firewalls.

Issues with HTTP:-

  1. HTTP is a stateless protocol, which means the HTTP server is not required to retain information or status about each user across multiple requests. Each request is treated as unique or new, irrespective of whether it is new or old.
  2. No privacy: it is open for all, and anyone can see the content.
  3. Data integrity is zero, as security and privacy are absent and anyone can alter the content.
  4. Anybody, whether a genuine user or not, can intercept the request and obtain the username and password.

HTTPS (https://) – Hyper Text Transfer Protocol Secure, an advanced and secured version of HTTP. It allows secure transfer with the help of SSL (Secure Sockets Layer). HTTPS is a combination of SSL/TLS with HTTP. It provides encrypted data and secure transfer with the help of key-based encryption algorithms, in which the key is generally 40 or 128 bits in strength. It operates on port 443 and transfers data in cipher (encrypted) format.

Advantages of HTTPS:-

  1. Sites running over HTTPS are redirected, which means that even if you type http:// by mistake, you will be redirected to HTTPS over a secured connection.
  2. Secured with SSL/TLS, providing full encryption of the data.
  3. Each SSL certificate contains unique, authenticated information about the certificate owner.

Issues with HTTPS:-

  1. HTTPS cannot prevent the theft of confidential information from pages if they are saved in the browser cache.
  2. SSL encrypts data only during transmission over the network; the text held in the browser's memory is not cleared by SSL.

Difference between HTTP and HTTPS :-

HTTP | HTTPS
Hyper Text Transfer Protocol | Hyper Text Transfer Protocol Secure
Less secure; encryption is absent. | Secure and encrypted with SSL/TLS.
Uses port 80. | Uses port 443.
Doesn't scramble data before transmission, thus vulnerable to hackers. | Scrambles data before transmission, thus secure.
Operates on the TCP/IP level protocol. | Operates on the same HTTP protocol but with SSL/TLS.
No SSL and no data encryption. | SSL and data encryption are required.
Fast in processing. | Slow in processing in comparison to HTTP.
Operates at the Application layer. | Operates at the Transport layer.
Transports plain text information. | Transports cipher text information.

Difference between GUI and CLI

GRAPHICAL USER INTERFACE (GUI) | COMMAND LINE INTERFACE (CLI)
Based on graphics. | Based on commands.
Easy to handle, as it works through graphics and icons. | Difficult to handle, as it requires command expertise.
Requires more memory. | Requires less memory.
Requires a mouse and keyboard. | Requires a keyboard only.
Appearance can be changed. | Appearance can't be changed.
Low precision. | High precision in comparison to GUI.
Slow in performance. | Fast in performance in comparison to GUI.
More user friendly. | More advanced and powerful.
More flexible. | Less flexible than GUI.

SSL/TLS-Secure Connection

Whenever we browse the internet, we see that some site URLs have a padlock and some do not. The presence of this padlock signifies secure communication between the user and the server. Behind the padlock is a secure communication certificate, called an SSL certificate, i.e. Secure Sockets Layer. SSL's function is to build a secure chain of trust between the user and the server. The certificate is provided by a Certificate Authority (CA) such as Let's Encrypt, Buypass, Comodo, GeoTrust et cetera, which builds the chain of trust by running certificate validation in a hierarchical manner.

Most modern web browsers flag sites without SSL/TLS as insecure or unsafe. Going forward, an SSL/TLS certificate may become a mandatory website hosting requirement. Hosting a website with an SSL/TLS certificate protects the data transferred between the website and the visitor by encrypting the communication; in addition, the SSL/TLS certificate helps verify the identity of the site, thereby letting users browse over a secure and encrypted connection. The SSL certificate consists of website owner information, including the domain and sub-domain names, the validity period of the certificate, and the public key used for encryption.

TLS is the new or updated version of SSL; TLS evolved from SSL (Secure Sockets Layer), which was developed by Netscape Communications in 1994. SSL 1.0 was never used; it was followed by SSL 2.0 and 3.0. TLS 1.0 is based on SSL 3.0. TLS 1.3 is the latest version, published in 2018, and almost all CAs are using or moving to TLS 1.3. The presence of a secure connection, i.e. TLS, can be seen through HTTPS in the URL, which is an implementation of TLS encryption on top of the HTTP protocol and is used by all websites running web services. Hence, any website over https is deploying TLS.

                       CLIENT (USER)——–(SSL/TLS HANDSHAKE)——–SERVER

SSL CERTIFICATE VALIDATION AT DIFFERENT LEVELS:

1)    DOMAIN VALIDATED CERTIFICATE: In this validation, only the domain name is validated and the certificate is issued in that name only. That is why it is the easiest validation in the SSL certificate validation game. It is suitable for servers that just want SSL for namesake, for blogs, and for small enterprises not dealing with products or selling.

2)    ORGANISATION VALIDATED CERTIFICATE: In this validation, additional details such as the address of the organisation behind that server, along with the domain name, are required for the validation check to pass. Thus, it is a bit more stringent than domain validation. The validation of the additional details makes it more trustworthy on the user's end.

3)    EXTENDED VALIDATION CERTIFICATE: This is the most expensive, most trustworthy and most time-consuming validation. It is used by large e-commerce sites, enterprises and businesses to raise the customer trust level.

TYPES OF SSL CERTIFICATES:

1)    Single Domain SSL: As the name says, it covers a single domain name; only that one domain name will be in the certificate, and no other name or sub-domain will be able to use it.

2)    Wildcard SSL certificate: A certificate that the domain and all of its sub-domains can use is known as a Wildcard SSL certificate. The sub-domain list can be seen by clicking on the padlock icon in the URL bar.

3)    Multi-domain SSL certificate: Multiple distinct domains can use a single certificate issued in the name of all those distinct domains. The domains are neither sub-domains of a single domain nor multiple pages of a single domain.

TLS/SSL HANDSHAKE:

(Image Source: https://www.geeksforgeeks.org/secure-socket-layer-ssl/)

Phase 1:  This is the Establish Connection phase. The client sends a 'Hello' message with its TLS version, a list of cipher suites and the client's random number, and the server replies with a 'Hello' message along with its SSL certificate, the cipher suite chosen and the server's random number.

Phase 2: This is the pre-master secret generation phase. The client sends one more random string, commonly called the 'pre-master secret', encrypted with the public key taken from the server's SSL certificate. The server decrypts this secret with the private key belonging to its certificate.

Phase 3: This is the session key generation phase. The client as well as the server generates the session key from the two random numbers and the pre-master secret. The session key generated at both ends will be the same.

Phase 4: Handshake ends. The session key is verified at both ends; only if it is the same is a secure connection established, and the data now moves in encrypted form. If the keys differ, the connection will not be established. Once the connection is established, both client and server send a 'Finished' message to each other, giving the green signal for encrypted data transfer to proceed.

This TLS/SSL handshake applies up to TLS 1.2; in TLS 1.3 the handshake has changed a little. In place of the 4-phase handshake, it is now completed in just one round trip. TLS 1.3 is more secure and less time-consuming than all the previous versions.
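The derivation behind Phases 2 to 4, as an added example that is not part of the original page: the TLS 1.2 PRF from RFC 5246, run on both sides over the same pre-master secret and Hello randoms, so you can see why both ends obtain the same master secret and traffic keys, and why a ServerHello random altered in transit makes the Phase 4 check fail. The function names and all byte values are this example's own constructions.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Phase 3: the 48-byte master secret (RFC 5246 section 8.1)."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def traffic_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key expansion for an AES_128_GCM suite (RFC 5246 section 6.3): two 16-byte
    write keys and two 4-byte implicit IVs. Note the randoms go in server-first."""
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return {"client_write_key": block[0:16], "server_write_key": block[16:32],
            "client_write_iv": block[32:36], "server_write_iv": block[36:40]}


def derive(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Everything one side derives from the three handshake inputs it holds."""
    ms = master_secret(pre_master, client_random, server_random)
    return {"master_secret": ms, "keys": traffic_keys(ms, client_random, server_random)}


def simulate_handshake(client_random: bytes, server_random: bytes, pre_master: bytes,
                       server_random_as_received: bytes = None) -> dict:
    """Phases 1-3 with RSA key exchange. The client encrypts pre_master to the
    server certificate's public key; the server recovers it with its private key,
    so both sides hold identical inputs unless a Hello was altered in transit.
    server_random_as_received models what the client actually got from the wire."""
    received = server_random_as_received or server_random
    return {"client": derive(pre_master, client_random, received),
            "server": derive(pre_master, client_random, server_random)}


def sides_agree(results: dict) -> bool:
    """Phase 4: the connection is only usable if both ends derived identical keys."""
    return results["client"] == results["server"]


if __name__ == "__main__":
    cr, sr = os.urandom(32), os.urandom(32)   # Phase 1 randoms (constructed here)
    pms = b"\x03\x03" + os.urandom(46)        # Phase 2 pre-master: version 0x0303 || 46 random bytes
    print("both ends agree:", sides_agree(simulate_handshake(cr, sr, pms)))
    print("tampered ServerHello agrees:", sides_agree(simulate_handshake(cr, sr, pms, bytes(32))))
```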

UPGRADE IN TLSV1.3:

                              (Image Source: https://timtaubert.de/images/tls-hs-static-rsa.png)

Phase 1: Establish Connection. As in TLS 1.2 Phase 1, TLS 1.3 also commences the handshake with the 'Hello' message, carrying a list of supported cipher suites, a guess of which key agreement protocol the server will choose, and a key share for the client's chosen key agreement protocol.

Phase 2: Validation Completion. The server replies with a 'Hello' message carrying the key agreement protocol it has chosen, its key share, its certificate and a 'Finished' message.

The server 'Finished' message, which was sent in the 6th step of the TLS 1.2 handshake, is sent in the second step in TLS 1.3, thus completing the round trip in just 2 steps.

Phase 3: Finished Message. In the last step, the client validates the server certificate and generates the shared key from the server's key share. Once all the checks are done, the client sends a 'Finished' message. Now the data encryption begins.

Cipher Suite:  A complete set of cryptographic algorithms required to secure a network connection through SSL/TLS. For each task in the set there is a specific algorithm. SSL/TLS performs the handshake process to build the secure connection, and during the handshake the client and the web server use the following cipher suite components:

-  A key exchange algorithm, used to determine how the symmetric keys will be exchanged in the handshake. Example: RSA (Rivest-Shamir-Adleman).

-  An authentication algorithm, whose function is to define how authentication of both ends, client as well as server, will be carried out. Example: DSA (Digital Signature Algorithm).

-  An encryption cipher, to encrypt the data. Example: AES (Advanced Encryption Standard).

-  A message authentication algorithm, whose function is to define how the data integrity checks will be carried out. Example: SHA (Secure Hash Algorithm).
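An added example (not the page's code) that takes an IANA cipher suite name such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 apart into the four components listed above and flags suites a defender should not leave enabled; it also handles the TLS 1.3 form, where key exchange and authentication are negotiated outside the suite name. The weak-component lists, the constructed suite list and the function names are this example's own choices.

```python
from dataclasses import dataclass, field

# Static RSA/DH key exchange: a later private-key compromise decrypts recorded sessions.
NO_FORWARD_SECRECY = {"RSA", "DH", "ECDH"}
# Cipher families a defender should not leave enabled (this example's own list).
WEAK_CIPHERS = {"NULL": "no encryption at all", "RC4": "RC4 is broken",
                "DES": "56-bit DES key", "3DES": "64-bit block size (Sweet32)"}


@dataclass
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    encryption: str
    mac: str
    tls13: bool = False
    weak_reasons: list = field(default_factory=list)


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split an IANA suite name into key exchange, authentication, cipher and MAC/hash."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher suite name: {name}")
    body = name[len("TLS_"):]
    reasons = []
    if "_WITH_" in body:
        # TLS 1.0-1.2 form: <kx>[_<auth>][_EXPORT]_WITH_<cipher>_<mac or PRF hash>
        kx_auth, cipher_mac = body.split("_WITH_", 1)
        parts = kx_auth.split("_")
        if "EXPORT" in parts:
            parts.remove("EXPORT")
            reasons.append("export-grade key length")
        kx = parts[0]
        auth = parts[1] if len(parts) > 1 else kx   # TLS_RSA_WITH_...: RSA does both jobs
        tls13 = False
    else:
        # TLS 1.3 form: TLS_<AEAD>_<hash>; key exchange and authentication are
        # negotiated outside the suite name (key_share + certificate signature).
        cipher_mac = body
        kx, auth, tls13 = "(EC)DHE via key_share", "certificate signature", True
    encryption, mac = cipher_mac.rsplit("_", 1)
    family = encryption.split("_")[0]
    if family in WEAK_CIPHERS:
        reasons.append(WEAK_CIPHERS[family])
    if mac == "MD5":
        reasons.append("MD5-based MAC")
    if auth == "anon":
        reasons.append("anonymous key exchange: server is not authenticated")
    if not tls13 and auth != "anon" and kx in NO_FORWARD_SECRECY:
        reasons.append("no forward secrecy")
    return CipherSuite(name, kx, auth, encryption, mac, tls13, reasons)


def audit(names) -> dict:
    """Return {suite name: reasons} for every suite that has at least one weakness."""
    found = {}
    for n in names:
        reasons = parse_cipher_suite(n).weak_reasons
        if reasons:
            found[n] = reasons
    return found


if __name__ == "__main__":
    # Constructed list, shaped like a server's configured cipher suite list.
    offered = ["TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
               "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
               "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_WITH_AES_128_CBC_SHA"]
    for suite_name, why in audit(offered).items():
        print(suite_name, "->", "; ".join(why))
```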

LAMP SERVER installation through Repository Packages

The website you see or the blog you are reading right now runs on a web server; some programming language was used to write it, and a database stores its information. When these components work together to serve a web page or website to the user or visitor, they form a LAMP server. Together, these components are called the LAMP stack.

The LAMP stack here means:

(L)inux as Operating System (OS)

(A)pache as Web Server (WS)

(M)ySQL as a Database (DB)

(P)HP (Hypertext preprocessor) as a programming language,

But for each of these, OS, web server, database and programming language, other options can also be considered. For instance, in place of Linux one can use Windows, in which case it is called WAMP; in place of PHP, Perl or Python can be used; Apache can be replaced by nginx; or MariaDB can be used in place of MySQL. All four components are chosen according to the requirements.

Why a LAMP server, when other kinds of server stack exist?

LAMP is open source, easily customizable, has support available, and is a mature stack; all these characteristics make the LAMP server more widely accepted and easier to use.

Open-source stacks include MEAN, XAMPP, LLLMP, LEAP and LAMP; non-open-source stacks include WAMP, WIMP and MAMP.

The requirement for building a web server for a web page is a VM running the required OS.

1.) OS of choice; for a LAMP server, Linux is the required OS.

2.) Install Apache: The Apache web server is a popular open-source web server that can be used along with PHP to host dynamic websites. It is well documented and has been in wide use for much of the history of the web.

   - To clean old package caches, if any:
     sudo yum clean all

   - To update the packages:
     sudo yum update

   - To install the Apache server service:
     sudo yum install httpd -y

   - To enable the Apache service at boot:
     sudo systemctl enable httpd.service

   - To start Apache:
     sudo systemctl start httpd.service

   - To check the status of the Apache service (it should show "active (running)"):
     sudo systemctl status httpd

   - To allow port 80 (http) through the firewall for Apache:
     sudo firewall-cmd --permanent --zone=public --add-service=http

   - To allow port 443 (https) through the firewall for Apache (remember to install the SSL module, mod_ssl, and reference it in the configuration file):
     sudo firewall-cmd --permanent --zone=public --add-service=https

   - Reload the firewall service so the permanent rules take effect:
     sudo firewall-cmd --reload

   - To know the version and details of the installed Apache package:
     sudo rpm -qi httpd

   - To read the error log, if you face any errors:
     sudo tail -n 50 /var/log/httpd/error_log

   - To serve port 443 we need the https-specific module configuration (ssl.conf, installed by mod_ssl) in conf.d:
     cd /etc/httpd/conf.d

1.1) How to give a name to your webserver

–Install Bind to give a name to your webserver

   sudo yum install bind  

   - Edit the named configuration file and add this zone definition to it:
     sudo vi /etc/named.conf

       zone "example.com" {
           type master;
           file "/var/named/example.com.zone";
       };

   - In the zone file, make these entries:
     sudo vi /var/named/example.com.zone

       $TTL 86400
       @   IN SOA  ns1.example.com. root.example.com. (
               2017022801 ; serial
               3600       ; refresh
               1800       ; retry
               604800     ; expire
               86400      ; minimum
       )
       @   IN NS   ns1.example.com.
       @   IN A    10.197.52.185

   - Create a virtual host file for the zone name in the Apache server config folder:
     sudo vi /etc/httpd/conf.d/example.com.conf

       <VirtualHost *:80>
           ServerName example.com
           ServerAlias www.example.com
           DocumentRoot /var/www/html
       </VirtualHost>

   - Restart the Apache service, then open the same server by name this time instead of by IP:
     sudo systemctl restart httpd

3). MariaDB installation: MariaDB's function is to manage the database, and this database can be scaled vertically or horizontally.

   - To install MariaDB:
     sudo yum install mariadb-server mariadb -y

   - To start MariaDB:
     sudo systemctl start mariadb

   - To enable MariaDB at boot:
     sudo systemctl enable mariadb

   - To check the status of MariaDB:
     sudo systemctl status mariadb

4). PHP installation: To run or create any web page, or to run multiple pages or options on that web page, a language is required, and for that the PHP, Perl or Python language package needs to be installed.

   - To update all the packages:
     sudo yum update

   - To install PHP and its common modules, including the MySQL/MariaDB driver:
     sudo yum install php php-mysql php-common php-gd php-mbstring php-mcrypt php-devel php-xml

   - To restart the Apache service so it loads PHP:
     sudo systemctl restart httpd

   - To verify that PHP is installed and working, create a file named 'info.php' in the document root
     /var/www/html/ with the following content:

       <?php
       phpinfo();
       ?>

     Then open the URL "http://server-address/info.php".
     If PHP is working fine, you will see a page with the PHP information. Remove info.php once you have verified this, as it publishes the server's PHP configuration to anyone who can reach the page.

     Bravo! Your LAMP server is ready.