Monday, September 13, 2021

Security

 

Finished the last lecture of the CS50 HTML series, with the discussion on security concerns one needs to keep in mind during Web design. This was very informative - enlightening - to me.


The code below shows how easy it is to create a false link. The user thinks they are clicking on Google.com, but the link that actually gets activated is that of the course site. The visible link text and the href attribute are independent: the browser displays the first and follows the second, and nothing forces the two to agree. That easy... And who hasn't had the experience of ending up in an unexpected place on the Web, or clicking on what one thinks is information only to end up on a paid course link, etc.?



Below, we are directed to a false Bank of America site (just check the URL at the top of the page). This too was easy: copy/paste the HTML from the real BOA site, available through 'view source', and host it somewhere else. A person might just type in their account password. This is called a phishing attack. Since anyone can copy the look of a page, the address bar, not the page contents, is what tells you where you really are.
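One way to catch the false links of the two paragraphs above mechanically. This is an added example, not code from the course or the post: it parses a constructed sample page, extracts every anchor, and flags those whose visible text names a host (a full URL or a bare domain such as bankofamerica.com, which goes a little beyond the course's single example) that differs from the host in the href. The sample page and all URLs in it are made up for the demonstration.

```python
"""Detect links whose visible text names one site while the href goes to another.
Added example (not from the course); the sample page and URLs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the first and third anchors are the kind of false link
# the post describes, the second and fourth are honest.
SAMPLE_HTML = """
<html><body>
<p>Search here: <a href="https://cs50.example.edu/web">https://www.google.com</a></p>
<p>Or here: <a href="https://www.google.com">https://www.google.com</a></p>
<p>Log in at <a href="https://evil.example.net/login">bankofamerica.com</a></p>
<p>Official: <a href="https://www.bankofamerica.com">Bank of America</a></p>
</body></html>
"""

def host_named_by(text):
    """If the visible text looks like a URL or bare domain, return its host, else None."""
    candidate = text.strip()
    if not candidate or " " in candidate:
        return None
    if "://" not in candidate:
        candidate = "https://" + candidate        # treat "google.com" like a URL
    host = urlparse(candidate).hostname
    if not host or "." not in host:
        return None
    return host.lower()

def same_site(a, b):
    """Exact match, or one host is a subdomain of the other (www.google.com vs google.com)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the page."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def find_deceptive_links(html):
    """Return (visible text, href) pairs where the two name different hosts."""
    collector = AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        claimed = host_named_by(text)
        actual = (urlparse(href).hostname or "").lower()
        if claimed and actual and not same_site(claimed, actual):
            flagged.append((text.strip(), href))
    return flagged

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_HTML):
        print(f"shows {text!r} but goes to {href}")
```

Anchors whose text is a plain label ("Bank of America") are not flagged, because a label makes no claim about the destination; only text that looks like an address is compared with the real one.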



So what can be done? Any sensitive information sent over the Web needs to be encrypted, i.e. not sent as is, but transformed with the aid of a key which the receiver can then use to restore the original message. The problem is that sending the key along with the message is also dangerous: anyone who can read the message can read the key. The solution is a two-key approach. The receiver publishes a public key, the sender encodes the information with it, and the information can then only be restored with a private key that the receiver of the message alone holds. The public key can travel in the open because it only locks; it cannot unlock. Very clever!!


Passwords are best stored as hash values (a message of any length is mapped to a string of fixed length). One cannot recover the original from the hash, but the same original always generates the same hash, so a site can check a login by hashing what you type and comparing it with what it stored. In practice each password is hashed together with a random salt, using a deliberately slow function, so that two users with the same password do not share a hash and guessing is expensive. A site cannot tell you what your forgotten password was; it can only help you set a new one.
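The storage scheme above, as an added example rather than code from the course: salted PBKDF2 hashing, constant-time verification, and a small user store that can check or replace a password but never reveal it. The storage string layout (algorithm$iterations$salt$hash) is the one Django's PBKDF2 hasher also uses; the user names and passwords are constructed.

```python
"""Salted, slow password hashing plus the login/reset flow the post describes.
Added example; the user names, passwords and in-memory store are constructed."""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000     # deliberately slow so offline guessing is expensive

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 hash>', fresh salt per call."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "$".join([ALGORITHM, str(iterations), salt, base64.b64encode(digest).decode()])

def verify_password(stored, candidate):
    """Re-hash the candidate with the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt, _ = stored.split("$", 3)
    if algorithm != ALGORITHM:
        return False
    recomputed = hash_password(candidate, salt, int(iterations))
    return hmac.compare_digest(recomputed, stored)

class UserStore:
    """Keeps hashes only: it can check a password or replace it, never reveal it."""
    def __init__(self, iterations=ITERATIONS):
        self._hashes = {}
        self._iterations = iterations

    def register(self, username, password):
        self._hashes[username] = hash_password(password, iterations=self._iterations)

    def login(self, username, password):
        stored = self._hashes.get(username)
        if stored is None:
            # Burn the same time for unknown users so timing does not reveal valid names.
            hash_password(password, iterations=self._iterations)
            return False
        return verify_password(stored, password)

    def reset_password(self, username, new_password):
        """The 'forgot password' path: the old hash is simply replaced."""
        if username not in self._hashes:
            return False
        self._hashes[username] = hash_password(new_password, iterations=self._iterations)
        return True

if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # True
    print(store.login("alice", "wrong"))                          # False
    store.reset_password("alice", "new passphrase")
    print(store.login("alice", "new passphrase"))                 # True
```

Note that two registrations of the same password produce different strings because of the salt, yet each verifies, and that the store holds nothing from which the original can be read back.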



API keys identify the caller of a service and serve to limit how much communication can occur between two services (thus helping to avoid denial-of-service attacks, where a site is deluged with requests). They also let the service check the authenticity of requests, since a request without a valid key is rejected. A key is a shared secret, though: anyone who obtains it can act as its owner, so it must be kept out of client-side code and logs.
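Both roles of an API key, authentication and per-caller rate limiting, in one small gateway. This is an added example, not code from the course or any real API: keys are random, only their SHA-256 fingerprint is stored server side, and each key gets its own sliding one-minute window. The limit, client names and the injectable clock are assumptions made for the demonstration.

```python
"""Per-client API keys: authenticate the caller, then rate-limit per key.
Added example; the key format, limits and client names are assumptions."""
import hashlib
import secrets
import time
from collections import deque

class ApiGateway:
    def __init__(self, limit_per_minute=60, clock=time.monotonic):
        self._clients = {}      # sha256(key) -> client name; the raw key is never stored
        self._calls = {}        # sha256(key) -> timestamps of recent requests
        self.limit = limit_per_minute
        self.clock = clock      # injectable so the window can be tested without sleeping

    @staticmethod
    def _fingerprint(key):
        return hashlib.sha256(key.encode()).digest()

    def issue_key(self, client_name):
        """Generate a high-entropy key, hand it to the client once, keep only its hash."""
        key = secrets.token_urlsafe(32)
        fp = self._fingerprint(key)
        self._clients[fp] = client_name
        self._calls[fp] = deque()
        return key

    def handle(self, presented_key):
        """Return an (HTTP status, message) pair for a request carrying presented_key."""
        fp = self._fingerprint(presented_key or "")
        client = self._clients.get(fp)
        if client is None:
            return 401, "unknown API key"               # authenticity check
        now = self.clock()
        recent = self._calls[fp]
        while recent and now - recent[0] >= 60:         # drop calls outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            return 429, f"rate limit exceeded for {client}"   # one noisy client cannot starve others
        recent.append(now)
        return 200, f"ok ({client})"

if __name__ == "__main__":
    gateway = ApiGateway(limit_per_minute=3)
    key = gateway.issue_key("mobile-app")              # constructed client name
    print(gateway.handle("not-a-real-key"))            # (401, ...)
    for _ in range(4):
        print(gateway.handle(key))                     # 200, 200, 200, then 429
```

Storing only the fingerprint means a leaked database does not hand out working keys, and keeping a window per key means the limit is enforced on the identity behind the request, not on whatever IP address it happened to come from.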





Using GET for a form that submits sensitive data is dangerous, because the values end up in the URL, where others can 'get' them from browser history, server logs and bookmarks. POST is safer, but only so much so: in effect, another site can sneak in a request for a money transfer, since the user's browser will attach the bank's cookies to any request aimed at the bank, wherever that request came from. Django protects from this with the use of a CSRF token.
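The token check described above, as an added example modelled on the idea behind Django's csrf_token tag (this is not Django's code): the server generates a random token per session, the legitimate form carries it in a hidden field, and the transfer handler refuses any POST whose token does not match the session. It also refuses GET outright, so the amount and recipient can never sit in a URL. The accounts, balances and form fields are constructed for the demonstration.

```python
"""Session-bound CSRF token check for a state-changing form.
Added example modelled on Django's {% csrf_token %} idea; not Django's code."""
import hmac
import secrets

def issue_csrf_token(session):
    """Create a random token, remember it in the server-side session, return it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def render_transfer_form(session):
    """The legitimate page embeds the token as a hidden field (like {% csrf_token %})."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="to"> <input name="amount"> <button>Send</button>\n'
        '</form>'
    )

def handle_transfer(method, session, form, balances):
    """Server side of /transfer. Returns (status, message) like an HTTP response."""
    if method != "POST":
        # Never change state on GET: the parameters would sit in the URL, browser
        # history and server logs, and a GET can be fired by a mere <img src=...>.
        return 405, "use POST"
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    # A page on another origin can make the victim's browser send this POST with
    # the victim's cookies, but it cannot read the token out of our page.
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "CSRF token missing or invalid"
    sender = session["user"]
    try:
        amount = int(form["amount"])
    except (KeyError, ValueError):
        return 400, "bad amount"
    recipient = form.get("to")
    if amount <= 0 or recipient not in balances or balances[sender] < amount:
        return 400, "invalid transfer"
    balances[sender] -= amount
    balances[recipient] += amount
    return 200, f"moved {amount} from {sender} to {recipient}"

if __name__ == "__main__":
    balances = {"alice": 100, "mallory": 0}            # constructed accounts
    session = {"user": "alice"}                        # alice is logged in
    print(render_transfer_form(session))               # the real form, token included
    genuine = {"csrf_token": session["csrf_token"], "to": "mallory", "amount": "40"}
    print(handle_transfer("POST", session, genuine, balances))     # 200
    forged = {"to": "mallory", "amount": "40"}          # attacker's page has no token
    print(handle_transfer("POST", session, forged, balances))      # 403
    print(balances)                                    # {'alice': 60, 'mallory': 40}
```

The forged request is indistinguishable from the genuine one in every respect the browser adds automatically (method, cookies, destination); the token is the one thing the attacker's page cannot supply, which is why it has to be checked on every state-changing request.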



