Monday, August 2, 2010

Do You Trust Websites? Paranoia, Part 2

In my previous post I talked about some of the security implications that come from inherently trusting unknown computers. Today I am going to talk about websites. Again, you can call me paranoid if you want to, I'm just trying to get you to think about things from a different perspective.

What is a website? A website is a server that you connect to through your web browser. Some sites are strictly informational, but nowadays almost every site out there is interactive in some way. You can create an account that you can access with a username and password. Accounts are normally tied to an email address. You use your account to interact with the website in some meaningful way. Nothing I've said so far should be terribly new to most people familiar with the Internet.

Now onto the things you may not have thought about. 

Is your connection to the website secure? Some websites, like your bank, use an authentication and encryption protocol known as SSL/TLS to verify the identity of the site and to protect all of the traffic being transferred between your computer and the server. Not all sites use SSL/TLS because it costs money for the website to setup and adds additional processing load to the server. SSL/TLS is not dependent upon the use of a username and password, which means that it can be used on sites where you don't have an account. It also means that just because you have to login to use a site that the connection isn't necessarily secure. Many, many sites requiring a login do not encrypt their connections.

Where is your account information stored? The answer to that question is that your account information is stored in a database. The database is probably stored on the same physical machine as the web server for low volume sites while higher volume sites may store the database separately. Databases are typically not encrypted because it doesn't make sense to do so.

Who has access to the website's database? Obviously the webserver has access to its database. Some people will have access to the database too. For low volume sites this may be a single person who runs the website. Or it could be the guy that the website owner pays to manager the site. For larger volume sites, it might be a team of people who have access to the database. Depending upon what the access control policies are like for a company, it could be that everyone who works there has access to the database, like how Facebook is, or at least used to be.

How is your password stored? If a website was designed with security in mind, passwords will be encrypted before they are stored. The way that works to take your password and then encrypt it before it is stored in the database during account creation. When you go to login in the future, your password in encrypted and compared with the stored value. If the two values match, you are logged in. But this requires more work, which leads some sites to just store your password without encrypting it.

What happens when security fails? Websites are designed by people. People make mistakes. People can be negligent. Even websites run by people with the best intentions who have all the right knowledge can suffer security incidents. But how are you to know which websites are careful and which ones are careless? Just because a website is large and well known doesn't necessarily mean that your data is safe. The job posting site Monster.com has been hacked more than once, leading to the compromise of account information including passwords. And remember, most people use the same password or two for all of their online accounts.

I'm not saying you shouldn't use online accounts. If I did that would make me a hypocrite considering that I use Twitter, LinkedIn, and Facebook, not to mention the fact that this blog, my email, and my website are all hosted courtesy of Google. What I am saying is that you need to think about what you put online before you do it. Just because something isn't available on the open web doesn't mean that it is protected. When you put your trust in a website you are putting your trust into the hands of potentially hundreds if not thousands of people who you don't know.