Privacy and Security Issues: Web Security Solutions by EightDevs
We materialize your desires

Website Security Services: How to Protect User's Data

  • Xenia Liashko
  • 2019-11-19 17:43:05

Users are increasingly encountering moments when the site asks for permission to collect personal data or access to the equipment of the device: “Can we access the GPS location? Your microphone or camera? Your bluetooth? Can we send you push notifications about the latest chocolate discount news or subscriptions?

Permissions, as these requests are called, give networks exciting rights. Already, about a dozen browser functions include the use of low-level hardware and software functions, such as the clipboard, for the increasing ability of websites to access files on the user's hard drive. More to come soon. However, high performance is associated with a greater risk to the website's or app's security and privacy. Currently, there are few real alternatives to access management websites, apart from asking visitors and assuming they understand the risks involved.

These permissions are usually very easy for users to manage. When a user grants permission, the browser often remembers it and never asks if it is good or bad. It is known that users are prone to fatigue due to repeated and unwanted prompts. In general, however, permissions are good because users can block websites from accessing confidential data and tools, and allow access to trusted ones. However, these data and tools may still be sensitive. Privileges apparently transfer responsibility for browser protection to individual sites and the users themselves who grant permissions and are generally assumed to know what they are doing. This mechanism, therefore, leads to a special relationship between the site and the user, which can ultimately be used.

Supposedly malicious hackers violate a site and take control of its content — source code, embedded elements such as images, scripts, even third-party scripts. This is not an unlikely scenario, as evidenced by past violations of Slack, Ticketmaster, British Airways and many others who are victims of cyber attacks aimed at maintaining integrity (some websites are even threatened by many threat actors). What permissions they can give? You can access all features of the user who granted access to the site. They convert assets into liabilities.

Among other security and privacy issues, we can imagine that the permission column ends with events such as:

  • Webcams and microphones may be unexpectedly activated unexpectedly, or attackers may misuse the Web Audio API to track user devices with “inaudible” beacons or even send data out of the band.
  • API notifications or push API messages that appear to come from a source that the user trusts can be sent with links to malware and even display disinformation and propaganda in a coordinated manner for many users at once.

Website Security Services by EightDevs

Permissions are designed to reduce this type of risk. However, if a site with a large user base falls victim to an attack on the supply chain that violates the integrity of the site, the protection model is completely different, and many functions are subject to the whims of the attackers. A wave of the negative press would certainly cause such a violation, especially if the website was large or trustworthy.

Although none of these scenarios are yet known, it is important to consider these threats at the design stage and to keep the user as transparent as possible as permissions become more available. Can we expect users to understand the basic difference between granting access to an installed mobile application (often in a controlled environment) and a remote website? If this is not the case, the parties should be informed before asking for permission.

In some cases of violations, it is not difficult to imagine that regulatory aspects, such as the GDPR, may become relevant. This area is not well understood today. While it may not be clear whether authorization means “explicit and informed consent”, it means a sign of trust between the user and the website that is clearly communicated by the user. These decisions are unambiguous, although at hardly present any website explains the reasons or use cases before requesting an access gateway function. This is a common counter standard when a random site asks you to be notified.

See also: Web Security Solutions for business

Websites should be especially cautious when asking for the use of confidential browser functions. In particular, you can imagine websites that want to be sure if, when and how permissions are used. To assess the potential exposure risk, websites should also know how many users they have granted. It is unclear whether today's websites even think about creating inventory lists for such sensitive applications. But if there was a violation, many would probably ask these questions.

Website operators can prepare for this type of threat by knowing if sensitive mechanisms are used, monitoring their use and registering which users have registered to obtain privileged content. Site owners need to track unwanted site changes while protecting system integrity. While this issue is a major challenge, the use of mechanisms on the Internet that at least ensure the integrity of embedded sub-resources should be the norm.

Web browsers can also help by providing users with simple and easy ways to check and smoothly revoke site permissions. Fortunately, browsers have made impressive progress in this area in recent years. Finally, regulatory and law enforcement authorities should seek to understand the implications of this potential new relationship between users and services. As the evolution of the network is accelerating, it is important to monitor these changes.

Network standardization plays a key role not only for interoperability but also for ensuring user confidence in technology, including security and privacy guarantees. Standardization can be seen as a form of regulation of technology functioning. But if that is the case, the emerging role of technology in societies may sooner or later raise the issue of social oversight and control. This does not mean that we should invite the ever-increasing trend of national “cyber-power” in many parts of the world to influence technological standards. It simply means that we must maintain the pillars of interoperable software and hardware that make the Internet a great place to be useful and informative.

Get a website security check from EightDevs's team