Category: Web
You Won't Find The Key Under The
Doormatposted in web on 2 March 2012
Using the internet we all surrender our information (both sensitive and unimportant) to online applications that eventually dump them in a database.
If you think your information is safe in the database, think again.
Obviously there is a general problem with access to these databases that can render information resting there insecure. The problem arising with most online applications is that most of them use passwords to access the database that are stored unencrypted on the server.
Even for commercial online applications it is quite common to store the crucial password that grants access to all data resting in a database in a simple configuration file, in clear text. For example, Magento, the well known online shop software, stores the database password in the file "app/etc/local.xml" where it shines in all its glaring plain text glory.
Of course you can start to secure these files. It's the most natural thing to do. And you have to do it, fast. Because under normal circumstances, these config files are readable for everyone on the server when the default installation has finished. Most online applications seem to rely on the fact that the administrator knows that there is work left to be done. Following the principle of least privilege is a good guide to make those sensitive files as secure as possible on the server. But let's be honest, relying on the assumption that no unauthorized person will ever see the content of such a file may not be prudent.
It's a little bit like putting the key under the doormat.
Adding Confidentiality to Your Website
posted in web on 30 Jan. 2012
Contact forms are omnipresent. They often substitute an email message and as such it's hard to imagine a business website without it.
Being nothing more than unprotected emails, contact forms lose one important quality that would make them even more useful on a website, confidentiality. For customers there is no way to convey a message to a business owner securely by using the contact form, because eventually it'll end up as an ordinary email, unprotected.
With the Web Encryption Extension there is an alternative available now.
Can Online Services Be Secure?
posted in web on 15 June 2011
Certainly not, if you store credit card information or passwords in clear text on the servers. Recent data theft disasters have shown, that it is not enough to operate a "secure server" and leave all customer's information unencrypted on this server.
Because if you think your secure server is invincible, all your customer's data is at risk, the moment it turns out that the secure server is not as secure as you thought.
What's even worse, your customers have entrusted you with their data believing that operating a secure data center will be sufficient to protect their personal data from falling into the wrong hands. It's time to destroy this false belief.
|
Secure Solutions For Small Businesses
|
|
