
Saturday, November 13, 2010

Protecting Your Business's Website

1. When a user logs in, maintain the HTTPS connection.
Do not switch to HTTP. In the past, certain issues with CPU performance have necessitated a switch to the less computationally intensive HTTP. But Gmail has shown that the processor impact is negligible and well worth the additional security.

2. Monitor the source IP address.
If anything changes, consider it a bit suspicious and prompt the user for their password again. If someone has stolen a user's cookie, the culprit might try to access your site from a different network. There are very few reasons for a user's source IP address to change spontaneously during their shopping-cart checkout. (One valid reason would be that the user walked away from a Wi-Fi hotspot and their smartphone switched from Wi-Fi to a 3G connection.) The minor inconvenience of asking a customer to reenter a password is nothing next to the significant security benefits of challenging a suspicious connection.

3. Monitor Web browser characteristics.
In the case of a public Wi-Fi hotspot, both the valid user and the attacker are usually masked behind the same source IP address, so rule #2 isn't a good indicator of a session hijack. So another thing to monitor is Web browser characteristics. Every Web browser has a user agent string (an identification badge showing what browser and version a person is using). If your Web application notices that a customer started a transaction on Internet Explorer 8 running on Windows 7 but then in the middle of the session the Web browser changes to Safari 5, you should consider that to be suspicious and prompt the user for their password once again.
A visit to Panopticlick tells how trackable a browser is.
Since a clever attacker can fake the user agent string, try looking at other metadata: a combination of the user's screen resolution, installed Flash version, and system time zone, for example. Panopticlick contends that a particular user's mix of plug-in versions, security patch levels, and Web browser versions is almost a unique fingerprint. Any of those data points would be useful to monitor during your customer's transaction session.
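As an added example (not from the original post), here is a small server-side session store that implements rules 2 and 3: at login it binds the session to the source IP, the user agent and a hash of the other client metadata; a mismatch on a later request flags the session for a password challenge instead of dropping it outright (which covers the Wi-Fi to 3G case), and a successful challenge re-binds the session under a fresh id. The class, function names and sample IPs are assumptions for the illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str            # source IP seen at login (rule 2)
    ua: str            # user agent string seen at login (rule 3)
    fp: str            # hash of other browser metadata (rule 3, harder to spoof)
    needs_reauth: bool = False
    reason: str = ""


def fingerprint(screen: str, flash_version: str, time_zone: str) -> str:
    # Hash the client-reported metadata so the store keeps no raw values.
    raw = f"{screen}|{flash_version}|{time_zone}".encode()
    return hashlib.sha256(raw).hexdigest()


class SessionGuard:
    def __init__(self):
        self.sessions = {}  # session id -> Session

    def login(self, user: str, ip: str, ua: str, fp: str) -> str:
        sid = secrets.token_urlsafe(32)  # fresh, unguessable id on every login
        self.sessions[sid] = Session(user, ip, ua, fp)
        return sid

    def check(self, sid: str, ip: str, ua: str, fp: str) -> str:
        """Return 'ok', 'reauth' (ask for the password again) or 'invalid'."""
        s = self.sessions.get(sid)
        if s is None:
            return "invalid"
        if not s.needs_reauth and ip != s.ip:
            s.needs_reauth, s.reason = True, "source IP changed"
        elif not s.needs_reauth and (ua != s.ua or fp != s.fp):
            s.needs_reauth, s.reason = True, "browser characteristics changed"
        return "reauth" if s.needs_reauth else "ok"

    def reauth(self, sid: str, password_ok: bool, ip: str, ua: str, fp: str) -> str:
        """After a successful password challenge, re-bind to the new client data under a new id."""
        s = self.sessions.get(sid)
        if s is None or not password_ok:
            return ""  # failed challenge: the old session stays flagged
        del self.sessions[sid]
        return self.login(s.user, ip, ua, fp)
```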