Throughout my other posts on web security, we looked at everything that could go wrong with our application from a technical perspective. However, despite all our efforts to make our application objectively as secure as possible, there is still one thing we should keep in mind : our application is going to be used by humans, and humans invariably make mistakes.
Many potential adversaries are aware of this fact and use every opportunity to take advantage of it :
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh— Tom Scott (@tomscott) December 23, 2016
This tweet was posted by Tom Scott, a guy who has posted multiple videos on security on the internet. If someone like him can almost fall for an attack like this, chances are, most non-technically oriented people will too.
We as developers should do our best to make sure our users do not get fooled, or are put at risk due to their own mistakes.
Here are a few tips you can implement on your website to save your users from themselves :
Ads are a necessary evil. No one wants to put them their website, but sometimes, they are the only way to pay the bills. What we can do, however, is watch where and how we place this kind of external content, because this is something we do not have full control over.
At its worst, misplaced external content can end up making a content hosting site look like this :
Which one’s the actual download button? After some experimentation, I found out that it’s the little red one on the bottom right. But that was certainly not my first guess. The other links lead to a direct
.apk (android app installation file) download, which could potentially be harmful if opened on an android phone.
Ads and other external content should be placed away from the main content, and it also helps to explicitly mention ads by putting a small label next to them.
There is a chance that someone might leave their laptop open by mistake in a place where others can access it (think about all the times your friends posted a scandalous facebook status on your behalf). While some actions are relatively harmless, others have much costlier implications.
This is why users should always be reauthenticated before performing an action that may compromise their security. For example, many websites like Google require you to enter your password again if you are changing your phone number, alternate email, or date of birth.
Joe went and visited a public internet cafe to check his bank details online. The problem is that Joe, being the careless person that he is, forgot to log out of his online banking portal.
Ordinarily anyone who uses that same computer would now have access to Joes banking portal. Fortunately, the banking portal had a session expiry time of 15 minutes, which means that if there is no activity on the website for more than 15 minutes, the current user is automatically logged out.
Always keep an expiry time for sessions on your site. It doesn’t have to be 15 minutes, but make sure it’s there.
If there is a chance that the area your users are entering could potentially compromise their accounts’ security, it’s always better to give them a warning.
A common example is the “You are being redirected to another site” warning that pops up when you click on links to external websites.
Another example, which I thought was really clever, is Facebook’s warning message which pops up when you open the browser console :
This may not be necessary for all occasions, but it’s still something worth appreciating.
Every time I sign in to my Google or Twitter account from a new device, or from a location different from the one I am usually in, I get an email letting me know.
Letting a user know when they have logged in from another can do a great deal in preventing a lot of damage if someone has in fact hacked in to their account.
If you want to learn more about security on the web, be sure to read my other posts on web security essentials :