This is maybe quite a broad question and I tried to look for other stack exchanges where addressing my question would suit better – but in the end I decided that it might be still a question of a technical nature, and so I am posting it here:
I recently started to think more about privacy and security and I realized that I as a web user can only do so much about staying untracked. VPN, (slow) Tor, privacy helpers, add-blockers, Firefox are just a few tools to name, but still I realize that the information that I normally share (like installed add-ons, browser size, IP location etc.) can still very well be fingerprinted.
Normally as a web-developer I am told that we should add analytics, that we should find out more about the users to «make a better service», but I think I would like to do the opposite.
So:
Are there steps I could take, when building a website, that help the visitors to stay untracked? And I don't mean «not installing google analytics», I mean things like somehow actively messing with the statistics, so that my hosters server is incapable of tracking things correctly or similar things...
Right now I can't really think of anything, but I somehow believe that I as a person who builds bricks of the internet could and should be able to influence these kind of things directly...
For now I see the obvious things:
- not using statistic services
- use https
- not using any third party tools that might include tracking or open doors for other trackers
But still this seems to just omit the bad things, but I can't actually do active stuff...
So I would be very glad to hear your thoughts about this. (Or guide me to a place, where this discussion fits a better..)
Cheers
merc
As a web developer, you can only control your website.
Assuming you aren't caching any data or using cookies, then users shouldn't be tracked while using your website by tools like 3rd party cookies.
Here is a good article about online tracking and how it works.
As far as I know, there isn't an effective way to actively mess with tracking statistics. Your best bet is to avoid installing libraries or tools that track your users.
Related
I have been programming a small e-commerce platform to sell jewelry.
Initially I wanted to make it web3 compatible ( accept meta mask payments ) and given that I work as a dev I wanted to take the DIY approach as opposed to platforms like Shopify specifically.
Now that I’m getting closer to finishing the website , I contemplate to myself - should I just switch to using Shopify instead ? My contemplation stems from unknown vulnerabilities that I am anticipate ..
My site uses Stripesnd paypal for payments. I don’t save any other data besides order info and shipping address .
Is there any underlying vulnerabilities that Shopify takes care of that I’m not thinking of ?
It seems simple enough to take payments on a site but I have a feeling I am not thinking about some major implications of not using a platform like Shopify .
On one hand I’d really like to use my own website given all the time I’ve spent making it ( also like my front end design better than any template I’ve seen ) so this post is for people to give me their perspective on both pros and cons so I can decide whether I just neeed to dump my work and start over with Shopify or continue on the way forward with DIY coming out as hero ;)
Thanks In advance fam
It is perfectly possible to make your own website and make it secure enough, somebody made Shopify too after all. :) It is also easily possible to leave vulnerabilies in your code that then get exploited. The problem is that if you don't have a good grasp of what you should have even looked at, it will be quite challenging to actually get it right.
You should be aware of potential code level vulnerabilities, and use secure coding and architecture principles to structure and code your website. OWASP is a great resource that helps with learning about those. Higher level principles include things like least privilege, segregation of duties, defense in depth, minimizing attack surface, secure defaults, failing securely and so on. Actual code level vulnerabilities include things like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), tampering with parameters, session management errors, authentication or authorization errors and so on, there is a lot of these. And your 3rd party libraries that you included can (and will) also have some of these, how will you discover that, and will you have the capacity to keep up with latest versions?
When hosting your own service (even in an IaaS cloud environment like AWS EC2), that brings its own challenges in terms of security too - you need to care about the ops side of security as well. Things like would you even notice if there's an attack? Would you know what to do if a customer called with their money spent on things they didn't buy? Would you have forensic evidence to prove if they are actually lying? :)
You can use tools to scan for some of these vulnerabilities, but that will never be comprehensive - actually, nothing will. Automated tools are very useful, but will miss a lot of things. You can also buy penetration testing services, some of those are really good (and some not), they will find vulnerabilities the same way attackers would - but those are quite expensive.
However, having said all this, the most important thing is to keep your defenses proportionate to the risk. This basically means you don't want to spend more on securing your website than the maximum amount you may lose in case of a compromise. Outsourcing payments to Stripe or Paypal is a great start, because if you have the integration correctly set up, you likely already limited the maximum possible loss quite a bit.
So should you code an ecommerce website yourself, and sell stuff? In the light of the above, it's very opinionated, but I think why not, just consider the above, manage your risks, learn about potential vulnerabilities, mitigate them the best you can, and prepare for things to go wrong. In the end, it's probably cheaper to just use a ready-made service, though a lot less fun. :)
I would say, you should... and you can use any SaaS eCommerce platform: Shopify or BigCommerce or Snipkart without giving up your DIY custom features, because those platforms can be used as a headless eCommerce platform.
This way you don't have risks around managing backend and data (platform will do this, and not loosing the custom features and fine-tuned customer experience you implemented yourself)
I am building a website for a client. He's asking me to do security audit of the website. I don't have expertise in security audits and the budget is low. However, I am trying to give the best value to my client. Is there any tool using which I can perform security audit of the website at a low cost?
There are also a few SaaS vulnerability scanning tools that I personally use for my website. Some are free or have subscription-based plans according to users' budgets. Providing you with a detailed report along with consultation from a security expert if required.
I have faced similar issues in the past, it's difficult to find an all in one solution as it is and usually the clients don't even know what they want, also they don't realize that getting security audits done will subsequently increase the cost from the original budget by a huge margin.
I did however, go through the comments and found https://reconwithme.com mentioned, will have a look and provide feed back after using it. I have tried acunetix and they're good but is extremely expensive for start ups who are just entering the game.
Forgot to mention the tool I use, its called ReconwithMe.
Ok so ive been tasked with doing "research" on building an intranet for a potential new client for my company and they want some kind of answer by Monday (like any company, they REALLY want this project).
That said, ive been doing "Reasearch" and have so many tabs/windows open that im going nuts and getting lost since my research doesn't have direction...taking in too much and need assistance.
i have 2 questions after a brief explanation.
Essentially, From my understanding, an Intranet is...well in plain
terms, a website that is offline? has a deeper framework because of
the documents that will be available(i think its for a school)and the
ppl who can access them but can also have access to the internet?
Since its for a school(not sure if its mainly for teachers or teachers
and students ) im assuming alot of documents either way.
aside form being private, throughout my research, ive read alot about file security, firewalls, and...and.. im starting to get overwhelmed.
Me myself, am a web designer/so-so developer. decent knowledge of js/jquery and php/mysql though i feel like im just getting started in the web-developer part. Good knowledge of standards HTML/css, designer tools etc...
That said, these are my questions.
1.What is actually involved in planning to create this? What tools( read CMS if possible ) can i use to create any of this. Like to make this happen what do i actually need, and need to know? what direction should i take. If you can direct me and help me close some of these 30+ links spread across my 3 monitors id owe ya lol.
i can build many things and dont mind giving it a HARD go but, this seems like a HUGE project and, im SURE that if my company takes this job, id be put on it. now i can do some of the parts of this project but not 100% sure im the right person for this. Theyre counting on me for a yes/no answer as to whether i can do it (they know its big and itll take time to accomplish) but so...with my skills posted above, am i the right person to do this? or is this more akin to an ACTUAL tried and true developer?
Thank you for your time and, any tips/links/cms info/ i mean ANYTHING that would make this easier PLEASE dont hesitate to share. i dont mind doing the research but i need direction.
i dont want to tell them "YES i can do it" and in a month or two im on pause stuck and the yes turns into a "no i cant do it"
If you have no experience in setting up networks, then you are probably not the man for the job (unless your client is willing to let you have a shot at it for the experience, on a no-win, no-fee basis). Certainly do not over-promise and under-deliver!
I deal with quite a lot of schools, and I know many of the smaller ones will use the secretary's computer as a server, with a simple Windows home network to place files in a shared directory. Its a cheap and cheerful alternative, within their own skillsets to manage.
You should also check with the govermental department with relevant oversight (Dept. of Education, I'd imagine) to see what guidlines, requirements, and grants, are available or required. There may be a specific recommended route to take here, with made to measure firewall protection provided to you.
Larger schools will have invested in proper servers, with automatic external backups in place. I'm not qualified to give advice on how to set those up however. Hopefully someone else here will :)
Best of luck!
CMS may be included as a Intranet website, but Intranet includes much more than CMS. Your best stragetic is tell your boss find a network system integrator to do this project collaboratively. Intranet involves more networking technology (L2, L3, switching, routing, firewall, wireless, etc etc) and physical instrument (ex. cabling).
Perhaps not directly programming related, but definitely product / commercially related. And I can't find a dupe, so I thought I would ask.
I have had a bit of trouble trying to figure out what best to say to people who have called and asked for advice. The Microsoft message is a bit worrying - basically, be worried, lock up everything and hold on tight. Some of the people I have directed towards that route have objected because of what it does to their browsing experience.
The "go get Firefox" message seems to be going down a bit better. What is the real story and what is the best advice to give?
How much actual risk does it pose between now and when MS patches it?
Edit: here are the links that my community seem to be reading...
WSJ
NP
BBC
Switch to another browser, already.
Chrome and Firefox would be my first two choices. Firefox would probably be best for now, just because it has a longer history.
The only way to prevent this on IE is to follow Microsoft's workaround procedures, which will cause a huge headache for users.
Use Firefox
Use NoSript (if you want proper defence in depth). I can simply say 95+% of all client-side exploits requires JavaScript and 90% of the time these are loaded from a 3rd party website. Therefore switching FF and using NoScript is a really good solution.
How much actual risk does it pose
between now and when MS patches it?
If you look at 0days in IE there are bunch of them, and IE got the worst security track. Also it's one of the most targeted application for attackers because there is clear profit in it. Therefore using IE generally not a good idea.
If you have to use IE,
Use protected mode
Use the latest stable version
Keep your windows updated
Run it as least priviliged user
Use a process control and personal firewall application such as Comodo Firewall (process control application if you can use them right can solve many of these problems, but got a massive overhead in user)
Details of previous IE issues, there are lots of them!
http://secunia.com/advisories/product/11/?task=advisories (IE 6)
http://secunia.com/advisories/product/12366/?task=advisories (IE 7)
You can inform them to patch by following some workarounds but as you notice it's not going to save them on the long run.
Apart from switch browser, pay attention to the emergency patch - get it installed.
I don't know much about poking at servers, etc, but in light of the (relatively) recent Wordpress security issues, I'm wondering if it's possible to obscure which CMS you might be using to the outside world.
Obviously you can rename the default login page, error messages, the favicon (I see the joomla one everywhere) and use a non-default template, but the sorts of things I'm wondering about are watching redirects somehow and things like that. Do most CMS leave traces?
This is not to replace other forms of security, but more of a curious question.
Thanks for any insight!
Yes, many CMS leave traces like the forming of identifiers and hierarchy of elements that are a plain giveaway.
This is however not the point. What is the point, is that there are only few very popular CMS. It is not necessary to determine which one you use. It will suffice to methodically try attack techniques for the 5 to 10 biggest CMS in use on your site to get a pretty good probability of success.
In the general case, security by obscurity doesn't work. If you rely on the fact that someone doesn't know something, this means you're vulnerable to certain attacks since you blind yourself to them.
Therefore, it is dangerous to follow this path. Chose a successful CMS and then install all the available security patches right away. By using a famous CMS, you make sure that you'll get security fixes quickly. Your biggest enemy is time; attackers can find thousands of vulnerable sites with Google and attack them simultaneously using bot nets. This is a completely automated process today. Trying to hide what software you're using won't stop the bots from hacking your site since they don't check which vulnerability they might expect; they just try the top 10 of the currently most successful exploits.
[EDIT] Bot nets with 10'000 bots are not uncommon today. As long as installing security patches is so hard, people won't protect their computers and that means criminals will have lots of resources to attack. On top of that, there are sites which sell exploits as ready-to-use plugins for bots (or bots or rent whole bot nets).
So as long as the vulnerability is still there, camouflaging your site won't help.
A lot of CMS's have id, classnames and structure patterns that can identify them (Wordpress for example). URLs have specific patterns too. You just need someone experienced with the plataform or with just some browsing to identify which CMS it's using.
IMHO, you can try to change all this structure in your CMS, but if you are into all this effort, I think you should just create your own CMS.
It's more important to keep everything up to date in your plataform and follow some security measures than try to change everything that could reveal the CMS you're using.
Since this question is tagged "wordpress:" you can hide your wordpress version by putting this in your theme's functions.php file:
add_action('init', 'removeWPVersionInfo');
function removeWPVersionInfo() {
remove_action('wp_head', 'wp_generator');
}
But, you're still going to have the usual paths, i.e., wp-content/themes/ etc... and wp-content/plugins/ etc... in page source, unless you figure out a way to rewrite those with .htaccess.