Explaining why security online requires experience and a different mindset from traditionally thought coding techniques.
Episode #10-14 released on November 10, 2019
These are the things that would happen tomorrow if HTTPS, point to point encryption and data security weren't just the norm, but a requirement in having a web-site or application. Whenever you access a web-site, you'd be the only one, besides the web-site or application, to know what you are accessing. You'd be the only one able to view the contents. Any messages or content you submit to the server would be private and protected from interception or modifications of any kind and this would include your ISP. Every transaction online would be more secure, in fact, most if not all, payment processing companies require SSL, point to point encryption and proper data security techniques to be integral to the shopping card and account experience. Your conversations would be private, and only you, the recipient and the service could access it. If the service had point to point encryption, only you and the recipients could access the messages. No one could inject malicious code into the files to infect you as a man in the middle attack would corrupt the packets and all corrupt packets are ignored anyway. And, no one could steal your session cookies and impersonate you online, and so much more.
Now, knowing all that, why aren't more web-sites using SSL encryption to protect every end user?
The first reason is cost, the second is implementation of the SSL certificates into the web-site.
Making a web-site is easy, coding it easy, however making a secure web-site safe is hard work and it needs to be updated and developers need to be careful about everything from mitigating cross site scripting vulnerabilities, dealing with data and protecting it, and making sure the all encryption is strong and properly implemented.
There are plenty of decisions that need to be taken early on, too. I've scrapped entire databases of user information because it was harder to go from one scheme to another and much easier to change security design by simply restarting process, but unlike social networks, it is easier for me to just do that because I own the data on my websites anyway, and no one else has access to it, or relies on it at all.
Which bring us to the process of designing a secure application or website. While, a great many people are gifted programmers, they lack the discipline and experience required when coding for security over function, mostly because the curriculum of schools and online courses related to programming focus on making code elegant and functional. There is, also, a distinct disconnect in the availability of information that would help, even the most novice of coders, code securely and focusing on data security above all else.
It is easier to make code secure when coding with the intent of data security from line one and committing to security through the entire process of coding, even if that limits the reusability of various functions in the process. However, the coding overhead required to code securely being done before is significantly less than the patchwork mess that occurs when it coded for at the end of the process, resulting in code that is more complicated, but less convoluted.
And, what would better programming practices, more end to end encryption and more secure tunnels do for everyone?
It would allow for a far more secure online experience. If every business, application and website was coded with data security first mind sets, most of the issues we are seeing today related to Facebook, Scotiabank, Desjardins, etc. would disappear in a heartbeat. Coders could even go as far as easily making it impossible for the complete extraction of databases by coding securely from line one, and simultaneously prevent man in the middle attacks, cross site scripting issues, etc.
Now, you might be wondering about just how far data security has to go and whether justice departments, police, etc. need to introduce backdoors or data collection laws to control how we code. That, however, is a topic we will definitely be focusing on next time.
Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net