Halloween Ideas

All About the Spookiest Night of the Year!

Web Security

This website was created as part of a Javascript class, and as someone studying web design and web development, I'm very concerned about safety on the Internet. Sometimes, browsing the Internet can be something like going door to door, collecting Halloween treats. Although there are many safe and fun sites out there that are a real treat, there is still the threat of getting something unpleasant and unexpected if you go to the wrong place or trust the wrong person. With that in mind, it makes sense to take a few steps to make yourself a little safer.

Remember when you were young and your parents told you not to give your name or any personal information to strangers because they might be untrustworthy? It's amazing how many people forget this rule when it comes to the Internet. Giving too much information away to strangers can be dangerous, and there are also many things that a hacker can tell about you and your computer without you telling them anything at all.

Anyone who can create a website and use the methods and properties of Javascript can obtain the information shown in the table below (Vodnik and Gosselin 344-345). The third column contains information about the computer that you are currently using. (I won't see this information; it will just be shown to you in your browser by way of demonstration. I'm a student doing a demo for a class project, and I currently have no way to receive or store information of this kind, only to show it to you.)

Property and description (the third column, Your Computer, is filled in by your own browser when the page is viewed):

geolocation: Can provide access to data about a user's physical location and their permission settings regarding it.
onLine: Can determine whether the user's browser is currently connected to the network.
appName: Obtains the name of the browser currently in use.
appVersion: Obtains information about the version of the browser in use.
platform: Determines the operating system of the user's computer.
userAgent: Obtains information about the user's browser, platform, and compatibility with it.

Note: If you're using Firefox, it might report that you're using Netscape because the two of them have a common origin. When the page loaded, your browser may have asked you if you wanted to share location information. If you said no or if you have an older browser that doesn't supply geolocation information, you should see a message that the information wasn't available, showing you the effect of being careful with the information you choose to share. The altitude information may not be available even if the geolocation is.
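The following is an added example, not the script from this page, showing how the properties in the table are read and how the "information wasn't available" case is handled when a user declines to share their location or the browser has no geolocation object. It takes the navigator object as a parameter, so the same functions run against the real browser or against the constructed stubs at the bottom.

```javascript
// Added example (not the page's own script): builds the "Your Computer" column
// from a navigator-like object, so it runs against the real navigator or a stub.
const REPORTED = ["onLine", "appName", "appVersion", "platform", "userAgent"];

function describeBrowser(nav) {
  const report = {};
  for (const name of REPORTED) {
    // A property the browser does not expose is shown as unavailable, not as an error.
    report[name] = nav[name] === undefined ? "not available" : String(nav[name]);
  }
  return report;
}

// Asks for the position and passes a one-line description to `show`.
// The Geolocation API is callback-based; a denied permission and a browser
// without the geolocation object both produce the "wasn't available" message.
function describeLocation(nav, show) {
  const geo = nav.geolocation;
  if (!geo || typeof geo.getCurrentPosition !== "function") {
    show("Geolocation information wasn't available");
    return;
  }
  geo.getCurrentPosition(
    (pos) => {
      const c = pos.coords;
      // Altitude is optional in the Geolocation API and is often null.
      const alt = c.altitude == null ? "not available" : `${c.altitude} m`;
      show(`Latitude ${c.latitude}, longitude ${c.longitude}, altitude ${alt}`);
    },
    (err) => show(`Geolocation information wasn't available (${err.message})`)
  );
}

// Constructed stubs: one browser that shares a position, one whose user declined.
const stubShared = {
  onLine: true, appName: "Netscape", appVersion: "5.0 (X11)", platform: "Linux x86_64",
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
  geolocation: { getCurrentPosition(ok) { ok({ coords: { latitude: 40.71, longitude: -74.01, altitude: null } }); } },
};
const stubDeclined = {
  onLine: true, appName: "Netscape",
  geolocation: { getCurrentPosition(_ok, fail) { fail({ code: 1, message: "User denied Geolocation" }); } },
};

// In a real browser, pass the global navigator instead of a stub.
if (typeof navigator !== "undefined") {
  console.log(describeBrowser(navigator));
  describeLocation(navigator, console.log);
}
```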

If you chose to share your location information, you can see a map of your location below:

This is similar to what certain businesses, like fast food restaurants, do when you allow their site access to your location information so they can point out where their nearest restaurants or stores are.

These properties of Javascript were created for harmless purposes, such as assessing the browser software and capabilities of a user's computer in order to provide them with a site optimized for their system (Vodnik and Gosselin 345). However, unscrupulous people have found ways to use Javascript properties to cause harm.

In that way, Javascript has something in common with cookies, which were also designed to make users' experiences easier but which could be exploited by unscrupulous people. A web cookie (also known as an Internet cookie or browser cookie) is basically a file in your web browser that stores information about your visits to a website. Cookies are very commonly used to store information about the products in a customer's online shopping cart before they check out and to remember users' login information so they don't have to retype it every time they visit a site. Most of the time, using cookies isn't a security risk. However, some forms of malware can be disguised as cookies. Other cookies can monitor your actions online, interfering with your privacy and security. Browsers have ways to allow users to manage their cookies and privacy settings, and suspicious cookies can be deleted ("What are cookies?").

Good web developers consider ways that hackers can take advantage of their code to harm them or their website users. Here are some of the problems developers encounter and steps they can take ("Website Security"):

Cross-Site Scripting (XSS)
Description: An attacker injects harmful scripts through another's website, targeting its users. The users are unaware that anything harmful has occurred because the site is known and trusted. However, the attacker can gain access to the cookie storing the user's site login information, giving them access to the user's password and account. This is the most common type of attack.
Prevention: The site developer should remove the markup tags necessary for code to execute from any user input. This is called "input sanitization."

SQL Injection
Description: Attackers exploit vulnerabilities in order to execute SQL code that gives them access to a database. Once they have access, they can obtain users' data, modify it, or delete it. They could even create fictional identities for themselves in the system. To carry out this kind of attack, the attacker has to give the system user input that changes the meaning of the developer's SQL statements.
Prevention: The developer has to prevent users from giving harmful input by "escaping" the characters they enter, which means adding symbols to the users' input to ensure that any characters they enter are interpreted only as characters, not as anything that could attach itself to the code and become part of it. Many web frameworks are already designed to do this automatically.

Cross-Site Request Forgery (CSRF)
Description: An attacker borrows someone else's credentials without their knowledge and uses them for fraudulent purposes. For example, someone might know of a site where people pay money. So, they build their own payment form like the legitimate one, but with their own bank account as the destination for the money, and e-mail it to people who use the legitimate site. They hide the form from the people receiving it and disguise the "Submit" button as a link that they are likely to click. If a recipient clicks the link while also logged into their account on the legitimate site, the attacker's form automatically takes the payment information from that site's cookies and uses it to send a payment from the user to the attacker.
Prevention: Developers can prevent this type of attack by adding a secret piece of user-specific information to the user's legitimate form submissions. This secret comes from the server and is not contained in the user's cookies, so the attacker does not know what it is and cannot incorporate it into their own form. Web frameworks are also designed to prevent this kind of attack.

Clickjacking
Description: The attacker causes users who are trying to click on a link for a known site to instead be routed to a site contained in an iframe created by the attacker, so the attacker can obtain the users' login information.
Prevention: The best defense is for the developer to use appropriate HTTP headers so that the site cannot be embedded in an iframe on anyone else's site.
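As an added example of the XSS prevention described above (not code from the page or from the "Website Security" source), here is a comment renderer that concatenates user input straight into markup next to one that escapes it first, together with the tag-removal approach the table mentions and a small check a developer can run on the output. The sample author and body are constructed input.

```javascript
// Added example, not the page's own code: keeping user input from being
// parsed as markup before it is placed into a page.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escaping keeps the user's text intact but makes the browser show it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Removing tags, as the table describes, also prevents execution, but it drops
// anything between a "<" and the next ">" even when it was plain text.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, "");
}

// Unsafe: untrusted values are concatenated straight into the markup.
function renderCommentUnsafe(author, body) {
  return `<p class="comment" title="${author}">${body}</p>`;
}

// Safe: every untrusted value is escaped. The author lands inside an attribute,
// so quote characters must be escaped too, not only "<" and ">".
function renderCommentSafe(author, body) {
  return `<p class="comment" title="${escapeHtml(author)}">${escapeHtml(body)}</p>`;
}

// Developer check: a user value containing markup characters must not appear
// verbatim in the rendered output.
function leaksMarkup(html, ...userValues) {
  return userValues.some((v) => /[<>"']/.test(v) && html.includes(v));
}

// Constructed sample input of the kind a comment form might receive.
const sampleAuthor = 'Ghost" title="haunted';
const sampleBody = '<script>alert("boo")</script> Happy Halloween!';

console.log(leaksMarkup(renderCommentUnsafe(sampleAuthor, sampleBody), sampleAuthor, sampleBody)); // true
console.log(leaksMarkup(renderCommentSafe(sampleAuthor, sampleBody), sampleAuthor, sampleBody));   // false
```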

The information in the table above is really for designers and developers to head off problems before they start. But what about you, the site user? What can you do to help keep yourself safe? Here is a list of safety tips to help you protect yourself from malware and online scammers ("Browsing the web safely"):

Remember, have fun out there, but be safe!

Helpful Sites

These are the sites I consulted when assembling this page, and they offer further useful information on the subject of web safety.

Browsing the web safely
This is a site created by the government of Australia to educate citizens about ways to keep themselves safe on the web.
What are cookies?
A Norton page that explains the purpose of cookies and how they relate to web security.
Website Security
This site explains different types of security risks and how to handle them, especially for designers and developers.

Book

Vodnik, Sasha and Don Gosselin. Javascript. 6th ed. Boston, MA: Cengage Learning, 2015.