Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Trusting Apps and Websites

Most people will know a little bit about IT security, and probably the importance of awareness to protect themselves. IT security, unfortunately, is a complicated business. Sometimes, even when people think they know about, say, protecting their security credentials, they actually just barely understand the breadth and depth of the matter. Here’s what I mean.

Do you ever consider why you should trust the apps and the websites that you use?

When you visit a website which asks you to create an account, what username and password do you use? Now, most people ought to know to use unique passwords at each website. So this is not much of a problem, assuming of course that people do in fact use unique passwords that, once stolen, provide little information about what their password at another website might be.

You see, some people’s idea of a unique password might be, for example, based on the formula that they append the website’s domain name to a standard password prefix. For example, if their standard password prefix is test, then they will use the password testfacebook at www.facebook.com, and the password testtwitter at www.twitter.com. So, hypothetically, if Facebook has been broken into and the attackers have all the user passwords, they could make a reasonably good guess at passwords that might be used at other websites.
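To check your own passwords for this habit, here is a small audit sketch. It is an added example, not part of the original post: the function names and the sample vault are constructed, and the site label is taken naively as the second-to-last part of the hostname. It flags passwords that embed the site's name and leave the same stem behind on two or more sites.

```python
from collections import defaultdict


def site_label(host):
    """Naive site name: 'facebook' for 'www.facebook.com' (assumes a one-part TLD)."""
    parts = [p for p in host.lower().strip(".").split(".") if p]
    if not parts:
        return ""
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_formula_passwords(vault):
    """vault maps hostname -> password.

    Returns {stem: [hosts]} for every stem that is combined with the
    site's own name on at least two sites, i.e. a guessable formula.
    """
    stems = defaultdict(list)
    for host, password in vault.items():
        label = site_label(host)
        if not label:
            continue
        idx = password.lower().find(label)
        if idx == -1:
            continue  # password does not embed the site name
        # The stem is whatever remains once the site name is cut out,
        # so both prefix+site and site+suffix formulas are caught.
        stem = password[:idx] + password[idx + len(label):]
        stems[stem].append(host)
    return {s: sorted(h) for s, h in stems.items() if len(h) >= 2}


# Constructed sample vault; the first two entries are the post's own examples.
SAMPLE_VAULT = {
    "www.facebook.com": "testfacebook",
    "www.twitter.com": "testtwitter",
    "mail.example.net": "exampletest",   # same stem, site name placed first
    "shop.example.org": "k7#Vq9!zLp2",   # unrelated random password
}

if __name__ == "__main__":
    for stem, hosts in find_formula_passwords(SAMPLE_VAULT).items():
        print(f"stem {stem!r} is reused with the site name on: {', '.join(hosts)}")
```

Any stem it reports is a password family where one leaked entry reveals the rest, so those entries are the ones to replace with unrelated random passwords.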

But this is really a minor matter.

The bigger thing is about people who entrust their credentials at one system with another system. There are clever and more secure ways to do this, of course, and indeed many systems will use them. For example, Hootsuite may need authorisation to post as you on Facebook, but they don’t actually need your Facebook username and password. As clever as that might sound, should you actually trust Hootsuite? (I’m merely using this as an example, there’s nothing specific about Hootsuite or Facebook in terms of any security flaws that I’m saying here.)

Many people don’t think twice about granting such authorisations. If you give an app or website authorisation to access your Dropbox files, then that app or website basically has access to all your Dropbox files. That includes secret files you may choose to put in there, whether they are already in there or those that you upload in future. Granting access to your Dropbox files is a really big risk, but many people don’t think too much about that.

Worse yet are those apps or websites that actually ask for your login credentials on another system. No doubt there are logical and sensible reasons why those credentials are required, so some people don’t think twice about giving them. The problem is this: do you trust that the app or website will do only just what it says it wants to do, and nothing else?

It doesn’t stop there. Suppose the app or website is good, in the sense that they will not misuse the credentials or authorisations you have shared with them. However, what if they get broken into by the bad guys? It’s one thing to believe that a reputable app or website will not misuse your credentials or authorisations you’ve delegated to them. That doesn’t mean that they won’t fall prey to attackers who may steal and abuse those credentials and authorisations.

In other words, when you decide to give an app or website your credentials, or delegate some authorisation to them, you need to decide how much you trust that app or website, but also how much you believe that app or website is secure and won’t itself become compromised.

In real life, do you hand over your house keys to a domestic cleaner, or other service personnel? You would probably think twice, and perhaps then decide you won’t do that. Cars come with valet keys precisely because you don’t trust the valet completely, and some people choose not to use valets because they don’t trust them at all. Many of us somehow don’t carry over this common sense determination of trust levels to the apps and websites that we use.
