Assessing web security, at least the basics, is much simpler than you may think. A few free resources exist that can do a great job of assessing the Security 101 of your favourite web site.
First, let’s explain a few of the threat vectors. When you open a web page, your browser fetches the page itself (the index) from the site. That index in turn points to other resources (advertising, images, tracking, …), and those in turn point to others, and so on. Your security is, unless explicitly set, only as good as the weakest of those links.
In the video below I talk about the basic concepts of:
- Content-Security-Policy
- Cross-Origin-Resource-Sharing
- Cross Site Scripting (XSS)
- TLS (Encryption) strength
And I show how these 3 ‘check-me’ web sites can give you a simple score:
Let’s start with a real example. My bank. The Royal Bank of Canada. We’ll head over to the Mozilla Observatory here. To my (sadness? no-surprise?) it gets an F. None of the basic protections are enabled. Now, I’m sure some will say it probably gets better once you log in. Maybe?
So, how do we interpret this? Well, no Content-Security-Policy is used. This means any 3rd parties they reference have carte blanche to do whatever they like with my browser and my data. Install a JavaScript lib to watch me enter a password? Sure, no problem.
Next, there is no XSS protection. This site can be reframed inside another, meaning I might be tricked into visiting something that looks like my bank, enter my real password, and have it watched and taken over. Hmm.
Now let’s look at the encryption setup. It’s a bank, so I expect this to be strong and proper; after all, this is why SSL/TLS was invented. We head to ssllabs.com to check. As predicted, the site gets an ‘A’.
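To make the header part of that score concrete, here is an added example (my own illustration, not the Observatory’s code or anything from the bank) that applies the same kind of checks to a site’s HTTP response headers: is a Content-Security-Policy set and does it block inline script, is framing blocked, is HSTS on, is MIME sniffing disabled, is a Referrer-Policy declared. The two header sets at the bottom are constructed for the demo; `fetch_headers` is a hypothetical helper you can point at a real URL, and the letter grade scale is my own simplification, not the Observatory’s.

```python
"""Basic security-header checker in the spirit of the Mozilla Observatory.
Added example: constructed header sets, simplified grading scale."""
import urllib.request
from typing import Dict, List, Tuple

Result = Tuple[str, bool, str]  # (check name, passed, note)


def _csp_directives(csp: str) -> Dict[str, str]:
    """Parse 'name v1 v2; name ...' into {lower-cased name: value string}."""
    out: Dict[str, str] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = " ".join(tokens[1:])
    return out


def check_headers(headers: Dict[str, str]) -> List[Result]:
    """Run the five basic checks against a case-insensitive header map."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = _csp_directives(h.get("content-security-policy", ""))
    results: List[Result] = []

    # 1. CSP: must exist, and script-src (or default-src) must not allow inline script
    if not csp:
        results.append(("Content-Security-Policy", False,
                        "missing: referenced third parties get carte blanche"))
    else:
        script_src = csp.get("script-src", csp.get("default-src", ""))
        if "'unsafe-inline'" in script_src:
            results.append(("Content-Security-Policy", False,
                            "present, but 'unsafe-inline' lets injected script run"))
        else:
            results.append(("Content-Security-Policy", True, "present, inline script blocked"))

    # 2. Framing: X-Frame-Options or a CSP frame-ancestors directive stops the page
    #    from being embedded inside a look-alike site
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        results.append(("Framing protection", True, "X-Frame-Options or frame-ancestors set"))
    else:
        results.append(("Framing protection", False, "missing: page can be framed by another site"))

    # 3. HSTS: browsers should refuse plain HTTP for at least six months (15552000 s)
    max_age = 0
    for token in h.get("strict-transport-security", "").split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            try:
                max_age = int(token.split("=", 1)[1])
            except ValueError:
                max_age = 0
    results.append(("Strict-Transport-Security", max_age >= 15552000,
                    f"max-age={max_age}" if max_age else "missing"))

    # 4. nosniff: stops browsers guessing a content type and executing it as script
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    results.append(("X-Content-Type-Options", nosniff, "nosniff" if nosniff else "missing"))

    # 5. Referrer-Policy: limits what URL data leaks to those third parties
    rp = h.get("referrer-policy", "").strip()
    results.append(("Referrer-Policy", bool(rp), rp or "missing"))
    return results


def grade(results: List[Result]) -> str:
    """Simplified letter grade: one failed check per step down, F at four or more."""
    failures = sum(1 for _, ok, _ in results if not ok)
    return "ABCDF"[min(failures, 4)]


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Hypothetical helper: fetch a live page and return its response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # follows redirects
        return dict(resp.headers.items())


# Constructed sample header sets (not captured from any real site)
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "example"}
STRONG_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        results = check_headers(hdrs)
        print(f"{name}: grade {grade(results)}")
        for check, ok, note in results:
            print(f"  [{'PASS' if ok else 'FAIL'}] {check}: {note}")
```

Run it as-is to see the constructed weak set graded F and the strong set graded A; to look at a real site, call `check_headers(fetch_headers("https://example.invalid/"))` from a Python shell. Note that a site may serve different headers after login or per path, so one fetch of the front page is only the starting point, exactly as with the Observatory result above.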
So, here’s what I will ask you to do. Watch the video (feel free to subscribe!). Then, pick a site you feel should be strong (or are certain is weak). Test it with the tools I’ve shown you. Comment on the video or here on the blog what you got, and whether you were surprised about this or not.
And then apply this knowledge to your own web properties.
And then, get someone else to watch the video and do the same. Let’s make security viral.
Finally, if you have an application you would like to expose to the Internet, and it’s not so strong in this area, I can help; read here!