DEV Community

Cover image for Web Security
Huldas96
Huldas96

Posted on • Edited on

Web Security

The average modern internet browsing session can be fun but it can also be dangerous. There is always a risk of our personal information being stolen, our accounts being infiltrated and our computers infected with viruses. It is important to know how to browse the web safely and for developers to understand how to make products safe to use.

In this article I will take a brief look at web security methods and technology that can help ensure a safe experience.

How to identify unsafe websites

Today we have a lot of our personal information online. It has never been more important for us browse safely and be aware of red flags. It only takes a one time visit to a malicious website to get infected. But how do we know if a website is unsafe? Here are some points to keep in mind when you are unsure:

First of all; never click on an embedded link in an email. Even if it is from someone you trust. Their account could have been broken into and be spreading something fishy. Right-clicking a hyperlink and selecting "Properties" will show the destination of the link.

Double check the URL. Scammers have been known to set up websites that look identical to popular sites with the url being almost identical to the spelling of the original website you are trying to visit. An accidental mistype may lead you to a fake version of the site. Always make sure you typed in the correct address.

Does the website in question look a bit strange to you? Is it asking for really sensitive information? Does it have a list of contacts? Is there any information about the website online? Is the website offering you a service or product at a scandalous price? Trust your gut, if you feel that something is not quite right, then it probably isn´t. No magic taco holder is worth your security being breached.

HTTPS

We all know computers use HTTP or Hyper Text Transfer Protocol to communicate over the internet, this started with version 0.9 in 1991. When web developers at Netscape Communications saw the need for more secure connections over the internet they created HTTPS or Hyper Text Transfer Protocol Secure.
Originally, HTTPS used SSL or Secure Socket Layer to establish an encrypted link between clients but SSL 3.0 was officially deprecated in 2015 and today the standard is to use TLS or Transport Layer Security; the latest version of which being TLS 1.3, released in 2018.

The benefits of using HTTPS over HTTP lies in the encryption of the data sent between client and server; this protects against man-in-the-middle attacks and verifies that the client is seeing the correct, untampered website. This is immensely important for cases such as online banking, sensitive emails and the like.
Indeed, online banking was in the beginning usually the only place casual users would encounter HTTPS as it used to be a quite costly protocol to implement, requiring server-side certificates signed by a trusted third-party. In 2016 however, the Electronic Frontier Foundation with the support of web browser developers led a campaign to make the protocol more prominent. This campaign made a big impact and today you’re more likely to encounter HTTPS than its non-secure counterpart HTTP.

Firewalls

A firewall is a system which monitors all incoming and outgoing internet traffic in order to block malicious programs and connections. There are three main types of firewalls, these are Packet Filtering Firewalls, Stateful Inspection Firewalls and Proxy Server Firewalls.

Packet filtering is a widely used technique, especially suitable for smaller networks; it works by analyzing all incoming and outgoing packets and either blocks them or lets them pass, depending on whether the packet conforms to established criteria.
Stateful Inspection does not scan individual packets but instead monitors the state of network connections. When a connection has been accepted a stateful firewall allows all related packets through and keeps the connection open for a certain period. This method is less resource intensive and is therefore particularly useful in larger networks.
Proxy Server Firewalls are considered the most secure type of firewall. They are called proxy firewalls because they have their own IP addresses and sit between the client and servers on the internet. Proxy firewalls utilize stateful inspection in addition to using DPI or Deep Packet Inspection to analyze packets down to the application layer. These firewalls however do come with the limitation that since all the local network's traffic has to come and go through this dedicated firewall, it may slow down traffic in cases of heavy use.

Firewalls can be implemented in two ways, there are software firewalls and there are hardware firewalls, sometimes both.

Software firewalls are the kind most of us are familiar with, Windows computers come with a firewall called Windows Defender which is built into the operating system. Users can also download third party firewalls and they are often included in antivirus programs.
Hardware firewalls are made for enterprise purposes, they perform the same function as a software firewall but have a few key advantages. The first advantage they have is the simple fact that they are dedicated devices which perform all the cybersecurity functions before the traffic reaches the rest of the network, this provides an extra degree of protection. Hardware firewalls also offer more granular control over things such as traffic, screening guidelines and port access.

Applying security measures

After countless hours of developing the perfect weather app, you might just want to publish it on the internet for everyone to use. But without any security protocols it could easily be hacked and your users could be left unsafe to browse the forecast.

To apply good web security you need to be up to date with the latest security technology available. There are many different security standards that must be followed at all times. These standards are highlighted by the OWASP (The Open Web Application Security Project). Any website that is secure is most likely backed by different types of checkpoints and methods for keeping it safe. Essential steps include applying up-to-date encryption, patching up discovered vulnerabilities, setting proper authentication and so on.
The cruel reality is that attackers can be clever enough to find flaws within a structurally secured environment, so a constant security strategy is advised.

Top comments (1)

Collapse
 
shostarsson profile image
Rémi Lavedrine

Interesting.
I think you can do a part 2, part 3, etc... and speak about other perimetric security software.
Nevertheless, as useful as they are, these are just one part of security. An important one, but not the most important in my humble opinion.
I would say that secure code (security taken into account from the development part is very important).

Great article. 👍🏼