Protecting User Information

Welcome to the Protecting User Information Wiki
In today's web, the protection of sensitive user information is more important than ever. Many techniques and tools are used to protect the identity of a user from outside parties. Most commonly, this includes utilization of HTTPS (Hyper Text Transfer Protocol Secure). However, other means exist beyond HTTPS to ensure user information is protected under a web service.

HTTPS
HTTPS is at the forefront of security for websites and web applications. In essence, it is a security layer over an existing protocol that encrypts user traffic between a server and the client (a user). This is done by either SSL (Secure Sockets Layer) or TLS (Transport Layer Security, now the standard encryption protocol). These technologies provide public-private key sharing, or asymmetric encryption, to create a one-to-one communication relationship between these points, essentially disabling snooping from outside parties.

Websites secured by HTTPS are identified by the browser, which also tells the user whether the certificate is valid or has expired. This is extremely important for two reasons. Firstly, expired certificates mean that the website has not maintained authenticity with the authorizer and is inherently unsafe. Secondly, an HTTPS certificate can be generated by anyone with access to the tools, which are widely available. These certificates technically encrypt a user's connection but are not generally trustworthy. Therefore, such a certificate is marked untrusted, and this is visibly shown to the user.

Password Salting and Hashing
Another means of protecting user information is password salting and hashing. This is a prominent security measure for protecting user information, as it makes a password unreadable to intruders. Hashing is the process of using a hashing algorithm to create a one-way translation of the input data. Many hashing algorithms exist for the purpose of security measures.

In brief, hashing is a technique in which data is taken and, with the use of an algorithm, translated into new information. Hashing algorithms exist for many applications, but the ones used for security come with two particular benefits - slow performance and one-way hashing. One-way hashing is important as it means the output of the algorithm is entropic and unpredictable. This is done by providing a fixed-length output (no matter the input, the output will always be n characters in length, where n is the output length), and an underlying algorithm that ensures input cannot be reversed. Therefore, the words apple, alple and elppa are all indistinguishable from each other when hashed.

Slow hashing is favorable because it prevents hackers from brute forcing variants of passwords. Hashing a value once is relatively unnoticeable in terms of speed. However, hashing hundreds of times could take hours and would likely deter most hackers from trying to crack passwords.

Salting is an extra layer of security added to a hash. A salt is a keyword appended or prepended to a hash to make it more unique. Hackers often deploy rainbow tables to identify easily guessed passwords. Salts help defend against those, since a salt is generally unique to the website, making rainbow tables useless.
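
The salting and slow hashing described above, as an added example that is not part of the original wiki. It uses PBKDF2-HMAC-SHA256 from Python's standard library and, going beyond the site-wide salt mentioned in the text, a random salt per password; the iteration count, salt length, function names and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not taken from the wiki).
HASH_NAME = "sha256"    # digest is always 32 bytes, whatever the input length
ITERATIONS = 100_000    # repeated hashing makes every guess slow
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store; a fresh random salt is made if none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def same_password_two_salts(password: str) -> Tuple[bytes, bytes]:
    """Hash one password under two random salts; the digests differ, so a
    table precomputed without the salt matches neither stored value."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first, second


if __name__ == "__main__":
    # Constructed sample passwords, echoing the words used in the text.
    salt, stored = hash_password("apple")
    print("digest length:", len(stored))
    print("apple verifies:", verify_password("apple", salt, stored))
    print("elppa verifies:", verify_password("elppa", salt, stored))
    a, b = same_password_two_salts("apple")
    print("same password, different salts, equal digests:", a == b)
```

The salt is not secret and is stored next to the digest; only the password itself is never stored.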

XSS Prevention
Cross-Site Scripting (XSS) is a JavaScript exploit that allows malicious users of vulnerable websites to force JavaScript to run in other users' browsers. The impact can range from a minor nuisance for users to the theft of banking information entered into forms, as this information is not yet encrypted.

XSS prevention is typically built into browsers today, blocking code that accesses files or scripts in a way that would be indicative of XSS exploitation.

SQL Injection
SQL injection is the process of attacking databases using form inputs on webpages. Malicious users insert formatted SQL queries that are used as regular input to the intended queries and are run by the website unknowingly.

SQL injection is very easily mitigated. However, there have been severe oversights in the past, including the Sony data breach of 2014. SQL injection is mitigated by sanitizing and cleansing user input to ensure that an inserted SQL query is treated as nothing more than regular text.

If not mitigated, SQL injection can allow a malicious user unprecedented access to the entire targeted database. With this access, they can do a dump of the entire database to retrieve sensitive information -- allowing the sale of this information to inquiring parties -- or simply delete information stored. Deletion of the information could either cause stability issues in the underlying system or bring it down entirely.