CS3382 - Week Three

Web usability should include its security also. How to choose to run which level of web security

1. Have to think the data if is needed to secure, whatever financial or private. For example, accessing the site of CS3382 Web Usability Design and Engineering of City University must login 
2. If it must be encrypted on everything of the communication data

   Apply strong end to end encryption...... so that it is encrypted all the way between customers' devices and AIs' trusted internal networks
   Hong Kong Monetary Authority - Supervisory Policy Manual 4.2.3
   

3. Would be a way to handle brute force detection or basic request rate throttling. If need, time based lockout should be here. e.g. visiting to a ebanking web site, have tried to login fail three time, the account should be locked
4. If need session timeout here? how much inactivity, should be logout the account
5. Password strength. If it is enough? Three character set? Currently, there are many password cracking library here, e.g. Password Cracking Library (PCL)
   
6. Password reset. How can reset it? For example, must sign a reset agreement of bank if want to reset the password of ebanking
7. Page caching. Allow it or not. Have to think this whatever GET or POST HTTP request

   Never trust input from GET or POST HTTP request  unless properly validated
   CS4293 - Topics on Computer Security of City University
   

8. User name enumeration. Whatever the username is success, when the password is wrong, the username is also clear. Just sigin to Google, would see this

Reference

• http://keepitlocked.net/archive/2009/06/05/weak-and-strong-web-security-requirements.aspx
• CS3382 - Web Usability Design and Engineering of City University
• CS4293 - Topics on Computer Security of City University