Web Development Fundamentals: Rational Security Rant

Grant King

Grant King

5 min read
Share

I am not a security expert. I know there is a ton I don't know about the various methods used to execute electronic crimes, or their various mitigations. Still, I feel compelled to talk about some basic ideas surrounding specific areas of computer security that I feel sufficiently knowledgeable about to discuss from an experiential perspective. I want to reach people who may be vulnerable to misinformation that may have them looking for threats from the wrong direction.

I've noticed a behavioral pattern lately. Then, I heard widely-liked advice that attempted to justify the reasoning behind this behavior. I believe both the behavior and the justification are gravely misguided. Here is the misinformative directive in a nutshell:

"don't ever click external links"

Now, beyond the fact that this directive is too general to follow coherently, what is wrong with it? To talk about that, let's briefly review some common concerns about what the result of clicking on a link could be:

"They will steal your data"

Lordy, another very general statement rooted in fear that lacks any coherent practical application, yet greatly limits the cautious ignorant user. Let's just address this one to begin, because it is a big thing to address.

I'll start by stating that your personal data is relatively within your control to divulge, regardless of what websites you visit. Websites are owned by individuals or businesses who only have access to the information that you give to them and that they trade (or leak).

There is some technical information that is automatically transmitted any time you do anything online, including click a link, but these systems have been engineered to minimize the potential for abuse. Systems that intentionally store and congregate any useful amount of this information are pretty good about informing their users in small writing. Maybe they compile technical information (such as screen resolution or browser versions or preferred language) over a period of time to determine the needs of their users, on whole. Systems that are capable of making deep insights from automatically-transmitted information or cross-platform activity are systems that are on a scale that would be very hard to operate outside of industry or government behemoths, not just the scale of a single website or platform. This is to say that your online navigational activity doesn't realistically affect your risk to being a victim of useful data misuse by malevolent small-actors.

The most real danger for a malicious entity "stealing" your data – that is obtaining any information that you did not explicitly give them, is if they attack a vulnerable store of information that you gave to someone else. This extortion is only the result of a malicious user vs a vulnerable website's infrastructure. This means a malevolent actor attacks the system that is hosting the website (maybe by leveraging a multi-faceted attack that targets an administrator), not an individual everyday user. This is historically the only significant means for illegally extorting valuable user information. Clicking on an external link does not increase your risk for becoming a victim to this type of crime against organizations and groups of users.

Do you know what data you are trying to protect by refusing to leave giant platforms? I don't think most people have a firm grasp on what information is accessible by the owner of a website. Again, any webmaster can only access very basic technical information (that can be easily hidden or spoofed by your privacy-enchanced browser) and the information that you intentionally grant to the website.

Speaking of platforms, the more time you spend on a multimedia platform-based website, the more interaction data you generate. The platform owners are not the only ones who can model and store public parts of this data. If you are concerned about nonspecific, ethereal, activity data: I think it is safest to spread activity across many independent systems as possible to minimize the potential for risks from behavioral targeting that can enhance the efficacy of attacks based in social engineering tactics.

There are various technical exploitations that exist within every client-server relationship on the Internet; clicking to one website or another almost certainly isn't going to suddenly "infect" your local system or make it more vulnerable after you disconnect. Of course there are rare exceptions that briefly exist before they are patched, but these rare vulnerabilities aren't delivered through distinct predictable avoidable actions; it wouldn't make sense to attempt to avoid these rarities by not clicking on external links. A criminal owner of any website would find it impractical to make their thing more dangerous except by using social engineering tactics that lead the user to divulge information that they shouldn't.

Let's remind ourselves of some basic facts of computer system security: nothing is invulnerable. Security focuses on patching known avenues for abuse while weighing risk against practicality. If a party is determined to do something illegal with a computer, they will very likely find many ways to accomplish their goal. It is impossible for the non-expert to anticipate where the next sophisticated threat could come from. Basic common sense and situational awareness is enough to equalize all reasonable threats to a reasonable extent, assuming that you are using the latest software on the systems you use. This means you should be just as secure interacting within any particular domain on the Internet; any one website is likely to be just as directly secure as the next for aware users. Indirect risks will need to be assessed based on the presentation and function of each website, and the trust you can put into its owners. This is just like in the physical world: you can reasonably expect to go to the grocery store and avoid being mugged by the owners or other patrons, but the price and safety of the goods they sell and the structural integrity of their edifice is something you have to investigate in order to trust or not trust. Like venturing out into the world and encountering different individuals and establishments, browsing the Internet and living in a reasonable Internet society requires some reasonably-derived initial inherent trust.

The myth of the rogue godlike hacker who will invade your system and gain access to life-ruining information should you make one judgmental misstep, is one that is harmful to the fabric of the non-monopolistic web. Imagine if people believed that buying bananas from anywhere but Walmart would surely result in immediate tetanus and rabies. There is so much wrong with this, where do we even start?

The Internet needs to be a place full of individual voices. Addressing each independent voice as a certain threat is wrong, and will only consolidate power to areas where there is an actual increased threat from higher levels.

So I'll leave you here, for now. I hope some of this made sense. I hope you aren't afraid to click on any external links.

Stay smart, use your head. Be aware of what you are typing, and where. Be aware of what permissions you are granting to different domains. Beware of ads and dark patterns and actions that produce copious amounts of intimate interaction data: these are the things that can compromise user safety on both platforms and independent websites. Inspect the network activity if you are unsure if a website is performing under false pretenses. Remember that every system is venerable. Automatically transmitted data is generally safe because it is useless outside of the industrial and behavioral scale, not because you didn't click a sweet person's link. Behavioral data that you generate over time by interacting with large groups and vast content on social platforms is another story: something that has been historically dangerous for countless users. Otherwise, I hope everybody will please try to fearlessly enjoy the grand diverse tapestry of the weird independent web.

What do you think? What did I forget to mention? What are your red flags that make you avoid things when interacting on the Internet? How do you safely surf the web?

<3 Grant

Read more