
Question

I want to display some very sensitive information on a web page and I want to make sure that nobody, except the user in front of the browser, is able to access this information. I'm aware that in general it is not a good idea, but some sites manage to do it. For example: LastPass

What are the security risks to consider?

How would you proceed to implement it securely?

Assume that the client computer is not compromised and that it's the client's problem to be sure no one else is looking over his shoulder.

Explanation / Answer

There is no magic way to safely display text on a webpage. Either it is safe to display or it isn't, and which of those buckets your data falls into depends on your threat model. What specific threat are you wanting to protect against, and what is the risk of the threat being utilized in an attack? To counter the risk, what is the value of displaying the data to the user? Is it important enough that they see the data that the value outweighs the risk?

In the case of LastPass, the entire application is designed to allow you to manage passwords. Sometimes that means you need to see the passwords in plain-text. It's an important feature of the app, and thus, worth the risk of a shoulder-surfer discovering the password. For most other applications, there's not really much value in displaying a plain-text password to the user, so displaying it wouldn't offset even small risks.

So, you have to decide for your use case: is the value of displaying the data to the user greater than the risk, or not?

Beyond this, it's worth mentioning that there is a third way. You could leave it up to the user. You could ask them (via a checkbox, or a link, for instance) if they want the data to be displayed. Then it's up to them to determine if the value of seeing the data outweighs not only the general risk, but the specific risk at that instant. (They might choose differently if using a computer at home vs. a kiosk in a crowded mall, for instance.) So you could default to the safer option of not making the data display, but give the user the option to override that default. Realistically though, there needs to be significant value in displaying the data for you to even display it at all. Generally in the specific case of displaying a user's password in plain-text, that value simply doesn't exist.
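Added example, not part of the original answer: one way to implement the "hidden by default, user opts in" pattern described above. The class name `RevealGate`, the element ids, and the auto-hide timeout and hide-on-tab-switch behaviour are assumptions that go beyond what the answer states.

```javascript
// Reveal-on-demand gate: the value is masked unless the user explicitly
// asked to see it, and it is masked again after a short window.
// RevealGate, autoHideMs and the element ids below are hypothetical names.
class RevealGate {
  constructor(secret, { autoHideMs = 15000, now = () => Date.now() } = {}) {
    this.secret = secret;
    this.autoHideMs = autoHideMs;
    this.now = now;            // injectable clock so the logic can be tested
    this.revealedAt = null;    // null means hidden, which is the safe default
  }
  // Call only from an explicit user action (checkbox, "show" link).
  reveal() { this.revealedAt = this.now(); }
  hide() { this.revealedAt = null; }
  isRevealed() {
    if (this.revealedAt === null) return false;
    if (this.now() - this.revealedAt >= this.autoHideMs) {
      this.hide();             // window expired: fall back to hidden
      return false;
    }
    return true;
  }
  // Fixed-length mask so the hidden form does not leak the value's length.
  displayText() {
    return this.isRevealed() ? this.secret : '*'.repeat(8);
  }
}

// Browser wiring (skipped outside a browser). Assumes the page contains
// <span id="secret"></span> and <input type="checkbox" id="show-secret">.
if (typeof document !== 'undefined') {
  const gate = new RevealGate('constructed-sample-value');
  const out = document.getElementById('secret');
  const box = document.getElementById('show-secret');
  const paint = () => {
    out.textContent = gate.displayText();  // textContent, never innerHTML
    box.checked = gate.isRevealed();
  };
  box.addEventListener('change', () => {
    if (box.checked) gate.reveal(); else gate.hide();
    paint();
  });
  // Re-mask when the tab loses visibility (user switched away).
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { gate.hide(); paint(); }
  });
  setInterval(paint, 1000);  // picks up the auto-hide expiry
  paint();
}
```

Masking in the page only addresses the shoulder-surfing case the answer discusses; the value is still present in the page's JavaScript once delivered to the browser.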
