MITM Attacks: Understand better; Learn to avoid/mitigate

Continuing the Web Security in 2023 series, the very first thing that comes to mind is the “MITM (Man-in-the-middle) attack”. So who exactly is this “man in the middle”, and what is he doing there?

Assume that all the activity and data going back and forth between your backend and your user (via your web front-end) is being monitored; that is, all the secrets, passwords, etc… are bare and visible to this “suspicious entity”, who may, at any given stage, use this information to mount an attack. Scary, right? Now stop assuming and understand as fact that it is indeed happening and it is very real.

All this data going back and forth between your backend and frontend is indeed visible to entities including but not limited to: your hosting provider, your user’s ISP, and the network administrators on either side.

Now such an attack can come from either side, but as a service provider it is of course much, much worse for you when the vulnerability is at your end, because that puts your entire user base at risk. An eavesdropper at an individual user’s end would, at the very most, compromise that single user’s account on your backend.

As a service provider there is really little to nothing you can do if this eavesdropping is happening at an individual user’s end, but to protect yourself and your entire user base you must implement the following:

  1. Always use HTTPS!

    It really is this simple! Do not ever serve your web pages over plain, unencrypted HTTP; instead force-redirect users to your secure website, which uses a valid certificate and a strong, high-grade SSL/TLS configuration.

    Once that valid, high-grade SSL/TLS setup is in place, you have established a secure line of communication between your backend and frontend that cannot be eavesdropped on by anyone on the network path in between.
  2. Protect and secure your servers!

    This one is a no-brainer; of course you already know this, but it is all the more reason to be paranoid about controlling access to your servers and knowing exactly what is going on inside them.

    Viruses and malware come in all shapes, sizes and colors, and they are able to leak any sensitive data that reaches your server after it has arrived over the secure HTTPS connection you established. They can be deployed on your servers by anyone, including but not limited to untrustworthy designers, developers, or even customer-support staff at your hosting provider.

    Keep production servers out of reach of anyone but you and your trusted IT administrators. Change the SSH port from the default, do not use passwords but key-based authentication (authorized keys, preferably Ed25519), deploy a firewall; do everything humanly possible to secure them!

  3. Always use trusted service providers!

    This point cannot be stressed enough; even after everything you have done, it all comes down to this question: “Can you trust your hosting provider?”

    Whether you are using IaaS cloud, a VPS, or even bare-metal dedicated servers, your hosting provider has the ability to bypass all your security efforts!

    “Practice what you preach” is exactly why I highly recommend only using hosting providers and CDNs that are renowned, well-established names, even if that comes with a higher price tag. We all know these big names: DigitalOcean, Amazon AWS, Cloudflare, Leaseweb, etc… Do not go to resellers, do not go for shared hosting, or simply stop reading all this.
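As an added example of item 1 above (this is not configuration from the original post), here is an nginx setup that refuses to serve anything over plain HTTP: the first server block permanently redirects every http:// request to the HTTPS origin, and the second serves the site over TLS and sends an HSTS header so browsers will not even attempt a plain-HTTP request to this host again. The hostnames, certificate paths and backend address are placeholders.

```nginx
# Added example, not from the original post. example.com, the certificate
# paths and the backend address are placeholders to be replaced.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Every plain-HTTP request gets a permanent redirect to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers remember for a year to use HTTPS only for this host, so a
    # later downgrade to http:// by someone on the path is refused client-side.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:3000;  # placeholder application backend
    }
}
```

Test the redirect after reloading nginx with `curl -sI http://example.com/` and confirm a `301` with a `Location: https://...` header, then `curl -sI https://example.com/` and confirm the `Strict-Transport-Security` header is present.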
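As an added example for item 2 above (not a script from the original post), here is a small POSIX shell audit that reads an sshd_config and reports whether it follows the recommendations: a non-default port, password authentication switched off, public-key authentication left enabled, and, when the accepted key algorithms are restricted via the OpenSSH PubkeyAcceptedAlgorithms directive, Ed25519 still among them. The two configs it runs against are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening the article recommends. The sample configs are constructed.

# Print the effective value of a directive: comment lines are skipped,
# matching is case-insensitive, and the last occurrence wins.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { val = $2 }
        END { print val }' "$1"
}

# Returns 0 when the file follows the recommendations, 1 otherwise;
# every finding is printed on its own line.
sshd_audit() {
    cfg=$1; rc=0
    port=$(sshd_get "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: SSH still listens on the default port 22"; rc=1
    fi
    # sshd defaults PasswordAuthentication to yes, so it must be set explicitly.
    if [ "$(sshd_get "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication must be 'no' (keys only)"; rc=1
    fi
    # PubkeyAuthentication defaults to yes; only an explicit 'no' is a problem.
    if [ "$(sshd_get "$cfg" PubkeyAuthentication)" = "no" ]; then
        echo "FAIL: PubkeyAuthentication is disabled"; rc=1
    fi
    # If accepted key algorithms are restricted, Ed25519 should be allowed.
    algs=$(sshd_get "$cfg" PubkeyAcceptedAlgorithms)
    case "$algs" in
        "" | *ssh-ed25519*) ;;
        *) echo "FAIL: PubkeyAcceptedAlgorithms does not allow ssh-ed25519"; rc=1 ;;
    esac
    return $rc
}

# Demo on two constructed configs: one hardened, one left at defaults.
demo() {
    hard=$(mktemp)
    weak=$(mktemp)
    cat > "$hard" <<'EOF'
# constructed sample: hardened
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512
EOF
    cat > "$weak" <<'EOF'
# constructed sample: stock defaults, port commented out
#Port 22
PasswordAuthentication yes
EOF
    echo "== hardened =="; sshd_audit "$hard" && echo "OK"
    echo "== weak =="; sshd_audit "$weak" || echo "needs work"
    rm -f "$hard" "$weak"
}
demo
```

Point `sshd_audit` at the real file (`sshd_audit /etc/ssh/sshd_config`) on a server; a zero exit status means the checks passed, so it can also be dropped into a deployment pipeline as a gate.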

Now that we have established everything that can be done from your side as a service provider, let us consider what can be done from the user’s side:

People are stupid, or at least most of the general population is dumb when it comes to IT and cyber security. People are targeted all the time with ransomware, adware, malware and all other forms of viruses. So let’s establish this fact: if people are using a compromised OS or web browser, or any other vulnerable piece of their devices that they have knowingly or unknowingly accepted, they are going to get hacked!

If an attacker (at the user’s end, most likely a malicious network administrator) has placed a proxy between a user and your website, and that user has knowingly clicked through all the SSL certificate warnings, they are going to get hacked!

And there is really nothing you can do about that; well, except for creating better awareness among them.

Now, if you are a user wondering whether you can trust your ISP, or the network administrator at your office, perhaps look into using a VPN. A VPN will basically prevent your ISP and network administrators from eavesdropping on your data, but again, all the same red flags apply: it simply means you trust your VPN provider more than your own ISP or network administrator. If choosing a VPN, go for a well-known, well-established brand and look at reviews; do not go for cheap ones, nor the free “PPTP/L2TP VPN” that “some friend” has deployed for “your convenience”. Always, always find a vendor/partner you can rely on!
