Privacy should be an incredibly important consideration for you; it is for your users. Just about all privacy breaches on the Web are jumped upon by the media to fuel the argument that commerce on the Internet is dangerous and should be avoided. It's an incredibly sensitive subject, and, to complicate matters, it's even difficult to reach a consensus on the definition of privacy! Quite fortunately, adding privacy technologies to your application is simple, and most privacy problems are easy to remedy.
Like privacy, integrity is also of paramount importance: changed or deleted data can lead to wasted time while data is rebuilt or restored from backups or, worse, the integrity attack might go unnoticed and decisions might be made based on incorrect data.
Privacy StatementsIt's recommended that your Web site include a privacy statement to let users know what data you collect about them and how you intend to use it. For example, it's common to include a privacy policy link at the bottom of a Web site's home page.
You can get information on privacy policy and privacy statements at the TRUSTe Web site at www.truste.com or from the Better Business Bureau at www.bbbonline.com. The TRUSTe Web site includes an excellent wizard to help you form the basis of a privacy statement.
Note that a law was passed in April 2000 in the United States requiring all Web sites that ask for certain information about children under age 13 to receive permission from parents to gather the information. The rules are part of the 1998 Children's Online Privacy Protection Act, and there are stiff fines for violators. Refer to http://www.ftc.gov/bcp/conline/edcams/kidzprivacy for further details.
Finally, if you offer a privacy statement, it's crucial that you adhere to it!
Ensuring privacy is all about mitigating information disclosure threats (the I in the STRIDE model, first described in Chapter 2, "A Process for Building Secure Web Applications"); integrity issues involve tampering with data threats (the T in the STRIDE model). We discussed some of the approaches used to mitigate these threats in Chapter 2, including the following for mitigating information disclosure threats:
You can use the following methods to mitigate data-tampering threats:
What Is Canonicalization?Canonicalization is a way to reduce a name to its canonical—meaning, in this case, standard or recognized—form or forms. For example, in Microsoft Windows 2000, a username can appear in one of two forms: user principal name (for example, cheryl@development.explorationair.com) or Security Account Manager (SAM) name (for example, EXAIR\Cheryl).
Other canonical name variations include those for server names: you can use a Domain Name System (DNS) name (for example, webserver.explorationair.com), a NetBIOS name (such as \\webserver), or an IP address (such as 172.0.0.42). In NTFS, a filename can take the long form, such as ThisIsALongFileName.doc, or the FAT 8.3 filename, such as ThisIs~1.doc. If you make decisions based on the name of something, it's important that you use a canonical representation of the name. You can choose which canonical form to use for each type of name, but you must be consistent.
You'll notice that privacy and integrity issues are often deeply intertwined. If an attacker has illicit access to data, he might also be able to modify the data. For example, compare the following access control lists (ACLs) used to protect a file. The first ACL allows every user to have read access:
The next ACL allows every user to have read and write access to the file:
The first ACL could lead to an information disclosure threat if other security mechanisms fail—the last access control entry (ACE) in the ACL allows all users to have read access to the resource. The second ACL is much more troublesome; it could yield a data-tampering threat because the last ACE allows all users read and write access to the resource. As you can see, a single ACE can change the vulnerability from a privacy issue to a privacy and integrity issue.
You can mitigate this by replacing the Everyone ACE with a Windows 2000 group ACE and adding trusted users to the new group. If you do this, only users known to you will have access to the resource. The new ACL looks like this:
The moral of the story is to use appropriate ACLs on protected resources.