Sunday, August 2, 2009

Microsoft's Guideline 1


How to Trust a Web Site.


How do you know which Web sites you can trust? Some Web sites request personal information that you would rather keep private, display advertisements you do not want to see, or expose your computer to software that contains viruses or other security threats. It's difficult to be completely certain, but there are a few key things to look for.

·
Is it certified by an Internet trust organization such as BBBonline, TRUSTe, or Web Trust?

Sites that display privacy certification logos have agreed to follow certain practices like providing a comprehensive privacy statement. If you read these statements, you should be able to determine what data the site collects and what the site does with that data (for example, share it with a third party or use it to display personalized advertisements). The certification does not mean that the site collects no data. It means that the privacy statement will tell you what data the site collects so you can decide if you want to use that Web site.

·
Is the site from an organization you know and already trust?

For example, it a vendor you have a positive ongoing relationship with or a widely recognized brand or institution that you trust? The site should provide a privacy statement or a Terms of Use statement. Reading these statements should make it clear what will happen when you use the site. If you are not comfortable with the terms or behaviors (for example, you do not want to be tracked or to see advertisements), do not use the site.

·
If you don't recognize the site, do you have other information to help you decide?

You should thoroughly research the site before using its services. Read the site's disclosures, ask friends and colleagues you trust, and search the Web for positive or negative articles about the site.

·
Does it ask you to provide sensitive personal data?

If you are asked to provide sensitive personal data (such as your password, social security number, credit card number, or bank information), only do so if there is a valid reason and if the site uses a secure method to collect this data. Look for a statement indicating this information will be encrypted or look for the golden padlock symbol in your browser status area to indicate that the information will be transferred using secure methods.

·
If it is a retail site, does it have a return policy?

When making a purchase on a Web site, verify that the site has a posted return policy and that the terms are acceptable to you.

Be cautious of a Web site if…

You were referred to the site by e-mail from someone you do not know.
The site contains objectionable material such as pornography.
The site makes offers that seem too good to be true. Are they just trying to lure you to their site?
You are asked to provide a credit card number without proof that the transaction is secure.
The site offers free membership but asks you to provide extensive personal information that does not seem necessary or that you do not want to provide.

1 comment:

Sitanshu said...

Dear Sujit,

There were some very interesting guidelines on this title. I still thought that you may like to mention to your visitors about "Trusted Sites".

Trusted Sites are those sites that have a trusted securities certificate. Companies like VERISIGN for example issue "Trusted Security Certificates". That certificate means that the site is protected by SSL (Secured Socket Layer). To obtain such a certificate "VERISIGN" company would thoroughly investigate the ownership and history of the site. Once the site has received such a certification, their clients could be rest assured that they are opening a "Original Site" and not a "Fake Site".

But the irony is that hackers have managed to find a flaw even with the way a browser could be fooled into clicking into a site that is not SSL certified.

During a MITMA (Man in the middle attack phase), an attacker could wait for a person to click on a site that has an SSL certfication. But that site is a bogus site (meaning the person sending the link inserted the trusted site certificate, but the really is not SSL certified" . It has a "Site name that contains a Proper SSL certified site name followed by a blank followed by the rest of the name which is "the complete fake site name".

FAKE SITE = GOOD SITE PARTNAME + NULL + FAKE SITE NAME

Browser stops reading at the NULL character

So when you click on the link with that kind of site name with a null character in the middle of the name followed by the fake site address, you are really conned into entering into a fake site that the browser could not catch. Here you start entering your personal data like credit card number etc. and you become a victim.

I tried explaining a difficult concept in a few words. For more clarity please visit this link on a recent news item...

http://www.msnbc.msn.com/id/32258426/ns/technology_and_science-security/

Please keep writing. We are all indebted to you and your blog.

Sitanshu