Security Is Not Magic
Web security always felt a little beyond my understanding. I knew not to leave passwords lying around in plain text, but that was really it. Working on the Pivotal Cloud Foundry Security Enablement team has taught me a whole bunch, but the most important lesson is that security is not magic. I want to share some of my basic lessons. So here they are.
Security is a spectrum
The only way to be absolutely sure that your data is safe is to never use any online services. No website can guarantee that your data is safe with 100% confidence.
I had a conversation with family regarding password managers, like 1Password or LastPass. They said “I don’t use a password manager because then it only takes one password for a hacker to steal all of my information.” And that isn’t wrong. That could happen.
But unless you are able to remember a different randomly generated password for every single site you use, and never write them down, a password manager is probably the better option. A reputable password manager encrypts the vault on your device with a key derived from your master password, so even the vendor cannot read it; what you are left protecting is one strong master password and the devices it is unlocked on. That is certainly better than reusing simple passwords across sites, because then it only takes one insecure site to expose a lot of your accounts. Having strong, different passwords for all your sites is worth the risk of a password manager.
Using any site to manage your data has inherent risk. Might as well use a tool built for this purpose.
Use the right tool for the job
The sec-eng team has been working on trying to discourage people from committing credentials to GitHub. My first question was “well if it is a private repo, why does it really matter?”
The short answer is that that is not what GitHub is for. A repo is readable by everyone who has access to it, including GitHub itself, so you are banking on GitHub’s security as well as your own. A secret also stays in the git history after you delete it from the current tree. And what if someone on your team decides to make that repo public at some point? I am sure that I would forget that there were secrets hidden somewhere in that code base.
Keep credentials in a place designed for secrets.
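One way to enforce that rule before a commit lands, as an added example that is not code from the original post or from the Cloud Foundry team: a small scanner in the spirit of a git pre-commit hook. It combines a few known-format rules (an AWS access key ID, a PEM private key header, a `password=`/`secret=` style assignment) with a high-entropy-string fallback for keys it has no rule for. The rule set, thresholds, function names and sample files are all constructed for this example; real tools such as gitleaks, detect-secrets or GitHub secret scanning carry far larger rule sets.

```python
import math
import re
import subprocess
from collections import Counter

# Added example, not part of the original post. Rules and sample files are
# constructed for illustration; production scanners have many more rules.

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # an identifier containing password/secret/token/api key, assigned a value of 8+ chars
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?(\S{8,})"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; prose and identifiers sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list:
    """Return (path, line_number, rule) for every line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
                break
        else:
            # No named rule hit: fall back to a high-entropy heuristic, which
            # catches random-looking API keys the regexes do not know about.
            if any(shannon_entropy(tok) > ENTROPY_THRESHOLD for tok in TOKEN_RE.findall(line)):
                findings.append((path, lineno, "high_entropy_string"))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents; returns all findings across them."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_staged() -> list:
    """Scan what `git commit` is about to record (call this from .git/hooks/pre-commit)."""
    paths = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    staged = {}
    for path in paths:
        # ":path" reads the staged (index) version, not the working-tree copy
        blob = subprocess.run(["git", "show", f":{path}"], capture_output=True, check=True).stdout
        staged[path] = blob.decode("utf-8", errors="replace")
    return scan_files(staged)


# Constructed sample files. AKIAIOSFODNN7EXAMPLE is the placeholder key from the AWS
# docs; the id_rsa body is only the base64 header of the OpenSSH key format, truncated.
SAMPLE_FILES = {
    "config/production.yml": 'database:\n  host: db.internal\n  password: "Tr0ub4dor&3xyz"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n",
    "README.md": "Set DB_PASSWORD in your environment before running.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d: possible secret (%s)" % finding)
    # For a real hook: raise SystemExit(1) if scan_staged() returns anything.
```

The README line is the deliberate negative case: it mentions `DB_PASSWORD` but assigns nothing, so neither the assignment rule nor the entropy fallback fires. Scanners like this are a safety net, not the fix; the fix is still to read the credential from an environment variable or a secret store at runtime so it never appears in the tree.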
Encrypted secrets are still secrets
If you encrypted something, it is safer than the same thing in plain text. But that doesn’t mean it is safe. Anyone who gets hold of your encrypted data can attack it offline for as long as they like: guess passphrases with nothing to rate-limit them, wait for the key to leak from somewhere else, or wait for the algorithm to weaken.
Encryption is a valuable tool for protecting data in transit and at rest, but just because something is unreadable today doesn’t mean it is safe to leave in the open.
Encrypting twice isn’t more secure
Encryption is only as secure as your key management, and every extra layer of encryption is another key to generate, store, rotate and protect. Worse, layers can interact badly: applying a stream cipher a second time with the same key and nonce XORs the identical keystream back out and hands you the plaintext, and reusing one key for two different purposes can leak information that neither use would leak alone.
There are correct ways to layer cryptography. TLS, for example, uses public-key cryptography (RSA or Diffie-Hellman) only to establish a symmetric session key, and that symmetric key encrypts the actual traffic; the certificate’s public key is signed by a CA, not encrypted. Those layers were designed together and reviewed together. Just think twice before inventing your own security methods.
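The two points above (an attacker with a copy of your ciphertext can guess at it offline, and “encrypting twice” with a stream cipher can cancel itself out) are easy to see in code. This is an added example, not code from the original post or from the Cloud Foundry team. The cipher is a deliberately simple toy so that it runs with only the Python standard library: PBKDF2 turns a passphrase into a key, an HMAC-SHA256 keystream is XORed with the data, and an HMAC tag lets the decryptor tell a right passphrase from a wrong one. The passphrases, wordlist and function names are constructed for the example; do not use this cipher for real data.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the original post. Toy cipher for illustration only
# (HMAC-SHA256 keystream + encrypt-then-MAC); passphrases and wordlist are constructed.

ITERATIONS = 20_000  # PBKDF2 work factor; kept low so the demo runs in well under a second
BLOCK = 32           # bytes of keystream produced per HMAC call


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Turn a human passphrase into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce). XOR is its own
    inverse, so the same call both encrypts and decrypts."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), BLOCK)):
        ks = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + BLOCK], ks))
    return bytes(out)


def seal(passphrase: str, plaintext: bytes) -> dict:
    """Encrypt under a passphrase and tag the result. The tag is what lets a
    decryptor detect a wrong key; it is also what lets an attacker verify guesses."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    key = derive_key(passphrase, salt)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(passphrase: str, blob: dict):
    """Return the plaintext, or None if the passphrase (hence the tag) is wrong."""
    key = derive_key(passphrase, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return keystream_xor(key, blob["nonce"], blob["ct"])


def offline_guess(blob: dict, wordlist):
    """What an attacker does with a copy of the stored blob: try passphrases at
    leisure, with no server to rate-limit or lock them out. Returns the
    recovered passphrase (or None) and how many guesses it took."""
    for tries, candidate in enumerate(wordlist, 1):
        if unseal(candidate, blob) is not None:
            return candidate, tries
    return None, len(wordlist)


def encrypt_twice_same_key(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """'Double encryption' with a stream cipher reusing key and nonce: the second
    pass XORs the identical keystream back out, leaving the plaintext."""
    return keystream_xor(key, nonce, keystream_xor(key, nonce, msg))


WORDLIST = ["password", "letmein", "summer2019", "qwerty", "hunter2"]  # constructed


def demo() -> dict:
    secret = b"db_password=Tr0ub4dor&3"
    weak = seal("summer2019", secret)
    strong = seal(secrets.token_urlsafe(24), secret)  # random, in no wordlist
    k, n = secrets.token_bytes(32), secrets.token_bytes(12)
    return {
        "weak_cracked": offline_guess(weak, WORDLIST),        # ("summer2019", 3)
        "strong_cracked": offline_guess(strong, WORDLIST),    # (None, 5)
        "double_is_plaintext": encrypt_twice_same_key(k, n, secret) == secret,  # True
    }


if __name__ == "__main__":
    print(demo())
```

The work factor only changes the price per guess: raising `ITERATIONS` makes each attempt slower for the attacker and for you alike, but a passphrase that is in a wordlist still falls, because the attacker has the blob and all the time in the world. The `encrypt_twice_same_key` case is the concrete version of “layers can conflict”: layering is only safe when the layers use independent keys and were designed to compose.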
As few services as possible should know your credentials
The best tools are ones where you store credentials in one place and all your services fetch them from there. The more places your credentials are copied to, the more places you need to remember and protect.
Don’t create your own encryption
Encryption algorithms and protocols have been tested and tested again. The recommended algorithms are not crackable at this time. Using two insecure algorithms together does not make a more secure algorithm. Use TLS the way it is supposed to be used: a current version, a vetted library, and certificate verification left switched on.
Keep your dependencies up to date
Packages that are actively maintained are constantly releasing patches for holes in their software. Take advantage of those patches.
Security is not magic
A lot of “hacking” is really just finding a way to get people to divulge information that should be private. Phishing is purely someone trying to trick you into handing over your password. Social engineering is tricking a person into breaking the rules so that the attacker gains access to an account. None of this is some fancy algorithm capable of breaking through every wall. Sure, security vulnerabilities are real risks, but the average web developer mostly just has to make sure that private credentials stay private and that they don’t run code from places they don’t trust. That will get you most of the way there.
If you are trying to protect your data from the NSA or something, you can put in all the encryption and passwords you want. But if they want something from you, they can just kidnap you and hit you with a baseball bat until you give them the passwords. More encryption probably won’t help.
So there is no way to be 100% sure that your data is secure. But it is easy to lower your risk by keeping your credentials private and making it hard to leak them by accident.