From the Associated Press,
The hacker guessed that Alaska's governor had met her husband in high school, and knew Palin's date of birth and home Zip code. Using those details, the hacker tricked Yahoo Inc.'s service into assigning a new password, "popcorn," for Palin's e-mail account, according to a chronology of the crime published on the Web site where the hacking was first revealed.
This demonstrates one of the issues with the Software as a Service model. Because SaaS applications are centralized and globally accessible, it becomes difficult or impossible to limit access to the parts of the application that lie in front of the authentication mechanism. Yahoo was in this situation and decided to sacrifice elements of security to enhance the convenience of its mail system. Making it easier to retrieve lost credentials keeps the regular customer happy, but it also gives malicious people greater leverage to cause harm.
Companies that develop web applications have to make tradeoffs in the design of their products all the time. Security should never be taken lightly, though. In the case of Yahoo, it seems that their security decisions need some reworking.
It is challenging to confirm an identity in the anonymous world of the Internet. Most web applications implement password recovery by sending a confirmation email to an address that is known to belong to the user. This is acceptable in most cases, but it causes some issues when the application is itself an email provider.
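As an added illustration (not code from this post or from Yahoo), here is a minimal Python sketch of the confirmation-email recovery described above, including the email-provider case: the recovery address has to live at another provider. The class and method names, the example domains and the 15-minute token lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    """In-memory sketch of e-mail-confirmed password recovery (hypothetical names)."""

    def __init__(self, own_domain, clock=time.time):
        self.own_domain = own_domain.lower()  # domain this mail provider hosts
        self.clock = clock
        self.recovery = {}  # username -> out-of-band address on file
        self.pending = {}   # username -> (token digest, expiry time)
        self.outbox = []    # (address, token) pairs standing in for sent mail

    def set_recovery_address(self, username, address):
        # A mail provider cannot confirm a reset through the mailbox the
        # user is locked out of, so addresses on its own domain are refused.
        if address.lower().rsplit("@", 1)[-1] == self.own_domain:
            raise ValueError("recovery address must be at another provider")
        self.recovery[username] = address

    def request_reset(self, username):
        address = self.recovery.get(username)
        if address is not None:
            token = secrets.token_urlsafe(32)  # unguessable, unlike personal facts
            # Only a digest is stored, so a leaked table yields no usable tokens.
            self.pending[username] = (_digest(token), self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((address, token))
        # Identical reply for unknown accounts, so the form reveals nothing.
        return "If the account exists, a reset link has been sent."

    def redeem(self, username, token):
        record = self.pending.get(username)
        if record is None:
            return False
        digest, expires_at = record
        if self.clock() > expires_at:
            del self.pending[username]
            return False
        if not hmac.compare_digest(_digest(token), digest):
            return False
        del self.pending[username]  # single use
        return True
```

Nothing in this flow depends on facts about the user that someone else could look up or guess; the only secret is the random token delivered to the address on file.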
3 comments:
Security issues are going to pop up everywhere and as we aim to have our own e-business running, it is important for us to look into this part of the web seriously and decide the security measures that we will take while providing services to our customers.
Security is probably the most vital factor once the project has been implemented. As we can rely on Google Chrome for the SNS site like "Orkut" we need to go for our own security measures while designing our website.
Security is the main concern not only for web applications but for everything. For web applications security is the main thing. We must be able to provide security for each and every aspect of the website.