Improving Online Security: A Usability Tool

Many years ago I didn’t really care much about javascript, java applets, flash, etc.. from being run inside my browser. Nor did I care about what was being done with the cookies sent to and returned by my browser.

I’ve changed that.

I’ve been using noscript for some time now. This alone gave me some pretty good insight into how embedded scripts and objects can drive user experience on the web and how it’s quite possible to develop an interactive and interesting experience without any of it. It also puts me through the experience of not being able to access sites that rely heavily on such things. This gave me a much greater appreciation for the need to develop websites with usability and accessibility in mind beyond the simple “use alt tags in your images” bit.

Recently I’ve extended this blockade to cookies. I’ve configured Firefox to not accept any cookies at all.

How quickly things break down.

Almost immediately you (re)discover all the tricks.

Sites that, as soon as you hit them, immediately try to assign a cookie to identify you. If cookies and scripts are disabled this usually gets you a blank page where a script-driven redirect no longer works. Other times the entire page will load only to immediately redirect (meta refresh) to another page that says the site won’t work without cookies (despite it obviously working just fine).

On other sites that rely on interstitials to force users to view advertisements you’re able to bypass the ads completely now that they can’t tell if you’ve seen the ad or not and default to “yes you have”.

Then I went about setting exceptions to disabling cookies. Specific sites only. A whitelist, much like noscript. This way I could do this for an extended time without disrupting my experiences at my usual hangouts.

This led to some very interesting situations with online payment systems. One particular company I do business with redirects you through four different servers with completely different domain names just during the login process, each one requiring their own cookies be set. As you progress through making a payment you hit each server through embedded objects or just directly visiting the site. At times it was quite frustrating trying to identify each server, but it also gave me a lot of insight into how the company conducts their online business and how they’re structured. Information normally transparent to the user who has scripts and cookies globally enabled.

It is, at the very least, an interesting exercise. It is something I think every web developer ought to subject themselves to just to fully appreciate the situation and how they might apply lessons learned in the experience to their own work.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s