Securing HTML code & protecting content with HTML Security
HTML security consists of three different security measures:
- HTML encryption to ensure web content cannot be accessed by unauthorized users.
- The use of digital certificates to validate a domain and ensure content is coming from a trusted location (the URL in the browser address bar).
- Encryption of content as it travels from the server to the client and back again (SSL).
What exactly is HTML security?
The definition of security is very complicated. Technology purists (and security experts) will tell you that it concerns the Confidentiality, Integrity and Availability (CIA) of information.
That is all very well. But what does it all add up to?
Most of us want reassurance that what we see is what we get – in other words, do you get the information when you need it, is it right, and can you rely upon it?
Now no technical measure is going to tell you if information sent to you over the web (or on CD-ROM for that matter) is actually right. That is something that is too difficult for technical mechanisms such as Digital Rights Management (DRM) to sort out. (In fact it is totally impossible for a technical mechanism. We are entering the debate about right and wrong, and technology would not know anything at all about the correctness of content, and it never will.) So you have to rely upon being able to show that the information came from a particular source, and being able to prove it.
So HTML security is dependent upon the recipient being able to verify where the information really came from. This is critically important when you get a web message that says that you need to update your bank password details. How do you know that the message really comes from the bank? Well, the fact of the matter is that currently you don’t. As a matter of fact, it is actually more likely that the message comes from a bunch of crooks who are trying to capture your personal information so that they can rip you off big time!
We therefore learn that HTML security is severely lacking in current web systems (see also comments on web page encryption and the dangers of believing that SSL actually can be relied upon to protect web page (HTML) information). You cannot possibly place reliance upon information that you receive from HTML web pages unless they have additional protection measures that provide assurance that the information really does come from the apparent or claimed source and that it has not been altered by others prior to your inspecting it. Given the prevalence of so-called ‘phishing’ attacks (messages created to induce you to divulge secret information that will enable someone else to impersonate you), you have proof positive that there is little HTML security implemented in current web systems, if any.
So HTML security is a target, in fact a highly desired target, that almost no systems today achieve. People using Protector HTML Security are able to provide their users (customers) with the assurance that their web content is real, reliable, and correct – it is what they actually published and not what a hacker has decided to provide instead.
But whilst the vast majority of web sites prefer to provide HTML without security, there will be many users who will be bitterly disappointed after relying on what they thought was the correct web site, when in fact it was nothing of the kind. HTML security needs serious promotion in order to stamp out the current failures to ensure that the HTML you receive and process can truly be relied upon.