On January 28, 1981 the Council of Europe's "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was opened for signature. For over 30 years, this treaty has been a cornerstone of data protection. Since 2007 this day has been celebrated as Data Protection Day - or Data Privacy Day outside Europe - to raise awareness and promote privacy and data protection best practices.
2016 has been a year filled with data breaches and cybercrime. Famous and infamous websites have leaked huge amounts of sensitive private information, the FBI hacked into an encrypted iPhone, and ransomware temporarily disabled a large number of San Francisco Metro computers. Data privacy and protection should be on the agenda of every software provider worldwide, including us. Now that end users are becoming more aware of the consequences of sharing data online, it becomes more important for us to demonstrate that the software we make can be trusted with their data. Here are a few quick tips that can help you do that.
#1: Be open and express your intentions
Recently a friend pointed me to the website of a really cool software project. The website and the project looked legit, and it had one of those nice donation widgets. I searched for information about the people or organization behind it, but could not find any. This means I will not make a donation. Openness is a basic requirement for trust. Make sure to have information on your website or in your application about who you are. This will increase the level of trust users have. The same goes for your cookie and privacy policies. We encourage you to have a look at the ones on our website.
#2: Add a second authentication factor
Many users still use terribly insecure passwords, like 123456 or password. These will be cracked in milliseconds, because they are in the top 100 of every password list! Add a second factor to the login process to prevent account hijacking and abuse through brute-force login attacks. Check out our TOTP (Time-based One-Time Password) demo, which uses the free DataFlex Authenticator.
#3: Use HTTPS
Users are becoming more and more mobile. You never know which access point they use to connect to your services, or whether it is the real one or a spoofed SSID. Encryption between client and server prevents eavesdropping and keeps transferred data confidential.
Add HTTPS to your websites or web applications. To do this, you need a certificate and must configure IIS to use it. For publicly accessible websites or web applications we use letsencrypt-win-simple. This extremely easy to use program helps you generate no-cost certificates and automatically configures IIS to use them. It can even set up an automatic certificate renewal process so you don't have to worry about certificate expiration. The TOTP demo linked in the previous tip is served this way, over an HTTPS connection secured with a Let's Encrypt certificate.
For websites and web applications used only on the internal company network you can set up your own Certificate Authority (CA) with a self-signed root on a server, generate your own certificates, and install them into IIS manually. Install the CA root certificate on all client computers to remove the "Connection is not secure" messages in the web browser.