02 July 2015


Posts relating to the category tag "policies" are listed below.

02 July 2015

HTTP Strict Transport Security (HSTS) Preload Lists

There is a growing wave of websites and other web applications that are now moving to be TLS-only (Transport Layer Security only, also known as SSL-only).

Partial screen capture of Chrome's preload list with the entry for clerkendweller.uk highlighted

Apart from the web site being browsed using "https", the server can also send a policy instruction in the form of an HTTP Strict Transport Security (HSTS) header. There are of course considerations for HSTS deployment, not least the effect on other sub-domains.

Since the browser needs to make at least one request before it can read this HSTS policy, the user is still exposed on that first connection, which may be made without TLS.

However, if a web site is TLS-only, sends the HSTS header with an expiry of at least eighteen weeks (10886400 seconds), and has the "includeSubdomains" and "preload" attributes set, then this information can be hard coded into certain web browsers so that they will never request the site without using TLS, regardless of what a user types in or clicks on.

The machine readable HSTS preload lists are:

The entry for clerkendweller.uk in Chrome's list is illustrated above.

Once you have configured your website, use this form from Google to submit your information. The data is included with the preload lists for Safari and Firefox. Note that inclusion in the preload list is irreversible.
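As an added example (not code from this post or from the preload list maintainers), the following checks an HSTS header value against the header criteria listed above for preload submission: the minimum max-age, includeSubDomains and preload. The sample header values are constructed, and the submission form's non-header requirements (serving the base domain over TLS, redirects) are not checked here.

```python
"""Added example: check an HSTS header value against the preload criteria
listed in the post (max-age, includeSubDomains, preload). Sample values below
are constructed; submission also has non-header requirements not checked here."""

PRELOAD_MIN_MAX_AGE = 10886400  # eighteen weeks in seconds, as the post states


def parse_hsts(header_value):
    """Split an HSTS header value into a dict of lower-cased directive names.
    Value-less directives map to None. RFC 6797 requires each directive to
    appear only once, so a repeated directive makes the header invalid."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(header_value):
    """Return the reasons this header is not preload-eligible; [] means OK."""
    try:
        directives = parse_hsts(header_value)
    except ValueError as err:
        return [str(err)]
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %s is below %d" % (max_age, PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in directives:
        # This directive commits every subdomain to TLS, which is the
        # deployment consideration the post mentions.
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


# Constructed sample header values
GOOD = "max-age=31536000; includeSubDomains; preload"
TOO_SHORT = "max-age=86400; includeSubDomains; preload"
NO_SUBDOMAINS = "max-age=10886400; preload"
```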

Posted on: 02 July 2015 at 07:49 hrs

14 January 2015

Application Security and Privacy Mapping 2015

I have updated my chart detailing the most important guidance, standards, legislation and organisations that can influence mobile and web application development security and privacy in the UK.

Principal Influences on UK Web Applications' mind map diagram for January 2015

For a fuller explanation, read my post about the update last October.

Access the Principal Influences on UK Applications 2015 chart, hosted on my company's web site.

Posted on: 14 January 2015 at 10:39 hrs

09 January 2015

FTC Final Order Against Snapchat

Following a public comment period in May-June 2014, at the end of December the US consumer protection body, the Federal Trade Commission, approved a final order settling charges against Snapchat that lasts for twenty years.

Part of the FTC's final order against Snapchat Inc showing the text 'VII. IT IS FURTHER ORDERED that respondent within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report. VIII. This order will terminate on December 23, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order's application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.'

The charges related to how Snapchat deceived consumers about the automatic deletion of private images sent through the service.

The key FTC documents are:

The final order, 23rd December 2014:

  • Prohibits Snapchat from misrepresenting how its products or services maintain and protect the privacy, security, or confidentiality of any covered information
  • Requires Snapchat to establish and implement, and thereafter maintain, a comprehensive privacy program
  • Requires Snapchat to obtain an initial and, for 20 years, biennial assessments and reports from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession
  • Requires Snapchat to retain for 5 years records of all communications, complaints, notifications about possible order compliance failures, and assessment materials
  • Requires Snapchat to ensure it provides a copy of the order, and keep evidence of this, to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of the order
  • Requires Snapchat to notify the FTC of relevant corporate structure changes
  • Requires Snapchat to provide, within 90 days of the order, a document detailing the manner and form of its compliance with the order.

The order ends on 23rd December 2034 — an additional twenty year compliance overhead on top of the privacy program they should already have had in place.

I wonder if US consumers are also affected by the Moonpig API saga.

Posted on: 09 January 2015 at 08:42 hrs

17 December 2014

Business Failure at the Speed of Software

This week we saw two events where the automated nature of processes led to major business failures.

Partial extract from the RepricerExpress showing some of the liability clauses in its terms and conditions of service published at http://www.repricerexpress.com/terms-and-conditions/

On Friday, a number of Amazon retailers were affected by a pricing problem. Those that had chosen to subscribe to the third-party RepricerExpress service, which automatically adjusts prices to match or better competitors, found their products were being sold for as little as 1 pence. Those organisations that despatched their own goods were able to spot the problem themselves, but those that used Amazon to stock and ship product were affected more seriously because Amazon simply carried on regardless for some time.

The cause of the hour-long issue has been fixed. RepricerExpress's clients are outraged, and of course for some of them this could put them out of business. I am sure RepricerExpress will be reminding its clients what they agreed to in the RepricerExpress end user licence agreement (partial screenshot in the image above). This includes, for example, the clause that the maximum liability "shall be limited to a sum equal to the total Licence Fees paid to the Licensor in the period of 12 months considered retrospectively from the date the cause of action arose". So, how much would you pay for something that can reduce your product prices by almost 100%? £20-70 per month apparently seems to be the answer.

Express indeed.

Then on Monday, taxi-like company Uber, which had another PR disaster last month, managed to incense everyone by rapidly escalating its prices in Sydney as "demand increased" i.e. people attempted to leave the city during the dreadful cafe hostage event. Later reacting to pressure, Uber cancelled the change and offered some free services instead and a refund to those affected by its pricing.

These have a common factor: automated software making unmoderated changes to pricing that would clearly be perceived as unreasonable by a human. And doing it fast.

Superfast fail.

Automation is good — but enumerate all the possibilities, and implement limits, checks and alerts. And monitor these. And more importantly, check your contracts and who is liable for what. Then do a risk assessment and make sure someone senior reviews this and makes some decision about the risks. Can you survive the unexpected?
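As an added illustration of the "limits, checks and alerts" advice above (not RepricerExpress's or Uber's code), here is a guard that sits between an automated repricer and the price feed: each change is checked against a price band and a maximum step, a breach rejects the change and raises an alert, and repeated breaches trip a circuit breaker so the feed stops for human review. Prices are in integer pence; the limits, SKUs and sample prices are assumed values.

```python
"""Added example of 'limits, checks and alerts' for an automated repricer
(not RepricerExpress's or Uber's code). Prices are integer pence; the limits,
SKUs and prices used here are assumed values."""
from collections import namedtuple

# floor/ceiling: the price may never leave this band (e.g. cost plus margin);
# max_step_pct: largest single change allowed, as a percentage of the current price
Limits = namedtuple("Limits", "floor ceiling max_step_pct")


def check_price_change(current, proposed, limits):
    """Return (price_to_apply, reasons). Any breach rejects the whole change and
    keeps the current price; reasons is empty when the change is accepted."""
    reasons = []
    if current <= 0:
        reasons.append("current price %dp is invalid" % current)
    if proposed < limits.floor:
        reasons.append("below floor: proposed %dp, floor %dp" % (proposed, limits.floor))
    if proposed > limits.ceiling:
        reasons.append("above ceiling: proposed %dp, ceiling %dp" % (proposed, limits.ceiling))
    if current > 0:
        step = abs(proposed - current) * 100 // current  # whole percent of current
        if step > limits.max_step_pct:
            reasons.append("step of %d%% exceeds %d%%" % (step, limits.max_step_pct))
    return (current if reasons else proposed), reasons


class RepricerGuard:
    """Applies the checks per SKU and trips a circuit breaker after too many
    rejections, so a runaway feed is halted for human review rather than
    being corrected one item at a time."""

    def __init__(self, limits, max_rejections):
        self.limits, self.max_rejections = limits, max_rejections
        self.rejections, self.halted = 0, False
        self.alerts = []  # what an operator would be paged with

    def apply(self, sku, current, proposed):
        if self.halted:
            return current, ["halted: manual review required"]
        price, reasons = check_price_change(current, proposed, self.limits)
        if reasons:
            self.rejections += 1
            self.alerts.append("%s: %s" % (sku, "; ".join(reasons)))
            if self.rejections >= self.max_rejections:
                self.halted = True
                reasons.append("circuit breaker tripped after %d rejections" % self.rejections)
        return price, reasons
```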

Posted on: 17 December 2014 at 17:23 hrs

16 December 2014

Guidance on the ASA's Online Remit Extension

The UK's Advertising Standards Authority (ASA) has had a digital remit since 2011 in the form of the CAP Code Digital Remit for Advertisements and Other Marketing Communications.

Advertisements and other marketing communications by or from companies, organisations or sole traders on their own websites, or in other non-paid-for space online under their control, that are directly connected with the supply or transfer of goods, services, opportunities and gifts, or which consist of direct solicitations of donations as part of their own fundraising activities.

Last week the ASA announced guidance on the remit extension. Broadly the new guidance explains through example cases that the ASA Council will take into account the entire context in which claims are made, in determining whether the primary purpose of the communication is to sell something and therefore whether it falls within the remit of the CAP Code.

The guidance provides six illustrative case studies that show that if the primary purpose of a web page is to sell something it is almost certain to be in scope, and how the scope can grow by including other marketing communication copy on a web site. Similarly, the context of the page with regard to purpose and navigation can affect whether the remit applies, advertgames that are closely linked to products increase the likelihood of being in scope, and user generated content (UGC) can be misused so that it then comes within scope.

So I believe a claim of security or privacy that is intended to help complete a sale would perhaps fall within the remit.

Posted on: 16 December 2014 at 19:27 hrs

24 October 2014

HTTP Security Headers

Earlier this year there was a useful post about implementing Hypertext Transfer Protocol (HTTP) security headers from Veracode.

Golden yellow coloured lichen on the rocks forming the cliffs around the 14th-century Dunstanburgh Castle, on the coast of Northumberland in northern England, located between the villages of Craster and Embleton

On Wednesday in a follow-up post, Isaac Dawson presents an analysis of the security headers of the top one million web sites, and compares the findings with a similar assessment in March. That's quite a lot of sites, but not enough to include this site in the data set. But according to Alexa, this blog just scraped into the top million (apparently at 962,150 as I write this), so maybe it will be included in the data next time.

The headers reported on are, in report order:

  • X-XSS-Protection
  • X-Content-Type-Options
  • X-Frame-Options
  • Strict-Transport-Security
  • Access-Control-Allow-Origin
  • Content-Security-Policy (and X-Content-Security-Policy & X-WebKit-CSP)
  • Public-Key-Pins.

Overall, a very low proportion of sites are using these defence mechanisms.

You would not expect/need every web site to have all of these defined, but understanding why and when they help is important. There are also other headers that shouldn't exist, or at least not contain certain values.
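As an added example (not Veracode's survey code or this blog's), the following audits a response's headers for the seven headers listed above, counting the legacy prefixed CSP names alongside Content-Security-Policy as the survey did, flags a few weak values, and also reports version-disclosing headers such as Server and X-Powered-By as an assumed instance of the "headers that shouldn't exist" point. The sample header sets are constructed.

```python
"""Added example: audit a response's headers for the seven surveyed above and
for version-disclosing headers (my assumption, not part of the survey).
The sample header sets below are constructed."""

SURVEYED = [  # in the survey's report order
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Strict-Transport-Security",
    "Access-Control-Allow-Origin",
    "Content-Security-Policy",
    "Public-Key-Pins",
]
# Legacy prefixed names the survey counted alongside CSP
ALIASES = {"Content-Security-Policy": ["X-Content-Security-Policy", "X-WebKit-CSP"]}
# Headers that leak server software/version; removing them is assumed good practice
DISCLOSURE = ["Server", "X-Powered-By", "X-AspNet-Version"]


def audit_headers(headers):
    """Return (present, findings) for a dict of header name -> value (any case).
    Findings are advisory: which headers a site needs depends on its context."""
    lower = {k.lower(): v for k, v in headers.items()}
    present, findings = [], []
    for name in SURVEYED:
        names = [name] + ALIASES.get(name, [])
        if any(n.lower() in lower for n in names):
            present.append(name)
        else:
            findings.append("missing: " + name)
    xcto = lower.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff, got %r" % xcto)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM "):
        findings.append("X-Frame-Options has unexpected value %r" % xfo)
    if lower.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin is *: confirm this resource is public")
    for name in DISCLOSURE:
        if name.lower() in lower:
            findings.append("disclosure header present: %s: %s" % (name, lower[name.lower()]))
    return present, findings


# Constructed sample responses
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-WebKit-CSP": "default-src 'self'",
}
SAMPLE_WEAK = {"Server": "Apache/2.2.22", "X-Frame-Options": "ALLOWALL", "x-content-type-options": "sniff"}
```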

Posted on: 24 October 2014 at 08:06 hrs

10 October 2014

Application Security and Privacy Mapping 2014

The chart detailing the most important guidance, standards, legislation and organisations that can influence mobile and web application development security and privacy in the UK has been comprehensively updated.

Partial image of the 'Principal Influences on UK Web Applications' mind map diagram

Principal Influences on UK Applications is managed by me and published on my company's web site as a mind map diagram and text tree, together with a change log. The primary sectors addressed are software applications in the retail, financial services, professional services, charitable, marketing, telecommunications and government sectors.

My focus for this chart is:

  • Mobile app and web application (web sites, web services) development
  • Guidance and standards
  • Regulators, regulation and legislation
  • Supporting organisations such as professional groups, trade bodies and academic institutions).

The chart can also be useful beyond the realms of application security and application privacy. For example, organisations implementing an information security management system (ISMS) needing to keep up-to-date with compliance requirements, and those seeking knowledge on wider information assurance (IA) aspects.

The related UK Information Assurance Community Map, published by the Information Assurance Collaboration Group (IACG), will also be of interest to some readers.

Posted on: 10 October 2014 at 07:02 hrs

23 September 2014

FCA Consultation on Use of Social Media

In 2010, the former Financial Services Authority (FSA) published guidance on Financial Promotions Using New Media. At that time new media communication channels were stated to include "social networking websites (Twitter and Facebook), forums, blogs and i-phone applications".

Partial view of the title page from the Financial Conduct Authority's consultation document 'The FCA's Supervisory Approach to Financial Promotions in Social Media'

One of the successors to the FSA, the Financial Conduct Authority (FCA), which is responsible for regulation of the financial industry providing services to consumers in the UK, has announced a new consultation to clarify and confirm the previous guidance around promotion of services.

The FCA's Supervisory Approach to Financial Promotions in Social Media provides examples of social media in the non-exhaustive list "blogs, microblogs (Twitter), social networks (Facebook, LinkedIn, Google+), forums, image and video-sharing platforms (YouTube, Instagram, Vine, Pinterest)".

This proposed guidance is open for consultation. Feedback can be provided until 6th November by email to Richard.Lawes@fca.org.uk or by post to Richard Lawes, Financial Promotions Team, The Financial Conduct Authority, 25 The North Colonnade, London E14 5HS.

Posted on: 23 September 2014 at 08:23 hrs

12 September 2014

ICO Seeks Feedback on Use of the Data Sharing Code of Practice

Further to my post on Monday about the new privacy seals consultation, the ICO has requested feedback on the use of one of its major guidance documents.

Photograph of the transparent cased Sinclair ZX-80 computer exhibit at the recent Barbican 'Digital Revolution' exhibition in London

The Data Sharing Code of Practice was launched in May 2011 and provides statutory guidance on all internal and external sharing of personal data. The ICO has requested feedback on how the code is being used by organisations, in the form of an online survey.

The survey runs until 5th October 2014.

Posted on: 12 September 2014 at 08:11 hrs

05 September 2014

Google AdWords Policy Update 2014

Google has notified AdWords customers of upcoming changes to its usage policy.

Photograph of a country road at night with snowy slush on the ground and fog in the sky lit up by a car's headlights

The policy has been consolidated and is now grouped by the following sections: prohibited content, prohibited practices, restricted practices, and editorial & technical quality standards.

  • Prohibited content includes adverts promoting counterfeit goods, products or services that cause damage, harm or injury, products or services that are designed to enable dishonest behaviour, and other offensive or inappropriate content.
  • Prohibited practices include abuse of the AdWords network, irresponsible data collection & use, and misrepresentation of self, product or service.
  • Restricted content includes some types of adult-oriented content, copyrighted content, trademarked content, and some techniques when promoting alcoholic beverages or gambling or healthcare products/services.

AdWords customers must also comply with all applicable laws and regulations.

The upcoming policy change will replace the existing policies later this month. For future reference see also the policy change log.

Posted on: 05 September 2014 at 08:19 hrs
Policies : Application Security and Privacy
Page https://www.clerkendweller.uk/policies
© 2008-2015 clerkendweller.uk