Posted: Tue Feb 26, 2008 1:24 am Post subject: Protecting the identity of people browsing my website
I have a couple of questions regarding the privacy of people browsing my website.
It's possible for a website to know the IP of those connected to it, right? So I'm assuming it's possible for a hacker to be able to find out that info and see who is connected to a website at any particular time.
Is there any way to stop a hacker from being able to identify the members / connections to a website? If I use SSL will that encrypt or hide the users' IP and other identifiable information?
For someone to establish and maintain a connection to a webserver (or any other computer), that computer must be able to see their IP address. The operating system network stack, at the very least, must see it. If any application chooses to use the IP to decide what access will be given (e.g. only accepting connections from a range of known addresses) then it will also have to see this information.
However, there may be no need for the web application to store the information in any way for future reference.
A typical web hack might target an exploit in the web application itself to get at the data which runs the site, or sits on databases behind it. So if the IPs are not stored by the application it would be safe from these attacks.
If an attacker could get through to see the logs on the server they could potentially see historical connections, and probably live ones as well.
Thanks for your help Adam, that's very interesting information. I'm fairly careful with security but this is the first job I've had where someone is highly concerned with protecting the site users' identities.
I see what you're saying about the web hack and I take the point - only things that are available in the database to the website itself would be available to a web hacker. That's good news, I think, as the server logs etc would be harder to get to through the web front-end (or impossible), right? We're already designing it to hold very minimal user information within the system itself so that if a login is breached nothing identifiable would be accessible.
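Added example (not part of the original posts): one way to act on the points above about server logs and holding minimal identifying data is to mask client addresses before access logs are retained. The Common Log Format input, the /24 and /48 prefix lengths, and the function names are assumptions of this example; the sample lines are constructed.

```python
import ipaddress

# Prefix lengths kept after masking; these values are an assumption of this
# example (a common choice), not something the thread specifies.
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48


def mask_address(host: str) -> str:
    """Return the host field with the identifying low bits zeroed."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Reverse-DNS names or garbage in the host field can identify a user
        # just as well as an address, so drop them entirely.
        return "-"
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 client
    keep = V4_KEEP_BITS if addr.version == 4 else V6_KEEP_BITS
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def scrub_line(line: str) -> str:
    """Mask the first field (client host) of a Common Log Format line."""
    host, sep, rest = line.partition(" ")
    return mask_address(host) + sep + rest


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.77 - - [26/Feb/2008:01:24:00 +0000] "GET /members HTTP/1.1" 200 512',
    '2001:db8:1234:5678:9abc:def0:1:2 - - [26/Feb/2008:01:25:10 +0000] "GET / HTTP/1.1" 200 1024',
    '::ffff:198.51.100.9 - - [26/Feb/2008:01:26:30 +0000] "POST /login HTTP/1.1" 302 0',
    'dsl-77.example.net - - [26/Feb/2008:01:27:00 +0000] "GET /faq HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```

Masking only reduces what stored logs reveal; the server still sees the full address for the lifetime of each connection, as the reply above explains.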