Security Question: Client- VS Server-side
HackersCardgame opened this issue
Hello BigFive-Web Team,
First: thank you for your free open-source app that lets the public take a BigFive test.
I have some questions about security:
Premises:
- A psychology test should be treated as medical data
- I looked at the source code briefly; it seems to be a database that stores the result
- Further, the IP is logged anyway in Apache2/NGINX together with this unique identifier, in my case 63be6d73b56fa70008dcd39d
=> so you will have the TestID linked with an IP in all cases
So why not calculate / draw the result or the complete test on the endpoint of the person being tested?
Therefore you would need a STRUCT (like in C) or a small JSON that could be translated to BASE64
STRUCT:
BigFive: 5x Parameter = +5 Bytes
each has 6x SubParameters = +30 Bytes
1x UNIX Timestamp = long = +8 Bytes
=========
~40 Bytes (for the use case "BigFive Test")
which will result in something like MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OQo=
If you used a # instead of / or ?, everything would be done on the client side:
https://bigfive-test.com/result/63be6d73b56fa70008dcd39d
^
https://bigfive-test.com/result.js#MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OQo=
^
to keep the data not in the database but in the URL and only on the client side, because things after # will not be transmitted to the server; you can fetch the BASE64 in the displaying JavaScript with window.location.href and then draw the graphics with JavaScript on the client side.
Also, in an older version the ? operator is used and the graphics are calculated in the PHP file, which is not optimal in my opinion:
https://openpsychometrics.org/tests/IPIP-BFFM/results.php?r=3,7,3,3,3.1#_V
^
or maybe also as a QR code
Benefits:
- Interoperability between websites with different databases
- There would be no need for a database anyway
- The customer's IPv4/IPv6 is not linked with their "medical record"
- The customer does not give their data to unknown people
Disadvantages:
- You cannot use the customer's data on your server / in additional apps
=======
Furthermore, a view like this from the Facebook variant of the BigFive test (which was removed) would be better for comparing two persons at a glance.
Since this would not be a security thing but an idea / feature request, please tell me if I should move that to another issue.
With kind regards
Marc jr. Landolt
eidg. dipl. Informatiker HF
Neuenburgerstrasse 6
5004 Aarau
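The fragment-based scheme sketched in the issue above, worked through as an added example. This is not code from the bigfive-web project or from the issue's author; it assumes a fixed 43-byte layout (5 domain bytes, 30 facet bytes, an 8-byte big-endian UNIX timestamp in seconds), scores that fit in one byte each, the base64url alphabet (so the token needs no percent-escaping in a URL), and a placeholder page URL. The sample scores and timestamp at the bottom are constructed for the demo.

```javascript
// Added example: carry a Big Five result in the URL fragment instead of a
// server-side database, and decode/draw it purely on the client.
// Layout (assumed for this example, mirrors the STRUCT in the issue):
//   5 domain bytes + 30 facet bytes + 8-byte big-endian UNIX timestamp = 43 bytes
const DOMAINS = 5;
const FACETS_PER_DOMAIN = 6;
const TS_OFFSET = DOMAINS + DOMAINS * FACETS_PER_DOMAIN; // 35
const PAYLOAD_LEN = TS_OFFSET + 8;                        // 43

// base64url alphabet: '-' and '_' instead of '+' and '/', no '=' padding,
// so the token is safe inside a URL fragment without escaping.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

function base64UrlEncode(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = (bytes[i] << 16) | ((bytes[i + 1] ?? 0) << 8) | (bytes[i + 2] ?? 0);
    out += B64URL[(n >> 18) & 63] + B64URL[(n >> 12) & 63];
    if (i + 1 < bytes.length) out += B64URL[(n >> 6) & 63];
    if (i + 2 < bytes.length) out += B64URL[n & 63];
  }
  return out;
}

function base64UrlDecode(token) {
  // Reject anything outside the alphabet or with an impossible length before decoding.
  if (!/^[A-Za-z0-9_-]*$/.test(token) || token.length % 4 === 1) {
    throw new Error('invalid base64url token');
  }
  const out = [];
  for (let i = 0; i < token.length; i += 4) {
    const chunk = token.slice(i, i + 4);
    let n = 0;
    for (let j = 0; j < 4; j++) n = (n << 6) | (j < chunk.length ? B64URL.indexOf(chunk[j]) : 0);
    out.push((n >> 16) & 255);
    if (chunk.length > 2) out.push((n >> 8) & 255);
    if (chunk.length > 3) out.push(n & 255);
  }
  return Uint8Array.from(out);
}

function checkByte(v) {
  if (!Number.isInteger(v) || v < 0 || v > 255) throw new RangeError(`score out of byte range: ${v}`);
  return v;
}

// Pack scores + timestamp into the fixed layout and return the URL-safe token.
function encodeResult(domains, facets, timestampSec) {
  if (domains.length !== DOMAINS) throw new RangeError(`expected ${DOMAINS} domain scores`);
  if (facets.length !== DOMAINS * FACETS_PER_DOMAIN) throw new RangeError('expected 30 facet scores');
  if (!Number.isInteger(timestampSec) || timestampSec < 0) throw new RangeError('bad timestamp');
  const bytes = new Uint8Array(PAYLOAD_LEN);
  let i = 0;
  for (const v of domains) bytes[i++] = checkByte(v);
  for (const v of facets) bytes[i++] = checkByte(v);
  new DataView(bytes.buffer).setBigUint64(TS_OFFSET, BigInt(timestampSec)); // big-endian
  return base64UrlEncode(bytes);
}

// Inverse of encodeResult; length is checked so a truncated or tampered
// fragment is rejected before anything is drawn.
function decodeResult(token) {
  const bytes = base64UrlDecode(token);
  if (bytes.length !== PAYLOAD_LEN) throw new Error(`expected ${PAYLOAD_LEN} bytes, got ${bytes.length}`);
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    domains: Array.from(bytes.subarray(0, DOMAINS)),
    facets: Array.from(bytes.subarray(DOMAINS, TS_OFFSET)),
    timestampSec: Number(view.getBigUint64(TS_OFFSET)),
  };
}

// The shareable link: everything after '#' stays in the browser.
function resultUrl(pageUrl, token) {
  return `${pageUrl}#${token}`;
}

// What an HTTP server (and its access log) actually receives for that link:
// origin + path + query; the fragment is never part of the request line.
function serverVisiblePart(href) {
  const u = new URL(href);
  return u.origin + u.pathname + u.search;
}

// Client side: read the token back from the page URL (window.location.href in
// a browser; a string here so it runs offline) and decode it for drawing.
function resultFromLocation(href) {
  const hash = new URL(href).hash;
  if (!hash.startsWith('#')) throw new Error('no result token in URL fragment');
  return decodeResult(hash.slice(1));
}

// Constructed sample data for the demo (not real test output).
const sampleDomains = [77, 52, 61, 48, 90];
const sampleFacets = Array.from({ length: 30 }, (_, i) => (i * 7) % 101);
const sampleTs = 1673702400;
const demoLink = resultUrl('https://example.com/result', encodeResult(sampleDomains, sampleFacets, sampleTs));
console.log('link:', demoLink);
console.log('server sees:', serverVisiblePart(demoLink));
console.log('client decodes:', resultFromLocation(demoLink));
```

Two points worth keeping in mind with this design: the token does not reach the server or its access log, but it does sit in the user's browser history and in any link they forward, so the "record" is only as private as the link; and because the client draws whatever the fragment contains, the decoder must validate length and alphabet (as above) rather than trusting the URL.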