Security Question: Client- VS Server-side #117

Open
HackersCardgame opened this issue Jan 11, 2023 · 0 comments
Hello BigFive-Web Team

First: thank you for your free open-source app that lets the public take a BigFive test.

I have some questions about security:

Premises:

  • Psychology tests should be treated as medical data
  • I looked at the source code briefly; it seems to be a database that stores the result
  • further, the IP in Apache2/NGINX is logged anyway together with this unique identifier, in my case 63be6d73b56fa70008dcd39d
    => so you will have the TestID linked with an IP in all cases

So why not calculate / draw the result, or the complete test, on the endpoint of the person being tested?

Therefore you would need a STRUCT (like in C) or a small JSON that could be translated to BASE64

STRUCT:
BigFive: 5x Parameter      =  +5 Bytes
each has 6x SubParameters  = +30 Bytes
1x Unix Timestamp = long   =  +8 Bytes
                             =========
                             ~40 Bytes (for the use case "BigFive Test")

which will result in something like MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OQo=

If you would use a # instead of / or ?, everything would be done on the client side

https://bigfive-test.com/result/63be6d73b56fa70008dcd39d
                               ^
https://bigfive-test.com/result.js#MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OQo=
                                  ^

to keep the data not in the database but in the URL and only on the client side, because things after # will not be transmitted to the server, and you can fetch the BASE64 in the displaying JavaScript with window.location.href and then draw the graphics with JavaScript on the client side

Also, in an older version the ? operator is used and the graphics are calculated in the PHP file, which is not optimal in my opinion

https://openpsychometrics.org/tests/IPIP-BFFM/results.php?r=3,7,3,3,3.1#_V
                                                         ^

or maybe also as QR Code

Benefits:

  • Interoperability between websites with different databases
  • there would be no need for a database anyway
  • the customer's IPv4/IPv6 is not linked with his "medical record"
  • the customer does not give his data to unknown people

Disadvantages:

  • you cannot use the customer's data on your server / additional apps

=======

Further, a view like this from the Facebook variant of the BigFive test that was removed would be better to compare two persons in one blink
[image: FiveLabsVariant]

Since this would not be a security thing but an idea / feature request, please tell me if I should move it to another issue

With kind regards

Marc jr. Landolt
eidg. dipl. Informatiker HF
Neuenburgerstrasse 6
5004 Aarau
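The fragment-based scheme proposed above, as an added example that is not part of the BigFive-Web project's code. It assumes a 43-byte layout (5 domain bytes, 30 facet bytes, an 8-byte big-endian Unix timestamp in milliseconds), uses base64url so the value is URL-safe, and uses the URL API to show that only path and query form the request target while the fragment stays in the browser.

```javascript
// Added example (not BigFive-Web code): keep a Big Five result in the URL
// fragment instead of a server-side database record.
// Assumed layout: 5 domain scores + 30 facet scores (1 byte each, 0..255)
// followed by an 8-byte big-endian Unix timestamp in milliseconds = 43 bytes.
const DOMAINS = 5;
const FACETS = 30;
const RESULT_BYTES = DOMAINS + FACETS + 8;

// base64url: '+' and '/' would need percent-encoding inside a URL, so swap them.
function toBase64Url(bytes) {
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromBase64Url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function encodeResult({ domains, facets, timestampMs }) {
  if (domains.length !== DOMAINS || facets.length !== FACETS) throw new Error('bad score count');
  const buf = new Uint8Array(RESULT_BYTES);
  [...domains, ...facets].forEach((v, i) => {
    if (!Number.isInteger(v) || v < 0 || v > 255) throw new RangeError('score out of range');
    buf[i] = v;
  });
  new DataView(buf.buffer).setBigUint64(DOMAINS + FACETS, BigInt(timestampMs), false);
  return toBase64Url(buf);
}

// Reject anything that is not exactly one well-formed record: the fragment is
// user-controlled input like any other URL part, even though it never left the browser.
function decodeResult(fragment) {
  const bytes = fromBase64Url(fragment.replace(/^#/, ''));
  if (bytes.length !== RESULT_BYTES) throw new Error('malformed result');
  const ts = new DataView(bytes.buffer).getBigUint64(DOMAINS + FACETS, false);
  return {
    domains: Array.from(bytes.slice(0, DOMAINS)),
    facets: Array.from(bytes.slice(DOMAINS, DOMAINS + FACETS)),
    timestampMs: Number(ts),
  };
}

// What the browser puts in the HTTP request line: path and query only, no fragment.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Client-side entry point: in a page this would be resultFromHref(window.location.href).
function resultFromHref(href) {
  return decodeResult(new URL(href).hash);
}
```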
