Meta Refresh 2013

The design and engineering of user interface on the web

HOW TO tell if you're designing an insecure site

Submitted by Akash Mahajan (@makash) on Jan 28, 2013

Section: Patterns Technical level: Intermediate Session type: Lecture Status: Confirmed & Scheduled



Attend this How To session and you will gain a fundamental understanding of these questions and more.

  • Why does a secure password reset feature on a website work the way it does?
  • Why is it important for a browser to notify when you are going to a https website?
  • What does the phrase "Secure By Design" mean?

BONUS (Only if time permits)

  • Why an Aadhaar card will not ensure that your personal information is safely stored in a government database? In other words, biometric authentication doesn't mean data can't be stolen and misused.
  • Why are favicons instruments of evil?

45 Minutes of Standup without any buzzwords

Maybe you attended a deep, profound session on existential design and how to nodejs the f*@# out of your existing responsive cloud meta architecture but I promise to keep my talk buzzword free and regale you with some classical humour from the 20th century.


Using the format Yahoo started and Quora completely hijacked, I'll answer 3 basic questions about the internet, covering security, design and how things go bump on the internet.

MetaRefresh is an interesting conference. Among all the hasgeek conferences, this is the one where you see an overlap between the left-brained and the right-brained. On one hand you meet amazing designers who are creating art, and on the other you have front-end engineers who run routes and scripts around all of us.

My session is about the place where these two meet. The session is about why frontend engineers need to understand and embrace the simplicity of the protocol they are building upon. Designers need to get that the intrinsic value of the world wide web is realised when non-technical folks (like my parents) are able to buy tickets, shop for stuff and play games on FB without worrying about their money getting stolen, malware eating their photos, or losing their cat pictures.



  • An open mind
  • Sense of humour
  • Laugh on cue
  • Give feedback
  • Ask a lot of questions


  • Take any notes
  • Sit back quietly
  • Not share your opinions

Speaker bio

I used to freelance as a Web Application Security Consultant. Now I run my Application Security Company with special focus on Web and Mobile.

I help companies become secure by helping them understand approaches to security for the platform, security best practices and most importantly spreading the message that being secure is much cheaper than being insecure.

Among other things, I am the co-founder and Community Manager for "null - The Open Security Community" and OWASP Bangalore.

Website | @makash | Linkedin | Slideshare




  • Akash Mahajan (@makash) Proposer 7 years ago

    Agree or disagree with what I am saying? Get on twitter and let's discuss insecure design.

    My twitter id is @makash

  • Jitendra Vyas (@jitendravyas) 7 years ago

    This is something different and interesting. Would like to attend +1

  • Akash Mahajan (@makash) Proposer 7 years ago

    Hopefully this will get selected in the final 14.

  • Akash Mahajan (@makash) Proposer 7 years ago

    Here is a snippet from the blog of Dan Kaminsky talking about security UI

    This was instead a fairly searing critique about Security UI. Moxie introduced (to me anyway) the concept of Positive vs. Negative Feedback. Negative Feedback systems occur when the browser detects an out-and-out failure in the cryptography, and posits an error to the user. In response to the New Zealand bank data, in which 199 of 200 users ignored a negative prompt, browsers have been getting crazier and crazier about forcing users to jump through hoops in order to bypass a certificate error. The new negative errors are at the point where it is in fact easier to “balk” — to stop a web transaction, and move onto something else.

    Dan Kaminsky

    This is basically a technical post about how sslstrip works and how it is exploiting the human element. Note the part about positive and negative feedback.

    • Jitendra Vyas (@jitendravyas) 7 years ago

      But it seems it’s more about back-end and server stuff rather than user experience. It’s not a problem of the end-user; it’s a problem of the website owner.

      • Akash Mahajan (@makash) Proposer 7 years ago

        So the point I am going to make is that the entire user experience depends on the server side, which depends on the underlying protocol. Especially when one wants to build something secure.

  • Akash Mahajan (@makash) Proposer 7 years ago (edited 7 years ago)

    Uploaded slides to

    There was generous feedback on the talk and the discussions it generated. I hope that all that feedback will find its place here and we can keep talking about all of this.

    Especially expecting @jackerhack and @surdattack to share their views.
