11. Validate your controls through extensive code review and testing. Don't expect that just because something is open source that this has happened. Don't just take security "best practices" as the truth.

To principle 11, this year we were once again reminded why regurgitating security advice without looking into the actual implementation can be a problem. For years security and privacy advocates told users to use proxies in combination with HTTPS to protect their privacy and security, yet it turns out that this advice as applied to iOS and macOS allowed full middling of HTTPS connections by any bad actor with access to the user's network. For all other operating systems, as covered in the CERT advisory, it led to the ability to phish for authentication credentials:

http://www.falseconnect.com/
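The comment above argues for actually testing a control instead of trusting the advice. As an added example (not from the post, the comment, or the linked advisory), here is a small Python harness that does that for the proxy-plus-HTTPS case: it stands up a throwaway local "proxy", has it answer a CONNECT request either honestly or with a hostile reply, and checks what a client is allowed to do with the answer. The hostile reply's shape (a 407 carrying an HTML body) is an assumption made for this example; the comment does not spell out the mechanism. All responses are constructed inline, nothing is captured traffic.

```python
import socket
import threading

# Constructed proxy answers for the harness (not captured traffic).
# A well-behaved proxy opens the tunnel:
OK_RESPONSE = b"HTTP/1.1 200 Connection Established\r\n\r\n"

# Assumed hostile shape: the proxy refuses the tunnel with a 407 and hands
# the client an HTML body that looks like a login form.
HOSTILE_BODY = b"<html><body><form>Proxy password:</form></body></html>"
HOSTILE_RESPONSE = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
    b"Content-Type: text/html\r\n"
    + b"Content-Length: " + str(len(HOSTILE_BODY)).encode() + b"\r\n\r\n"
    + HOSTILE_BODY
)


def classify_connect_response(raw: bytes) -> dict:
    """Decide what a client may do with the proxy's answer to CONNECT.

    Only a 2xx status means the tunnel to the target is open; anything after
    the header block is then the start of the TLS handshake. Any other status
    is the proxy talking: its body belongs to the proxy (fine to log) and must
    never be rendered or executed as if it came from the HTTPS origin the
    user asked for.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return {"status": None, "tunnel": False, "proxy_body": None,
                "reason": "malformed CONNECT response"}
    status = int(parts[1])
    if 200 <= status <= 299:
        return {"status": status, "tunnel": True, "proxy_body": None,
                "reason": "tunnel established; continue with TLS to the target"}
    return {"status": status, "tunnel": False, "proxy_body": rest,
            "reason": "proxy refused CONNECT; body logged, not rendered"}


def _fake_proxy(listener: socket.socket, response: bytes) -> None:
    """Accept one connection, ignore the CONNECT request, send `response`."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)
        conn.sendall(response)


def probe_proxy(response: bytes, target: str = "example.com:443") -> dict:
    """Issue one CONNECT to a throwaway local proxy that answers with `response`."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_fake_proxy, args=(listener, response), daemon=True)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
            raw = b""
            while True:  # the fake proxy closes the connection after answering
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    finally:
        worker.join(5)
        listener.close()
    return classify_connect_response(raw)


if __name__ == "__main__":
    for name, resp in (("honest proxy", OK_RESPONSE), ("hostile proxy", HOSTILE_RESPONSE)):
        r = probe_proxy(resp)
        print(f"{name}: status={r['status']} tunnel={r['tunnel']} -> {r['reason']}")
```

The useful part is the harness, not the toy client: point whatever HTTP stack you are relying on (a browser, an OS-level proxy setting, an HTTP library) at the fake proxy's port and watch what it does with the 407 body. If anything gets rendered or a credential prompt appears under the target site's name, the "proxy plus HTTPS" advice is not holding on that platform, regardless of what the best-practice write-up says.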
The ten principles are a key principle (number 1), and the nine principles that follow (according to the post):

1. Do not rely on the law to protect systems or users.
2. Prepare policy commentary for quick response to crisis.
3. Only keep the user data that you currently need.
4. Give users full control over their data.
5. Allow pseudonymity and anonymity.
6. Encrypt data in transit and at rest.
7. Invest in cryptographic R&D to replace non-cryptographic systems.
8. Eliminate single points of security failure, even against coercion.
9. Favor open source and enable user freedom.
10. Practice transparency: share best practices, stand for ethics, and report abuse.
> Sandboxing, modularization, vulnerability surface reduction, and least privilege are already established as best practices for improving software security.

And yet Tor Browser Bundle still uses Firefox, which is going to get sandboxing Real Soon Now (8 years after Chrome released with it). Just two weeks ago, we heard about another piece of FBI malware discovered in the wild exploiting a Firefox 0-day to deanonymize Tor users; who knows how long it was used before being discovered, or what other exploits may be lurking out there.

To be fair, I'm not sure whether the Chromium sandbox protects against 'mere' IP address disclosure, but still...
On "give users full control over their data." What about if a third party could use that user's account to gain access to their data? What are best practices around that?