Frequently Asked Questions
This section is part of the Romance.ucam.org online help system. You can also view the entire document as a single very long page.
Safety and Security - Computer
Here are a few points about computer security. This is written for Romance.ucam.org, but it's applicable generally.
- You should choose a good, strong password. This should not be a dictionary word as these can be easily guessed (it's easy for a computer
program to test 20,000 words!) Don't reveal your password.
- Don't let others have access to your computer, especially your email account. If they do bad things, you will get the blame, because it is assumed that you did it! Our
signup-confirmation validates your identity by knowing that you are the only person who can read email sent to your address.
- Log out of the site when you are finished. If you just allow it to time-out, you may no longer appear logged-in, but the next person to use that web-browser
(for example, on a shared computer in a library or internet cafe) may be able to continue to be "you".
- We restrict the HTML tags that people can use in profiles and messages for security reasons. Remote images and external links can be misused to obtain someone's identity -
this is why they are not permitted. We aren't just being awkward!
- You should be slightly wary of opening external webpages/images whose URL is included in someone's profile or message. If the webpage
lives on a server that they control, then they could possibly log your computer's internet (IP) address, from which your identity may be derived.
- We will lock your account if you enter the wrong password 9 times consecutively. This is just what a bank will do if you repeatedly type
the wrong PIN. Contact Cupid if this happens to you.
- Your browser must accept session cookies. The session-cookie looks like "PHPSESSID=pea45p10bjcb6p3221". It stores your login credentials; it is
discarded once you log out (or after ∼24 minutes if you don't log out.)
- You may wonder why some of our error messages are vague. This is to prevent information leaks. For example, if you already have an account, and you try to sign up again, on screen
you will be told that it succeeded; but by email, you will be informed that you already have an account. This prevents an attacker from finding out whether a given person has an account on
the site or not. Likewise, if someone repeatedly tries to log in with an invalid email/password pair, the account will be locked, regardless of whether it actually exists!
- HTTP transmissions are unencrypted (usually, so are emails), and could potentially be monitored by other computers on the network: this is unlikely, but you should be aware that it can happen.
Unencrypted (open) Wi-Fi networks are far easier to 'sniff' than wired networks or secure (WPA) Wi-Fi: use Wireshark to see for yourself. You should use HTTPS instead.
[Update: as of mid-2012, we exclusively use the encrypted (https://, wss://) protocols, and opportunistically encrypt outbound email (if the server can accept it).]
- Some organisations deploy SSL "HTTPS Proxy Appliances" to snoop on personal web access within their systems. If you are using a web-browser on a system that you do not administer (such as a corporate computer), then there is a possibility
that your secure browsing isn't actually secret. We can't protect against this, but you can detect it. For more information, see GRC's article on SSL Fingerprints and compare what
your browser thinks is our certificate's fingerprint, with our actual fingerprint.
A rule of thumb is that, if you paid for the computer yourself, and downloaded the web-browser yourself, then you're probably OK; on the other hand, users of centrally-administered corporate computers are implicitly trusting the
honourability of their system administrator not to apply a corporate monitoring policy (aka man-in-the-middle). Some proxy services (eg Opera Mini) do this for performance reasons; they are up-front about it, and it's your choice whether to trust them.
- Some general advice for improved privacy online is given here, here, and here.
A good start is to use a Free Operating System (if you can) and an open-source browser (eg Firefox), block ads and Flash by default (Adblock-Edge, FlashBlock), enable "Do not track", and use a privacy-respecting search engine (eg DuckDuckGo).
- See also the section on Anonymity and Privacy.
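The vague-error and lockout points in the list above, shown as an added Python sketch (this is not Romance.ucam.org's own code; the class name, the message wording and the in-memory storage are assumptions made for illustration). Signup shows the same on-screen text either way and tells the truth only by email, and login counts failures per submitted email so that a non-existent account locks exactly like a real one:

```python
import hashlib
import hmac
import os

MAX_FAILURES = 9                     # lock threshold stated on the page
LOGIN_FAILED = "Login failed."       # constructed wording, identical for every failure
LOCKED = "Account locked. Contact Cupid."
SIGNUP_SHOWN = "Signup succeeded. Check your email."

class AuthService:                   # hypothetical name, in-memory demo only
    def __init__(self):
        self.accounts = {}   # email -> (salt, password hash)
        self.failures = {}   # submitted email -> consecutive failures, known or not
        self.outbox = []     # (recipient, text): stands in for outbound email
        self._dummy = (os.urandom(16), os.urandom(32))  # used for unknown emails

    @staticmethod
    def _hash(salt, password):
        # Demo work factor; tune upwards for a real deployment.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def signup(self, email, password):
        email = email.strip().lower()
        if email in self.accounts:
            # Only the mailbox owner learns that the account already exists.
            self.outbox.append((email, "You already have an account."))
        else:
            salt = os.urandom(16)
            self.accounts[email] = (salt, self._hash(salt, password))
            self.outbox.append((email, "Please confirm your new account."))
        return SIGNUP_SHOWN          # on-screen text never varies

    def login(self, email, password):
        email = email.strip().lower()
        if self.failures.get(email, 0) >= MAX_FAILURES:
            return LOCKED            # same answer whether or not the email exists
        salt, stored = self.accounts.get(email, self._dummy)
        # Always hash and compare, so unknown emails cost the same work.
        match = hmac.compare_digest(self._hash(salt, password), stored)
        if match and email in self.accounts:
            self.failures.pop(email, None)   # success resets the consecutive count
            return "OK"
        self.failures[email] = self.failures.get(email, 0) + 1
        return LOCKED if self.failures[email] >= MAX_FAILURES else LOGIN_FAILED
```

The failure table here grows with every distinct email submitted; a deployed version would keep it in a store with expiry.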