On a lot of IndieWeb sites, I noticed that profile images of webmentions get directly embedded from their original source. For example, Twitter profile images are loaded directly from Twitter servers (pbs.twimg.com) or even my profile image is directly embedded from my site.
However, you should consider enabling Content Security Policy (CSP) headers and only allowing embedded content from trusted sites (your own domains). A site can always get hacked and have malware injected, or a domain can expire and be re-registered by spammers, and that would then also affect your website’s visitors.
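As an added illustration (not code from the original post), the following Python models how a browser evaluates a CSP img-src directive against webmention avatar URLs, comparing a permissive policy with one restricted to the site's own domains. The page origin, policies and avatar URLs are constructed samples.

```python
# Added example: parse a CSP header's img-src directive and report which
# webmention avatar URLs the browser would refuse to load under it.
from urllib.parse import urlparse

PAGE_ORIGIN = "https://example.org"            # constructed: the IndieWeb site
WEAK_POLICY = "default-src 'self'; img-src *"  # images from anywhere
HARDENED_POLICY = "default-src 'self'; img-src 'self' https://cdn.example.org"

# Constructed sample of author photo URLs as they arrive in webmentions.
AVATARS = [
    "https://example.org/images/me.jpg",
    "https://cdn.example.org/avatars/42.png",
    "https://pbs.twimg.com/profile_images/1/x.jpg",
    "http://lapsed-domain.test/avatar.png",
]

def _default_port(u):
    return u.port or (443 if u.scheme == "https" else 80)

def _host_matches(pattern, host):
    # "*.example.org" matches subdomains only, not example.org itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def source_allows(source, url):
    """True if one CSP source expression permits loading url."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        p = urlparse(PAGE_ORIGIN)
        return (u.scheme, u.hostname, _default_port(u)) == (p.scheme, p.hostname, _default_port(p))
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):                   # scheme-source such as "https:"
        return u.scheme == source[:-1]
    # host-source with optional scheme and port, e.g. https://cdn.example.org:8443
    s = urlparse(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.port is not None and s.port != _default_port(u):
        return False
    return u.scheme in ("http", "https") and _host_matches(s.hostname, u.hostname)

def img_src_sources(policy):
    """Return the img-src sources, falling back to default-src as browsers do."""
    directives = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("img-src") or directives.get("default-src") or ["*"]

def blocked_avatars(policy, urls=AVATARS):
    """URLs the browser would refuse to load under this policy."""
    sources = img_src_sources(policy)
    return [u for u in urls if not any(source_allows(s, u) for s in sources)]
```

Under the hardened policy the third-party and lapsed-domain avatars are blocked, which is why sites that restrict img-src usually cache webmention avatars on their own domain first.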
There are some online services that use email login. This means that instead of a user name and password combination, only the email address is entered and a login link is sent to it. Basically, this is a good way to increase security a bit: the service only needs to store a list of email addresses instead of a password (hopefully encrypted and hashed) for each user.
But somehow this is also quite annoying sometimes.
You may ask yourself how secure the email provider you use, or the mail server you operate yourself, actually is. Today I learned that there is a simple way to test this.
A test platform provided by the European Commission offers a simple way to test the security standards of your mail provider or mail server; it only involves receiving a mail and replying to it. It also checks some DNS settings and finally calculates scores in these three categories:
The openness of the system is often praised by Android enthusiasts as one of its main advantages. You can install apps not only from the official store (Google Play) but also from other sources. But isn’t that like running a Windows computer without an antivirus program?
Try to teach a person who really doesn’t know anything about smartphones (except how to take photos, write messages and make phone calls) how to install an app from a source other than Google Play…