1. What would you consider a security warning sign when you are using a website?
- Not using HTTPS for pages that should be secure.
- Pages that use expired certificates.
- Weird password limitations that indicate underlying weaknesses in the storage and verification implementation. (e.g. max 8 characters, not allowing characters such as double-quote, etc.)
- Sites that e-mail me my full membership information, including the full password.
- Sites that allow me to recover my password instead of resetting it to a new password.
- High-profile, fraud-sensitive services (e.g. banking, government, online store accounts such as PSN or Steam) that do not employ a form of two-factor authentication.
- Websites which offer to store credit card details.
2. Are there any common mistakes that you see users make that exposes them to lost information, identity theft or malware?
- Not having an up-to-date browser.
- Not having an up-to-date operating system.
- Opening up additional attack vectors by installing third party browser plugins that are known to regularly have security issues, e.g. Flash and Java.
- Not using an ad blocking tool and opening yourself up to drive-by assaults from badly curated ad networks.
- Not using a whitelist-based script blocking tool.
- Browsing with an account that has administrative permissions.
3. What would make you think that a web site is likely a safe place for your sensitive data?
Mind-altering substances or intoxicating levels of alcohol. Failing that, a hard enough impact with a blunt object to incur brain damage.
The web is never a safe place for storing sensitive data of any kind, even with well-established tech companies like Google or Apple. (Case in point: the recent leak revealing the existence of the PRISM program.) Before storing or sending personal data anywhere you should always carefully consider whether it's worth it. In some cases though (e.g. government, educational institutions, employers, etc.), it may be unavoidable and you should focus on supplying only the minimum.
4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?
User convenience. Other than that, it's actually a pretty good idea.
5. What do you think is the easiest way to manage passwords?
Post-it notes. However, as has been said: easiest != best. Best is probably memorizing a two-phrase master password to grab others off of a key chain software, explicitly without an option for password recovery or password recovery hints. For emergencies have two physical notes, one for each phrase, stored in separate safes.
6. Do you think about the general state of security and the internet?
It's a bloody freaking mess from the technical as well as the non-technical side. Technical exploits like XSS, CSRF or SQL injection refuse to die out, generally due to continued developer incompetence or unhealthy budget slashes coming down from management. With all the wet-behind-the-ears, gullible non-technical types cruising around on the web it's not going to get better any time soon either. Social engineering (such as phishing) is a 'rising star' that large government awareness campaigns continue to be unable to curb.
7. Is there anything that you think users should know?
Always treat the internet as hostile. Always second-guess intentions. If it sounds too good to be true, it is.
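Three of the warning signs listed under question 1 (odd password length or character limits, sites that e-mail you your password, and "recovery" instead of reset) all point at the same underlying question: can the site turn what it stores back into your password? The following is an added illustration, not code from the original post, of a user store that cannot. It keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest, accepts passwords of any length and character set because the KDF consumes raw bytes, and offers a token-based reset as the only path when a password is forgotten. The class name, the iteration count, and the in-memory dictionaries are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets


class PasswordStore:
    """Constructed example: stores salted PBKDF2 digests, never the password.

    Because only a one-way digest is kept, a 'send me my password' feature
    is impossible by construction; the only option is a reset.
    """

    # Iteration count is an assumption for this example; pick it so one
    # derivation costs tens to hundreds of milliseconds on your hardware.
    ITERATIONS = 300_000
    SALT_BYTES = 16

    def __init__(self):
        self._records = {}       # username -> (salt, digest)
        self._reset_tokens = {}  # single-use token -> username

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        # Any length, any characters (quotes included): the KDF hashes the
        # UTF-8 bytes, so there is no technical reason for an 8-char cap
        # or a ban on double-quotes.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, cls.ITERATIONS
        )

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(self.SALT_BYTES)
        self._records[username] = (salt, self._derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Spend the same work for unknown users so account existence
            # is not revealed by response time.
            self._derive(password, b"\x00" * self.SALT_BYTES)
            return False
        salt, digest = record
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def recover_password(self, username: str):
        # Nothing stored can be inverted; a site that can e-mail your
        # password is necessarily keeping it in a reversible form.
        return None

    def issue_reset_token(self, username: str) -> str:
        if username not in self._records:
            raise KeyError(username)
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = username
        return token

    def reset_with_token(self, token: str, new_password: str) -> bool:
        # Tokens are single-use: pop() removes it whether or not it matched.
        username = self._reset_tokens.pop(token, None)
        if username is None:
            return False
        self.register(username, new_password)
        return True


def demo() -> dict:
    """Walk through register / verify / reset with a long, quote-laden password."""
    store = PasswordStore()
    long_pw = 'correct "horse" battery staple! ' * 3   # 96 chars, has quotes
    store.register("alice", long_pw)
    results = {
        "long_ok": store.verify("alice", long_pw),
        "wrong_rejected": store.verify("alice", "hunter2"),
        "unknown_rejected": store.verify("bob", long_pw),
        "recoverable": store.recover_password("alice"),
    }
    token = store.issue_reset_token("alice")
    results["reset_ok"] = store.reset_with_token(token, "new-pass-phrase")
    results["token_reuse_rejected"] = store.reset_with_token(token, "again")
    results["old_rejected"] = store.verify("alice", long_pw)
    results["new_ok"] = store.verify("alice", "new-pass-phrase")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical reading of this: a site that can mail you your password, or that forbids characters and lengths a hash function would happily accept, is telling you that something other than a one-way digest sits behind its login form.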