71

On a banking website I see that they have disabled right-click. Does that make the site any more secure? Is it a good general practice?

Jeff Ferland
18bytes
  • Disabling right click doesn't prevent a person from using web developer toolkits. These can and will allow the person to alter HTML, JavaScript and CSS code, meaning the person will still be able to download your images and fool your client side security. – HTDutchy Feb 21 '13 at 10:24
  • Sure it does, it makes the site more hated, thus more hackable – Mite Mitreski Feb 21 '13 at 10:28
  • I'd like to point out that regardless of whether or not this practice affects the **physical security** of a site, it does contribute to the **perceived security** of the site from the general populace. – Chris Kerekes Feb 21 '13 at 14:27
  • @ChrisKerekes I've never heard this claim; I'm curious to know if there's some article or such you can cite that talks about affecting the `perceived security of the site from the general populace`? – SpellingD Feb 21 '13 at 17:17
  • When my local HSBC branch was bought out by FirstNiagara, the online system switched to some service at openbank.com. I have since closed my accounts because I simply do not trust FirstNiagara with my money. [Here's what you get when you right click](http://screencast.com/t/Gn9UqdCG4). – zzzzBov Feb 21 '13 at 18:20
  • @SpellingD, [The Psychology of Security](http://www.schneier.com/essay-155.html) is an article from Bruce Schneier, author of a number of encryption and security books published by Wiley. Disclaimer: I have not read the article in its entirety. – Chris Kerekes Feb 21 '13 at 19:16
  • @ChrisKerekes Thanks for taking the time to link the article! I read through the whole thing and there wasn't anything in it about right-clicking and how that affects one's sense of security. Perhaps it was in some other article. Rather, with the information presented in what you linked, I'd argue that it implies people would perceive this as *more risky*, as it is `externally imposed`, `Rare`, `Intentional`, `Immediate`, `Affecting them personally`, `Entirely without redeeming features`, `Uncertain`, and perhaps `New and unfamiliar`. Information taken from Table 1 in the link. – SpellingD Feb 21 '13 at 22:19
  • Just my $.02: When a website disables anything, I consider it a personal challenge (although it's not ever very difficult) to circumvent their "Security Measures" (lol). – DondeEstaMiCulo Feb 22 '13 at 00:38
  • @SpellingD, The article in question lists 5 perceptions, possibly differing from reality, that affect how individuals assess risk. The fourth perception is `How effective the countermeasure is at mitigating the risk`. In the context of a banking site, the risk is having my account compromised. While I may disagree that this risk is externally imposed, I neither claimed that financial loss nor identity theft were downplayed. Instead **my argument was that an average user may misjudge the effectiveness of disabling right-clicking**. – Chris Kerekes Feb 22 '13 at 17:52
  • Kindly can you provide a link to that bank? I see this behavior quite commonly on fashion and media websites. Probably a protection measure against copyright infringement. – Saladin Mar 07 '13 at 08:39
  • Ironically, the Indian CERT-In (Indian Computer Emergency Response Team) website uses the same tactic. It is the top government organisation in charge of preventing cyber crime in India. It's really annoying. – Prince Kumar Dec 16 '16 at 14:37

10 Answers

137

Does it make the site any more secure?

No, it doesn't alter anything other than your ability to conveniently save items from a page. Using a browser's developer mode, turning off JS, overriding this with a different script that disables that pop-up, or just grabbing data off the wire after stripping the SSL will all work.

Is it a good general practice?

This is an ache that the Internet has had to suffer from since the height of GeoCities fame, when folks didn't want you to "steal" their very poorly composed photos of dandelions and family pets. Dispensing with all professionalism and being as straightforward as possible, I might hesitate to convict a person for smacking the responsible party of any modern site using this upside the head with a cast iron skillet. Aside from that, it has generally fallen out of favor due to being a combination of ineffective and annoying. For instance, it would also make my spellchecker misbehave.

Jeff Ferland
  • +1. It doesn't help security, and it pisses me off. – Tom O'Connor Feb 21 '13 at 08:58
  • Also, anyone who *thinks* that this somehow improves security really shouldn't be trusted with a freaking **banking** site. I'd like to know which bank this is so I can avoid ever using its internet banking functionality... – Shadur Feb 21 '13 at 10:30
  • @Shadur: Well, banking websites notoriously do stupid things. It often happens that your password must be a "PIN" which must be 4 numbers, no letters, no longer and no shorter /shrug – Andreas Bonini Feb 21 '13 at 12:33
  • +1 Just for the enduring image of the Skillet and the tell-tale "Spang" noise we all know it would make! :) – James Snell Feb 21 '13 at 13:25
  • @Shadur, avoid FirstNiagara then. – zzzzBov Feb 21 '13 at 18:22
  • Zero benefit. Anyone savvy enough to "hack" will not be thwarted by not being able to right click. It disables only the action of a right click, and not the functionality provided by right clicking. "I've made it past the 1024 bit encryption, now if only I could right click on this damn image..." – eskimo Feb 22 '13 at 12:34
  • This reminds me of how Zuckerberg was convicted of having "broken in", "hacked" and "stolen" the yearbook photos from the university's publicly available sites. They also had right-click disabled ;) ... wget and cURL are really evil evil hacking tools, you see? :D – Gewure Aug 02 '17 at 13:52
23

Client side security is just a smokescreen. It will prevent inexperienced people from saving the images or messing with the HTML, but one can easily disable this with a single line of injected javascript. You can mess with the HTML even without this line of JS, using Chrome Inspector.

When this trick is used to keep images "secure":

I've seen a lot of tricks used by sites to avoid images being fetched. One, of course, is trapping the right click bubble. The other is to overlay two images (or to use a CSS background-image:url()), making the first one 'inaccessible' to right click. But that will only prevent the folks that don't know much more than "right click>save image as".

Is it a good practice? Probably not. It's still very easy for people to get the image. But yeah, if you want to cull the pool of possible "thieves", I guess it's OK to do. Still, you should come to terms with the fact that once you send something to the client, it can be stolen.

When this trick is used to keep the website "secure":

Please don't do this. Your security should be on your server-side. Client side security should be in the form of CSRF/clickjacking preventions. Not in the form of "making the source code difficult to mess with". Because it always can be messed with.

Manishearth
  • Anyone who really wants the image is going to be able to get it unless they're *terminally* incompetent at web browsing. I'd hesitate to say disabling right click would do more than slow anyone down. – Shadur Feb 21 '13 at 10:28
  • @fgysin: I right-click>open image in new tab. Then I save. If it's not what I wanted, I Chrome-inspector the page and drag the real URL out kicking and screaming :P – Manishearth Feb 21 '13 at 16:18
  • Ah, this brings back memories of a buddy of mine in college thinking he'd made a "secure" image DRM and challenged me to break it. He was so surprised when I brought in the image the next day after having pulled the details of the image right out of the packet traffic and recomposed it into a data file. Now it's even easier, but then I had to make my own tool. – AJ Henderson Feb 21 '13 at 18:06
  • The all-time favorite time saver... You come across an image that's displayed at full resolution on the web... You're running Windows 7... Easier than rubber-banding a lamb for wetherization purposes, we give you the Snipping tool. Instantly castrates any right-click silliness or image protection silliness in one simple drag. – Fiasco Labs Feb 22 '13 at 07:32
  • @FiascoLabs: Yeppers. Shift-PrintScrn on Ubuntu for me, but same principle. However, I like my images to be perfect without any border issues :P – Manishearth Feb 22 '13 at 07:38
20

I actually think it might compromise security by a fraction. Those who are prevented by the disabling of the button would never be able to compromise the security at all. But disabling the right click might annoy someone who can get past it into doing exactly that, and by doing so break down a small barrier that might lead the person to continue hacking.

Another point is that "features" like this might lead a potential hacker to question the skills of the implementers of the site, which is also something that might entice a hacker to "check out" the implementation.

Of course this is just psychology and has nothing to do with the actual security of the site, but still a valid point, I think.

daramarak
  • Maybe a stronger support to your premise is that more code = more opportunity for bugs. – Ladadadada Feb 21 '13 at 08:47
  • In fact, I would strongly question the ability of the people who think this improves security to write other secure code. – Dorus Feb 21 '13 at 10:02
  • What exactly is in a browser's context menu that can harm the security of a *banking site* (or, for that matter, any site)? I checked mine, and there's no ‘Crack banking encryption’ option. :) If your security relies on people not downloading assets from the web server, you're getting compromised thousands of times a day — there's *no* distinction between displaying and downloading. Browsers are just complex file download engines. – Alexios Feb 21 '13 at 10:40
  • @Alexios `Inspect Element` perhaps? Or `Bookmark this page`. `:)` – user Feb 21 '13 at 15:00
  • This is absolutely ridiculous. **This** is the psychological aspect: If I find that your website prevents right clicks, I'll have a greater incentive to harm it. "Hackers" who are prevented from _"continu[ing] hacking"_ by disabling the context menu aren't able to do anything to your website anyway. – Adi Feb 21 '13 at 15:20
  • @Adnan It is more like, "this site prevents me from right clicking, I wonder why/how?" This small question might lead to investigation in the client code and suddenly: "Looks like this site is prone to SQL injections" – daramarak Feb 23 '13 at 02:39
  • @Alexios huh, I guess you need to download the Chrome H4><0r edition then. "Hack this page" totally shows up in my right click menu. – Wayne Werner May 03 '16 at 15:15
  • You indeed motivate people like me by disabling right-click.. :) – Gewure Aug 02 '17 at 13:54
8

On a banking website I see that they have disabled right-click. Does that make the site any more secure?

No. Off the top of my head:

  • you can use Greasemonkey to remove their right-click functionality on page load.

  • you can save the web page, then open it in your favorite editor.

  • you can get the web page again using wget (or any other client that gets the page without running any JavaScript).

  • you can inspect the code and contents of the page by using any web-developer extension for your browser.

Is it a good general practice?

It limits the capabilities of your browser on their website. As far as I can think of, the only thing they achieve is a poorer user experience on their website (you cannot use the full capabilities of your browser with their website) and (if we're looking at very naive website owners / managers / other people responsible) a dangerous illusion of security.

utnapistim
4

Surprisingly often, web sites foolishly aren't designed to cope with clicks on the "Back" or "Forward" browser buttons. For instance, some banking or e-commerce web sites may commit a transaction twice if you hit "Back". In such cases, there may be a case for trying to disable right-click (where these options are included in the context menu).

Gruber
  • +1 - I somehow missed your answer until right after I posted something very similar. I suspect this is the case, though obviously there are saner ways of preventing back/forward navigation from double committing a transaction. – dr jimbob Feb 21 '13 at 16:44
2

Disabling right-click has no impact on security; it's completely trivial to get around, though it alone doesn't open up any security holes.

Giving the banking web site the benefit of the doubt -- there possibly could be a non-security effect that they intended from disabling right click. They may want to prevent users from accidentally doing unintended actions on the banking website.

For example, you may be familiar with websites that say "only press submit once" to prevent the form being double submitted. If you press submit twice, then you may initiate a money transfer twice, which was not what you intended. Granted, there are much saner ways of accomplishing this (giving each action a unique ID before it's submitted and only processing a request once, etc.).

Or maybe they have set up the site that if you load a page, visit another page, and press the back button in your browser to go to the original page (versus navigating through their website), the previously visited page will no longer work (e.g., there's a token that expired once you visited a new page). Maybe they feared you would navigate away from a site, and an attacker could then use the computer after you press back a couple of times and get to your banking information. (Again, not the sanest method of accomplishing this goal, versus say a session timeout after 5 minutes of inactivity and encouraging people to logout and not use public computers).

dr jimbob
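The "unique ID per action, processed once" defence that the answers above call the saner alternative, as an added example that is not part of any post here or of any bank's code: the server issues a one-time transaction token when it renders the transfer form and honours that token at most once, so a double-clicked submit or a Back-button resubmission cannot move the money twice. The class name, the ledger and the account names are constructed for illustration.

```python
import secrets
import time


class TransferService:
    """Server-side guard against double-submitted transfers (constructed example).

    Each rendered form gets a fresh, unguessable transaction ID. The first
    request carrying that ID is executed; any later request with the same ID
    (double click, Back/Forward resubmission, retry) gets the recorded result
    instead of a second transfer.
    """

    def __init__(self, ttl_seconds=300):
        self._pending = {}    # txn_id -> (owning account, issued_at)
        self._completed = {}  # txn_id -> result of the first execution
        self._ttl = ttl_seconds
        self.balances = {"alice": 100, "bob": 0}  # constructed sample ledger

    def issue_token(self, account, now=None):
        """Called when the transfer form is rendered; returns the one-time ID."""
        now = time.time() if now is None else now
        txn_id = secrets.token_urlsafe(16)  # 128 bits, not guessable
        self._pending[txn_id] = (account, now)
        return txn_id

    def transfer(self, txn_id, account, dest, amount, now=None):
        """Handle a submitted form. Returns (outcome, result)."""
        now = time.time() if now is None else now
        if txn_id in self._completed:            # replay: do not execute again
            return ("replay", self._completed[txn_id])
        pending = self._pending.pop(txn_id, None)  # consume the token atomically
        if pending is None:                      # never issued, or already consumed
            return ("unknown", None)
        owner, issued_at = pending
        if owner != account or now - issued_at > self._ttl:
            return ("rejected", None)            # wrong session or stale form
        if self.balances.get(account, 0) < amount:
            result = "insufficient funds"
        else:
            self.balances[account] -= amount
            self.balances[dest] = self.balances.get(dest, 0) + amount
            result = "ok"
        self._completed[txn_id] = result         # remember so replays are idempotent
        return ("executed", result)
```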
1

No. If you need things to be secure, don't trust anything on the client side.

As an example, if you do only client side validation in a website which needs more security, you are going to fail. Do both validations, server and client.

And the main thing is: providing security doesn't mean the stuff is completely secured. It increases the time needed to break into the system. By disabling right click, the time to break in can be increased by a second or two ;)

user827918
0

The only conceivable benefit I could think this could offer would be if they are expecting the casual user to do something stupid that would require a right click. I am not aware of any attack vectors where right clicking on something would cause an exploit to be able to occur though, so I don't see any valid security explanation for this behavior. Perhaps they don't want the user to copy and paste some information and hope the user doesn't know about ctrl-c and ctrl-v?

AJ Henderson
0

It is probably intended to make life more difficult for phishing attacks. The idea would be that an attacker needs to create a convincing fake page, and to do so he will naturally try to save images from the real web page, so making it marginally harder to get to the image must be a good thing, right?

Obviously it is completely ineffective and contributes only negative usability, but I'm assuming that's the thinking as I've seen sec products claim that protecting against downloading public web assets has some kind of worth against phishing.

bobince
0

Yes, “disabling” right click does have an impact on security.

“Disabling” right click entices users like me into turning off JavaScript. So all the other — rather poor — security measures implemented in JavaScript get shut down as well.

That is what I call counter-productive security.

[“Disabling” right click is not really disabling right click. It is trying to disable right click, and it just makes right click more difficult. Some Web browsers even have the option to just ignore this absurd annoyance.]