Web Security


Web Security
A how-to guide on keeping your website safe.
By: Robert Black
What We Will Cover:
• Cookies
• Active-X controls
• Java Applets
• Ways to secure your Computer
Web sites use cookies for several different reasons:
1. To collect demographic information about
who is visiting the Web site. Sites often use
this information to track how often visitors
come to the site and how long they remain
on the site.
2. To personalize the user's experience on the
Web site. Cookies can help store personal
information about you so that when you
return to the site you have a more
personalized experience.
Cookies have six parameters that can be passed to them:
• The name of the cookie.
• The value of the cookie.
• The expiration date of the cookie - this determines how long the
cookie will remain active in your browser.
• The path the cookie is valid for - this sets the URL path the cookie
is valid in. Web pages outside of that path cannot use the cookie.
• The domain the cookie is valid for - this takes the path parameter
one step further. This makes the cookie accessible to pages on any
of the servers when a site uses multiple servers in a domain.
• The need for a secure connection - this indicates that the cookie
can only be used under a secure server condition, such as a site
using SSL.
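The six parameters in action, as an added example that is not part of the original slides: the first function parses a Set-Cookie header into name, value, expiration, path, domain and the Secure flag; the second decides whether a browser would send that cookie with a given request URL (a simplified form of the RFC 6265 matching rules). The header and host names below are constructed samples.

```javascript
// Added example, not from the original slides: parse a Set-Cookie header into the six
// parameters listed above, then decide whether a browser would attach the cookie to a
// request. Scope checks are a simplified form of the RFC 6265 matching rules.
function parseSetCookie(header, setHost) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    expires: null,                 // null: session cookie, dropped when the browser closes
    path: "/",
    domain: null,                  // null: host-only, returned only to setHost
    secure: false,
    setHost: setHost.toLowerCase(),
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split("=");
    const v = rest.join("=").trim();
    switch (k.trim().toLowerCase()) {
      case "expires": cookie.expires = new Date(v); break;
      case "path": cookie.path = v.startsWith("/") ? v : "/"; break;
      case "domain": cookie.domain = v.replace(/^\./, "").toLowerCase(); break;
      case "secure": cookie.secure = true; break;
    }
  }
  return cookie;
}

// True only when expiry, Secure, domain and path all permit sending to requestUrl.
function wouldSend(cookie, requestUrl, now = new Date()) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  if (cookie.expires && cookie.expires <= now) return false;       // expired
  if (cookie.secure && url.protocol !== "https:") return false;     // Secure: TLS only
  const domainOk = cookie.domain
    ? host === cookie.domain || host.endsWith("." + cookie.domain)  // domain + subdomains
    : host === cookie.setHost;                                      // host-only cookie
  if (!domainOk) return false;
  const p = url.pathname;                                           // path-match: exact, or
  return p === cookie.path ||                                       // prefix on a "/" boundary
    (p.startsWith(cookie.path) &&
      (cookie.path.endsWith("/") || p[cookie.path.length] === "/"));
}

// Constructed sample: a login cookie scoped to /account on any example.com host.
const sample = parseSetCookie(
  "session=abc123; Path=/account; Domain=example.com; Secure; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
  "www.example.com"
);
```

Note that the Secure flag is what keeps the cookie off plain HTTP requests; without it the same cookie would be sent in the clear to any example.com host.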
Understanding Cookies
• Cookies do not act maliciously on computer
systems. They are merely text files that can
be deleted at any time - they are not plug-ins
nor are they programs. Cookies cannot be
used to spread viruses and they cannot
access your hard drive.
• This does not mean that cookies are not
relevant to a user's privacy and anonymity on
the Internet. Cookies cannot read your hard
drive to find out information about you.
• However, any personal information that you
give to a Web site, including credit card
information, will most likely be stored in a
cookie unless you have turned off the cookie
feature in your browser. In only this way are
ActiveX Controls
• ActiveX was developed by Microsoft. It is
supported in Microsoft's Internet Explorer,
and an ActiveX plug-in is available for
Netscape Navigator.
Understanding ActiveX
• ActiveX security relies entirely on human judgment. ActiveX
programs come with digital signatures from the author of the
program and anybody else who chooses to endorse the
program. Think of a digital signature as being like a person's
signature on paper. Your browser (in theory) can look at a
digital signature and see whether it is genuine, so you can
know for sure who signed a program.
• Once your browser has verified the signatures, it tells you who
signed the program and asks you whether or not to run it. You
have two choices: either accept the program and let it do
whatever it wants on your machine, or reject it completely.
• ActiveX security relies on you to make correct decisions about
which programs to accept. If you accept a malicious program,
you are in big trouble.
Understanding ActiveX
• The main danger in ActiveX is that you will make the wrong decision
about whether to accept a program. One way this can happen is that
some person you trust turns out not to deserve that trust. The most
dangerous situation, though, is when the program is signed by
someone you don't know anything about. You'd really like to see
what this program does, but if you reject it you won't be able to see
anything. So you rationalize: the odds that this particular program is
hostile are very small, so why not go ahead and accept it? After all,
you accepted three programs yesterday and nothing went wrong. It's
just human nature to accept the program.
• Even if the risk of accepting one program is low, the risk adds up
when you repeatedly accept programs. And when you do get the
one bad program, there is no limit on how much damage it can do.
• The only way to avoid this scenario is to refuse all programs, no
matter how fun or interesting they sound, except programs that
come from a few people you know well. Who has the self-discipline
to do that?
How can I lower my risk?
• Think very carefully before accepting a
digitally signed program. How competent
and trustworthy is the signer?
• Use up-to-date browser versions, and
install the security patches offered by your
browser vendor.
• Never surf the Web on a computer that
contains highly sensitive information like
medical records.
Java Applets
• Java was developed by JavaSoft, a
division of Sun Microsystems. Java is
supported by both of the major browsers,
Netscape Navigator and Microsoft Internet
Explorer.
Understanding Java
• Java security relies entirely on software
technology.
• Java accepts all downloaded programs and runs
them within a security "sandbox". Think of the
sandbox as a security fence that surrounds the
program and keeps it away from your private
data. As long as there are no holes in the fence,
you are safe.
• Java security relies on the software
implementing the sandbox to work correctly.
Understanding Java
• The main danger in Java comes from the complexity of the software
that implements the sandbox. Common sense says that complicated
technology is more likely to break down than simple technology.
Java is pretty complicated, and several breakdowns have happened
in the past. If you're the average person, you don't have the time or
the desire to examine Java and look for implementation errors. So
you have to hope the implementers did everything right. They're
smart and experienced and motivated, but that doesn't make them
infallible.
• When Java security does break down, the potential consequences
are just as bad as those of an ActiveX problem: a hostile program
can come to your machine and access your data at will.
How can I lower my risk?
• Think very carefully before accepting a
digitally signed program. How competent
and trustworthy is the signer?
• Use up-to-date browser versions, and
install the security patches offered by your
browser vendor.
• Never surf the Web on a computer that
contains highly sensitive information like
medical records.
Ways to Secure your Computer:
• Delete Your Cookie Folder Consistently
• Delete Your Internet File Folder Consistently
• Clear Your History Consistently
Credits