18-jan-96 2. ETH-W4 (ra) 1 security on the Web security authentication privacy

security on the Web

- security
- authentication
- privacy


security on the Web

two "types" of security:

1. prevent attacks against Web clients and Web servers
2. guarantee private data exchange


security on the Web

threats to your Web client:

- can you trust your browser?
- does your browser allow execution of scripts? (I'm not talking about Java)
- can you trust your helper applications?


security on the Web

threats to your Web server:

- do not run the httpd as root!
- make sure the script directory is well protected!
- scripts must not allow uncontrolled execution of shell commands!


security on the Web

threats to your Web server (cont.):

- turn off server side includes!
- beware security holes in httpd!
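As an added example (not from the original slides), the point about uncontrolled shell commands in Python: a hypothetical CGI-style lookup script in its vulnerable form, which pastes the client's input into a shell command line, beside the hardened form, which validates the input against a whitelist and passes an argument vector to the program with no shell in between. `echo` stands in for the external program (an assumption, so the example runs without side effects), and `check_not_root` illustrates the "do not run the httpd as root" point: the damage an injected command can do is bounded by the uid the script runs under, so refuse to serve at all when that uid is 0.

```python
import os
import re
import subprocess

# Hypothetical CGI lookup (the classic 1990s case was a finger or mail
# gateway). `echo` replaces the real program so the example runs anywhere
# without side effects; this is an assumption of the example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def lookup_vulnerable(user: str) -> str:
    """Build the command line by string concatenation and hand it to /bin/sh.

    Everything the client put into `user` is parsed by the shell, so
    metacharacters such as ';', '|', '`' or '$(...)' run additional
    commands with the privileges of the httpd.
    """
    cmd = "echo finger " + user  # DON'T: untrusted data in a shell string
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(user: str) -> str:
    """Whitelist-validate the input and exec the program directly.

    The argument vector goes straight to execve(); no shell ever sees it,
    so there is nothing for metacharacters to do even if validation were
    loosened later.
    """
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("invalid user name")
    result = subprocess.run(["echo", "finger", user], capture_output=True, text=True)
    return result.stdout


def check_not_root(euid: int) -> None:
    """Refuse to serve if the script (i.e. the httpd) runs with uid 0."""
    if euid == 0:
        raise PermissionError("refusing to run CGI scripts as root")


if __name__ == "__main__":
    check_not_root(os.geteuid())
    payload = "alice; echo PWNED"  # constructed attacker input
    print("vulnerable:", repr(lookup_vulnerable(payload)))
    try:
        lookup_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
    print("hardened  :", repr(lookup_hardened("alice")))
```

With the constructed payload the vulnerable function returns two lines, the second produced by the injected command; the hardened function rejects the same input before any process is started.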


security on the Web

"non technical" threats:

a malicious server may attract your attention and make you

- use a bad helper application!
- enter sensitive data!


authentication on the Web

might be useful to:

- identify a Web server or Web client
- authenticate a buyer who submits an order
- identify the author of an important document


privacy on the Web

might be required, if:

- sensitive data is transferred (e.g. a credit card number or a password)


more security on the Web

simple means to improve security on the Web:

- basic authentication
- IP based access control
- combination of the above
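As an added example (not from the original slides), the three "simple means" in Python: parsing an HTTP Basic `Authorization` header, checking the password against a salted digest in constant time, checking the client address against an allowed network, and the "combination" rule that requires both. The user table, realm and network ranges are constructed for the example (the ranges are the documentation nets 192.0.2.0/24 and 198.51.100.0/24). The caveat the slide does not spell out is visible in `parse_basic`: Basic credentials are only base64-encoded, so anyone who sees the request can recover the password the same way the server does, which is why the next slides' secure network layer matters; and IP based control only checks where a packet claims to come from.

```python
import base64
import binascii
import hmac
import ipaddress
from hashlib import sha256
from typing import Optional, Tuple

REALM = "ETH-W4"  # hypothetical realm
_SALT = b"static-demo-salt"  # constructed; use a random per-user salt in real use
USERS = {  # constructed user table: store a salted digest, never the cleartext
    "alice": sha256(_SALT + b"correct horse").hexdigest(),
}
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed allow-list


def basic_header(user: str, password: str) -> str:
    """Build the header value a browser sends. Note: encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()


def parse_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization' value, or None if malformed.

    Anyone on the path can run this same decode on a sniffed request.
    """
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison of salted digests.

    The digest is computed even for unknown users so response time does
    not reveal which user names exist.
    """
    expected = USERS.get(user)
    actual = sha256(_SALT + password.encode("utf-8")).hexdigest()
    return expected is not None and hmac.compare_digest(actual, expected)


def ip_allowed(client_ip: str) -> bool:
    """IP based access control: is the (claimed) source address in an allowed net?"""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def authorize(client_ip: str, auth_header: Optional[str]) -> int:
    """Combination of the above: both checks must pass.

    Returns the HTTP status the server would send: 403 for a disallowed
    network, 401 (with WWW-Authenticate: Basic realm=REALM) for missing or
    wrong credentials, 200 otherwise.
    """
    if not ip_allowed(client_ip):
        return 403
    creds = parse_basic(auth_header) if auth_header else None
    if creds is None or not check_password(*creds):
        return 401
    return 200


if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse")
    print("header on the wire:", hdr)
    print("what a sniffer recovers:", parse_basic(hdr))
    for ip, h in [("192.0.2.10", hdr), ("198.51.100.7", hdr), ("192.0.2.10", None)]:
        print(ip, authorize(ip, h))
```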


more security on the Web

more sophisticated means to improve security on the Web:

- data encryption (U.S. export restrictions apply!)
- Pretty Good Privacy (PGP)
- secure network layer (SSL, PCT)


more security on the Web

more sophisticated means to improve security on the Web (cont.):

- Kerberos based encryption
- message digest (public domain!)
- smart tokens (PCMCIA cards)


more security on the Web

open problems:

- U.S. export restrictions on encryption algorithms with large keys!
- different approaches (applications with security features vs. secure network layer)
- reliable key distribution (e.g. PGP)


more security on the Web

what I expect:

- there WILL be more security on the Web (commercialization!)
- various implementations (e.g. Netscape's SSL, Microsoft's PCT)
- we might end up with the same problems as with HTML (chaos!)

security on the Web

for more information, see trip report:

http://www.ra.ethz.ch/WWW/WWW4/tutorial_H.html

can be found via “ETHZ Web related information” on ezInfo homepage.