Page 1: All-In-One Edition Chapter 15 – Web Components
Brian E Brzezicki
Page 2: Web Components (443)
Believe it or not, the web did not exist until about 1993. A few years later (about 1995) the commercialization of the Internet began. Web browsers allow us to access information in a quick, easy and universal way.
The protocol of the web is called HTTP, the Hypertext Transfer Protocol, which transfers HTML documents as well as other file formats.
Page 3: HTTP (TCP port 80) is the protocol for web communications. Unfortunately there are 2 problems with HTTP:
• No encryption
• No authentication of the remote server
There are many useful web applications, for example online banking. Can anyone see why the top 2 issues are VERY problematic?
Page 5: How does SSL work (447)
1. Client sends SSL version and cipher settings
2. Server responds, including its digital certificate
3. Client verifies the server is who it says it is (NOTE
6. Client and server use the seed value to generate a master key, which will be used to encrypt the session's traffic
Page 6: Once this handshake is completed we have verified that the server is who he says he is AND we have exchanged keys for symmetric encryption. This "handshake" is the CPU-intensive part of SSL communications, NOT the actual encryption.
Page 7: Digital Certificates
Let's take a quick look around an HTTPS connection.
Go to https://www.redhat.com using Firefox.
Click on the yellow lock, view certificate.
What are some of the fields you see here?
Click on "Details" and look at the Certificate Hierarchy. What is this all about?
(more)
Page 9: SSL thoughts
What is mutual authentication?
Should you provide authentication via a certificate to a web server? Why or why not? What uses could this serve?
Page 10: SSL closing thoughts
SSL provides encryption and authentication.
SSL uses RC4 and 3DES for symmetric encryption but can use other algorithms.
SSL uses MD5 or SHA for digital signature hashing.
SSL came first; it was embraced by the IETF in 1996, and TLS v1 was equivalent to SSL v3.
SSL protects against man-in-the-middle attacks (however that was just defeated).
Page 11: SSL Closing Thoughts
Sites can get an "extended" certificate, which is a much more thorough process and costs more money to get from
Page 12: Other Network Services
Page 15: Client-side software
Page 16: Cookies
Page 17: Cookies (462)
What is a cookie?
What is it used for?
Can cookies give you viruses?
Let’s look at a cookie
Page 19: Cookies (462)
The point of cookies is to add state to a stateless protocol. Cookies can inform the web browser of your preferences or what "steps" you are in a session. Without cookies or other dynamic input, the web would be a boring place.
There are two types of cookies (explain):
• First-party cookies
• Third-party cookies
(more)
Page 20: Cookies (462)
• Cookies do NOT spread viruses, malware etc.
• Cookies can be used to hold preferences
• Cookies can be used to provide a "session" for a web application
• Cookies can show some type of browsing history if stolen
• You can turn off cookies in your browser, but most websites will be useless if you do.
There are a lot of misconceptions regarding cookies; does anyone have any questions about cookies?
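As an added illustration of the two cookie slides above (not part of the lecture), the following Go program parses Set-Cookie headers with the same parser a Go HTTP client uses and flags the attributes a defender checks: whether a cookie is sent only over HTTPS (Secure), whether page scripts can read it (HttpOnly), and whether its Domain makes it first- or third-party relative to the page being viewed. The sample headers and host names are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// isFirstParty reports whether cookieDomain is the page's own host or a
// parent of it (".example.com" for www.example.com); anything else makes
// the cookie third-party.
func isFirstParty(pageHost, cookieDomain string) bool {
	d := "." + strings.TrimPrefix(strings.ToLower(cookieDomain), ".")
	return strings.HasSuffix("."+strings.ToLower(pageHost), d)
}

// AuditSetCookies parses raw Set-Cookie values with net/http's own parser
// and returns, per cookie name, the issues found: missing Secure (also
// sent over plain HTTP), missing HttpOnly (readable by page scripts), or
// a Domain outside the site being viewed (third-party).
func AuditSetCookies(pageHost string, headers []string) map[string][]string {
	resp := &http.Response{Header: http.Header{}}
	for _, h := range headers {
		resp.Header.Add("Set-Cookie", h)
	}
	findings := map[string][]string{}
	for _, c := range resp.Cookies() {
		var issues []string
		if !c.Secure {
			issues = append(issues, "missing Secure")
		}
		if !c.HttpOnly {
			issues = append(issues, "missing HttpOnly")
		}
		if c.Domain != "" && !isFirstParty(pageHost, c.Domain) {
			issues = append(issues, "third-party: "+c.Domain)
		}
		if len(issues) > 0 {
			findings[c.Name] = issues
		}
	}
	return findings
}

func main() {
	// Constructed sample headers, not captured from any real site.
	fmt.Println(AuditSetCookies("www.example.com", []string{
		"SESSIONID=abc123; Path=/; Secure; HttpOnly",
		"prefs=theme=dark; Path=/",
		"trk=42; Domain=ads.tracker.invalid; Secure",
	}))
}
```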
Page 21: JavaScript (457)
• Developed by Netscape
• Runs in the web browser to help create interactive features
• Code goes between <script> and </script> tags
• Transmits information to the web server
• Can perform tasks outside the user's control
Page 22: Simple JavaScript code
Page 23: JavaScript security holes
• Vulnerabilities
  – Monitoring web browsing
  – Bugs in browsers
    • JavaScript garbage collector
  – Reading browser preferences – yes, JavaScript can do this
  – Reading cookies
• Safeguards
  – Patches for browsers
  – Disable JavaScript in the browser
Page 24: ActiveX (459)
• Developed by Microsoft
• Links desktop apps with Web content
• Components triggered by HTML scripts
• Can do anything on the system
Page 25: ActiveX vulnerabilities and safeguards (459)
• Vulnerabilities
  – Potential for harmful code
  – Attacker might gain access to passwords or confidential information
  – Attacker may do bad things on your computer
• Safeguards
  – Patches
  – Disable ActiveX scripting
  – Configure how ActiveX responds
    • Enable
    • Disable
    • Prompt
Page 26: Java
Page 27: Java applets (457)
What is Java, what is the purpose and history of Java?
• Work on most clients
• Typically stored on Web server and downloaded to client
• Can be standalone or web based (applet)
• JAVA and JAVASCRIPT are COMPLETELY different and NOT related (the book on 457 is completely wrong on this)
Page 28: Signed and unsigned applets (465)
• Downloading code from the Internet to run on your computer… sound dangerous? Would you let a stranger just put a disk in your computer and run whatever programs they wanted? Software signing is very important as we move to network-distributed software. Microsoft's version of software signing is called "Authenticode".
(more)
Page 29: Signed and Unsigned Applets (465)
• Unsigned applet
  – No way to confirm code source
  – No way to know if it was changed
  – Sandbox model (Java)
• Signed applet
  – Digital signature
  – Proves applet was unaltered from source
  – Avoids sandbox restrictions (Java)
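The following Go program is an added example (not from the lecture or the textbook) of what signing gives a client on the two slides above: a publisher signs the code bytes, and the client's check fails as soon as a single byte changes or a different key produced the signature. Raw Ed25519 keys stand in for the X.509 certificates that Authenticode and Java applet signing actually distribute; the applet bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Publisher holds a vendor's private signing key and the public key that
// is distributed to clients (in real code signing, inside an X.509
// certificate; raw Ed25519 keys stand in for that here).
type Publisher struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{priv: priv, Pub: pub}, nil
}

// Sign produces a detached signature over the SHA-256 digest of the code.
func (p *Publisher) Sign(code []byte) []byte {
	digest := sha256.Sum256(code)
	return ed25519.Sign(p.priv, digest[:])
}

// Verify is the client-side check before running downloaded code: any
// altered byte, or a signature made with a different key, makes it fail.
func Verify(pub ed25519.PublicKey, code, sig []byte) error {
	digest := sha256.Sum256(code)
	if !ed25519.Verify(pub, digest[:], sig) {
		return errors.New("signature invalid: code altered or signer unknown")
	}
	return nil
}

func main() {
	vendor, _ := NewPublisher()
	applet := []byte("class Hello {} // constructed sample applet bytes")
	sig := vendor.Sign(applet)
	fmt.Println("original:", Verify(vendor.Pub, applet, sig))
	applet[0] = 'X' // tamper with one byte after signing
	fmt.Println("tampered:", Verify(vendor.Pub, applet, sig))
}
```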
Page 30: Signed applets (465)
Should you ever run an unsigned ActiveX control?
Are you safe running an unsigned Java applet?
If an applet or ActiveX control is signed by someone, is it safe to run?
What does signing applets provide as far as security goes?
Page 31: Browser Security
Page 32:
• Don't save passwords in your browser
• Don't save your history
• Turn off pop-ups
• Turn off phishing filters
• You can disable cookies… though beware, your browsing experience will suffer…
(more)
Page 33: Browser Security
Page 37: Browser Security (IE) (461)
• If using IE, IE has "zones" where you can set specific browser security features on a zone-by-zone level
• If using IE, set your "Internet" zone to medium-high or high (high is best)
• If using IE, turn off all unsigned ActiveX controls; better yet, turn off ActiveX altogether (see next slide)
Page 38: IE
Page 39: Server-based software
Page 40: CGI (461)
Quick history of CGI…
• Typically two parts
Page 41: Form submission
Page 42: CGI
CGIs pass variables after the URL, separated with &. Example:
http://www.server.com/login.cgi?username=brian&password=mypassword
This method is called a "GET"… why can this be bad?
Variables can also be passed outside of the URL using a "POST".
Page 43: CGI vulnerabilities and safeguards (461)
• Vulnerabilities
  – Input from browser executed on server
• Safeguards
  – IDS, access filtering, screening
  – Check input before processing
  – Validate script security
  – Carefully test script before placing on web server
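As an added example for the two CGI slides above (not the lecture's own code), this Go program handles the slide's login URL the way a careful CGI should: it validates the username against an allowlist before any processing, and it redacts the password before the request line reaches an access log, which is the main reason passing credentials with GET is bad. The allowlist pattern and the list of sensitive parameter names are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Allowlist for usernames: letters, digits, dot, dash, underscore, 1-32 chars.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9._-]{1,32}$`)
// Query parameters that must never reach an access log in clear text.
var sensitiveParams = map[string]bool{"password": true, "passwd": true, "token": true}

// ParseLogin extracts and validates the login fields from a GET request URL.
func ParseLogin(rawURL string) (string, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	user, pass := u.Query().Get("username"), u.Query().Get("password")
	if !usernameRe.MatchString(user) {
		return "", "", errors.New("username rejected by allowlist")
	}
	if pass == "" {
		return "", "", errors.New("password missing")
	}
	return user, pass, nil
}

// RedactURL masks sensitive query values so the request line can be logged
// without storing the credentials that a GET places in the URL.
func RedactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "[unparseable URL]"
	}
	q := u.Query()
	for k := range q {
		if sensitiveParams[k] {
			q.Set(k, "REDACTED")
		}
	}
	u.RawQuery = q.Encode()
	return u.String()
}

func main() {
	req := "http://www.server.com/login.cgi?username=brian&password=mypassword"
	fmt.Println(ParseLogin(req))
	fmt.Println(RedactURL(req))
}
```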
Page 44: Chapter 15 - Review
Q: What is a cookie, and what are some important things in a cookie?
Q: Using SSL for a website provides what security advantages?
Q: Can you use SSL to protect other network services such as IMAP?
Q: What is the purpose of application signing?
Page 45: Chapter 15 - Review
Q: What restrictions does Java place on unsigned applications?
Q: Where does a CGI program run?
Q: What is a weakness of FTP?
Q: What protocol port does HTTP use? HTTPS?