Вы находитесь на странице: 1из 32

Web Security and SSL

By
Xuehua Liu
Heathermarie Mona
Introduction
 Introduction
 Web Security
 Secure Sockets Layer (SSL)
 Tips for Your Web Security
 Questions
Web Security: Client Side Security
 Risks:
 Crashes the browser, damages the user's system,
breaches the user's privacy, or merely creates an
annoyance.
 The misuse of personal information knowingly or
unknowingly provided by the end-user.
Web Security: Client Side Security
 Active content, such as ActiveX controls and
Java applets:
 Introduces the possibility that Web browsing will
introduce viruses or other malicious software into
the user's system,
 by web browsers providing a pathway to bypass the
firewall system and enter the local area network.
Web Security: Client Side Security
 Even without active content:
 Still introduces the possibility of releasing personal
information,
 the very act of browsing leaves an electronic record of
the user's surfing history, from which unscrupulous
individuals can reconstruct a very accurate profile of the
user's tastes and habits.
Web Security: Server Side Security
 Risk: Allow unauthorized remote users to:
 Steal confidential documents.
 Execute commands on the server host machine to
modify the system.
 Gain information about the Web server's host
machine to break into the system.
 Launch denial-of-service attacks, rendering the
machine temporarily unusable.
Web Security: Server Side Security
 Bugs in the Web server
Maxims:
 Buggy software opens up security holes;
 Large, complex programs contain bugs;

And,
 Web servers are large, complex programs.
Web Security: Server Side Security
 Misconfiguration problems in the Web server
 A poorly configured Web server can punch a hole
in the most carefully designed firewall system.
 Open architecture of Web servers
 It allows arbitrary CGI scripts to be executed on
the server's side of the connection in response to
remote requests.
Web Security:
CGI(Common Gateway Interface) Script
 Any CGI script installed at your site may contain
bugs; every such bug is a potential security hole.
 CGI scripts can present security holes in two
ways:
 They may intentionally or unintentionally leak
information about the host system that will help
hackers break in.
 Scripts that process remote user input may be
vulnerable to attacks in which the remote user tricks
them into executing commands.
Web Security:
Security of Data in Transmission
 Risk: Interception of network data sent from
browser to server or vice versa via network
eavesdropping.
 Eavesdroppers can operate from any point on the
pathway between browser and server .
 Reason: The TCP/IP protocol was not
designed with security in mind; hence it is
vulnerable to network eavesdropping.
Secure Sockets Layer (SSL)

 SSL is the most used security protocol for


authentication on the Web.

 SSL secures data exchange between a client and


a server by encrypting it.
SSL Protocol
 SSL runs above TCP/IP and below higher-level
protocols such as HTTP or IMAP
 It uses TPC/IP on behalf of the higher-level
protocols and allows:
 SSL-enabled server to authenticate itself to an SSL-
enabled client
 Client to authenticate itself to the server
 Both machines to establish an encrypted connection
SSL runs above TCP/IP and below high-
level applications
SSL protocol provides 3 main things:

 End Point Authentication


 The server is the actual party you wish to communicate with,
not someone faking their identity.
 Message Integrity
 The data exchange with the server has not been modified
along the way. If it is, it can be easily detected.
 Confidentiality
 Data is encrypted. A hacker cannot read your information by
simply looking at the packets on the network.
SSL Certificates
 SSL relies on certificates (digital authentication
cards) and keys
 Certificates include:
 Name if the certificate authority that issued the certificate
 Name of the entity to which the certificate was issued

 Entity’s public key

 Time stamps that indicate the certificate’s expiration date


SSL Keys
 Two types of keys are used as ciphers to encrypt and
decrypt data
 Private keys
 Issued to entities and are never given out
 Public keys
 Made public by distributing it widely
 Both keys are necessary for authentication routines
 Data encrypted with the public key cannot be decrypted
with the same key: the private key must be used
SSL-enabled client authenticates a server’s identity
SSL-enabled server authenticates a user’s identity
How SSL works
 Secure Web pages feature “https” in their URL
instead of the usual “http”
 The browser sees the https in the URL and
initiates a connection to the SSL port on the
Web server
 The browser and the server begin the handshake
phase
Handshake Phase
1. The server sends its digital certificate to the
client (browser).

2. The browser accepts the server’s certificate. A


collection of trusted certificate issuers, called
certification authorities, comes pre-loaded in
popular browsers.
Handshake Phase (cont.)
3. The server and the browser negotiate which
algorithms to use for encryption. They also
decide on a Message Authentication Code
(MAC) algorithm to use, which provides data
integrity protection.
Handshake Phase (cont.)
4. The browser now generates two random
numbers, one for encryption, and the other for
use in the MAC. The browser then encrypts
each of these random numbers with the server’s
public key (obtained from the certificate), and
sends the result to the server.
Handshake Phase (cont.)
5. Since the server holds the private key
corresponding to its public key, it decrypts the
random numbers successfully. Now both the
client and the server have common keys.

The handshake is now complete: the server is


authenticated and any information exchanged
between the brower and the server is protected.
Data Transfer
 Client and server now communicate using the
SSL Record Protocol
 The SSL Record Protocol defines a message
format to exchange encrypted data, along with
the corresponding MAC
 The Record Protocol uses the algorithms from
the handshake phase to encrypt the data and
adds integrity protection through the MAC
Data Transfer (cont.)
 If a client surfs to a protected page, the server
finds that page, lets the SSL Record encrypt and
protect the page, and sends it to the browser
 The browser decrypts the page and checks its
integrity before displaying it to the user
 The result is secure data transfer
SSL Uses
 SSL enables secure communication on an
insecure network such as the Internet
 Most web-based online purchases and monetary
transactions are now secured by SSL
 Online banking
 Credit card purchases
Advantages
 SSL it already built into browsers.
 There is no need to install extra software
 The server the user wants to connect to has no
significant reduction in speed.
 SSL was developed with server performance in mind.
 SSL can be used as an alternative for Virtual Private
Network (VPN).
 VPN creates a virtual pipeline from a client directly to the
server.
 SSL secures data transmitted through the web to the server.
Disadvantages
 The firewall cannot see the real content of the
real content of the data, because it’s encrypted.
 It is possible to hide a virus in the data transmitted.
 SSL security depends almost entirely upon the
client.
 If the random numbers created by the client aren’t
random enough, the session is subject to decryption
because an attacker could “guess” the key.
Tips for Your Web Security
 Risks can be minimized by always using the most
recent browser version and by only accepting transfers
from sites you trust.
 A fixed IP address is a larger security risk.
 Like cable, ADSL, fixed line
 A modem with a dial-up connection is better.

 For users of Windows 2000, 95, 98, or Me:


 First, disable NetBIOS over TCP/IP;
 Second, disable the TCP/IP Bindings to Client for
Microsoft Networks and File and Printer Sharing (use the
NetBEUI protocol instead );
 Finally, restart your computer after the changes.
Questions

 What areas can go wrong concerning web


security?
 Client
 Server
 CGI Script
 During Data Transmission

 What 3 main things does SSL provide?


 End Point Authentication
 Message Integrity
 Confidentiality
Thank You!
CGI Scripts
 CGI "scripts" are just scripts which use CGI. CGI is often
confused with Perl, which is a programming language, while CGI
is an interface to the server from a particular program. Perl is an
application of CGI, as well as MIVA, Python, PHP3, and other
scripting languages.
 CGI - (Common Gateway Interface) -- A set of rules that
describe how a Web Server communicates with another piece of
software on the same machine, and how the other piece of
software (the 'CGI program') talks to the web server. Any piece
of software can be a CGI program if it handles input and output
according to the CGI standard.
 Usually a CGI program is a small program that takes data from a
web server and does something with it, like putting the content
of a form into an e-mail message, or turning the data into a
database query.
 Example link: http://www.pshap.com/cgiex.shtml BACK