Security On The Web Essay

This essay has a total of 2689 words and 13 pages.

Security On The Web


Security on the Web, By Sina



How do you secure something that is changing faster than you can fix it? The Internet has
had security problems since it's earliest days as a pure research project. Today, after
several years and orders of magnitude of growth, it still has security problems. The
Internet is being used for a purpose for which it had never intended to be used for. It is
somewhat ironic that the early Internet was design as a prototype for a high-availability
command and control network that could resist outages resulting from an enemy attack, yet
it cannot resist college undergraduates. The problem is that the attackers are on, and
make up apart of, the network they are attacking. Designing a system that is capable of
resisting attack from within, while still growing and evolving at a rapid pace, is
probably impossible. Deep infrastructure changes are needed, and once you have achieved a
certain amount of size, the sheer inertia of the installed base may make it impossible to
apply fixes.


The challenge for the security industry is growing. With the electronic commerce spreading
over the Internet, there are new issues being developed everyday such as non-repudiation
that will need to be solved. Financial institutions will have both technical concerns,
such as the security of a credit card number or banking information, and legal concerns
for holding individuals responsible for their actions such as their purchases or sales
over the Internet. Issuance and management of encryption keys for millions of users will
pose a new type of challenge.


While some technologies have been developed, only an industry-wide effort and cooperation
can minimize risks and ensure privacy for users, data confidentiality for the financial
institutions, and non-repudiation for electronic commerce.


With the continuing growth in linking individuals and businesses over the Internet, some
social issues are starting to surface. The society may take time in adapting to the new
concept of transacting business over the Internet. Consumers may take time to trust the
network and accept it as a substitute for transacting business in person. Another class of
concerns relates to restricting access over the Internet. Preventing distribution of
pornography and other objectionable material over the Internet has already been in the
news. We can expect new social hurdles over time and hope the great benefits of the
Internet will continue to override these hurdles through new technologies and
legislations.


The World Wide Web is the single largest, most ubiquitous source of information in the
world, and it sprang up spontaneously. People use interactive Web pages to obtain stock
quotes, receive tax information from the Internal Revenue Service, check the local
weather, consult a pregnancy planner to determine ovulation dates, conduct election polls,
register for a conference, search for old friends, and the list goes on. It is only
natural that the Web's functionality, popularity, and ubiquity have made it the seemingly
ideal platform for conducting electronic commerce. People can now go online to buy CDs,
clothing, concert tickets, and stocks. Several companies, such as Digicash, Cybercash,
CarParts.com, and First Virtual, have sprung up to provide mechanisms for conducting
business on the Web. The savings in cost and the convenience of shopping via the Web are
immeasurable. Where as most successful computer systems resulted from careful, methodical
planning, followed by hard work, the Web took on a life of its own from the very
beginning. The introduction of a common protocol and a friendly graphical user interface
was all that was needed to ignite the Internet explosion. The Web's virtues are extolled
without end, but its rapid growth and universal adoption have not been without cost. In
particular, security was added as an afterthought.


New capabilities were added to satisfy the growing demand for features without carefully
considering the impact on security. As a general-purpose, scripts were introduced on both
the client and the server sides of the Web. It did not take long for the Web to move from
the scientific community to the commercial world. For then the dangers of accidental and
malicious abuse grew. At this point, the security threats became much more serious. The
incentive for malicious attackers to exploit vulnerabilities in the underlying
technologies is at an all-time high. This is indeed frightening when we consider what
attackers of computer systems have accomplished when their only incentive was fun and
personal enjoyment while boosting their egos. When business and profit are at stake, we
cannot assume anything less than the most dedicated and resourceful attackers typing their
utmost will and determination to steal, cheat, and perform mischievous attacks against
their pray (users of the Web).


When people use their computers to surf the Web, they have many expectations. They expect
to find all sorts of interesting information, they expect to have opportunities to shop
and they expect to be bombarded with all sorts of ads. Even people who do not use the Web
are in jeopardy of being intimidated by the Web. So when it comes down to the significant
importance of Web security it affects us all.


There are simple and advanced methods for ensuring browser security and protecting user
privacy. The more simple techniques are user certification schemes, which rely on digital
IDs. Netscape Communicator and Internet Explorer allow users to obtain and use personal
certificates. Currently, a certification company called Verisign offers digital Ids that
consist of a certificate of a user's identity. The Digital IDs are divided into different
types of classes of digital Ids, each represents a different level of assurance in the
identity, and each comes at an increasingly higher cost. The assurance is determined by
the effort that goes into identifying the person requesting the certificate.


Class 1 Digital IDs intended for casual Web browsing providing users with an unambiguous
name and e-mail address within Verisign's domain. A Class 1 ID provides assurance to the
server that the client is using an identity issued by Verisign but with little guarantee
about the actual person behind the ID.


Class 2 Digital IDs require third party confirmation of name, address, and other personal
information related to the user, and they are available only to residents of the United
States and Canada. The information provided to Verisign is checked against a consumer
database maintained by Equifax. To protect against insiders at Verisign issuing bogus
Digital IDs, a hardware device is used to generate the certificates.


Class 3 Digital IDs are not available. The purpose is to bind an individual to an
organization. Thus, a user in possession of such an ID, theoretically, could prove that he
or she belongs to the organization that employs him or her.


The idea behind Digital IDs is that they are entered into the browser and then are
automatically sent when users connect to sites requiring personal certificates.
Unfortunately, the only practical effect is to make impersonating users on the network
only a little bit more difficult.


Many Web sites require their users to register a name and a password. When users connect
to these sites, their browser pops up an authentication window that asks for these two
items. Usually, the browser then sends the name and password to the server allowing
retrieval of the remaining pages at the site. The authentication information can be
protected from eavesdropping and replay by using the SSL protocol.


As the number of sites requiring simple authentication grows, so does the number of
passwords that each user must maintain. In fact, users are often required to have several
different passwords for systems in their workplace, for personal accounts, for special
accounts relating to payroll and vacation, and so on. It is not uncommon for users to have
more than six sites they visit that require passwords.


Continues for 7 more pages >>