
Web Security and SSL



Presentation Transcript


  1. Web Security and SSL. By Xuehua Liu and Heathermarie Mona

  2. Introduction • Introduction • Web Security • Secure Sockets Layer (SSL) • Tips for Your Web Security • Questions

  3. Web Security: Client Side Security • Risks: • Content delivered to the browser that crashes it, damages the user's system, breaches the user's privacy, or merely creates an annoyance. • Misuse of personal information that the end user knowingly or unknowingly provides.

  4. Web Security: Client Side Security • Active content, such as ActiveX controls and Java applets: • Raises the possibility that ordinary Web browsing introduces viruses or other malicious software into the user's system. • The browser then becomes a pathway around the firewall and into the local area network, because the firewall permits the outbound HTTP connection that fetched the content.

  5. Web Security: Client Side Security • Even without active content: • Browsing can still release personal information. • The very act of browsing leaves an electronic record of the user's surfing history (server logs, cookies), from which unscrupulous individuals can reconstruct an accurate profile of the user's tastes and habits.

  6. Web Security: Server Side Security • Risk: allowing unauthorized remote users to: • Steal confidential documents. • Execute commands on the server host to modify the system. • Gain information about the Web server's host that helps them break into the system. • Launch denial-of-service attacks, rendering the machine temporarily unusable.

  7. Web Security: Server Side Security • Bugs in the Web server. Three maxims: • Buggy software opens up security holes; • Large, complex programs contain bugs; and • Web servers are large, complex programs.

  8. Web Security: Server Side Security • Misconfiguration of the Web server • A poorly configured Web server can punch a hole in the most carefully designed firewall system. • Open architecture of Web servers • It allows arbitrary CGI scripts to be executed on the server's side of the connection in response to remote requests, so every installed script becomes part of the attack surface.

  9. Web Security: CGI (Common Gateway Interface) Scripts • Any CGI script installed at your site may contain bugs; every such bug is a potential security hole. • CGI scripts can present security holes in two ways: • They may intentionally or unintentionally leak information about the host system that helps attackers break in. • Scripts that process remote user input may be vulnerable to attacks in which the remote user tricks them into executing commands, typically by placing shell metacharacters in a form field that the script pastes into a command line.
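The second kind of CGI hole, shown as an added example rather than code from the original presentation: a script that runs `finger` on a user-supplied name. `unsafe_command` builds the string that `os.system()` would hand to `/bin/sh`; `safe_argv` validates the name against a whitelist and returns an argv list for `subprocess.run()` so no shell ever parses the input. The query strings, the regular expression and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample query strings, as a CGI program would see them in
# QUERY_STRING. The second one smuggles a shell command separator:
# "%3B" is ';' and "+" is a space, so the field decodes to
# "alice; cat /etc/passwd".
BENIGN_QUERY = "user=alice"
HOSTILE_QUERY = "user=alice%3B+cat+%2Fetc%2Fpasswd"

# Whitelist for a Unix login name: lower-case letters, digits, '_' and
# '-'. It may not start with '-' so it can never be read as a flag.
USERNAME_RE = re.compile(r"\A[a-z_][a-z0-9_-]{0,31}\Z")


def form_field(query_string: str, name: str) -> str:
    """Return the first value of a form field, or '' if it is absent."""
    fields = parse_qs(query_string, keep_blank_values=True)
    return fields.get(name, [""])[0]


def unsafe_command(query_string: str) -> str:
    """The classic CGI bug: build a shell command line from remote input.

    Returns the exact string that os.system() or popen() would pass to
    /bin/sh. Anything the user puts after ';', '|', '&&' or inside
    backticks runs with the web server's privileges.
    """
    return "finger " + form_field(query_string, "user")


def safe_argv(query_string: str) -> list:
    """Hardened version: validate against a whitelist and pass the name
    as a separate argv element, i.e. subprocess.run(argv, shell=False).

    Rejected input raises ValueError; the CGI wrapper should turn that
    into a plain 400 response, not a stack trace, so that nothing about
    the host leaks back to the client.
    """
    user = form_field(query_string, "user")
    if not USERNAME_RE.match(user):
        raise ValueError("invalid username")
    return ["finger", user]


def is_accepted(query_string: str) -> bool:
    """True when safe_argv would run the command for this request."""
    try:
        safe_argv(query_string)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(unsafe_command(HOSTILE_QUERY))   # finger alice; cat /etc/passwd
    print(safe_argv(BENIGN_QUERY))         # ['finger', 'alice']
    print(is_accepted(HOSTILE_QUERY))      # False
```

The argv form is only half the fix; the whitelist matters too, because a name such as `-l` passed as a separate argument is still interpreted by the program being run.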

  10. Web Security: Security of Data in Transmission • Risk: interception of network data sent from browser to server, or vice versa, by network eavesdropping. • Eavesdroppers can operate from any point on the path between browser and server. • Reason: TCP/IP was not designed with security in mind; packets carry their payload in the clear, so anyone on the path can read or alter them.

  11. Secure Sockets Layer (SSL) • SSL is the most widely used security protocol for authentication and encryption on the Web. Its successor, TLS, is what is deployed today, though the name SSL persists. • SSL secures the data exchange between a client and a server by encrypting it.

  12. SSL Protocol • SSL runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. • It uses TCP/IP on behalf of the higher-level protocols and allows: • an SSL-enabled server to authenticate itself to an SSL-enabled client, • the client to authenticate itself to the server (optional, using a client certificate), • both machines to establish an encrypted connection.

  13. SSL runs above TCP/IP and below high-level applications

  14. The SSL protocol provides 3 main things: • End Point Authentication • The server is the actual party you wish to communicate with, not someone faking its identity. • Message Integrity • The data exchanged with the server has not been modified along the way. If it has been, the change is detected. • Confidentiality • Data is encrypted. A hacker cannot read your information simply by looking at the packets on the network.

  15. SSL Certificates • SSL relies on certificates (digital identity cards) and keys. • Certificates include: • Name of the certificate authority that issued the certificate • Name of the entity to which the certificate was issued • The entity's public key • Time stamps that bound the validity period (not-before and not-after dates) • The issuer's digital signature over all of the above, which is what lets a browser verify the certificate rather than merely read it

  16. SSL Keys • Each party holds a key pair used by the public-key cipher: • Private key: held by the entity and never given out • Public key: distributed widely, for example inside the certificate • Both keys are needed for the authentication routines • Data encrypted with the public key cannot be decrypted with that same key; only the matching private key will do. Conversely, a signature made with the private key can be verified by anyone holding the public key.

  17. SSL-enabled client authenticates a server’s identity

  18. SSL-enabled server authenticates a user’s identity

  19. How SSL works • Secure Web pages feature "https" in their URL instead of the usual "http" • The browser sees the https in the URL and initiates a connection to the SSL port on the Web server (443 by default) • The browser and the server begin the handshake phase

  20. Handshake Phase 1. The server sends its digital certificate to the client (browser). 2. The browser verifies the server's certificate: the signature chains to an issuer it trusts, the certificate has not expired, and the name in it matches the host in the URL. A collection of trusted certificate issuers, called certification authorities, comes pre-loaded in popular browsers.

  21. Handshake Phase (cont.) 3. The server and the browser negotiate which algorithms to use for encryption. They also decide on a Message Authentication Code (MAC) algorithm to use, which provides data integrity protection.

  22. Handshake Phase (cont.) 4. The browser now generates a random secret (the pre-master secret), encrypts it with the server's public key (obtained from the certificate), and sends the result to the server. From this secret and the random values exchanged during negotiation, both sides derive separate keys for encryption and for the MAC, one set per direction.

  23. Handshake Phase (cont.) 5. Since only the server holds the private key corresponding to its public key, only it can decrypt the secret; its ability to continue the handshake is what authenticates it. Now both the client and the server hold the same keys. The handshake is complete: the server is authenticated and any information exchanged between the browser and the server is protected. One caveat: this RSA key transport has no forward secrecy, so a server private key stolen later decrypts previously recorded sessions, which is why modern TLS uses ephemeral Diffie-Hellman for step 4 instead.
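The key-agreement arithmetic behind steps 4 and 5, plus the client-side configuration that makes step 2 real, as an added example and not code from the original slides. The public-key transport of the pre-master secret is assumed to have happened, so both ends simply hold the same bytes; the expansion function is a simplified HMAC-SHA256 counter construction, not the actual SSL 3.0 or TLS PRF, and the labels and function names are constructed for this example. The two `ssl.SSLContext` builders contrast a client that skips certificate verification with one configured the way a browser behaves.

```python
import hashlib
import hmac
import secrets
import ssl


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """Expand `secret` into `length` bytes bound to `label` and `seed`
    (simplified HMAC-SHA256 counter construction, not the real TLS PRF)."""
    out = b""
    counter = 0
    while len(out) < length:
        counter += 1
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
    return out[:length]


def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Both sides run this with identical inputs and obtain identical keys.

    Four keys come out: an encryption key and a MAC key for each
    direction. The server can only compute them if it decrypted the
    pre-master secret, which is what authenticates it in step 5.
    """
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 4 * 32)
    return {
        "client_mac_key": block[0:32],
        "server_mac_key": block[32:64],
        "client_write_key": block[64:96],
        "server_write_key": block[96:128],
    }


def simulate_handshake() -> bool:
    """Return True when client and server derived the same key material."""
    # Use the OS CSPRNG for every handshake random; a guessable
    # pre-master secret lets an eavesdropper derive the session keys.
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    pre_master = secrets.token_bytes(48)   # chosen by the client in RSA key exchange
    # Step 4/5 (encrypt under the server's public key, server decrypts)
    # is assumed here: both sides now hold pre_master.
    client_keys = derive_session_keys(pre_master, client_random, server_random)
    server_keys = derive_session_keys(pre_master, client_random, server_random)
    return client_keys == server_keys


def client_context_weak() -> ssl.SSLContext:
    """Skips step 2 entirely: any certificate, presented by anyone, is accepted,
    so an active attacker can stand in for the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context_hardened() -> ssl.SSLContext:
    """Step 2 as a browser does it: chain to a trusted root and require
    the certificate name to match the host."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse SSL 2/3 and TLS 1.0/1.1
    return ctx


def verifies_server_identity(ctx: ssl.SSLContext) -> bool:
    """True only if the context performs the certificate checks of step 2."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print("same keys on both ends:", simulate_handshake())
    print("weak context verifies:", verifies_server_identity(client_context_weak()))
    print("hardened context verifies:", verifies_server_identity(client_context_hardened()))
```

The weak context is what `verify=False` style shortcuts amount to: encryption still happens, but with whoever answered the connection, which defeats the authentication property the handshake exists to provide.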

  24. Data Transfer • Client and server now communicate using the SSL Record Protocol • The SSL Record Protocol defines a message format (a content type, a length, and the protected payload) for exchanging encrypted data along with the corresponding MAC • The Record Protocol uses the algorithms and keys from the handshake phase to encrypt the data and adds integrity protection through the MAC; an implicit sequence number covered by the MAC lets the receiver detect replayed or reordered records

  25. Data Transfer (cont.) • If a client surfs to a protected page, the server finds that page, lets the SSL Record encrypt and protect the page, and sends it to the browser • The browser decrypts the page and checks its integrity before displaying it to the user • The result is secure data transfer
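The record protocol of slides 24 and 25 in working form, as an added example that is not part of the original presentation: one `RecordLayer` object per direction, a MAC over sequence number, content type, length and plaintext, then encryption (the MAC-then-encrypt layout of SSL 3.0 and TLS 1.x). The session keys are constructed constants standing in for what the handshake derived, and the cipher is a toy HMAC-SHA256 keystream so the block runs with the standard library alone; a real record layer uses AES or ChaCha20 under the same structure. The class and function names are assumptions for this example.

```python
import hashlib
import hmac
import struct

# Constructed session keys (in practice these come from the handshake).
SERVER_WRITE_KEY = bytes(range(32))
SERVER_MAC_KEY = bytes(range(32, 64))
# Constructed "protected page" that the server sends back.
PAGE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
APPLICATION_DATA = 23   # SSL/TLS content type for application data
TAG_LEN = 32            # HMAC-SHA256 output


class RecordLayer:
    """One direction of an SSL record connection. Sender and receiver each
    keep their own copy and advance the sequence number in lock step."""

    def __init__(self, write_key: bytes, mac_key: bytes):
        self.write_key = write_key
        self.mac_key = mac_key
        self.seq = 0   # 64-bit, implicit: never transmitted, always MACed

    def _keystream(self, seq: int, length: int) -> bytes:
        # Toy stream cipher: HMAC in counter mode keyed per record.
        out, block = b"", 0
        while len(out) < length:
            out += hmac.new(self.write_key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
            block += 1
        return out[:length]

    def _mac(self, seq: int, content_type: int, plaintext: bytes) -> bytes:
        header = struct.pack(">QBH", seq, content_type, len(plaintext))
        return hmac.new(self.mac_key, header + plaintext, hashlib.sha256).digest()

    def seal(self, plaintext: bytes, content_type: int = APPLICATION_DATA) -> bytes:
        """MAC, then encrypt plaintext||MAC, then prepend the record header."""
        body = plaintext + self._mac(self.seq, content_type, plaintext)
        ciphertext = bytes(a ^ b for a, b in zip(body, self._keystream(self.seq, len(body))))
        self.seq += 1
        return struct.pack(">BH", content_type, len(ciphertext)) + ciphertext

    def open_record(self, record: bytes) -> bytes:
        """Decrypt, verify the MAC under the expected sequence number, return plaintext."""
        content_type, length = struct.unpack(">BH", record[:3])
        ciphertext = record[3:3 + length]
        if len(ciphertext) != length or length < TAG_LEN:
            raise ValueError("truncated record")
        body = bytes(a ^ b for a, b in zip(ciphertext, self._keystream(self.seq, length)))
        plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._mac(self.seq, content_type, plaintext)):
            raise ValueError("bad_record_mac")   # fatal alert in real SSL/TLS
        self.seq += 1
        return plaintext


def _pair():
    return (RecordLayer(SERVER_WRITE_KEY, SERVER_MAC_KEY),
            RecordLayer(SERVER_WRITE_KEY, SERVER_MAC_KEY))


def transfer_page() -> bytes:
    """Server seals the page, browser opens it: the normal path of slide 25."""
    server, browser = _pair()
    return browser.open_record(server.seal(PAGE))


def tampered_record_is_rejected() -> bool:
    """Flip one ciphertext bit in transit; the MAC check must fail."""
    server, browser = _pair()
    record = bytearray(server.seal(PAGE))
    record[10] ^= 0x01
    try:
        browser.open_record(bytes(record))
    except ValueError:
        return True
    return False


def replayed_record_is_rejected() -> bool:
    """Deliver the same record twice; the sequence number must reject the copy."""
    server, browser = _pair()
    record = server.seal(PAGE)
    browser.open_record(record)
    try:
        browser.open_record(record)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(transfer_page())
    print("tamper detected:", tampered_record_is_rejected())
    print("replay detected:", replayed_record_is_rejected())
```

Because the sequence number is never sent, an attacker cannot adjust it; only a record built with the right keys for exactly this position in the stream verifies.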

  26. SSL Uses • SSL enables secure communication on an insecure network such as the Internet • Most web-based online purchases and monetary transactions are now secured by SSL • Online banking • Credit card purchases

  27. Advantages • SSL is already built into browsers. • There is no need to install extra software. • The server the user connects to suffers no significant reduction in speed. • SSL was developed with server performance in mind. • SSL can be used as an alternative to a Virtual Private Network (VPN). • A VPN creates a virtual pipeline from a client directly to the server. • SSL secures data transmitted over the Web to the server.

  28. Disadvantages • The firewall cannot see the real content of the data, because it is encrypted. • It is therefore possible to hide a virus in the data transmitted. • SSL security depends heavily upon the client. • If the random numbers created by the client are not random enough, the session is subject to decryption because an attacker could "guess" the key; the client's entropy source is as important as the cipher.

  29. Tips for Your Web Security • Risks can be minimized by always using the most recent browser version and by only accepting downloads from sites you trust. • A fixed IP address is a larger security risk, because an always-on host is reachable for attackers around the clock. • This applies to cable, ADSL and fixed-line connections. • A modem with a dial-up connection exposes the host for less time. • For users of Windows 2000, 95, 98 or Me (advice from the era of this presentation; the general rule is not to expose file and printer sharing to the Internet): • First, disable NetBIOS over TCP/IP; • Second, disable the TCP/IP bindings for Client for Microsoft Networks and File and Printer Sharing (use the NetBEUI protocol instead); • Finally, restart your computer after the changes.

  30. Questions • What areas can go wrong concerning web security? • Client • Server • CGI Script • During Data Transmission • What 3 main things does SSL provide? • End Point Authentication • Message Integrity • Confidentiality

  31. Thank You!

  32. CGI Scripts • CGI "scripts" are just scripts which use CGI. CGI is often confused with Perl, which is a programming language, while CGI is an interface between the server and a particular program. Perl is one language used to write CGI programs, as are MIVA, Python, PHP3 and other scripting languages. • CGI (Common Gateway Interface): a set of rules that describe how a Web server communicates with another piece of software on the same machine, and how that piece of software (the "CGI program") talks back to the Web server. Any piece of software can be a CGI program if it handles input and output according to the CGI standard. • Usually a CGI program is a small program that takes data from a Web server and does something with it, like putting the contents of a form into an e-mail message or turning the data into a database query. • Example link: http://www.pshap.com/cgiex.shtml
