Lesson 17 - Web Components

Posted on 18-Dec-2015

Background

The World Wide Web was invented in 1990 by Tim Berners-Lee to give physicists a convenient method of exchanging information. What began as a physics tool in the European Laboratory for Particle Physics (CERN) has grown into a complex system.

It is now a complex system used by millions for tasks ranging from e-commerce to e-mail, chatting, games, and even the original intended use—file and information sharing.

Before the World Wide Web, the following methods were used to perform these tasks:
– File Transfer Protocol (FTP) to move files.
– Telnet to access other machines.

A common architecture was developed by Berners-Lee:
– First, a common addressing scheme built around a Uniform Resource Locator (URL).
– Then, linking documents with URLs through the Hypertext Markup Language (HTML).

Objectives

Upon completion of this chapter, the students will be able to:
– Describe the protocols, such as the SSL/TLS protocol suite, LDAP, and FTP, used with Web components.
– Describe Web applications, such as Web Services and plug-ins, and explain their associated security issues.
– Describe and explain secure file transfer options.
– Explain how directory services can be used to aid in data retrieval.
– Describe how scripting and other Internet functions can cause security concerns.
– Describe how using cookies maintains parameters between Web pages.

Current Web Components and Concerns

The World Wide Web is useful due to:
– Browsers
– Web components

There are three main security tasks:
– Securing a server to deliver content to users over the Web.
– Securing the transfer of information between users and servers over the Web.
– Securing the user's computer from attack through a Web connection.

Protocols

Encryption
– SSL and TLS
The Web
– HTTP and HTTPS
Web Services
– Directory Services (DAP and LDAP)
File Transfer
– FTP and SFTP

Protocols are agreed-upon rules that allow vendors to produce hardware and software that interoperate with hardware and software developed by other vendors.
– The specific instantiation of protocols is done through hardware and software components.

Encryption (SSL and TLS)

Secure Socket Layer
– SSL is almost ubiquitous in e-commerce.
  • All browsers and Web servers support SSL.
  • Virtually all sensitive financial traffic uses SSL to protect information between Web servers and browsers.

The Internet Engineering Task Force (IETF) embraced SSL in 1996 through a series of RFCs and named the group Transport Layer Security (TLS).
– SSL 3.0
  • RFC 2246 – "TLS Protocol Version 1.0"
  • RFC 2712 – Added Kerberos authentication
  • RFCs 2817 and 2818 – Extended TLS to HTTP version 1.1 (HTTP/1.1)

Although SSL has been through several versions, TLS begins with an equivalency to SSL 3.0. SSL and TLS are essentially the same protocol, but they are not interchangeable.

SSL/TLS is a series of functions within the OSI model. They reside between the application layer and the TCP/IP implementation in the transport and network layers.

TCP and SSL/TLS
– TCP sends an unauthenticated, error-free stream of information between two computers.
– SSL/TLS adds message integrity and authentication functions to TCP through cryptographic methods.

Session description
– When two programs initiate an SSL/TLS connection, they compare available protocols and agree on an appropriate common cryptographic protocol.
  • SSL/TLS can use separate algorithms and methods for:
    – Encryption
    – Authentication
    – Data integrity
  • Each of these is negotiated and determined before the session starts.

SSL/TLS Encryption Options

This shows the types of cryptographic protocols available in Netscape Communicator.
[Figure: Cryptographic protocol options in Netscape Communicator]

How SSL/TLS Works

SSL/TLS uses cryptographic protocols. Effective use of these protocols requires that both systems agree upon a protocol. The SSL handshake process is used to accomplish this task.
– The client requests a secure connection and the server responds.
  • Both systems agree on a commonly held protocol (SSL v1, v2, v3, or TLS v1).
  • Commonly available cryptographic algorithms include Diffie-Hellman and RSA.

The handshake begins with the exchange to agree on parameters. The systems then exchange certificates and keys to enable authentication. Certificate exchange is done via X.509 certificates. Public key cryptography is used to establish authentication.

The session continues
– Once authentication is established, the channel is secured with symmetric key cryptographic methods and hashes, typically RC4 or 3DES for the symmetric key and MD5 or SHA-1 for the hash functions.
– The authenticity of the server, and possibly the client, has been established.
– The channel is protected by encryption against eavesdropping.

Session certificates
– The use of certificates is a way to have a third party act as a notary in the electronic world.
– A certificate is merely a standard set of formatted data that represents the authenticity of the public key associated with the signer.
– A certificate can be trusted as a notary to a signature.
– Certificates provide a method of proving who someone is, provided you trust the issuer.

SSL/TLS Certificates

[Figure: SSL and TLS options in Netscape Communicator]
[Figure: Certificate options in Microsoft Internet Explorer]
These are the certificate management options.
[Figure: Certificate management options dialog in Microsoft Internet Explorer]

How SSL/TLS Works

SSL/TLS is designed to provide protection from man-in-the-middle attacks.
– By authenticating the server end of the connection, SSL/TLS prevents the hijacking of a session.
– By encrypting all of the conversations between the client and the server, SSL/TLS prevents eavesdropping.
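The negotiation and server authentication described above are requirements a client has to state explicitly. The following is an added example, not code from the lecture: it builds a Python `ssl` client context that refuses the obsolete SSL and TLS 1.0 versions named on the slides, requires a certificate chain to a trusted CA plus a host-name match (the check that defeats an interposed attacker), and audits the enabled cipher suites for the RC4, 3DES and MD5 algorithms the slides list as typical, which are legacy today. The `cafile` parameter is an assumed path to a PEM bundle; with None the platform trust store is used. It runs offline and opens no connection.

```python
"""Hardened TLS client context and an audit of it (added example)."""
import ssl

# Substrings of OpenSSL cipher names that indicate legacy algorithms.
# RC4, 3DES and MD5 are the ones the slides mention; NULL, anonymous
# (ADH/AECDH) and export (EXP) suites give no real protection at all.
LEGACY_TOKENS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "ADH-", "AECDH-", "EXP-")


def make_client_context(cafile=None):
    """Return a client context that authenticates the server.

    `cafile` is an assumed path to a PEM CA bundle; None loads the
    system trust store via create_default_context().
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Refuse SSL v2/v3 and TLS 1.0/1.1: those versions are obsolete.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Server authentication is what stops a man in the middle: the
    # chain must end at a trusted CA and the name must match the host.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def legacy_ciphers(ctx):
    """Names of enabled cipher suites that still use a legacy algorithm."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(token in c["name"] for token in LEGACY_TOKENS)]


def audit_context(ctx):
    """Checks a reviewer would expect to pass before trusting a client."""
    return {
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "no_legacy_ciphers": not legacy_ciphers(ctx),
    }


if __name__ == "__main__":
    context = make_client_context()
    for check, ok in audit_context(context).items():
        print(f"{check:18} {'PASS' if ok else 'FAIL'}")
    # The context is what ctx.wrap_socket(sock, server_hostname=host)
    # would use for a real connection; none is opened here.
```

The audit runs before any connection is made, so it can sit in a unit test for any tool that speaks TLS: if a later change re-enables old protocol versions or weak suites, `audit_context` reports it.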

The Web (HTTP and HTTPS)

The Hypertext Transfer Protocol (HTTP) is the protocol for the transfer of hypertext-linked data over the Internet.
– A URL such as http://www.example.com is decoded by the browser.
  • The http:// portion indicates that the desired method of data transfer is via the Hypertext Transfer Protocol.

SSL/TLS hides cryptographic complexity from end users.
– This can be done by requesting a secure connection from a Web server, instead of a non-secure connection.
  • With HTTP connections, use https:// in place of http://.
– The entry of an SSL/TLS-based protocol will cause an aware browser to negotiate with the server to establish the required level of security.

How Do You Know You Are Secure?

[Figure: HTTPS connection in Microsoft Internet Explorer]

Enabling cryptographic methods transparently helps end users to use these protocols easily.
– SSL/TLS is agnostic about the protocol beneath it.
– Designed to run on top of TCP/IP, it can operate over lower-level protocols such as X.25.
– SSL/TLS requires a reliable lower-level protocol.
  • It cannot properly function over a non-reliable protocol such as the IP User Datagram Protocol (UDP).

Web Services

Web Services is an industry term with various marketing definitions.
– It depends upon who is trying to market what and to whom.
  • Although the term has been misused often, its underlying core is an application program accessible using open protocols.

Web Services are defined through industry standardization. There are a series of specifications, including XML Schema and Web Services Description Language (WSDL).
– A Web Service may be as simple as a procedure invoked on a remote computer via common data formats and protocols.

Web Services can be invoked with a Simple Object Access Protocol (SOAP) request over an HTTP connection.
– This uses open standards such as XML, HTTP, and Universal Description, Discovery and Integration (UDDI).
– A Web Service is an application accessed via a set of remote procedure calls implemented over HTTP.

The deployment of Web Services is in its infancy.
– The effectiveness of the security mechanisms being built into the standards is unknown.
– Several areas in which Web Services are vulnerable:
  • HTTP/Web server vulnerabilities
  • SOAP structure vulnerabilities
  • WSDL vulnerabilities
  • Application layer vulnerabilities

Web Services communicate over HTTP through Web servers. Any vulnerability of the Web server can manifest itself as a vulnerability of the Web Service.

A risk is associated with the actual Web Service code itself.
– As Web Services are designed to increase distributed code and usage, control over the users of Web Services lessens.
  • It is not safe to assume every usage will be with properly conformed messages for a particular Web Service.
  • The Web Services application programmer must develop secure code.

SOAP

Simple Object Access Protocol (SOAP) is a method of invoking remote procedures over the Internet. SOAP is a framework for generalized XML messaging between applications.

SOAP is language-neutral and platform-independent.
– The SOAP framework does no routing or security, since these are managed through the extensible nature of the basic framework.
  • Layered extensions allow adding these services in a cohesive and controlled fashion.

XML

Extensible Markup Language (XML) formats the messages used by SOAP to access and return data from Web Services.

XML Schemas define communication interfaces and carry information between Web Services.
– They invoke elements that allow a standard method that is independent of any firm or platform.
  • It is extensible.
  • It is language-neutral.
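The Web Services section above warns that a service cannot assume every incoming message is properly formed and lists SOAP structure as one of the areas of exposure; the SOAP and XML slides describe the envelope that carries the remote procedure call. The following is an added example, not code from the lecture or from any SOAP toolkit: it builds a minimal SOAP 1.1 request with Python's standard library and parses incoming envelopes strictly. A DOCTYPE or entity declaration is rejected before the XML parser sees it, the Envelope and Body must carry the SOAP namespace, exactly one operation may be present, and the operation must be on an allowlist. The service namespace `urn:example:inventory`, the `GetStock` operation and its parameters are constructed for the example.

```python
"""Building and defensively parsing SOAP 1.1 request envelopes (added example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
APP_NS = "urn:example:inventory"                         # constructed service namespace


def build_soap_request(operation, params):
    """Serialise a single-operation SOAP envelope to UTF-8 bytes."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("inv", APP_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{APP_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{APP_NS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_soap_request(raw, allowed_ops, max_bytes=64 * 1024):
    """Return (operation, params) or raise ValueError for anything unexpected."""
    if len(raw) > max_bytes:
        raise ValueError("envelope too large")
    # An inline DTD has no legitimate use in a SOAP request and is the
    # vehicle for entity-expansion tricks, so refuse it before parsing.
    head = raw[:512].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        raise ValueError("DTD not allowed")
    try:
        env = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("root is not a SOAP Envelope")
    bodies = [child for child in env if child.tag == f"{{{SOAP_NS}}}Body"]
    if len(bodies) != 1:
        raise ValueError("expected exactly one Body")
    ops = list(bodies[0])
    if len(ops) != 1:
        raise ValueError("expected exactly one operation in Body")
    op = ops[0]
    ns, _, local = op.tag.rpartition("}")
    if ns != "{" + APP_NS or local not in allowed_ops:
        raise ValueError(f"operation not permitted: {op.tag}")
    params = {}
    for child in op:
        child_ns, _, pname = child.tag.rpartition("}")
        # Parameters must be flat, namespaced leaf elements.
        if child_ns != "{" + APP_NS or len(child):
            raise ValueError(f"unexpected parameter element: {child.tag}")
        params[pname] = (child.text or "").strip()
    return local, params


def validation_error(raw, allowed_ops):
    """The rejection message for an envelope, or None if it is accepted."""
    try:
        parse_soap_request(raw, allowed_ops)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    request = build_soap_request("GetStock", {"sku": "A-100", "warehouse": "east"})
    print(request.decode())
    print(parse_soap_request(request, allowed_ops={"GetStock"}))
    print(validation_error(build_soap_request("DeleteAll", {}), {"GetStock"}))
```

The allowlist is the application-layer control the slides call for: the service decides which operations exist rather than dispatching on whatever element name arrives.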

Directory Services (DAP and LDAP)

A directory is a data storage mechanism like a database.
– The directory is designed and optimized for reading data, yielding very fast search and retrieval operations.
– The types of information stored in a directory tend to be descriptive attribute data.
– A directory offers a static view of data that can be changed without a complex update transaction.
– The data is hierarchically described in a tree-like structure.
  • A network interface for reading is typical.

The X.500 standard was created as a standard for directory services. It enables interoperability.
– An X.500 directory is accessed through the Directory Access Protocol (DAP).
– It is difficult to implement completely on PCs and other constrained platforms.
  • This led to the Lightweight Directory Access Protocol (LDAP), which contains the most commonly used functionality.
  • LDAP can interface with X.500 services.
  • LDAP can be used over TCP with fewer computing resources than a full X.500 implementation.

SSL/TLS LDAP

LDAP is the Internet standard for directory services. LDAP over TCP is a plaintext protocol. This means the data crosses the network unencrypted, which makes it susceptible to eavesdropping. To avoid this, the data must be encrypted.
– The application of the SSL/TLS service protects directory transactions from eavesdroppers.

SSL/TLS provides several functions to LDAP services.
– SSL/TLS establishes the identity of a data source through certificates.
– SSL/TLS provides integrity and confidentiality of the data presented from an LDAP source.
– LDAP and SSL/TLS are separate, independent protocols.
  • Interoperability requires correct setup:
    – Establish an SSL/TLS connection.
    – Open an LDAP connection over the protected channel.
    – Both the client and the server should be enabled for SSL/TLS.

An LDAP server set up to function over an SSL/TLS connection operates as it always has.
– The LDAP server responds to specific queries with the data returned from a node in the search.
– The SSL/TLS functionality operates to secure the channel of communication and is transparent to the data flow from the user's perspective.
– SSL/TLS prevents observation of the data request and response, ensuring confidentiality.
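The slides make two points that are easiest to see in bytes: LDAP over plain TCP is plaintext, and LDAP is unchanged when run inside SSL/TLS because the two are independent protocols layered in sequence. The following is an added example, not code from the lecture or from any LDAP library: it encodes an LDAPv3 simple BindRequest (the message that carries a user's DN and password) in BER by hand, shows that the password sits verbatim in that message, and sketches the two-step setup the slides prescribe, TLS first and then LDAP over the protected channel. The DN and password are constructed; `open_ldaps_channel` is not executed here because it needs a reachable server, and its `cafile` argument is an assumed path.

```python
"""LDAP BindRequest encoding, plaintext exposure, and TLS-first setup (added example)."""
import socket
import ssl


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(value):
    """BER INTEGER for non-negative values (a leading zero keeps it positive)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big"))


def ldap_bind_request(message_id, bind_dn, password):
    """Encode an LDAPv3 simple BindRequest (RFC 4511, section 4.2) in BER.

    LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
                                              authentication simple [0] OCTET STRING }
    """
    bind = _tlv(0x60,                                     # [APPLICATION 0], constructed
                _integer(3)                               # version 3
                + _tlv(0x04, bind_dn.encode("utf-8"))     # name: LDAPDN as OCTET STRING
                + _tlv(0x80, password.encode("utf-8")))   # simple [0]: OCTET STRING
    return _tlv(0x30, _integer(message_id) + bind)        # LDAPMessage SEQUENCE


def credentials_visible(message, password):
    """True when the password sits verbatim in the bytes on the wire, which is
    what a capture of plaintext LDAP (port 389, no TLS) shows an eavesdropper."""
    return password.encode("utf-8") in message


def open_ldaps_channel(host, port=636, cafile=None):
    """The slides' order of operations: establish SSL/TLS, then speak LDAP inside it.

    Returns a TLS-wrapped socket; the output of ldap_bind_request() is sent
    through it unchanged. Not run in this example (needs a live LDAPS
    server). `cafile` is an assumed path to the CA bundle that issued the
    server certificate; None uses the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # no SSLv3/TLS 1.0 fallback
    plain = socket.create_connection((host, port), timeout=10)
    # server_hostname drives certificate name checking: the server
    # authentication the slides say TLS adds to the directory service.
    return ctx.wrap_socket(plain, server_hostname=host)


if __name__ == "__main__":
    # Constructed DN and password for the demonstration.
    msg = ldap_bind_request(1, "cn=reader,dc=example,dc=com", "secret")
    print(msg.hex(" "))
    print("password visible in plaintext LDAP bytes:", credentials_visible(msg, "secret"))
```

Because the LDAP bytes are identical on port 389 and inside an LDAPS session, the only thing that changes an eavesdropper's view is the TLS layer wrapped around the socket; the directory server itself needs no change to its query handling, as the slides say.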

FTP

FTP is an application-level protocol.
– It allows operation over a wide range of lower-level protocols.
FTP is embedded in most operating systems. It provides a method of transferring files between systems.

FTP implementations operate both ways – sending and receiving. They enable remote file operations over a TCP/IP connection.
– FTP clients are used to initiate transactions.
– FTP servers respond to transaction requests.
  • The request can be either to upload (send data from a client to a server) or download (send data from a server to a client).

When a user enters ftp://url in a browser address field, it indicates that the user wishes to see the data associated with the URL via an FTP session—the browser handles the details.
– File transfers via FTP can be either in binary or text mode.
  • In either case, transfers are plaintext across the network.

Blind FTP (Anonymous FTP)

An account must be used to allow the operating system-level authorization function to work.
– With an FTP server, you may not be able to control who gets the information.
  • A standard account called anonymous exists.
    – It allows unlimited public access to the files.
    – It is used for unlimited distribution.
    – On a server, access permissions can be established to allow only downloading, only uploading, or both.

An FTP server can be used to allow users to upload files to the server.
– It is a security risk usually implemented on specialized servers isolated from other critical functions.
  • FTP should not be permitted on workstations.
  • It should be disabled on servers.

SFTP

FTP operates in plaintext mode.
– An eavesdropper can observe the data being passed.
– If confidential transfer is required, Secure FTP (SFTP) should be used.
  • SFTP utilizes both the Secure Shell (SSH) protocol and FTP to accomplish this task.

SFTP is an application program that encodes both the commands and the data passed.

SFTP must be on both the client and the server. SFTP is not interoperable with standard FTP.
– The encrypted commands cannot be read by an FTP server program.
To establish SFTP data transfers, the server must be enabled with the SFTP program.
– Clients access the server provided they have the correct credentials.

SFTP operates in a similar way to FTP:
– An identification function uses a username.
– An authorization function uses a password.
There is no anonymous SFTP account by definition.
– Access is established and controlled from the server using standard access control lists, IDs, and passwords.

Vulnerabilities

Protocols such as SSL/TLS provide methods for end users to use cryptography without understanding the method.
– This yields complacency—the impression that once SSL/TLS is enabled, the user is safe, which is not necessarily the case.
  • If a Trojan program records keystrokes and sends the information to an unauthorized user, SSL/TLS cannot prevent this security breach.
  • If the user connects to an untrustworthy site, a secure connection does not prevent the other site from running a scam.
  • Using SSL/TLS and other encryption methods does not guard against credit card information being “lost” by the receiving company.

What and where data is protected requires an understanding of what these protocols can and cannot do.
– The SSL/TLS suite can protect data in transit, not in storage.
– It can authenticate users and servers.
  • Certificate mechanisms are established and used by both parties.
– SSL/TLS provides a secure method of authentication, followed by confidentiality in data transfers and data integrity checking.
– All of this occurs during transit; the protection ends once the data is stored.

– Buffer Overflows
– Java and JavaScript
– ActiveX
– CGI
– Server-Side Scripts
– Cookies
– Signed Applets
– Browser Plug-Ins

Code-Based Vulnerabilities

Browsers perform many types of data transfer.
– Helper programs or plug-ins increase usability for some data transfers.
– Separate application programs may be called by a browser to handle the data being transferred.
Applications or plug-ins may include malicious code that performs actions not desired by users.

Buffer Overflows

The most common exploit used to hack into software is the buffer overflow.
– It is the result of poor programming practices.
  • When any program places data into a buffer and does not validate the input for correct length, the potential for a buffer overflow exists.

The concept is simple.
– A hacker writes an executable that performs an action on the target machine and appends this code fragment to a legitimate response to a program on the target machine.
– When the target machine reads through the too-long response, a buffer overflow condition causes the original program to fail.
– The extra malicious code fragment is now in the machine's memory, awaiting execution.
– If the hacker executed it correctly, the program will skip into the hacker's code, running it before failing.

Buffer overflows are exploitable in a wide range of programs.
– Fifty percent of security incidents are from buffer overflow exploits.
Users have to keep their machines up to date with patches from manufacturers.

Java and JavaScript

Java is based on the C language. It was designed to be platform-independent. It offers a low learning curve and a platform-independent way of implementing programs across an enterprise.

Java and JavaScript operate through an interpreter called a Java Virtual Machine (JVM) on each platform that interprets the Java code.

The JVM enables the program functionality for the specific platform.
– Reliance on an interpretive step leads to performance issues.
– Java is plagued by poor performance when compared to most other languages.
Security was one of the advantages of Java.

Java was designed to be used in trusted environments.
– When it moved to the Internet for general use, safety became an advertised benefit.

Safety is not security, and a Java program can still cause significant damage to a system.
– The ability to read data from a hard drive and display it on the screen is essential for many programs.
  • When the program is downloaded and run from the Internet without the knowledge of the user, data may be sent across the Internet to an unauthorized user. This enables the program to spy on the user.
  • Writing data to the hard drive may cause deletions if the program does not write the data where the user expects it to.

JavaScript is a form of Java designed to be operated within a browser instance.
– JavaScript enables features such as validation of forms before they are submitted.
– JavaScript runs within the browser; the code is executed by the browser itself.

JavaScript was designed not to access files or network resources directly, except through the browser functions. Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design.

Java and JavaScript Security

Each browser manufacturer has implemented configuration settings differently.
[Figure: The Certificate management options dialog box in Netscape Communicator]

JavaScript has not proven to be as secure as desired.
– This traces back to a similar fault in the Java language.
  • Security was added later without a comprehensive security model.
– Most browsers do not have a mechanism to halt a running script short of aborting the browser instance.
  • This may not be possible if the browser has stopped responding to commands.

[Figure: JavaScript/Java configuration options in Microsoft Internet Explorer]

The number of ways JavaScript can interact with a system is high.
– With so many opportunities for malicious code, the best advice is not to run JavaScript or Java applets unless the source is trusted.

ActiveX

ActiveX is a collection of APIs, protocols, and programs developed by Microsoft to download and execute code over an Internet-based channel.
– The code is bundled together into an ActiveX control with an .ocx extension.
– These controls are referenced in HTML using the <object> tag.

Microsoft developed Authenticode, which uses digital signatures. Shown here are examples of Authenticode options.
[Figure: Some of the ActiveX control options in Microsoft Internet Explorer]

Windows users may determine who produced a specific piece of code and whether or not the code has been altered.
– Safety and security are different things.
  • Authenticode promotes neither in reality.
– Authenticode provides limited accountability at the time of download and guarantees that the code has not been changed since the time of signing.
  • Authenticode does not identify whether a piece of code will damage a system, nor does it regulate how the code is used.

CGI

The Common Gateway Interface (CGI) was a method of having a Web server execute a program outside the Web server process, but on the same server.
– It passes information via environment variables to an independent program.
– It executes the program.
– It returns the results to the Web server.

CGI offers many advantages to Web-based programs.
– The programs can be written in a number of languages, although Perl is preferred.
  • These scripted programs embrace the full functionality of a server, allowing access to databases, UNIX commands, and other programs.
If properly coded, CGI offers no more and no less risk than any other solution.
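The CGI section above describes the interface (request data arrives in environment variables, the program's output goes back to the Web server) and says the risk depends on the program being properly coded. The following is an added example, not code from the lecture: a small CGI program whose request handling is a pure function of the environment dictionary and request body, so it can be exercised without a Web server. It bounds the POST body before reading it, validates the length and character set of the one parameter it accepts, and HTML-escapes client data before echoing it. The `sku` parameter name and the inventory records are constructed for the example.

```python
"""A CGI program written defensively (added example)."""
import html
import os
import sys
from urllib.parse import parse_qs

# Constructed sample records standing in for the database the script would query.
INVENTORY = {"A-100": 12, "B-200": 0}

MAX_BODY = 4096       # refuse over-long POST bodies instead of reading them all
MAX_PARAM_LEN = 64    # length validation on every field

TEXT = [("Content-Type", "text/plain")]
HTML = [("Content-Type", "text/html; charset=utf-8")]


def handle(environ, stdin=b""):
    """Return (status, headers, body) for a CGI environment mapping.

    `environ` is the CGI variable set the server exports (REQUEST_METHOD,
    QUERY_STRING, CONTENT_LENGTH); `stdin` is the raw POST body.
    """
    method = environ.get("REQUEST_METHOD", "GET")
    if method == "GET":
        query = environ.get("QUERY_STRING", "")
    elif method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return "400 Bad Request", TEXT, "bad Content-Length\n"
        if length > MAX_BODY:
            return "413 Payload Too Large", TEXT, "body too large\n"
        query = stdin[:length].decode("utf-8", errors="replace")
    else:
        return "405 Method Not Allowed", TEXT, "unsupported method\n"

    try:
        params = parse_qs(query, max_num_fields=10)   # cap the number of fields
    except ValueError:
        return "400 Bad Request", TEXT, "too many fields\n"
    sku = params.get("sku", [""])[0]
    # Allow only short alphanumeric/hyphen identifiers; anything else is rejected.
    if not (0 < len(sku) <= MAX_PARAM_LEN) or not sku.replace("-", "").isalnum():
        return "400 Bad Request", TEXT, "invalid sku\n"

    safe_sku = html.escape(sku)   # client-supplied, so escape before echoing as HTML
    qty = INVENTORY.get(sku)
    if qty is None:
        return "404 Not Found", HTML, f"<p>No such item: {safe_sku}</p>\n"
    return "200 OK", HTML, f"<p>Item {safe_sku}: {qty} in stock</p>\n"


def emit(status, headers, body, out=sys.stdout):
    """Write the CGI response: Status line, headers, blank line, body."""
    out.write(f"Status: {status}\r\n")
    for name, value in headers:
        out.write(f"{name}: {value}\r\n")
    out.write("\r\n")
    out.write(body)


if __name__ == "__main__":
    # Under a real server os.environ carries the request and stdin any POST body.
    body = sys.stdin.buffer.read(MAX_BODY) if os.environ.get("REQUEST_METHOD") == "POST" else b""
    emit(*handle(os.environ, body))
```

Keeping `handle` free of any shell invocation is deliberate: the slides note that CGI programs can reach UNIX commands, and a handler that never builds a command line from request data has nothing for unexpected input to reach.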

Server-Side Scripts

CGI has been replaced with newer server-side scripting technologies such as Java, Active Server Pages (ASP), and PHP.
– They are similar to CGI – they allow programs to be run outside the Web server and return data to the Web server for end users via a Web page.
– Each of these technologies has advantages and disadvantages.
All have stronger security models than CGI.

Cookies

Cookies are blocks of ASCII text passed within an HTML stream to store data temporarily in a Web browser instance.

Cookies pass back and forth between the Web server and the browser and act as a mechanism to maintain state in a stateless world.
– State is a term that describes the dependence on previous actions.

An HTTP session served by a Web server is stateless.
– Each request is independent of all previous requests.
– The server has no memory of previous requests.
– Cookies were developed to bridge this gap.

Cookies are passed along with HTML data through a Set-Cookie message in the header portion of an HTML transaction, or via a script in the HTML body.

A cookie is a series of name-value pairs that is stored in memory during a browser instance.
– The specification for cookies establishes several specific name-value pairs for defined purposes.
– Additional name-value pairs may be defined at will by a developer.

Cookies – Name-Value Pairs

The set of name-value pairs includes:
– Expires – specifies when the cookie expires.
  • If no value exists, the cookie is only good during the current browser session and will not remain on the hard drive.
  • If a value is given, the cookie will be written to the user's machine and remain until it expires.
– Domain – specifies the domain where the cookie is used.
  • Cookies are memory-resident objects.
  • Since the user or data can cause a browser to move between domains (for example, from comedy.net to jokes.org), some mechanism needs to tell the browser which cookies belong to which domain.
– Path – resolves the applicability of the cookie to a specific path within a domain.
  • If path=/directory, the cookie will only be sent for requests within /directory on the given domain, allowing a level of granular control over the information being passed between the browser and the server and limiting unnecessary data exchanges.
– Secure – The keyword [secure] in a cookie indicates that it is to be used only in an SSL/TLS session.
  • This does not indicate any other form of security.
  • Cookies are stored in plaintext on the client machine.
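The Expires, Domain, Path and Secure attributes above are rules the browser applies on every request. The following is an added example, not code from the lecture: it parses Set-Cookie header values with Python's `http.cookies`, keeps each cookie's attributes, and decides which cookies a browser would attach to a given URL. A missing Expires marks a session cookie, Domain matches the host or any subdomain, Path requires a directory-prefix match, and a Secure cookie is withheld from plain http:// requests. The host names, cookie names, values and timestamps are constructed for the example.

```python
"""Cookie attribute handling as a browser applies it (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed "current time" for the demonstration so results are stable.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


def parse_set_cookie(header, request_host, now=NOW):
    """Turn one Set-Cookie header value into a dict describing the cookie."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()          # one cookie per Set-Cookie header
    expires = morsel["expires"]
    return {
        "name": name,
        "value": morsel.value,
        # No Expires: a session cookie, held in memory and dropped on exit.
        "expires": parsedate_to_datetime(expires) if expires else None,
        "session": not expires,
        # Domain defaults to the host that set the cookie; a leading dot is ignored.
        "domain": (morsel["domain"] or request_host).lstrip(".").lower(),
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
        "created": now,
    }


def _domain_matches(cookie_domain, host):
    return host == cookie_domain or host.endswith("." + cookie_domain)


def _path_matches(cookie_path, request_path):
    if request_path == cookie_path:
        return True
    prefix = cookie_path if cookie_path.endswith("/") else cookie_path + "/"
    return request_path.startswith(prefix)


def cookies_for_request(jar, url, now=NOW):
    """Names of the cookies a browser would send with a request for `url`."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    path = parts.path or "/"
    sent = []
    for cookie in jar:
        if cookie["expires"] is not None and cookie["expires"] <= now:
            continue                       # expired: discarded, never sent
        if not _domain_matches(cookie["domain"], host):
            continue
        if not _path_matches(cookie["path"], path):
            continue
        if cookie["secure"] and parts.scheme != "https":
            continue                       # Secure: only inside an SSL/TLS session
        sent.append(cookie["name"])
    return sent


def sample_jar(now=NOW):
    """Constructed cookies as a browser would hold them after visiting shop.example.com."""
    host = "shop.example.com"
    return [
        parse_set_cookie("sid=abc123; Path=/; Secure", host, now),
        parse_set_cookie("prefs=dark; Domain=.example.com; Path=/; "
                         "Expires=Wed, 01 Jan 2025 00:00:00 GMT", host, now),
        parse_set_cookie("cart=9; Path=/checkout; "
                         "Expires=Sat, 01 Feb 2025 00:00:00 GMT", host, now),
        parse_set_cookie("lang=en; Domain=example.com; Path=/", host, now),
    ]


if __name__ == "__main__":
    jar = sample_jar()
    for url in ("https://shop.example.com/checkout/pay",
                "http://shop.example.com/checkout/",
                "https://shop.example.com/",
                "https://api.example.com/"):
        print(f"{url:42} -> {cookies_for_request(jar, url)}")
```

The second URL is the one to watch: the session identifier `sid` is marked Secure, so the browser leaves it out of the plain-HTTP request, while `cart`, which has no such flag, is sent in the clear. That is exactly the exposure the Secure attribute exists to prevent.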

Cookies

Cookie management is an invisible process.
– Internet Explorer and Netscape Communicator have methods for users to examine and manipulate cookies on the client side.

Netscape Communicator stores the cookies in a long text file.
– Note the file location in the browser address line.
[Figure: Netscape Communicator cookie file]

Cookie management in Microsoft Internet Explorer.
– Note the separate files.
[Figure: Cookie management in Microsoft Internet Explorer]

If users disable cookies in a browser, this information will not be available for the Web server to use.

Disabling Cookies

IETF RFC 2109 describes the HTTP state-management system (cookies) and the several cookie functions to be enabled in browsers, specifically:
– The ability to turn cookie usage on and off.
– An indicator as to whether cookies are in use.
– A means of specifying cookie domain values and lifetimes.

Cookie Management

This is the Netscape browser tool to manage cookies.
[Figure: Netscape Communicator cookie management via browser]

Disabling Cookies

To surf cookie-free requires more than a simple step.
– Instructing a browser to stop accepting cookies is a setup option available through an options menu.
  • It has no effect on cookies already received and stored on the system.
  • To prevent the browser from responding to cookies already received, the user must delete the cookies from the system.

Deleting Cookies

This is the tool to delete cookies in Internet Explorer.
[Figure: The Microsoft Internet Explorer delete cookies option]

Signed Applets

Code signing brings the security of shrink-wrapped software to software downloaded from the Internet.

Code signing adds a digital signature and certificate to a program file to demonstrate file integrity and authenticity.
– The certificate identifies the author.
– The digital signature contains a hash value that covers code, certificate, and signature to prove integrity.
  • This establishes the integrity of the code and publisher via a standard browser certificate check.

Use of a certificate to sign an applet or a control allows the identity of the author to be established.
– The signing of code identifies the code's manufacturer and guarantees that the code has not been modified since it was signed.

A signed applet can be hijacked as easily as a graphic or any other file.
– An attacker can hijack a signed control by in-line access or by copying the file in its entirety and republishing it.
  • In-lining is using an embedded control from another site with or without the other site's permission.
  • Republishing a signed control is done much like stealing a GIF or JPEG image.
    – A copy of the file is maintained on the unauthorized site and served from there instead of from the original location.

The security concern of signed controls comes from how the control is used.
– A hacker may be able to use a control in an unintended fashion.
  • Creating a file loss or buffer overflow.
    – Conditions that weaken a system and may allow exploitation of other vulnerabilities.
– The control will still function as designed, but the issue becomes who it is used by and how.
  • These are concerns not addressed simply by signing a control or an applet.
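Both the Authenticode slides and the signed-applet slides above make the same two-part point: a signature proves who published the code and that it is unmodified since signing, and nothing more, so an unmodified copy republished from another site still verifies. The following is an added example, not code from the lecture or from any code-signing tool: a publisher signs the hash of a control, a verifier checks hash, signature and publisher trust, and an `accept` function adds the serving-origin policy that signing alone cannot provide. Textbook RSA over two fixed Mersenne primes stands in for a real key and CA-issued certificate; it is for illustration only and must not be used for real signing. The publisher name, host names and control bytes are constructed.

```python
"""What a code signature proves, and what it does not (added example)."""
import hashlib

# Toy RSA key built from known Mersenne primes. A real publisher key is
# 2048 bits or more, uses proper padding and lives in a CA-issued certificate.
_P = 2**127 - 1
_Q = 2**89 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

PUBLIC_KEY = (_N, _E)
PRIVATE_KEY = (_N, _D)


def code_hash(control):
    """Hash of the control as an integer; 24-byte digest keeps it below the toy modulus."""
    return int.from_bytes(hashlib.blake2b(control, digest_size=24).digest(), "big")


def sign(control, publisher, private_key=PRIVATE_KEY):
    """Produce a signed-control record: code, certificate and signature.

    The certificate binds the publisher name to the public key. In a real
    check the certificate is itself signed by a CA; this toy treats it as
    already validated.
    """
    n, d = private_key
    return {
        "code": control,
        "certificate": {"publisher": publisher, "key": (n, _E)},
        "signature": pow(code_hash(control), d, n),
    }


def verify(signed, trusted_publishers):
    """Return the list of failures; an empty list means the browser would accept it."""
    failures = []
    n, e = signed["certificate"]["key"]
    if pow(signed["signature"], e, n) != code_hash(signed["code"]):
        failures.append("hash/signature mismatch: code altered since signing")
    if signed["certificate"]["publisher"] not in trusted_publishers:
        failures.append("publisher not trusted")
    return failures


def accept(signed, served_from, trusted_publishers, allowed_origins):
    """Signature check plus the origin policy that signing by itself cannot enforce."""
    failures = verify(signed, trusted_publishers)
    if served_from not in allowed_origins:
        failures.append(f"served from unexpected origin {served_from}")
    return failures


if __name__ == "__main__":
    control = b"constructed control bytes: not a real .ocx or applet"
    signed = sign(control, "Acme Widgets")
    print("original, trusted publisher:", verify(signed, {"Acme Widgets"}))
    tampered = dict(signed, code=control + b"\x00")
    print("tampered:", verify(tampered, {"Acme Widgets"}))
    # The hijacking case: the same unmodified file republished elsewhere
    # still carries a valid signature, so only an origin check catches it.
    print("republished copy, signature only:", verify(signed, {"Acme Widgets"}))
    print("republished copy, with origin policy:",
          accept(signed, "mirror.example", {"Acme Widgets"}, {"downloads.acme.example"}))
```

The last two lines of output are the slides' hijacking argument in code: `verify` cannot tell the original location from a copy because the signature covers the file and the certificate, not where the file was fetched from.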

Browser Plug-Ins

Plug-ins are small application programs that increase a browser's ability to handle new data types and add new functionality.

To date, plug-ins have had a good safety record. Although a plug-in changes a browser, and how it manipulates data, security holes have not been the norm in this area.

Not all plug-ins are safe.
– There are many plug-ins, most from small single-programmer shops, designed for specific purposes that may or may not be needed by most users.
– Your trust in plug-ins should be based on knowing whom you are trusting.