Lesson 17 - Web Components
Post on 18-Dec-2015
Background
The World Wide Web was invented in 1990 by Tim Berners-
Lee to give physicists a convenient method of exchanging
information.
What began as a physics tool in the European Laboratory for
Particle Physics (CERN) has grown into a complex system.
Background
It is now a complex system used by millions for tasks
ranging from e-commerce to e-mail, chatting, games, and
even the original intended use—file and information sharing.
Background
Before the World Wide Web, the following methods were
used to perform these tasks:
– File Transfer Protocol (FTP) to move files.
– Telnet to access other machines.
Background
A common architecture was developed by Berners-Lee.
– First, a common addressing scheme built around a Uniform
Resource Locator (URL).
– Then, linking documents with URLs through the Hypertext
Markup Language (HTML).
Objectives
Upon completion of this chapter, the students will be able
to:
– Describe the protocols used with Web components, such as the
SSL/TLS protocol suite, LDAP, and FTP.
– Describe Web applications, such as Web Services and plug-ins,
and explain their associated security issues.
– Describe and explain secure file transfer options.
Objectives
Upon completion of this chapter, the students will be able
to:
– Explain how directory services can be used to aid in data
retrieval.
– Describe how scripting and other Internet functions can cause
security concerns.
– Describe how using cookies maintains parameters between
Web pages.
Current Web Components and Concerns
The World Wide Web is useful due to:
– Browsers
– Web components
Current Web Components and Concerns
There are three main security tasks:
– Securing a server to deliver content to users over the Web.
– Securing the transfer of information between users and servers
over the Web.
– Securing the user's computer from attack through a Web
connection.
Protocols
Encryption
– SSL and TLS
The Web
– HTTP and HTTPS
Web Services
– Directory Services (DAP and LDAP)
File Transfer
– FTP and SFTP
Protocols
Protocols are agreed-upon rules that allow vendors to
produce hardware and software that interoperate with
hardware and software developed by other vendors.
– The specific instantiation of protocols is done through hardware
and software components.
Encryption (SSL and TLS)
Secure Socket Layer
– SSL is almost ubiquitous in e-commerce.
• All browsers and Web servers support SSL.
• Virtually all sensitive financial traffic uses SSL to protect
information between Web servers and browsers.
Encryption (SSL and TLS)
The Internet Engineering Task Force (IETF) embraced SSL in
1996 through a series of RFCs and named the group
Transport Layer Security (TLS).
– Starting from SSL 3.0:
• RFC 2246 – “The TLS Protocol Version 1.0”
• RFC 2712 – added Kerberos authentication
• RFCs 2817 and 2818 – extended TLS to HTTP version 1.1 (HTTP/1.1)
Encryption (SSL and TLS)
Although SSL has been through several versions, TLS begins
with an equivalency to SSL 3.0.
SSL and TLS are essentially the same protocol, but not
interchangeable.
Encryption (SSL and TLS)
SSL/TLS is a series of functions within the OSI model.
They reside between the application layer and the TCP/IP
implementation in the transport and network layers.
Encryption (SSL and TLS)
TCP and SSL/TLS
– TCP sends an unauthenticated error-free stream of information
between two computers.
– SSL/TLS adds message integrity and authentication functions to
TCP through cryptographic methods.
Encryption (SSL and TLS)
Session description
– When two programs initiate an SSL/TLS connection, they
compare available protocols and agree on an appropriate
common cryptographic protocol.
• SSL/TLS can use separate algorithms and methods for:
– Encryption
– Authentication
– Data integrity
• Each of these is negotiated and determined before the session
starts.
SSL/TLS Encryption Options
This shows the types of cryptographic protocols available in
Netscape Communicator.
Cryptographic protocol options in Netscape Communicator
How SSL/TLS Works
SSL/TLS uses cryptographic protocols. Effective use of these
protocols requires that both systems agree on a common protocol.
The SSL handshake process is used to accomplish this task.
– The client requests a secure connection and the server
responds.
• Both systems agree on a commonly held protocol (SSL v1, v2, v3, or
TLS v1).
• Commonly available cryptographic algorithms include Diffie-Hellman
and RSA.
How SSL/TLS Works
The handshake begins with the exchange to agree on
parameters.
The systems exchange certificates and keys to enable
authentication.
Certificate exchange is done via X.509 certificates.
Public key cryptography is used to establish authentication.
How SSL/TLS Works
The session continues
– Once authentication is established, the channel is secured with
symmetric key cryptographic methods and hashes, typically
RC4 or 3DES for symmetric key and MD5 or SHA-1 for hash
functions.
– The authenticity of the server and possibly the client has been
established.
– The channel is protected by encryption against eavesdropping.
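The negotiation described above, carried through on the wire, as an added example that is not code from the original lecture: it serialises a ClientHello, parses it back, and applies a server-side policy to pick the protocol version and cipher suite. The cipher suite code points are the registered TLS values; the server preference list and the version floor are constructed for the example, and the client random is a fixed placeholder rather than real randomness.

```python
import struct

# Cipher suite code points as registered for TLS; the names are the
# standard ones. RC4, 3DES and MD5 suites are listed because the lecture
# names them as typical choices of the time, not because a server today
# should accept them.
SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Server policy, constructed for this example: suites in the order the
# server prefers them, and the range of protocol versions it will speak.
SERVER_PREFERENCE = [0xC02F, 0x0033, 0x002F]
SERVER_MAX_VERSION = 0x0303
SERVER_MIN_VERSION = 0x0301


def build_client_hello(version, suites, client_random=b"\x11" * 32):
    """Serialise a ClientHello handshake message inside one TLS record.

    client_random is a fixed placeholder here; a real client fills it
    with 32 fresh random bytes on every handshake.
    """
    body = struct.pack("!H", version) + client_random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)    # offered suites
    body += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type 1 = client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [offered cipher suites]) from a raw record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip client_random
    pos += 1 + body[pos]                          # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def negotiate(record):
    """Server side of the agreement: pick the version and the cipher suite.

    Returns (version_name, suite_name, status). The version is the highest
    both sides support; the suite is the first in the server's preference
    order that the client also offered, so the client's own ordering does
    not drive the choice.
    """
    client_version, offered = parse_client_hello(record)
    if client_version < SERVER_MIN_VERSION:
        return None, None, "handshake_failure: client version too old"
    version = min(client_version, SERVER_MAX_VERSION)
    for suite in SERVER_PREFERENCE:
        if suite in offered:
            return VERSIONS[version], SUITES[suite], "ok"
    return None, None, "handshake_failure: no common cipher suite"
```

When the client offers only suites outside the server's list, negotiate reports a handshake failure rather than silently accepting a weaker suite; that refusal is what a correctly configured server shows when an old client tries to connect.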
How SSL/TLS Works
Session certificates
– The use of certificates is a way to have a third party act as a
notary in the electronic world.
– A certificate is merely a standard set of formatted data that
represents the authenticity of the public key associated with
the signer.
– A certificate can be trusted as a notary to a signature.
– Certificates provide a method of proving who someone is,
provided you trust the issuer.
SSL/TLS Certificates
These are the certificate management options.
Certificate management options dialog in Microsoft Internet Explorer
How SSL/TLS Works
SSL/TLS is designed to provide protection from man-in-the-middle
attacks.
– By authenticating the server end of the connection, SSL/TLS
prevents the hijacking of a session.
– By encrypting all of the conversations between the client and
the server, SSL/TLS prevents eavesdropping.
The Web (HTTP and HTTPS)
The Hypertext Transfer Protocol (HTTP) is the protocol for
the transfer of hypertext-linked data over the Internet.
– A URL such as http://www.example.com is decoded by the
browser.
• The http:// portion indicates that the desired method of data
transfer is via the Hypertext Transfer Protocol.
The Web (HTTP and HTTPS)
SSL/TLS hides cryptographic complexity from end users.
– This can be done by requesting a secure connection from a
Web server, instead of a non-secure connection.
• With HTTP connections, use https:// in place of http://.
– Entering an SSL/TLS-based URL causes an aware browser to
negotiate with the server to establish the required level of
security.
The Web (HTTP and HTTPS)
Enabling cryptographic methods transparently helps end
users to use these protocols easily.
– SSL/TLS is agnostic about the underlying transport.
– Designed to run on top of TCP/IP, it can operate over lower-level
protocols such as X.25.
– SSL/TLS requires a reliable lower-level protocol.
• It cannot function properly over an unreliable protocol such as the
User Datagram Protocol (UDP).
Web Services
Web Services is an industry term with various marketing
definitions.
– It depends upon who is trying to market what and to whom.
• Although the term has been misused often, its underlying core is an
application program accessible using open protocols.
Web Services
Web Services are defined through industry standardization.
There are a series of specifications including XML Schema
and Web Services Description Language (WSDL).
– A Web Service may be as simple as a procedure invoked on a
remote computer via common data formats and protocols.
Web Services
Web Services can be invoked with a Simple Object Access
Protocol (SOAP) request over an HTTP connection.
– This uses open standards such as XML, HTTP, and Universal
Description, Discovery, and Integration (UDDI).
– A Web Service is an application accessed via a set of remote
procedure calls implemented over HTTP.
Web Services
The deployment of Web Services is in its infancy.
– The effectiveness of the security mechanisms being built into
the standards is unknown.
– Several areas in which Web Services are vulnerable:
• HTTP/Web server vulnerabilities
• SOAP Structure vulnerabilities
• WSDL vulnerabilities
• Application layer vulnerabilities
Web Services
Web Services communicate over HTTP through Web servers.
Any vulnerability of the Web server can manifest itself as a
vulnerability of the Web Service.
Web Services
A risk is associated with the actual Web Service code itself.
– As Web Services are designed to increase the distribution and
usage of code, control over who uses a Web Service lessens.
• It is not safe to assume every usage will be with properly formed
messages for a particular Web Service.
• The Web Services application programmer must develop secure
code.
SOAP
Simple Object Access Protocol (SOAP) is a method of
invoking remote procedures over the Internet.
SOAP
SOAP is language-neutral and platform-independent.
– The SOAP framework does no routing or security itself; these are
handled through the extensible nature of the basic framework.
• Layered extensions allow adding these services in a cohesive and
controlled fashion.
XML
Extensible Markup Language (XML) formats messages used
by SOAP to access and return data from Web Services.
XML
XML Schemas define communication interfaces and carry
information between Web Services.
– They define elements that provide a standard method independent
of any vendor or platform.
• It is extensible.
• It is language-neutral.
Directory Services (DAP and LDAP)
A directory is a data storage mechanism like a database.
– The directory is designed and optimized for reading data,
yielding very fast search and retrieval operations.
– The types of information stored in a directory tend to be
descriptive attribute data.
– A directory offers a static view of data that can be changed
without a complex update transaction.
– The data is hierarchically described in a tree-like structure.
• A network interface for reading is typical.
Directory Services (DAP and LDAP)
The X.500 standard was created as a standard for directory
services. It enables interoperability.
– An X.500 directory is accessed through the Directory Access
Protocol (DAP).
– It is difficult to implement completely on PCs and other
constrained platforms.
• This led to the Lightweight Directory Access Protocol (LDAP), which
contains the most commonly used functionality.
• LDAP can interface with X.500 services.
• LDAP can be used over TCP with fewer computing resources than
full X.500 implementation.
SSL/TLS LDAP
LDAP is the Internet standard for directory services.
LDAP over TCP is a plaintext protocol.
This means data crosses the network in the clear, which makes
it susceptible to eavesdropping.
To avoid this, the data must be encrypted.
– The application of SSL/TLS service protects directory
transactions from eavesdroppers.
SSL/TLS LDAP
SSL/TLS provides several functions to LDAP services.
– SSL/TLS establishes the identity of a data source through
certificates.
– SSL/TLS provides integrity and confidentiality of the data
presented from an LDAP source.
– LDAP and SSL/TLS are separate independent protocols.
• Interoperability requires correct setup.
– Establish an SSL/TLS connection.
– Open an LDAP connection over the protected channel.
– Both the client and the server should be enabled for
SSL/TLS.
SSL/TLS LDAP
An LDAP server set up to function over an SSL/TLS
connection operates as it always has.
– The LDAP server responds to specific queries with the data
returned from a node in the search.
– The SSL/TLS functionality operates to secure the channel of
communication and is transparent to the data flow from the
user's perspective.
– SSL/TLS prevents observation of the data request and response,
ensuring confidentiality.
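How the two protocols layer, as an added example that is not part of the original material: the first half encodes an LDAPv3 simple BindRequest in BER exactly as it would travel over a plain TCP connection, so the password is visible in the bytes; the second half builds the SSL/TLS channel that must be established first (step 1) before that request is sent over it (step 2). The host, port and CA file are assumptions for the example; ldaps_context uses Python's standard ssl module.

```python
import socket
import ssl


def _ber_len(n):
    """BER definite-form length: one byte below 128, else a length-of-length prefix."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_simple_bind(message_id, bind_dn, password):
    """Encode an LDAPv3 BindRequest with simple authentication (RFC 4511).

    LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version, name, authentication }
    This is exactly what crosses a plain TCP connection: LDAP itself
    applies no encryption.
    """
    if not 0 < message_id < 128:
        raise ValueError("example supports single-byte message IDs only")
    bind_request = _tlv(0x60,                       # [APPLICATION 0] BindRequest
        _tlv(0x02, b"\x03")                         # version INTEGER 3
        + _tlv(0x04, bind_dn.encode())              # name LDAPDN
        + _tlv(0x80, password.encode()))            # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def password_visible_on_wire(pdu, password):
    """True if the cleartext password appears verbatim in the encoded PDU."""
    return password.encode() in pdu


def ldaps_context(cafile=None):
    """Client-side SSL/TLS settings for the channel LDAP will run over.

    cafile names the CA that signed the directory server's certificate
    (an assumption for the example; None uses the system trust store).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                # server identity via its certificate
    ctx.verify_mode = ssl.CERT_REQUIRED      # refuse unauthenticated servers
    return ctx


def describe_context(ctx):
    """Summarise the policy a context enforces, for checks and logging."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname,
            ctx.minimum_version.name)


def connect_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Step 1: establish the SSL/TLS connection. Step 2: LDAP talks over it.

    Returns the wrapped socket; the caller then sends build_simple_bind(...)
    through it. host and port are assumptions for the example.
    """
    ctx = ldaps_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

Running build_simple_bind and checking the result with password_visible_on_wire shows why the TLS wrapper is not optional: the bind carries the credential as plain octets, and only the channel from connect_ldaps keeps them from an eavesdropper.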
FTP
FTP is an application-level protocol.
– It allows operation over a wide range of lower-level protocols.
FTP is embedded in most operating systems. It provides a
method of transferring files between systems.
FTP
FTP implementations operate both ways – sending and
receiving. They enable remote file operations over a TCP/IP
connection.
– FTP clients are used to initiate transactions.
– FTP servers respond to transaction requests.
• The request can be either to upload (send data from a client to a
server) or download (send data from a server to a client).
FTP
When a user enters ftp://url in a browser address field, it
indicates that the user wishes to see the data associated
with the URL via an FTP session—the browser handles the
details.
– File transfers via FTP can be either in binary or text mode.
• In either case, transfers are plaintext across the network.
Blind FTP (Anonymous FTP)
An account must be used to allow the operating system-level
authorization function to work.
– With an FTP server, you may not be able to control who gets the
information.
• A standard account called anonymous exists.
– It allows unlimited public access to the files.
– It is used to have unlimited distribution.
– On a server, access permissions can be established to allow
only downloading or only uploading or both.
Blind FTP (Anonymous FTP)
An FTP server can be configured to allow files to be uploaded to
it.
– This is a security risk, so it is usually implemented on specialized
servers isolated from other critical functions.
• FTP should not be permitted on workstations.
• It should be disabled on servers.
SFTP
FTP operates in plaintext mode.
– An eavesdropper can observe the data being passed.
– If confidential transfer is required, Secure FTP (SFTP) should be
used.
• SFTP utilizes both Secure Shell (SSH) protocol and FTP to accomplish
this task.
SFTP
SFTP must be present on both the client and the server.
SFTP is not interoperable with standard FTP.
– The encrypted commands cannot be read by an FTP server
program.
To establish SFTP data transfers, the server must be
enabled with the SFTP program.
– Clients access the server provided they have the correct
credentials.
SFTP
SFTP operates in a similar way as FTP:
– An identification function uses a username.
– An authorization function uses a password.
There is no anonymous SFTP account by definition.
– Access is established and controlled from the server using
standard access control lists, IDs, and passwords.
Vulnerabilities
Protocols such as SSL/TLS provide methods for end users to
use cryptography without understanding the method.
– This yields complacency—the impression that once SSL/TLS is
enabled, the user is safe, which is not necessarily the case.
• If a Trojan program records keystrokes and sends the information to
an unauthorized user, SSL/TLS cannot prevent this security breach.
• If the user connects to an untrustworthy site, a secure connection
does not prevent the other site from running a scam.
• Using SSL/TLS and other encryption methods does not guard against
credit card information being “lost” by the receiving company.
Vulnerabilities
Knowing what data is protected, and where, requires an
understanding of what these protocols can and cannot do.
– The SSL/TLS suite can protect data in transit, not in storage.
– It can authenticate users and servers.
• Certificate mechanisms are established and used by both parties.
– SSL/TLS provides a secure method of authentication, followed
by confidentiality in data transfers and data integrity checking.
– All of this occurs during transit; the protection ends once the
data is stored.
Vulnerabilities
Buffer Overflows
Java and JavaScript
ActiveX
CGI
Server-Side Scripts
Cookies
Signed Applets
Browser Plug-Ins
Code-Based Vulnerabilities
Browsers perform many types of data transfer.
– Helper programs or plug-ins increase usability for some data
transfers.
– Separate application programs may be called by a browser to
handle the data being transferred.
Code-Based Vulnerabilities
Applications or plug-ins may include malicious code that
performs actions not desired by users.
Buffer Overflows
The most common exploit to hack into software is the buffer
overflow.
– It is the result of poor programming practices.
• When any program places data into a buffer and does not validate
the input for correct length, the potential for a buffer overflow
exists.
Buffer Overflows
The concept is simple.
– A hacker writes an executable that performs an action on the
target machine and appends his code fragment to a legitimate
response to a program on the target machine.
– When the target machine reads through the too-long response,
a buffer overflow condition causes the original program to fail.
– The extra malicious code fragment is now in the machine's
memory, awaiting execution.
– If the hacker executed it correctly, the program will skip into
the hacker's code, running it before failing.
Buffer Overflows
Buffer overflows are exploitable in a wide range of
programs.
– Fifty percent of the security incidents are from buffer overflow
exploits.
Users have to keep their machines up-to-date with patches
from manufacturers.
Java and JavaScript
Java is based on the C language.
It was designed to be platform-independent.
It offers a low learning curve and a platform-independent
way of implementing programs across an enterprise.
Java and JavaScript
Java and JavaScript operate through an interpreter called a
Java Virtual Machine (JVM) on each platform that interprets
the Java code.
Java and JavaScript
The JVM enables the program functionality for the specific
platform.
– Reliance on an interpretive step leads to performance issues.
– Java is plagued by poor performance when compared to most
other languages.
Security was one of the advantages of Java.
Java and JavaScript
Java was designed to be used in trusted environments.
– When it moved to the Internet for general use, safety became
an advertised benefit.
Java and JavaScript
Safety is not security, and a Java program can still cause
significant damage to a system.
– The ability to read data from a hard drive and display it on the
screen is essential for many programs.
• When the program is downloaded and run from the Internet, without
the knowledge of the user, data may be sent across the Internet to
an unauthorized user. This enables the program to spy on the user.
• Writing data to the hard drive may cause deletions if the program
does not write the data where the user expects it to.
Java and JavaScript
JavaScript is a form of Java designed to be operated within a
browser instance.
– JavaScript enables features such as validation of forms before
they are submitted.
– JavaScript runs within the browser; the code is executed by the
browser itself.
Java and JavaScript
JavaScript was designed not to access files or network
resources directly, except through the browser functions.
Enterprising programmers found many other uses for
JavaScript, such as manipulating the browser's history, a use
that is now prohibited by design.
Java and JavaScript Security
Each browser manufacturer has implemented configuration
settings differently.
The Certificate management options dialog box in Netscape
Communicator
Java and JavaScript
JavaScript has not proven to be as secure as desired.
– This traces back to a similar fault in the Java language.
• Security was added later without a comprehensive security model.
– Most browsers do not have a mechanism to halt a running
script short of aborting the browser instance.
• This may not be possible if the browser has stopped responding to
commands.
Java and JavaScript
The number of ways JavaScript can interact with a system is
high.
– With so many opportunities for malicious code, the best advice
is not to run JavaScript or Java applets unless the source is
trusted.
ActiveX
ActiveX is a collection of APIs, protocols, and programs
developed by Microsoft to download and execute code over
an Internet-based channel.
– The code is bundled together into an ActiveX control with
an .ocx extension.
– These controls are referenced in HTML using the <object> tag.
ActiveX
Microsoft developed Authenticode, which uses digital
signatures. At the right are examples of Authenticode options.
Some of the ActiveX control options in Microsoft Internet Explorer
ActiveX
Windows users may determine who produced a specific
piece of code and whether or not the code has been altered.
– Safety and security are different things.
• Authenticode promotes neither in reality.
– Authenticode provides limited accountability at the time of
download and guarantees that the code has not been changed
since the time of signing.
• Authenticode does not identify whether a piece of code will damage
a system, nor does it regulate how the code is used.
CGI
The Common Gateway Interface (CGI) was a method of
having a Web server execute a program outside the Web
server process, but on the same server.
– It passes information via environment variables to an
independent program.
– It executes the program.
– It returns the results to the Web server.
CGI
CGI offers many advantages to Web-based programs.
– The programs can be written in a number of languages,
although Perl is preferred.
• These scripted programs embrace the full functionality of a server,
allowing access to databases, UNIX commands, and other programs.
If properly coded, CGI offers no more and no less risk than
any other solution.
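The CGI contract above in code, as an added example that is not from the original lecture: the program reads its input only from the environment block the Web server exports (REQUEST_METHOD, QUERY_STRING), validates the one parameter it accepts, and writes the Status and Content-Type headers followed by a blank line and the body. The parameter name and the accepted character set are assumptions for the example.

```python
import html
import os
import re
import sys
from urllib.parse import parse_qs

# The one parameter this program accepts and the shape it must have
# (an assumption for the example): word characters, space and a few
# punctuation marks, at most 64 characters.
SAFE_NAME = re.compile(r"^[\w .'-]{1,64}$")


def cgi_response(status, body, content_type="text/html"):
    """Headers, a blank line, then the body: what a CGI program writes to stdout."""
    return f"Status: {status}\r\nContent-Type: {content_type}\r\n\r\n{body}"


def handle_request(environ):
    """Serve one request using only the environment block the server passed.

    environ holds the CGI variables (REQUEST_METHOD, QUERY_STRING, ...);
    in a real run it is os.environ.
    """
    if environ.get("REQUEST_METHOD", "GET") != "GET":
        return cgi_response("405 Method Not Allowed", "GET only\n", "text/plain")
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    name = params.get("name", [""])[0]
    if not SAFE_NAME.match(name):
        # Reject rather than repair: the program runs with the server's
        # privileges, so it only proceeds on input it fully understands.
        return cgi_response("400 Bad Request", "invalid name\n", "text/plain")
    # Escape on output as well, so a permitted character such as an
    # apostrophe cannot be read as markup by the browser.
    body = f"<html><body><p>Hello, {html.escape(name)}</p></body></html>\n"
    return cgi_response("200 OK", body)


if __name__ == "__main__":
    sys.stdout.write(handle_request(os.environ))
```

Because the environment is the only input channel, the whole program can be exercised offline by passing a constructed dict, which is also how the validation and escaping rules are tested before the script is exposed through the Web server.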
Server-Side Scripts
CGI has been replaced with newer server-side scripting
technologies such as Java, Active Server Pages (ASP), and
PHP.
– They are similar to CGI – they allow programs to be run outside
the Web server and return data to the Web server for end users
via a Web page.
– Each of these technologies has advantages and disadvantages.
All have stronger security models than CGI.
Cookies
Cookies are blocks of ASCII text passed within an HTML
stream to store data temporarily in a Web browser instance.
Cookies
Cookies pass back and forth between the Web server and
the browser and act as a mechanism to maintain state in a
stateless world.
– State is a term that describes the dependence on previous
actions.
Cookies
An HTTP session served by a Web server is stateless.
– Each request is independent of all previous requests.
– The server has no memory of previous requests.
– Cookies were developed to bridge this gap.
Cookies
Cookies are passed along with HTML data through a Set-Cookie
message in the header portion of an HTML transaction, or via a
script in the HTML body.
Cookies
A cookie is a series of name-value pairs that is stored in the
memory during a browser instance.
– The specification for cookies establishes several specific
name-value pairs for defined purposes.
– Additional name-value pairs may be defined at will by a
developer.
Cookies – Name-Value Pairs
The set of name-value pairs includes:
– Expires – specifies when the cookie expires.
• If no value exists, the cookie is only good during the current browser
session and will not remain on the hard drive.
• If a value is given, the cookie will be written to the user's machine
and remain until it expires.
– Domain – specifies the domain where the cookie is used.
• Cookies are memory-resident objects.
• Since the user or data can cause a browser to move between
domains (for example, from comedy.net to jokes.org) some
mechanism needs to tell the browser which cookies belong to which
domain.
Cookies – Name-Value Pairs
The set of name-value pairs includes (continued):
– Path – resolves the applicability of the cookie into a specific
path within a domain.
• If Path=/directory, the cookie will only be sent for requests within
/directory on the given domain, allowing a level of granular control
over the information passed between the browser and the server and
limiting unnecessary data exchanges.
– Secure – The keyword [secure] in a cookie indicates that it is to
be used only in an SSL/TLS session.
• This does not indicate any other form of security.
• Cookies are stored in plaintext on the client machine.
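The attribute handling above, as an added example rather than code from the lecture: a parser for a Set-Cookie header value and the decision logic a browser applies before attaching a stored cookie to a request, covering Expires, Domain, Path and Secure. The header values and host names are constructed for the example; the path-match rule follows RFC 6265, and a cookie set without a Domain attribute is treated as host-only.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def utc(year, month, day, hour=0, minute=0):
    """Aware UTC timestamp, used as the 'now' for expiry checks."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie header value sent by origin_host.

    Returns a dict with the cookie's name/value plus the Expires, Domain,
    Path and Secure attributes. A cookie without a Domain attribute is
    host-only: it goes back only to the exact host that set it.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(), "value": value.strip(),
        "domain": origin_host.lower(), "host_only": True,
        "path": "/", "secure": False,
        "expires": None,                     # None = session cookie, never written to disk
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def domain_matches(host, cookie):
    """Host-only cookies need an exact match; others accept subdomains."""
    host = host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: equal, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def should_send(cookie, scheme, host, path, now=None):
    """Decide whether a browser would attach this cookie to a request."""
    now = now or datetime.now(timezone.utc)
    if cookie["expires"] is not None and cookie["expires"] <= now:
        return False                         # expired: the browser discards it
    if cookie["secure"] and scheme != "https":
        return False                         # Secure: only over an SSL/TLS session
    return domain_matches(host, cookie) and path_matches(path, cookie["path"])
```

The Secure check is the only place SSL/TLS enters the decision: it stops the cookie from being sent over plain HTTP, but says nothing about how the cookie is stored on the client, which is the point made above.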
Cookies
Cookie management is an invisible process.
– Internet Explorer and Netscape Communicator have methods
for users to examine and manipulate cookies on the client side.
Cookies
Netscape Communicator stores the cookies in a long text
file.
– Note the file location in the browser address line.
Netscape Communicator cookie file
Cookies
Cookie management in Microsoft Internet Explorer.
– Note the separate files.
Cookie management in Microsoft Internet Explorer
Cookies
If users disable cookies in a browser, this information will
not be available for the Web server to use.
Disabling Cookies
IETF RFC 2109 describes the HTTP state-management
system (cookies) and the several cookie functions to be
enabled in browsers, specifically:
– The ability to turn cookie usage on and off.
– An indicator as to whether cookies are in use.
– A means of specifying cookie domain values and lifetimes.
Cookie Management
This is the Netscape browser tool to manage cookies.
Netscape Communicator cookie management via browser
Disabling Cookies
To surf cookie-free requires more than a simple step.
– Instructing a browser to stop accepting cookies is a setup
option available through an options menu.
• It has no effect on cookies already received and stored on the
system.
• To prevent the browser from responding to cookies already
received, the user must delete the cookies from the system.
Deleting Cookies
This is the tool to delete cookies in Internet Explorer.
The Microsoft Internet Explorer delete cookies option
Signed Applets
Code signing brings the security of shrink-wrapped software
to software downloaded from the Internet.
Signed Applets
Code signing adds a digital signature and certificate to a
program file to demonstrate file integrity and authenticity.
– The certificate identifies the author.
– The digital signature contains a hash value that covers code,
certificate, and signature to prove integrity.
• This establishes the integrity of the code and publisher via a
standard browser certificate check.
Signed Applets
Use of a certificate to sign an applet or a control allows the
identity of the author to be established.
– The signing of code identifies the code's manufacturer and
guarantees that the code has not been modified since it was
signed.
Signed Applets
A signed applet can be hijacked as easily as a graphic or any
other file.
– An attacker can hijack a signed control by in-line access or
copying the file in its entirety and republishing it.
• In-lining is using an embedded control from another site with or
without the other site's permission.
• Republishing a signed control is done much like stealing a GIF or
JPEG image.
– A copy of the file is maintained on the unauthorized site
and served from there instead of from the original
location.
Signed Applets
The security concern of signed controls comes from how the
control is used.
– A hacker may be able to use a control in an unintended fashion.
• Creating a file loss or buffer overflow.
– Conditions that weaken a system and may allow
exploitation of other vulnerabilities.
– The control will still function as designed, but the issue
becomes who it is used by and how.
• These are concerns not addressed simply by signing a control or an
applet.
Browser Plug-Ins
Plug-ins are small application programs that increase a
browser's ability to handle new data types and add new
functionality.
Browser Plug-Ins
To date, plug-ins have had a good safety record.
Although a plug-in changes a browser, and how it
manipulates data, security holes have not been the norm in
this area.