Web Security

Edward Chow

Why do web servers attract attackers?

Why are web servers vulnerable?

What is a "secure web server"?

Three Major parts of Web Security Problem:

This leads to the challenges of

Securing Web Server

Securing Information in Transit

Digital certificates eliminate some of the need for SSL (sending usernames and passwords).

Securing User's Computer

Typical Credit Card Transaction

How SSL protects on-line transaction

Threats of doing business on Internet

User's risks from the above example

Merchants' risks

DMZ Firewall


Risk Management

List of specific programs that should never be used as helper applications:

Examples of Data Driven Attack

Malicious data is given to a normally well-behaved application to produce undesirable results.
Pretend to be an inquiry from the user's legitimate system software.
The solution for these social engineering attacks is education. In 1995 AOL modified its email interface to include a message that reminded users "AOL staff will never ask for your password or billing information."

Key Generation Flaw

Netscape key generation flaw found by Ian Goldberg, David Wagner, and Eric Brewer of UC Berkeley (9/17/95).
Instead of using user's mouse motions as seeds for the random number generator, it used
The Netscape certificate server later adopted the use of mouse motions to generate the seed for the random number used in private key generation.

Java Security Flaw

In 1996, Drew Dean, Ed Felten, and Dan Wallach of Princeton University found that by exploiting the multiple names in a DNS entry, they could make the Netscape Navigator 2.0 Java run-time allow downloads from machines within the firewall. The original design goal was to allow downloads only from the original web server from which the home page was downloaded.

Javascript Bug

An early version of the JavaScript implementation in Navigator 2.0 allowed the visit history and email address to be filled into a hidden HTML form and then transferred out.

Harassing Mailto Hyperlink

An early version of Navigator 2.0 allowed mail to be sent (to a high-profile site such as whitehouse.gov) without the user's interaction.

As a result of frequent errors, the US Naval Research Lab in fall 1996 recommended that Navigator not be used. On 10/2/96 the US Navy and Microsoft announced that the Navy chose IE as its official web browser.

On 3/3/97 Paul Greene of Worcester Polytechnic Institute in MA created a web page that, when viewed by IE 3.0 and 3.0.1, allows any program to be run on the user's machine. The problem is that IE 3.0 and 3.0.1 considered it "safe" to open files of type .URL and .LNK.

Java Operation Cycle

Java Safety (Reliability)

This leads to fewer bugs.  But fewer bugs do not imply that the Java program is more secure.

Java Security

Java Sandbox

SecurityManager class

Class Loader

Bytecode Verifier

Make sure the bytecode is created by compiling a valid Java program?
and the downloaded program
It was implemented as ad hoc checks.

Three Original Java Security Policies

Most users chose policy 2.
Reasons for the restrictions on downloaded Java applets in HotJava:

| Restriction | Reason |
| Cannot read contents of files or directories on the client computer. | Protects the confidentiality of information on the user's computer. |
| Cannot write, rename, or delete files on the client computer. | Protects the user's data from unauthorized modification. |
| Cannot initiate a network connection to a computer other than the computer from which the Java applet was downloaded. | Prevents a downloaded applet from probing for security problems behind an organization's firewall. |
| Cannot receive network connections. | Prevents an applet from appearing to be a legitimate server on an organization's internal network. |
| Cannot display a window without a special "untrusted" border. | Prevents applets from creating windows that appear to be system windows. |
| Cannot create a ClassLoader or SecurityManager. | Prevents subverting the Java type checking system and disabling all Java security checks. |
| Cannot run system programs. | Prevents running arbitrary code. |

Possible Security Policies on Network Connections

Navigator 4.0 Java Policy

Java Security Problems Discovered by SIP group

Java DNS policy dispute

According to the Java security policy, a downloaded applet can only initiate connections to the same computer from which it was downloaded.
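
The "same computer" rule can be enforced by name or by address, and the two differ when one DNS name carries several addresses. The Java sketch below is an added example, not code from this lecture or from Netscape; the class, method names, hostnames and resolver table are constructed for illustration, and the name-based check is an assumed way of deciding "same computer". It compares that check with one pinned to the address the applet was actually loaded from.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added illustration: names, addresses and methods are constructed.
public class AppletConnectPolicy {
    // Constructed resolver answers (documentation and private ranges only).
    // Whoever runs DNS for applets.example decides which addresses it lists.
    static final Map<String, List<String>> DNS = Map.of(
        "applets.example", List.of("203.0.113.10", "10.0.0.5"),
        "intranet.example", List.of("10.0.0.5"));

    static List<String> resolve(String host) {
        return DNS.getOrDefault(host, List.of());
    }

    // Name-based check: the target counts as "the same computer" if its name
    // shares any address with the origin name. Returns the addresses allowed.
    static List<String> allowedByName(String originHost, String targetHost) {
        List<String> allowed = new ArrayList<>();
        for (String addr : resolve(targetHost)) {
            if (resolve(originHost).contains(addr)) allowed.add(addr);
        }
        return allowed;
    }

    // Address-pinned check: only the address the applet's bytes actually
    // arrived from is acceptable, whatever the names resolve to later.
    static List<String> allowedByPinnedAddress(String loadedFromIp, String targetHost) {
        return resolve(targetHost).contains(loadedFromIp)
            ? List.of(loadedFromIp) : List.of();
    }

    public static void main(String[] args) {
        String loadedFromIp = "203.0.113.10"; // peer address of the download
        for (String target : List.of("applets.example", "intranet.example")) {
            System.out.println(target
                + "  by name: " + allowedByName("applets.example", target)
                + "  pinned: " + allowedByPinnedAddress(loadedFromIp, target));
        }
    }
}
```

The name-based check trusts the record set published for the origin name, so an internal address listed there is accepted; the pinned check never accepts anything but the download's own peer address.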

Java Security Feature


JavaScript Security

Example of Denial of Service Attack