Lesson 17-Web Components presentation

About This Presentation

Transcript and Presenter's Notes

Title: Lesson 17-Web Components

1
Lesson 17-Web Components
2
Background

The World Wide Web was invented in 1990 by Tim
Berners-Lee to give physicists a convenient
method of exchanging information.
What began as a physics tool in the European
Laboratory for Particle Physics (CERN) has grown
into a complex system.

3
Background

It is now a complex system used by millions for
tasks ranging from e-commerce to e-mail,
chatting, games, and even the original intended
usefile and information sharing.

4
Background

Before the World Wide Web, the following methods
were used to perform these tasks
File Transfer Protocol (FTP) to move files.
Telnet to access other machines.

5
Background

A common architecture was developed by
Berners-Lee.
First, a common addressing scheme built around a
Uniform Resource Locator (URL).
Then, linking documents with URLs through the
Hypertext Markup Language (HTML).

6
Objectives

Upon completion of this chapter, the students
will be able to
Describe the protocols such as SSL/TLS protocol
suite, LDAP, and FTP used with Web components.
Describe Web applications, such as Web Services
and plug-ins, and explain their associated
security issues.
Describe and explain secure file transfer options.

7
Objectives

Upon completion of this chapter, the students
will be able to
Explain how directory services can be used to aid
in data retrieval.
Describe how scripting and other Internet
functions can cause security concerns.
Describe how using cookies maintains parameters
between Web pages.

8
Current Web Components and Concerns

The World Wide Web is useful due to
Browsers
Web components

9
Current Web Components and Concerns

There are three main security tasks
Securing a server to deliver content to users
over the Web.
Securing the transfer of information between
users and servers over the Web.
Securing the user's computer from attack through
a Web connection.

10
Protocols

Encryption
SSL and TLS
The Web
HTTP and HTTPS
Web Services
Directory Services (DAP and LDAP)
File Transfer
FTP and SFTP

11
Protocols

Protocols are agreed-upon rules that allow
vendors to produce hardware and software that
interoperate with hardware and software developed
by other vendors.
The specific instantiation of protocols is done
through hardware and software components.

12
Encryption (SSL and TLS)

Secure Socket Layer
SSL is almost ubiquitous in e-commerce.
All browsers and Web servers support SSL.
Virtually, all sensitive financial traffic uses
SSL to protect information between Web servers
and browsers.

13
Encryption (SSL and TLS)

The Internet Engineering Task Force (IETF)
embraced SSL in 1996 through a series of RFCs and
named the group Transport Layer Security (TLS).
SSL 3.0
RFC 2246
TLS Protocol Version 1.0
RFC 2712
Added Kerberos authentication
RFCs 2817 and 2818
Extended TLS to HTTP version 1.1 (HTTP/1.1)

14
Encryption (SSL and TLS)

Although SSL has been through several versions,
TLS begins with an equivalency to SSL 3.0.
SSL and TLS are essentially the same protocol,
but not interchangeable.

15
Encryption (SSL and TLS)

SSL/TLS is a series of functions within the OSI
model.
They reside between the application layer and the
TCP/IP implementation in the transport and
network layers.

16
Encryption (SSL and TLS)

TCP and SSL/TLS
TCP sends an unauthenticated error-free stream of
information between two computers.
SSL/TLS adds message integrity and authentication
functions to TCP through cryptographic methods.

17
Encryption (SSL and TLS)

Session description
When two programs initiate an SSL/TLS connection,
they compare available protocols and agree on an
appropriate common cryptographic protocol.
SSL/TLS can use separate algorithms and methods
for
Encryption
Authentication
Data integrity
Each of these is negotiated and determined before
the session starts.

18
SSL/TSL Encryption Options

This shows the types of cryptographic protocols
available in Netscape Communicator.

Cryptographic protocol options in Netscape
Communicator
19
How SSL/TLS Works

SSL/TLS uses cryptographic protocols. Effective
use of these protocols requires that systems must
agree upon a protocol. The SSL handshake process
is used to accomplish this task.
The client requests for a secure connection and
the server responds.
Both systems agree on a commonly held protocol
(SSL v1, v2, v3, or TLS v1).
Commonly available cryptographic algorithms
include Diffie-Hellman and RSA.

20
How SSL/TLS Works

The handshake begins with the exchange to agree
on parameters.
The systems exchange certificates and keys to
enable authentication.
Certificate exchange is done via X.509
certificates.
Public key cryptography is used to establish
authentication.

21
How SSL/TLS Works

The session continues
Once authentication is established, the channel
is secured with symmetric key cryptographic
methods and hashes, typically RC4 or 3DES for
symmetric key and MD5 or SHA-1 for hash
functions.
The authenticity of the server and possibly the
client has been established.
The channel is protected by encryption against
eavesdropping.

22
How SSL/TLS Works

Session certificates
The use of certificates is a way to have a third
party act as a notary in the electronic world.
A certificate is merely a standard set of
formatted data that represents the authenticity
of the public key associated with the signer.
A certificate can be trusted as a notary to a
signature.
Certificates provide a method of proving who
someone is, provided you trust the issuer.

23
SSL/TSL Certificates
SSl and TLS options in Netscape Communicator
24
SSL/TSL Certificates
Certificate options in Microsoft Internet Explorer
25
SSL/TSL Certificates

These are the certificate management options.

Certificate management options dialog in
Microsoft Internet Explorer
26
How SSL/TLS Works

SSL/TLS is designed to provide protection from
man-in-the-middle attacks.
By authenticating the server end of the
connection, SSL/TLS prevents the hijacking of a
session.
By encrypting all of the conversations between
the client and the server, SSL/TLS prevents
eavesdropping.

27
The Web (HTTP and HTTPS)

The Hypertext Transfer Protocol (HTTP) is the
protocol for the transfer of hypertext-linked
data over the Internet.
A URL such as http//www.example.com is decoded
by the browser.
The http// portion indicates that the desired
method of data transfer is via the Hypertext
Transfer Protocol.

28
The Web (HTTP and HTTPS)

SSL/TLS hides cryptographic complexity from end
users.
This can be done by requesting a secure
connection from a Web server, instead of a
non-secure connection.
With HTTP connections, use https// in place of
http//.
The entry of an SSL/TLS-based protocol will cause
an aware browser to negotiate with the server to
establish the required level of security.

29
How Do You Know You Are Secure?
HTTPS connection in Microsoft Internet Explorer
30
The Web (HTTP and HTTPS)

Enabling cryptographic methods transparently
helps end users to use these protocols easily.
SSL/TLS is agnostic.
Designed to run on top of TCP/IP, it can operate
over lower-level protocols such as X.25.
SSL/TLS requires a reliable lower-level protocol.
It cannot properly function over a non-reliable
protocol such as the IP User Datagram Protocol
(UDP).

31
Web Services

Web Services is an industry term with various
marketing definitions.
It depends upon who is trying to market what and
to whom.
Although the term has been misused often, its
underlying core is an application program
accessible using open protocols.

32
Web Services

Web Services are defined through industry
standardization.
There are a series of specifications including
XML Schema and Web Services Description Language
(WSDL).
A Web Service may be as simple as a procedure
invoked on a remote computer via common data
formats and protocols.

33
Web Services

Web Services can be invoked with a Simple Object
Access Protocol (SOAP) request over an HTTP
connection.
This uses open standards such as XML, HTTP and
Universal Description, and Discovery and
Integration (UDDI).
A Web Service is an application accessed via a
set of remote procedure calls implemented over
HTTP.

34
Web Services

The deployment of Web Services is in its infancy.
The effectiveness of the security mechanisms
being built into the standards is unknown.
Several areas that Web Services are vulnerable
HTTP/Web server vulnerabilities
SOAP Structure vulnerabilities
WSDL vulnerabilities
Application layer vulnerabilities

35
Web Services

Web Services communicate over HTTP through Web
servers.
Any vulnerability of the Web server can manifest
itself as a vulnerability of the Web Service.

36
Web Services

A risk is associated with the actual Web Service
code itself.
As Web Services are designed to increase
distributed code and usage, control over users of
Web Services lessens.
It is not safe to assume every usage will be with
properly conformed messages for a particular Web
Service.
The Web Services application programmer must
develop secure code.

37
SOAP

Simple Object Access Protocol (SOAP) is a method
of invoking remote procedures over the Internet.

38
SOAP

SOAP is a framework for generalized XML messaging
between applications.

39
SOAP

Soap is language-neutral and platform-independent.
The SOAP framework does no routing or security
since these are managed in the extensible nature
of the basic framework.
Layered extensions allow adding these services in
a cohesive and controlled fashion.

40
XML

Extensible Markup Language (XML) formats messages
used by SOAP to access and return data from Web
Services.

41
XML

XML Schemas define communication interfaces and
carry information between Web Services.
They invoke elements that allow a standard method
that is independent of any firm or platform.
It is extensible.
It is language-neutral.

42
Directory Services (DAP and LDAP)

A directory is a data storage mechanism like a
database.
The directory is designed and optimized for
reading data, yielding very fast search and
retrieval operations.
The types of information stored in a directory
tend to be descriptive attribute data.
A directory offers a static view of data that can
be changed without a complex update transaction.
The data is hierarchically described in a
tree-like structure.
A network interface for reading is typical.

43
Directory Services (DAP and LDAP)

The X.500 standard was created as a standard for
directory services. It enables interoperability.
An X.500 directory is accessed through the
Directory Access Protocol (DAP).
It is difficult to implement completely on PCs
and other constrained platforms.
This led to the Lightweight Directory Access
Protocol (LDAP), which contains the most commonly
used functionality.
LDAP can interface with X.500 services.
LDAP can be used over TCP with fewer computing
resources than full X.500 implementation.

44
SSL/TLS LDAP

LDAP is the Internet standard for directory
services.
LDAP over TCP is a plaintext protocol.
This means data is over the network, which makes
it susceptible to eavesdropping.
To avoid this, data must be encrypted.
The application of SSL/TLS service protects
directory transactions from eavesdroppers.

45
SSL/TLS LDAP

SSL/TLS provides several functions to LDAP
services.
SSL/TLS establishes the identity of a data source
through certificates.
SSL/TLS provides integrity and confidentiality of
the data presented from an LDAP source.
LDAP and SSL/TLS are separate independent
protocols.
Interoperability requires correct setup.
Establish an SSL/TLS connection.
Open an LDAP connection over the protected
channel.
Both the client and the server should be enabled
for SSL/TLS.

46
SSL/TLS LDAP

An LDAP server set up to function over an SSL/TLS
connection operates as it always has.
The LDAP server responds to specific queries with
the data returned from a node in the search.
The SSL/TLS functionality operates to secure the
channel of communication and is transparent to
the data flow from the user's perspective.
SSL/TLS prevents observation of the data request
and response, ensuring confidentiality.

47
FTP

FTP is an application-level protocol.
It allows operation over a wide range of
lower-level protocols.
FTP is embedded in most operating systems. It
provides a method of transferring files between
systems.

48
FTP

FTP implementations operate both ways sending
and receiving. They enable remote file operations
over a TCP/IP connection.
FTP clients are used to initiate transactions.
FTP servers respond to transaction requests.
The request can be either to upload (send data
from a client to a server) or download (send data
from a server to a client).

49
FTP

When a user enters ftp//url in a browser address
field, it indicates that the user wishes to see
the data associated with the URL via an FTP
sessionthe browser handles the details.
File transfers via FTP can be either in binary or
text mode.
In either case, transfers are plaintext across
the network.

50
Blind FTP (Anonymous FTP)

An account must be used to allow the operating
system-level authorization function to work.
With an FTP server, you may not able to control
who gets the information.
A standard account called anonymous exists.
It allows unlimited public access to the files.
It is used to have unlimited distribution.
On a server, access permissions can be
established to allow only downloading or only
uploading or both.

51
Blind FTP (Anonymous FTP)

An FTP can be used to allow access to upload
files to a server.
It is a security risk usually implemented on
specialized servers isolated from other critical
functions.
FTP should not be permitted on workstations.
They should be disabled on servers.

52
SFTP

FTP operates in plaintext mode.
An eavesdropper can observe the data being
passed.
If confidential transfer is required, Secure FTP
(SFTP) should be used.
SFTP utilizes both Secure Shell (SSH) protocol
and FTP to accomplish this task.

53
SFTP

SFTP is an application program that encodes both
the commands and the data passed.

54
SFTP

SFTP must be on both the client and the server.
SFTP is not interoperable with standard FTP.
The encrypted commands cannot be read by an FTP
server program.
To establish SFTP data transfers, the server must
be enabled with the SFTP program.
Clients access the server provided they have the
correct credentials.

55
SFTP

SFTP operates in a similar way as FTP
An identification function uses a username.
An authorization function uses a password.
There is no anonymous SFTP account by definition.
Access is established and controlled from the
server using standard access control lists, IDs,
and passwords.

c
56
Vulnerabilities

Protocols such as SSL/TLS provide methods for end
users to use cryptography without understanding
the method.
This yields complacencythe impression that once
SSL/TLS is enabled, the user is safe, which is
not necessarily the case.
If a Trojan program records keystrokes and sends
the information to an unauthorized user, SSL/TLS
cannot prevent this security breach.
If the user connects to an untrustworthy site, a
secure connection does not prevent the other site
from running a scam.
Using SSL/TLS and other encryption methods does
not guard against credit card information being
lost by the receiving company.

57
Vulnerabilities

What and where data is protected requires
understanding of what these protocols can and
cannot do.
The SSL/TLS suite can protect data in transit,
not in storage.
It can authenticate users and servers.
Certificate mechanisms are established and used
by both parties.
SSL/TLS provides a secure method of
authentication, followed by confidentiality in
data transfers and data integrity checking.
All of this occurs during transit, the protection
ends once the data is stored.

58
Vulnerabilities

Vulnerabilities
Buffer Overflows
Java and JavaScript
ActiveX
CGI
Server-Side Scripts
Cookies
Signed Applets
Browser Plug-Ins

59
Code-Based Vulnerabilities

Browsers perform many types of data transfer.
Helper programs or plug-ins increase usability
for some data transfers.
Separate application programs may be called by a
browser to handle the data being transferred.

60
Code-Based Vulnerabilities

Applications or plug-ins may include malicious
codes that perform actions not desired by users.

61
Buffer Overflows

The most common exploit to hack into software is
the buffer overflow.
It is the result of poor programming practices.
When any program places data into a buffer and
does not validate the input for correct length,
the potential for a buffer overflow exists.

62
Buffer Overflows

The concept is simple.
A hacker writes an executable that performs an
action on the target machine and appends his code
fragment to a legitimate response to a program on
the target machine.
When the target machine reads through the
too-long response, a buffer overflow condition
causes the original program to fail.
The extra malicious code fragment is now in the
machine's memory, awaiting execution.
If the hacker executed it correctly, the program
will skip into the hacker's code, running it
before failing.

63
Buffer Overflows

Buffer overflows are exploitable in a wide range
of programs.
Fifty percent of the security incidents are from
buffer overflow exploits.
Users have to keep their machines up-to-date with
patches from manufacturers.

64
Java and JavaScript

Java is based on the C language.
It was designed to be platform-independent.
It offers a low learning curve and a
platform-independent way of implementing programs
across an enterprise.

65
Java and JavaScript

Java and JavaScript operate through an
interpreter called a Java Virtual Machine (JVM)
on each platform that interprets the Java code.

66
Java and JavaScript

The JVM enables the program functionality for the
specific platform.
Reliance on an interpretive step leads to
performance issues.
Java is plagued by poor performance when compared
to most other languages.
Security was one of the advantages of Java.

67
Java and JavaScript

Java was designed to be used in trusted
environments.
When it moved to the Internet for general use,
safety became an advertised benefit.

68
Java and JavaScript

Safety is not security and a Java program can
still cause significant damage to a system.
The ability to read data from a hard drive and
display it on the screen is essential for many
programs.
When the program is downloaded and run from the
Internet, without the knowledge of the user, data
may be sent across the Internet to an
unauthorized user. This enables the program to
spy on the user.
Writing data to the hard drive may cause
deletions if the program does not write the data
where the user expects it to.

69
Java and JavaScript

JavaScript is a form of Java designed to be
operated within a browser instance.
JavaScript enables features such as validation of
forms before they are submitted.
JavaScript runs within the browser the code is
executed by the browser itself.

70
Java and JavaScript

JavaScript was designed not to access files or
network resources directly, except through the
browser functions.
Enterprising programmers found many other uses
for JavaScript, such as manipulating the browser
history files, now prohibited by design.

71
Java and JavaScript Security

Each browser manufacturer has implemented
configuration settings differently.

The Certificate management options dialog box in
Netscape Communicator
72
Java and JavaScript

Java Script has not proven to be as secure as
desired.
This traces back to a similar fault in the Java
language.
Security was added later without a comprehensive
security model.
Most browsers do not have a mechanism to halt a
running script short of aborting the browser
instance.
This may not be possible if the browser has
stopped responding to commands.

73
Java and JavaScript Security
Java configuration options in Microsoft Internet
Explorer
JavaScript
74
Java and JavaScript

The number of ways JavaScript can interact with a
system is high.
With so many opportunities for malicious code,
the best advice is not to run JavaScripts or Java
applets unless the source is trusted.

75
ActiveX

ActiveX is a collection of APIs, protocols, and
programs developed by Microsoft to download and
execute code over an Internet-based channel.
The code is bundled together into an ActiveX
control with an .ocx extension.
These controls are referenced in HTML using the
ltobjectgt tag.

76
ActiveX

Microsoft developed Authenticode that uses
digital signatures.
At the right are examples of Authenticode options.

Some of the ActiveX control options in Microsoft
Internet Explorer
77
ActiveX

Windows users may determine who produced a
specific piece of code and whether or not the
code has been altered.
Safety and security are different things.
Authenticode promotes neither in reality.
Authenticode provides limited accountability at
the time of download and guarantees that the code
has not been changed since the time of signing.
Authenticode does not identify whether a piece of
code will damage a system, nor does it regulate
how the code is used.

78
CGI

The Common Gateway Interface (CGI) was a method
of having a Web server execute a program outside
the Web server process, but yet on the same
server.
It passes information via environment variables
to an independent program.
It executes the program.
It returns the results to the Web server.

79
CGI

CGI offers many advantages to Web-based programs.
The programs can be written in a number of
languages, although Perl is preferred.
These scripted programs embrace the full
functionality of a server, allowing access to
databases, UNIX commands, and other programs.
If properly coded, CGI offers no more and no less
risk than any other solution.

80
Server-Side Scripts

CGI has been replaced with newer server-side
scripting technologies such as Java, Active
Server Pages (ASP), and PHP.
They are similar to CGI they allow programs to
be run outside the Web server and return data to
the Web server for end users via a Web page.
Each of these technologies has advantages and
disadvantages. All have stronger security models
than CGI.

81
Cookies

Cookies are blocks of ASCII text passed within an
HTML stream to store data temporarily in a Web
browser instance.

82
Cookies

Cookies pass back and forth between the Web
server and the browser and act as a mechanism to
maintain state in a stateless world.
State is a term that describes the dependence on
previous actions.

83
Cookies

An HTTP session served by a Web server is
stateless.
Each request is independent of all previous
requests.
The server has no memory of previous requests.
Cookies were developed to bridge this gap.

84
Cookies

Cookies are passed along with HTML data through a
Set-Cookie message in the header portion of an
HTML transaction, or via a script in the HTML
body.

85
Cookies

A cookie is a series of name-value pairs that is
stored in the memory during a browser instance.
The specification for cookies establishes several
specific name-value pairs for defined purposes.
Additional name-value pairs may be defined at
will by a developer.

86
Cookies Name-Value Pairs

Set of name-value pairs includes
Expires specifies when the cookie expires.
If no value exists, the cookie is only good
during the current browser session and will not
remain on the hard drive.
If a value is given, the cookie will be written
to the user's machine and remain until it
expires.
Domain specifies the domain where the cookie is
used.
Cookies are memory-resident objects.
Since the user or data can cause a browser to
move between domains (for example, from
comedy.net to jokes.org) some mechanism needs to
tell the browser which cookies belong to which
domain.

87
Cookies Name-Value Pairs

Set of name-value pairs includes (continued)
Path resolves the applicability of the cookie
into a specific path within a domain.
If path /directory, the cookie will only be sent
for requests within the /directory on the given
domain allowing a level of granular control over
the information being passed between the browser
and the server and limiting unnecessary data
exchanges.
Secure The keyword secure in a cookie
indicates that it is to be used only in an
SSL/TLS session.
This does not indicate any other form of
security.
Cookies are stored in plaintext on the client
machine.

88
Cookies

Cookie management is an invisible process.
Internet Explorer and Netscape Communicator have
methods for users to examine and manipulate
cookies on the client side.

89
Cookies

Netscape Communicator stores the cookies in a
long text file.
Note the file location in the browser address
line.

90
Cookies

Cookie Management in Microsoft Explorer.
Note the separate files.

Netscape Communicator cookie file
91
Cookies

If users disable cookies in a browser, this
information will not be available for the Web
server to use.

Cookie management in Microsoft Internet Explorer
92
Disabling Cookies

IETF RFC 2109 describes the HTTP state-management
system (cookies) and the several cookie functions
to be enabled in browsers, specifically
The ability to turn cookie usage on and off.
An indicator as to whether cookies are in use.
A means of specifying cookie domain values and
lifetimes.

93
Cookie Management

This is the Netscape browser tool to manage
cookies.

Netscape Communicator cookie Management via
browser
94
Disabling Cookies

To surf cookie-free requires more than a simple
step.
Instructing a browser to stop accepting cookies
is a setup option available through an options
menu.
It has no effect on cookies already received and
stored on the system.
To prevent the browser from responding to cookies
already received, the user must delete the
cookies from the system.

95
Deleting Cookies

This is the tool to delete cookies in Internet
Explorer.

The Microsoft Internet Explorer delete cookies
option
96
Signed Applets

Code signing brings the security of
shrink-wrapped software to software downloaded
from the Internet.

97
Signed Applets

Code signing adds a digital signature and
certificate to a program file to demonstrate file
integrity and authenticity.
The certificate identifies the author.
The digital signature contains a hash value that
covers code, certificate, and signature to prove
integrity.
This establishes the integrity of the code and
publisher via a standard browser certificate
check.

98
Signed Applets

Use of a certificate to sign an applet or a
control allows the identity of the author to be
established.
The signing of code identifies the code's
manufacturer and guarantees that the code has not
been modified since it was signed.

99
Signed Applets

A signed applet can be hijacked as easily as a
graphic or any other file.
An attacker can hijack a signed control by
in-line access or copying the file in its
entirety and republishing it.
In-lining is using an embedded control from
another site with or without the other site's
permission.
Republishing a signed control is done much like
stealing a GIF or JPEG image.
A copy of the file is maintained on the
unauthorized site and served from there instead
of from the original location.

100
Signed Applets

The security concern of signed controls comes
from how the control is used.
A hacker may be able to use a control in an
unintended fashion.
Creating a file loss or buffer overflow.
Conditions that weaken a system and may allow
exploitation of other vulnerabilities.
The control will still function as designed, but
the issue becomes who it is used by and how.
These are concerns not addressed simply by
signing a control or an applet.

101
Browser Plug-Ins

Plug-ins are small application programs that
increase a browser's ability to handle new data
types and add new functionality.

102
Browser Plug-Ins

To date, plug-ins have had a good safety record.
Although a plug-in changes a browser, and how it
manipulates data, security holes have not been
the norm in this area.

103
Browser Plug-Ins

Not all plug-ins are safe.
There are many plug-ins, most from small
single-programmer shops, designed for specific
purposes that may or may not be needed by most
users.
Your trust in plug-ins should be based on knowing
whom you are trusting.

Write a Comment

User Comments (0)

About PowerShow.com

Lesson 17-Web Components PowerPoint PPT Presentation