book

Web Security and Commerce

by Simson Garfinkel, Gene Spafford

June 1997

Intermediate to advanced

506 pages

14h 29m

English

O'Reilly Media, Inc.

Read now

Unlock full access

The Web: Promises and Threats
Chapter-by-ChapterWhat You Should KnowWeb Software Covered by This BookWhy Another Book on Computer Security?
Web Security in a NutshellWhy Worry about Web Security?TerminologyWhat’s a “Secure Web Server” Anyway?
Securing the Web ServerSecuring Information in TransitSecuring the User’s Computer
A Typical TransactionNew Lessons from the Credit Card Example

Locating Your Web Server with Respect to Your Firewall
Browser HistoryThe Return of Block Mode<blink>AnimationHelper ApplicationsProgrammability
Social EngineeringBug ExploitationsWeb-Based Programming Languages
JavaJava the LanguageJava SafetyJava SecuritySafety is not securitySandboxSecurityManager classClass LoaderBytecode VerifierJava Security PolicySetting Java policy from Netscape Navigator 2.3Setting Java policy from Internet Explorer 3.0Setting Java policy from Netscape Navigator 4.0Setting Java policy from Internet Explorer 4.0Java Security ProblemsJava implementation errorsJava design flawsThe Java DNS policy disputeJava Security Future
JavaScript SecurityJavaScript and Resource ManagementJavaScript and Privacy
Do Denial-of-Service Attacks Matter?Kinds of Denial-of-Service AttacksCPU and stack attacksCan’t break a running scriptSwap space attacksWindow system attacksCan Denial-of-Service Attacks Be Stopped?
Spoofing Username/Password Pop-Ups with JavaSpoofing Browser Status with JavaScriptMirror Worlds
When Good Browsers Go BadCard SharkThe Sexy Girls Pornography Viewer
Getting the Plug-InEvaluating Plug-In SecurityWhen Security Fails: Macromedia ShockwaveTactical Plug-In Attacks
Kinds of ActiveX ControlsThe <OBJECT> TagAuthenticodeInternet Exploder
Programs That Can Spend Your MoneyTelephone billing recordsElectronic funds transfersPrograms That Violate Privacy and Steal Confidential InformationA wealth of private data
Signed Code is Not Safe CodeSigned Code Can Be HijackedReconstructing After an AttackRecovering from an Attack
Trusted VendorsSeparate Execution Contexts
Log FilesThe Refer LinkLooking at the Logs
Anatomy of a CookieCookies for TrackingDisabling CookiesCookies That Protect Privacy
Violating Trade SecretsRevealing Disparaging Remarks
IdentificationThe Need for Identification TodayCredentials-Based Identification SystemsForgery-proof IDsUsing a document-based ID systemComputerized Identification TechniquesPassword-based systems: something that you knowPhysical tokens: something that you haveBiometrics: something that you areLocation: someplace where you areUsing Digital Signatures for IdentificationPhysical devices for digital signaturesVeritas: digital signatures for physical credentials
Certification AuthoritiesRevocationCertification practices statement (CPS)The X.509 v3 Certificate
Private Keys Are Not PeopleDistinguished Names Are Not PeopleThere Are Too Many Robert SmithsToday’s Digital Certificates Don’t Tell EnoughX.509 v3 Does Not Allow Selective DisclosureDigital Certificates Allow For Easy Data AggregationHow Many CAs Does Society Need?How Do You Loan a Key?Are There Better Suited Alternatives to Public Key Digital Signatures?Why Do These Questions Matter?
Is legislation necessary at all?Where should PKI legislation occur?Is licensing of certification authorities the right approach?Should legislation endorse public key cryptography, or be “technology neutral”?Should legislation endorse the X.509 paradigm?How should liability and risk be allocated in a PKI?What mechanisms should be used to allocate risk?Should digitally signed documents be considered “writings” for all legal purposes?How much evidentiary weight should a digitally signed document carry?Should governments act as CAs?
Certificates TodayDifferent Kinds of Certificates
Bootstrapping the PKI
The SSL Certificate FormatObtaining a Certificate for Your ServerCertificate renewalViewing a Site’s CertificateWhen Things Go WrongNot yet valid and expired certificatesWrong server addressNetscape Navigator 3.0’s New Certificate WizardAdding a New Site Certificate with Internet Explorer
Client CertificatesSupport for Client-Side Digital Certificates
Generating a VeriSign Digital IDInstalling Your Digital CertificateBehind the ScenesBehind the scenes with Netscape NavigatorBehind the scenes with Internet ExplorerFinding a Digital IDRevoking a Digital IDVeriSign’s Class System
Why Code Signing?Code Signing in TheoryCode Signing TodayCode Signing and U.S. Export Controls
The “Pledge”Publishing with AuthenticodeSigning a programThe Code Signing WizardVerifying Authenticode SignaturesSupport for Authenticode in Internet ExplorerControlling Authenticode in Internet Explorer
Understanding CryptographyRoots of CryptographyTerminologyA Cryptographic ExampleIs Cryptography a Military or Civilian Technology?Cryptographic Algorithms and Functions
Cryptographic StrengthAttacks on Symmetric Encryption AlgorithmsKey search (brute force) attacksCryptanalysisSystems-based attacks
Attacks on Public Key AlgorithmsFactoring attacksAlgorithmic attacksKnown versus published methods
Message Digest Algorithms at WorkUses of Message Digest FunctionsAttacks on Message Digest Functions
Cryptography and Web SecurityWhat Cryptography Can’t Do
PGPS/MIMESSLPCTS-HTTPSETCyberCashDNSSECIPsec and IPv6KerberosSSH
Cryptography and the U.S. Patent SystemThe public key patentsHistory of the public key patentsThe public key patents todayPublic key patents overseasCryptography and the U.S. Trade Secret LawTrade secrets under U.S. LawRC2, RC4, and trade secret lawCryptography and U.S. Export Control Law
What Is SSL?SSL VersionsFeaturesDigital CertificatesU.S. ExportabilitySSL ImplementationsSSL NetscapeSSLRefSSLeaySSL JavaPerformance
Browser PreferencesNavigator preferencesInternet Explorer preferencesBrowser Alerts and Indicators
Historically Unsecure Hosts
PoliciesPassword SniffingProtection against sniffingUse a token-based authentication system.Use a non-reusable password system.Use a system that relies on encryption.Security ToolsSnapshot toolsChange-detecting toolsNetwork scanning programsIntrusion detection programsFaults, Bugs, and Programming ErrorsInitial purchaseBugs and flawsLoggingBackups
Access Control StrategiesHidden URLsHost-Based RestrictionsFirewallsIdentity-Based Access Controls
Commands Before the <Limit>. . . </Limit> DirectiveCommands Within the <Limit>. . . </Limit> Block<Limit> ExamplesManually Setting Up Web Users and Passwords
The newuser Script
The Danger of ExtensibilityPrograms That Should Not Be CGIsCGIs with Unintended Side EffectsThe problem with the scriptFixing the problem
Rules for PerlRules for CRules for the UNIX Shell
Charga-Plates, Diners Club, and Credit CardsA Very Short History of CreditPayment Cards in the United StatesThe Interbank Payment Card TransactionThe charge card check digit algorithmThe charge slipCharge card feesRefunds and Charge-BacksUsing Credit Cards on the Internet
DigiCashEnrollmentPurchasingSecurity and privacyVirtual PINEnrollmentPurchasingSecurity and privacyCyberCash/CyberCoinEnrollmentPurchasingSecurity and privacySETTwo channels: one for the merchant, one for the bankSmart CardsMondex
Blocking SoftwareProblems with Blocking Software
What Is PICS?PICS ApplicationsPICS and CensorshipAccess controls become tools for censorshipCensoring the network
Intellectual PropertyCopyright LawCopyright infringementSoftware piracy and the SPAWarezPatent LawCryptography and the U.S. Patent SystemTrademark LawObtaining a trademarkTrademark violationsTrademarks and domain names
Libel and DefamationLiability for DamageIncorporation
Your Legal Options After a Break-InFiling a Criminal ComplaintLocal jurisdictionFederal jurisdictionFederal Computer Crime LawsHazards of Criminal Prosecution
If You or One of Your Employees Is a Target of an Investigation . . .The Responsibility To Report Crime
Access Devices and Copyrighted SoftwarePornography, Indecency, and ObscenityCryptographic Programs and Export Controls
Planning and PreparationLesson: Whenever you are pulling wires, pull more than you need.Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars. It makes it much easier to expand or rewire in the future.Lesson: Use centrally located punch-down blocks or 10Base-T wiring blocks for both your computer networks and your telephone networks.Lesson: Don’t go overboard.Lesson: Plan your computer room carefully: you will have to live with its location for a long time.
Lesson: Set milestones and stick to them.Lesson: Get your facilities in order.
Working with the Phone CompanyLesson: Design your systems so that they will fail gracefully.Lesson: Know your phone company. Know its terminology, the right contact people, the phone numbers for internal organizations, and everything else you can find out.Incorporating Vineyard.NETInitial ExpansionLesson: Build sensible business partnerships.Accounting SoftwareLesson: Use your web server for as much as you can.Lesson: Have programs be table-driven as often as possible.Lesson: Tailor your products for your customers.Lesson: Build systems that are extensible, and always practice good software engineering.Lesson: Automate everything you possibly can.Publicity and PrivacyLesson: Always be friendly to the press.Lesson: Never give out your home phone number (and please don’t give out mine!).Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
Security ConcernsLesson: Don’t run programs with a history of security problems (e.g., sendmail).Lesson: Make frequent backups.Lesson: Limit logins to your servers.Lesson: Beware of TCP/IP spoofing.Lesson: Defeat packet sniffing.Lesson: Restrict logins.Lesson: Tighten up your system beyond manufacturer recommendations.Lesson: Eschew free software.Phone Configuration and Billing ProblemsCredit Cards and ACHLesson: If you have the time to write it, custom software always works better than what you can get off the shelf.Lesson: Live credit card numbers are dangerous.Lesson: Encrypt sensitive information and be careful with your decryption keys.Lesson: Log everything, and have lots of reports.Lesson: Explore a variety of payment systems.Lesson: Make it easy for your customers to save you money.Monitoring SoftwareLesson: Monitor your system.
Downloading and Installing Your Web Server
Obtaining Apache-SSLInstalling Apache-SSLInstalling Your VeriSign CertificateServer Key: To Encrypt or Not To Encrypt?Starting, Reloading, and Stopping Apache-SSL
History
Alert ProtocolChangeCipherSpec ProtocolHandshake Protocol
Sequence of Events1. ClientHello2. ServerHello3. Server Certificate4. Server Key Exchange5. Certificate Request6. Client Sends Certificate7. ClientKeyExchange8. CertificateVerify9. ChangeCipherSpec10. FinishedApplication Data
SSLeay ExamplesSSLeay ClientSSLeay ServerSSLeay CARunning the serverRunning the clientSSLeay ca.conf file
Rating Services
Labeled DocumentsRequesting PICS Labels by HTTPRequesting a Label From a Rating Service
Electronic ReferencesMailing ListsAcademic-FirewallsBest of securityBugtraqCERT-advisoryCIAC-notesComputer underground digestFirewallsFWALL-userNT-securityRISKSWWW-securityUsenet GroupsWWW PagesApplied CryptographyApache change-passwordCIACCOASTDigiCrimeFIRSTNIHPrinceton SIPRSA Data SecuritySSLeay and SSLapps FAQTelstraWWW securitySoftware ResourcesCERN HTTP daemonchrootuidCOPS (Computer Oracle and Password System)ISS (Internet Security Scanner)KerberosportmapSATANSSHSOCKSStelSwatchtcpwrapperTigerTIS Internet Firewall ToolkittrimlogTripwireUDP Packet Relayerwuarchive ftpd
Computer Crime and LawComputer-Related RisksComputer Viruses and Programmed ThreatsCryptographyGeneral Computer SecurityNetwork Technology and SecuritySecurity Products and Services InformationProgramming and System AdministrationMiscellaneous References

Content preview from Web Security and Commerce

Credit Cards, Encryption, and the Web

Protecting credit card numbers used in online transactions is the most often-cited example of the need for web security. So let’s look at the typical credit card transactions, observe what the risks are, and see how web security makes a difference.

A Typical Transaction

Consider a typical transaction on the Web: buying a CD from an online music store with your credit card (Figure 1.1).

Figure 1-1. Buying a CD with your credit card over the Internet

In this example, a teenager—call her Sonia—sits down at her dad’s computer, finds a music store on the World Wide Web, and browses the company’s catalog. Sonia finds a rare compact disc that she has been looking for desperately—say, a collection of Led Zeppelin songs as performed by Tiny Tim. She creates an order with the store’s electronic shopping cart, types in her name and shipping address, types in her dad’s credit card number, and clicks an onscreen button in her web browser display labeled BUY-IT. Sonia’s CD arrives in the mail soon thereafter. A month later, her dad gets the credit card bill in the mail. He and Sonia then have a little discussion about her allowance and the fact that she isn’t doing enough chores around the house.

Both the credit card holder (Sonia’s dad) and the merchant face risks in this transaction. For the credit card holder, two risks are obvious and well-publicized: