Web Site Security
This document explains Web Site security from the perspective of controlling user access and protecting content. After reading it, you should understand what level of security you need and which Plans offer these features.
In any document related to the Web or Computing, there are likely to be terms that need to be explained. They are explained here.
A Domain Name is constructed of multiple parts, each separated by a "." (period). Using the example above and working from right to left, the right-most part ".au" is the country code. Each country has its own code, but for historical reasons the United States does not have to use its country code. The next part ".com" indicates an organisation type or user category, in this case "commercial" (some other types are ".gov" for government and ".edu" for educational organisations). Again for historical reasons, these are called Top Level Domains (TLDs). The next part of the Domain Name, "systems-go", is a name registered to a particular organisation or company, in this case to Systems-Go IT Solutions. The left-most part is the name of the computer or service, in this case "www". There can be other Subdomains between these last two parts.
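As an added illustration (not code from the original page), the following function decomposes a Domain Name into the parts described above, working from right to left. It assumes that country codes are always two letters, so a two-letter final label is treated as a country code and a longer one as a TLD with no country code (the United States case).

```python
# Added example (not from the original page): split a Domain Name into the
# parts described above, right to left.
# Assumption: country codes are two letters; a longer final label is a TLD
# with no country code (e.g. "www.example.com").
def parse_domain_name(domain: str) -> dict:
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        raise ValueError(f"not a well-formed Domain Name: {domain!r}")
    parts = {"country": None, "tld": None, "registered": None,
             "host": None, "subdomains": []}
    # Right-most label: a two-letter code is a country code (".au").
    if len(labels[-1]) == 2:
        parts["country"] = labels.pop()
    # Next label is the Top Level Domain (".com", ".gov", ".edu", ...).
    if labels:
        parts["tld"] = labels.pop()
    # Next label is the name registered to an organisation ("systems-go").
    if labels:
        parts["registered"] = labels.pop()
    # The left-most label names the computer or service ("www"); anything
    # left between it and the registered name is a Subdomain.
    if labels:
        parts["host"] = labels.pop(0)
        parts["subdomains"] = labels
    return parts
```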
This document covers limiting user access to the content or part of the content of a Web Site and the security required for Ecommerce. It does not cover the topic of guarding against hacks and attacks (relevant only to the service provider). Explanations of Encryption and Key Exchange are also beyond the scope of this document.
To assist with easy use of this document, it is arranged as a checklist of items to be completed, with each item being a link to the document section that describes that topic.
Security for Web Sites and Content can provide a number of features or attributes. These are best described, in order of increasing complexity, as:-
These features can be implemented alone or in combination depending upon the requirement.
Without, at this stage, considering what security features are used in each Web Site type, the common Web Site usage types are:-
Sometimes it is very obvious which security features are required by a particular application, and at other times it can be a personal value judgement. Security, as a general rule, is not a binary quality but rather a continuum extending from low security to high security, and ease of use varies along with it. Low security implies ease of use; the higher the security, the lower the ease of use and the greater the administration work load. More is therefore not always better, and the level of security needs to be assessed as appropriate to the risk(s) that it is guarding against.
Even very high security is not impenetrable, but it is deemed sufficient for all commercial purposes including Internet banking, which transfers large sums of money around the world over the Internet on a daily basis. The Internet by its nature is insecure without these security measures. Internet Banking uses all three of the types of security features discussed below.
As can be understood from the description of an Intranet, that is one way of restricting access to Content. This form of access control relies completely on the network design and connectivity. This method is suitable to be applied where physical access to the network can be controlled. The technique is not necessarily limited to a single building, since network technologies can be employed to extend a LAN to distant sites either through the use of private networks or through public networks such as the Internet, but without enabling public access (Virtual Private Networks).
This feature is most often used to limit access to Content that would otherwise be available to a wider user group. Two approaches can be used:-
As you can imagine, these two techniques are applicable to different circumstances. There is less control over the dissemination of a "global password", since there is the temptation for users to pass on the access information to other people, whereas users can be held individually accountable for anything done using a "personal issue password", and that discourages misuse or sharing. There are methods of Authentication other than passwords (such as tokens, one-time passwords, digital certificates and biometrics), but these are beyond the scope of this document.
Which technique to use therefore depends on how closely you want to control access and how much administration you want to take on in configuring and disseminating passwords. Remember that a user population seldom stays static, and as users leave the organisation or are no longer entitled to access, the password has to be changed or removed as applicable. An example of the use of a "global password" is to restrict access to "members only" Content, where it is not critical if the content reaches others through the "leakage" described above. For instance, an employment agency may use a "global password" to enable its current clients to use their "members only" resources, even though there is a high turnover of users in this situation. As the Content is not sensitive, the "global password" approach can be used and the password changed monthly to put a time limit on the use of the resources by people who are no longer entitled to access. The new password is then re-communicated to the then current Clients. For their employees, however, with access to more sensitive information, a "personal issue password" is more appropriate.
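The two approaches above, as an added example that is not part of the original document: a "global password" that is rotated on a schedule (the only way to withdraw access from former members) beside "personal issue passwords" that can be revoked one user at a time. Both store salted PBKDF2 hashes rather than the passwords themselves; the dates, UserIDs and passwords used are constructed.

```python
# Added example (not from the original page): "global password" versus
# "personal issue password", with salted PBKDF2 hashes so that a copy of the
# password store does not reveal the passwords themselves.
import hashlib
import hmac
import os
from datetime import date, timedelta

def _hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

class GlobalPassword:
    """One shared secret for the whole user group, changed on a schedule
    (here monthly) to cut off people who are no longer entitled to access."""
    def __init__(self, password: str, issued: date, valid_days: int = 30):
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.expires = issued + timedelta(days=valid_days)

    def check(self, password: str, today: date) -> bool:
        if today >= self.expires:
            return False  # rotation is the only revocation mechanism
        return hmac.compare_digest(_hash(password, self.salt), self.digest)

class PersonalPasswords:
    """One secret per user: each person is accountable for their own
    UserID, and access is withdrawn per user when they leave."""
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def issue(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password, salt))

    def revoke(self, user: str) -> None:
        self._users.pop(user, None)

    def check(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            # Hash anyway so an unknown UserID takes as long as a wrong password.
            _hash(password, b"\0" * 16)
            return False
        salt, digest = record
        return hmac.compare_digest(_hash(password, salt), digest)
```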
This feature provides an Encrypted connection between the user's Browser and the Web Server, thus ensuring that the information traversing the network cannot be used by anyone who may have access to monitor the network or obtain the information from systems in the middle. The technology is called SSL.
Many companies and most ISPs have a Web Proxy, which may or may not be apparent to the user. A Web Proxy stores Content that is accessed through it for the purpose of decreasing network traffic (and thus cost) and speeding up response times. A byproduct of this is that all of the content viewed through the proxy is available to be read by those with administrative access to the system for a considerable time after it has traversed the system.
A normal Web Server does not provide a secure connection, and so all information passing between the user's Browser and the Web Server is sent over the network in Plain Text. This means that anyone in the middle with a network monitor can read or capture the information as it passes them, including UserIDs and Passwords. The term used to describe an attack using information obtained in this way is a "man-in-the-middle" attack.
The actual risk of this occurring is low; however, it also has to be considered in conjunction with the value of the information to another party. It should also be realised that servers are not always where we think they are, and the traffic may traverse countries that are not friendly and/or do not subscribe to our laws. Some examples are probably the best way to illustrate the principle.
In Internet banking, your UserID and Password protect the ability to transfer money from your accounts. There are two principles here:-
The primary motivation for obtaining improper access is financial benefit. The risk of financial loss occurring if the Access Control fails is high and therefore deserves the highest security protection. This means that the Access Control information, and particularly the "shared secret" (usually a password), must be protected by Encryption.
Ordinary web site administration is generally considered to be a low risk activity. The information uploaded to the site is usually not of a nature that disclosure would be catastrophic. Access Control is important to prevent the wrong people from changing the content on the site, however there is unlikely to be a direct financial loss and the motivation for improperly gaining access is quite different. This situation therefore is suited to a less complex and expensive security treatment (usually Encryption of the connection is not used).
Most often used in E-commerce and Internet banking, this feature ensures that the user can determine the bona fides of the site to which they may be sending sensitive or valuable information. This technique is usually only used where "value" is being transacted and the highest level of trust is required. It is usually accomplished by means of a Digital Certificate that the server communicates to the user's Browser. The user can then inspect the Digital Certificate and decide whether or not to trust the site.
A Digital Certificate is encrypted and cannot be forged. It has a chain of authentication and verification that starts with an issuing authority and ends with the site in question. The Digital Certificate records both the Domain Name and the Internet Protocol Address of the Server, so that you can verify that you are communicating with the Server to whom the certificate was issued.
While it is possible for anyone to create a Digital Certificate, the trust comes about because you trust the person or organisation that has created the certificate. In the main, people only generate their own Digital Certificates for testing and internal use in an organisation. If the certificate is to be trusted in a broader public domain, then it is usually obtained from one of a few well known and trusted Certificate Issuers such as VeriSign or Thawte[1], to name two of the most trusted certificate issuing organisations.
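As an added example that is not part of the original document, the code below shows the Browser-side check that a Digital Certificate was issued for the Domain Name the user asked for (the "verify that you are communicating with the Server to whom the certificate was issued" step above). The certificate is given in the dictionary layout Python's ssl module returns from getpeercert(); the sample certificate and names are constructed, and the chain-of-trust check itself is left to the library's default context.

```python
# Added example (not from the original page): does this Digital Certificate
# name the server the user asked for? Sample certificate is constructed.
import ssl

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname. A wildcard is honoured
    only as the entire left-most label (*.example.com, never *ample.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    host_labels = hostname.split(".")
    return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]

def certificate_names(cert: dict) -> list:
    """DNS names the certificate was issued for: subjectAltName entries,
    falling back to the subject commonName when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def certificate_matches_host(cert: dict, hostname: str) -> bool:
    return any(_name_matches(n, hostname) for n in certificate_names(cert))

# Constructed sample in the layout of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("countryName", "AU"),),
                (("organizationName", "Example Org"),),
                (("commonName", "www.example.com.au"),)),
    "subjectAltName": (("DNS", "www.example.com.au"),
                       ("DNS", "*.members.example.com.au")),
}

def client_context() -> ssl.SSLContext:
    """What a real client should use: the library verifies the chain from the
    issuing authority down to the site, and the hostname, on every connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```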
FrontPage, FrontPage Extensions, MS Word, MS Excel, MS PowerPoint and MS Office are products of Microsoft Corporation. Netscape and Netscape Communicator are products of Netscape Corporation.
[1] Systems-Go's Principal is a registered Notary of Thawte's Web of Trust.
Copyright 2002, all rights reserved by Systems-Go IT Solutions Pty Ltd. ABN 12 067 925 642.