Privacy


A major threat facing all Web browser users is invasion of privacy; your privacy can be violated by malicious users snooping browser-to-Web-server communications. For example, by default the communication channel from the browser to the server is not encrypted, which might enable malevolent users to "sniff" the channel and possibly gain access to credit card information, passwords, confidential data (such as personal medical records), and the like as it travels across the Internet. The simplest way to defend against this threat is to use a secured channel using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. This must be configured at the Web server, not at the client, because it is the server's responsibility to determine whether the information being transferred to the client is to be encrypted.

NOTE
Even though a Web site might require SSL/TLS only for handling sensitive information, such as passwords or credit card numbers, you can opt to use SSL/TLS for all aspects of the Web server's operations simply by entering HTTPS rather than HTTP as the protocol. Note, however, that this will not work for Web servers that do not support SSL/TLS.

IP Data and Postcards

Think of Internet traffic, which is composed of IP packets (that is, units of information transmitted from sender to destination network and station), as postcards. Postcards travel from a source to a destination, sometimes through multiple intermediaries, and they can be read by anyone along the way.

You'll know if you're using SSL/TLS because Internet Explorer will display a bright yellow lock at the bottom of the screen. You can also check the strength of the encryption key by positioning the mouse pointer over the lock; a ToolTip will appear and display the information, as shown in Figure 4-2. Double-clicking on the lock displays the Web server's SSL/TLS certificate.

Figure 4-2. Looking at the SSL/TLS encryption strength in Internet Explorer.

SSL/TLS is explained in this chapter in "SSL/TLS and Certificates," in Chapter 5, "Internet Information Services Security Overview," and in Chapter 9, "Practical Privacy, Integrity, Auditing, and Nonrepudiation."

WARNING

You might not see the lock icon if you are invoking Internet Explorer technology from something other than the Internet Explorer process. So be careful not to transfer confidential data over the Web unless you have no doubt that the channel is secured.

In addition, you might not see the lock in Internet Explorer when HTML frames are used, because parts of the frameset might be using HTTP and other parts might be using HTTPS. In this case, the padlock is not shown even though the data is protected by SSL/TLS. However, if you right-click a frame and choose Properties from the context menu, you'll see that the page is using SSL/TLS.
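The frameset case above is worth checking rather than guessing at: a missing padlock may be only the display quirk described, or one frame may genuinely be fetched over HTTP. This added example (not the book's code) takes the top-level page URL and its HTML, resolves every frame source, and reports which frames would travel in the clear; the shop.example.test URLs and the sample frameset are constructed for illustration.

```python
# Added example (not the book's code): audit a frameset for frames that would
# load over plain HTTP. Input is the top-level page URL plus its HTML; output
# lists each <frame>/<iframe> with whether its resolved URL is HTTPS.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FrameCollector(HTMLParser):
    """Collects the src attribute of every <frame> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_frames(page_url, html):
    """Return [(resolved_frame_url, protected), ...] for every frame.

    A relative src inherits the parent's scheme, so only an absolute http://
    src can drag an HTTPS frameset into mixed content.
    """
    collector = _FrameCollector()
    collector.feed(html)
    results = []
    for src in collector.sources:
        resolved = urljoin(page_url, src)
        protected = urlsplit(resolved).scheme.lower() == "https"
        results.append((resolved, protected))
    return results


def unprotected_frames(page_url, html):
    """Just the frame URLs that would travel in the clear."""
    return [url for url, ok in audit_frames(page_url, html) if not ok]


# Constructed sample: an HTTPS frameset whose navigation frame is plain HTTP.
SAMPLE_PAGE_URL = "https://shop.example.test/account/"
SAMPLE_HTML = """<frameset cols="20%,80%">
  <frame name="nav" src="http://shop.example.test/nav.htm">
  <frame name="main" src="orders.asp">
</frameset>"""
```

Running `audit_frames(SAMPLE_PAGE_URL, SAMPLE_HTML)` flags the nav frame as unprotected while the relative orders.asp frame stays on HTTPS.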



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
