Preface


Overview

During the past decade, I have been heavily involved in security issues related to TCP/IP-based networks. [1] The results of this work are summarized in Authentication Systems for Secure Networks [1], Secure Messaging with PGP and S/MIME [2], and, most importantly, the second edition of Internet and Intranet Security [3]. The three books overview and fully discuss the technologies that are available today and that can be used in TCP/IP-based networks to provide access control and communication security services. They are mainly written for computer scientists, electrical engineers, and network practitioners with some background in computer and communication security.

Some time ago, I was asked whether one of the books could be used to educate World Wide Web (WWW) professionals (e.g., Webmasters and Web server administrators) in security matters. Unfortunately, I realized that while the books cover most technologies used to secure applications for the WWW, they are written in a language that is inappropriate for Web professionals. Note that these folks are generally familiar with network operating system issues and communication protocols, but they are neither security experts nor cryptographic specialists. They may not even be interested in architectural details and design considerations for cryptographic technologies and protocols that are widely deployed.

Having in mind the Web professional who must be educated in security matters within a relatively short period of time, I decided to write a book that may serve as a security primer. While writing the book, I realized that the result could also be used by Web users and application software developers. The resulting book, Security Technologies for the World Wide Web , was published in 2000. It overviewed and briefly discussed all major topics that are relevant for Web security. Unfortunately, and due to the dynamic nature of the field, it has become necessary to update the book and come up with a second edition after only a relatively short period of time. There are many new terms and buzzwords that need to be explained and put into perspective. Consequently, Security Technologies for the World Wide Web, Second Edition elaborates on some well-known security technologies that have already been covered in the first edition, as well as some more recent developments in the field.

First of all, it is important to note that the term "WWW security" means different things to different people:

  • For Webmasters, it means confidence that their sites won't be hacked and vandalized or used as a gateway to break into their local area networks (LANs);

  • For Web users, it means the ability to browse securely through the Web, knowing that no one is looking into their communications;

  • Finally, for proponents of electronic commerce applications, it means the ability to conduct commercial and financial transactions in a safe and secure way.

According to [4], Web security refers to "a set of procedures, practices, and technologies for protecting Web servers, Web users, and their surrounding organizations." In this book, we mainly focus on the technologies that can be used to provide security services for the WWW. Some of these technologies are covered in detail, whereas others are only briefly introduced and left for further study. For example, most security problems and corresponding exploits that make press headlines are due to bugs and flawed configurations of specific Web servers, such as Microsoft's Internet Information Server (IIS). Due to their transient nature, however, bugs and configuration flaws are not addressed in this book. There are many books mainly on computer security and hacking that address these issues. All of these books suffer the problem that they generally obsolesce faster than new editions can be produced. Also, an increasingly large number of CERT [2] advisories, incident notes, and vulnerability notes can be used to provide this type of information.

The reader of Security Technologies for the World Wide Web, Second Edition gets an overview of all major topics that are relevant for the WWW and its security properties. As such, the book is intended for anyone who is concerned about security on the Web, is in charge of security for a network, or manages an organization that uses the WWW as a platform for providing information. It can be used for lectures, courses, and tutorials. It can also be used for self-study or serve as a handy reference for Web professionals. Further information can also be found in other books on WWW security. Among these books, I particularly recommend [4–6]. [3] There are also some books that focus entirely on one specific cryptographic security protocol (i.e., the Secure Sockets Layer or Transport Layer Security protocol) that is widely deployed on the WWW [7, 8]. These books are recommended reading but are more narrow in scope than Security Technologies for the World Wide Web. Finally, there is also a frequently asked questions (FAQ) document available on the Web. [4]

While it is not intended that this book be read linearly from front to back, the material has been arranged so that doing so has some merit. In particular, Security Technologies for the World Wide Web, Second Edition has been organized in 16 chapters, summarized as follows:

  • In Chapter 1, we introduce the topic and elaborate on the Internet, the WWW, vulnerabilities, threats, and countermeasures, as well as a model that can be used to discuss various aspects of security.

  • In Chapter 2, we elaborate on the security features of the Hypertext Transfer Protocol (HTTP). Most importantly, we address the user authentication and authorization schemes provided by HTTP and some implementations thereof.

  • In Chapter 3, we explain and address the implications of proxy servers and firewalls for Web-based applications.

  • In Chapter 4, we introduce cryptographic techniques that are employed by many security technologies for the WWW. These techniques will be used in subsequent chapters.

  • In Chapter 5, we overview and briefly discuss the cryptographic security protocols that have been proposed and partly implemented for the Internet (and that can also be used for the WWW).

  • In Chapter 6, we focus on two transport layer security protocols, namely the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. These protocols are particularly important to secure Web-based applications.

  • In Chapter 7, we address the problem of how to manage certificates and discuss the issues that surround public key infrastructures (PKIs).

  • In Chapter 8, we broaden the topic addressed in Chapter 7 and discuss authentication and authorization infrastructures (AAIs).

  • In Chapter 9, we overview and briefly discuss some electronic payment systems that can be used in e-commerce applications for the Internet or WWW.

  • In Chapter 10, we focus on client-side security and the security implications of executable (or active) content (e.g., Java applets and ActiveX controls).

  • In Chapter 11, we address server-side security and the security implications of some widely deployed server programming technologies (e.g., CGI and API scripts).

  • In Chapter 12, we address the increasingly important field of privacy protection and anonymity services for the WWW.

  • In Chapter 13, we overview and discuss some technologies that can be used for intellectual property protection.

  • In Chapter 14, we address the politically relevant issues that surround censorship on the Internet or WWW.

  • In Chapter 15, we elaborate on risk management.

  • In Chapter 16, we draw conclusions and predict some future developments in the field.

Unlike the first edition, Security Technologies for the World Wide Web, Second Edition does not include a glossary. This is because in May 2000, an Internet Security Glossary was published as informational RFC 2828 (or FYI 36, respectively) [9]. This document can be used as a reference for anyone working in the field. [5] However, Security Technologies for the World Wide Web, Second Edition still includes a list of abbreviations and acronyms. References are included at the end of each chapter. This is also true for the various RFC documents that are relevant for WWW security. [6] At the end of the book, an About the Author section is included to tell you a little bit about me. Finally, there is an Index to help you find particular terms.

Some authors make a clear distinction between client-side security, server-side security, and document security, and structure their books accordingly (e.g., [4]). This book does not follow this approach but uses a functional organization instead. More precisely, the various chapters outlined above address zero, one, or even more than one of the abovementioned classes of security issues.

There has been a long tradition in the computer and network security literature of providing various kinds of checklists. Again, Security Technologies for the World Wide Web, Second Edition breaks with this tradition, mainly because security is more than checking off items on checklists. The single most important thing in security is to understand the underlying concepts and technological approaches. If you understand them, it is a simple exercise to formulate and implement your own checklist(s).

While time brings new technologies and outdates current technologies, I have attempted to focus primarily on the conceptual approaches to providing security services for the WWW. The Web is changing so rapidly that any book is out of date by the time it hits the shelves in the bookstores (that's why this book had to go into a second edition after a relatively short period of time). By the time you read this book, several of my comments will probably have moved from the future to the present, and from the present to the past, resulting in inevitable anachronisms.

Due to the nature of this book, it is necessary to mention company, product, and service names. It is, however, important to note that the presence or absence of a specific name implies neither any criticism or endorsement, nor does it imply that the corresponding company, product, or service is necessarily the best available. For a more comprehensive products overview, I particularly recommend the Computer Security Products Buyer's Guide that's compiled and published annually by the Computer Security Institute (CSI) based in San Francisco, California. [7]

Whenever possible, I add some uniform resource locators (URLs) as footnotes to the text. The URLs point to corresponding information pages provided on the Web. While care has been taken to ensure that the URLs are valid, due to the dynamic nature of the Web, these URLs as well as their contents may not remain valid forever. Similarly, I use screen shots to illustrate some aspects related to the graphical user interfaces (GUIs). Unlike in the first edition, I use Microsoft Internet Explorer version 5.5 and Opera version 6.0 (instead of Netscape Navigator). Keep in mind, however, that software vendors, including Microsoft and Opera Software, tend to update and modify their GUIs periodically. Therefore, chances are that the GUI you currently use looks (slightly or completely) different than the one replicated in this book.

Finally, I would like to take the opportunity to invite you as a reader of this book to let me know your opinion and thoughts. If you have something to correct or add, please let me know. If I haven't expressed myself clearly, please also let me know. I appreciate and sincerely welcome any comment or suggestion, in order to update the book periodically. The best way to reach me is to send an e-mail to rolf.oppliger@esecurity.ch. You can also visit the home page [8] of my company eSECURITY Technologies Rolf Oppliger and drop a message there. In addition, I have also established a home page for this book. The page is located at URL http://WWW.esecurity.ch/Books/WWWsec2e.html.

References

[1] Oppliger, R., Authentication Systems for Secure Networks, Artech House, Norwood, MA, 1996.

[2] Oppliger, R., Secure Messaging with PGP and S/MIME, Artech House, Norwood, MA, 2001.

[3] Oppliger, R., Internet and Intranet Security, Second Edition, Artech House, Norwood, MA, 2002.

[4] Stein, L. D., Web Security: A Step-by-Step Reference, Addison-Wesley, Reading, MA, 1998.

[5] Rubin, A. D., D. Geer, and M. J. Ranum, Web Security Sourcebook, John Wiley & Sons, Inc., New York, NY, 1997.

[6] Garfinkel, S., with E. H. Spafford, Web Security, Privacy & Commerce, Second Edition, O'Reilly & Associates, Sebastopol, CA, 2001.

[7] Thomas, S. A., SSL & TLS Essentials: Securing the Web, John Wiley & Sons, Inc., New York, NY, 2000.

[8] Rescorla, E., SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, Reading, MA, 2000.

[9] Shirey, R., "Internet Security Glossary," Request for Comments 2828, May 2000.

[1] TCP/IP-based networks are networks that are based on the TCP/IP communications protocol suite. This protocol suite, in turn, is centered around the Transmission Control Protocol (TCP) and the Internet Protocol (IP).

[2] The acronym CERT stands for Computer Emergency Response Team.

[3] Among these books only [6] has been updated in a second edition so far.

[4] http://www.w3.org/Security/Faq

[5] There are many other glossaries available on the Internet. Examples include a glossary compiled by Networks Associates, Inc. at http://www.pgp.com/glossary/default.asp and another glossary compiled by Rob Slade at http://victoria.tc.ca/int-grps/books/techrev/secgloss.htm

[6] There are many RFC archives available. For example, RFC documents can be downloaded from http://www.ietf.org/rfc.

[7] http://www.gocsi.com

[8] http://www.esecurity.ch


Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger