In this tutorial, you will learn the basic concepts of web security. After reading this tutorial, you will understand the essentials of Web Security, including Security Threats, Secure Naming, Secure Socket Layer (SSL), and Mobile Code Security.
Web Security
Web security is another major area of security, because most of what we deal with today lives on the web, whether it belongs to banks, governments, schools, film studios, or outright suspicious websites.
Web security is divided into three parts:
- How are resources named securely?
- How can we establish a connection that is secure and authenticated?
- What happens when a website sends a piece of executable code to the client?
We will discuss all these issues, but let us first understand the terminology of web security.
Security Threats
Attackers deface website home pages, replacing them with pages of their own, usually a joke page or some text of the attacker's choosing. An attacker can also slow a site down with a denial-of-service attack, in which the attacker ties up all of the website's resources. These are common attacks, and they can cost thousands of dollars.
- An attacker can break into an e-commerce website and steal the credit card details of all its customers. The attacker can then blackmail the site owner, demanding money and threatening to post every credit card number on the internet if the owner does not pay.
- The websites of Yahoo!, the CIA, NASA, and The New York Times have all been hacked by attackers in the past.
- These are the kinds of threats that damage websites, and they are why we need web security to prevent such attacks.
Secure Naming
Suppose client-1 types the URL of client-2's website. Client-1 then receives a web page that appears to come from client-2's site. But is it really client-2's page? Perhaps client-3 is eavesdropping on client-1. When client-1 sends a request for client-2's web page, client-3 captures the packets, fetches client-2's page itself, modifies it, and sends the modified page to client-1. If client-1 now enters a credit card number, client-3 obtains client-1's credit card information. This attack is known as DNS spoofing.
The diagram below explains DNS spoofing.
- When no attacker is interfering with the sender's packets, the sender obtains the receiver's genuine IP address from the DNS server.
- An attacker, however, substitutes a different IP address for the receiver in the DNS answer. When the sender then requests the website, the attacker serves the sender a modified copy of the web page.
- DNS runs over UDP, which is why the party receiving the answer cannot check who actually supplied it.
- The attacker's fake reply is stored in the sender's cache, and the genuine reply that arrives afterwards is discarded. The cache now holds the wrong IP address; this is known as cache poisoning.
Secure DNS: The DNSSEC (DNS Security) project is designed to secure the DNS. DNSSEC is based on public-key cryptography, and each zone has a public/private key pair.
DNSSEC provides three services:
- Proof of where data originated (data origin authentication)
- Distribution of public keys (securely storing and retrieving public keys)
- Authentication of transactions and requests (protection against spoofing attacks)
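To make the spoofing scenario and the DNSSEC origin check above concrete, here is an added example that is not part of the original tutorial: a resolver that caches the first UDP reply with a matching transaction ID is poisoned by a forged answer that arrives first, while a resolver that also demands a valid zone signature rejects it. The zone name, addresses, the toy RSA key built from small primes, and the simplified record and signature format are all constructed for illustration.

```python
import hashlib

# Toy RSA zone key from small constructed primes, for illustration only;
# real DNSSEC zones use 2048-bit RSA or ECDSA keys.
P, Q, E = 10007, 10009, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # zone private key, never leaves the zone owner
ZONE_PUBLIC_KEY = (N, E)                    # published as the zone's DNSKEY; resolvers trust it

def rr_digest(name, address):
    # Hash of the resource record that the signature covers.
    return int.from_bytes(hashlib.sha256(f"{name} A {address}".encode()).digest(), "big") % N

def sign_record(name, address, private_key=D):
    # The zone owner signs the record (the role of the RRSIG record).
    return pow(rr_digest(name, address), private_key, N)

def verify_record(name, address, sig, public_key=ZONE_PUBLIC_KEY):
    n, e = public_key
    return pow(sig, e, n) == rr_digest(name, address)

class PlainResolver:
    # Caches the first UDP reply whose transaction ID matches; it cannot tell who sent it.
    def __init__(self):
        self.cache = {}
    def handle_reply(self, txid, expected_txid, name, address, sig=None):
        if txid != expected_txid or name in self.cache:
            return False                    # wrong ID, or a reply arriving after the cache is already filled
        self.cache[name] = address
        return True

class ValidatingResolver(PlainResolver):
    # DNSSEC-style: additionally requires a valid zone signature before caching (data origin proof).
    def handle_reply(self, txid, expected_txid, name, address, sig=None):
        if sig is None or not verify_record(name, address, sig):
            return False
        return super().handle_reply(txid, expected_txid, name, address, sig)

def simulate(resolver, name="bank.example"):
    # Constructed race: the forged reply (documentation address 203.0.113.66) arrives before
    # the authoritative one (192.0.2.10). The forger guessed the ID but has no zone key.
    txid = 0x1234
    resolver.handle_reply(txid, txid, name, "203.0.113.66", sig=4242)
    resolver.handle_reply(txid, txid, name, "192.0.2.10", sig=sign_record(name, "192.0.2.10"))
    return resolver.cache[name]
```

Running `simulate(PlainResolver())` returns the forged address and `simulate(ValidatingResolver())` the genuine one, which is exactly the difference the origin-authentication service makes.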
Secure Socket Layer (SSL)
SSL is used to make a secure connection to a website, for example for credit card transactions, buying products from websites, online banking, and electronic stock trading.
- SSL creates an end-to-end secure connection between two sockets. The connection includes parameters negotiated between the client and the server, authentication of the server by the client, confidential communication, and data integrity protection.
- SSL handles the compression and encryption of the data. HTTP run over SSL becomes HTTPS (Secure HTTP). HTTPS operates on port 443, while HTTP uses port 80.
- SSL can use the Triple-DES algorithm for encrypting data and SHA-1 for message integrity. This combination is slow, so it is mostly used in banking and other applications that require the highest security.
- For a simple e-commerce website, SSL uses the RC4 algorithm with a 128-bit key for encryption and the MD5 algorithm for message authentication.
The diagram below explains the data transmission using the SSL protocol.
- As shown in the figure, the data coming from the web browser is divided into two equal parts, and compression is applied to each part.
- A MAC is generated with a hash function and appended to the compressed message. RC4 is then used to encrypt the compressed data together with the MAC.
- Once a header is attached to the fragment, it is transmitted over the TCP connection.
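The following Python is an added illustration, not the tutorial's own code, of the record processing just described: two fragments, zlib compression, an MD5-based MAC, RC4 encryption and a record header on the sending side, and the reverse steps with a MAC check on the receiving side. The keys, the use of HMAC in place of SSL 3.0's exact MAC construction, and the sample message are constructed; RC4 and MD5 appear because the tutorial names them, and both are deprecated in modern TLS.

```python
import hashlib, hmac, struct, zlib
MAC_KEY = b"constructed-mac-key"   # constructed sample keys, not real session keys
ENC_KEY = bytes(range(16))         # 128-bit RC4 key (constructed)
APPLICATION_DATA = 23              # SSL record content type for application data

def rc4_keystream(key):
    # One keystream is shared by all records in a direction so keystream bytes never repeat.
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def xor_stream(stream, data):
    return bytes(b ^ next(stream) for b in data)

def seal_records(plaintext, mac_key=MAC_KEY, enc_key=ENC_KEY, parts=2):
    # Sender: fragment -> compress -> MAC -> encrypt -> header, in the order the tutorial gives.
    stream = rc4_keystream(enc_key)
    size = -(-len(plaintext) // parts)         # ceiling division: "two equal parts"
    records = []
    for seq in range(parts):
        compressed = zlib.compress(plaintext[seq * size:(seq + 1) * size])
        # The sequence number is covered by the MAC so a replayed or reordered record is rejected.
        mac = hmac.new(mac_key, struct.pack(">Q", seq) + compressed, hashlib.md5).digest()
        body = xor_stream(stream, compressed + mac)
        records.append(struct.pack(">BHH", APPLICATION_DATA, 0x0300, len(body)) + body)
    return records

def open_records(records, mac_key=MAC_KEY, enc_key=ENC_KEY):
    # Receiver: check header, decrypt, verify MAC, decompress; raises ValueError on tampering.
    stream = rc4_keystream(enc_key)
    out = b""
    for seq, record in enumerate(records):
        ctype, version, length = struct.unpack(">BHH", record[:5])
        if ctype != APPLICATION_DATA or version != 0x0300 or length != len(record) - 5:
            raise ValueError("bad record header")
        body = xor_stream(stream, record[5:])
        compressed, mac = body[:-16], body[-16:]      # MD5 MAC is 16 bytes
        expected = hmac.new(mac_key, struct.pack(">Q", seq) + compressed, hashlib.md5).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC check failed: record %d was modified" % seq)
        out += zlib.decompress(compressed)
    return out
```

Flipping a single ciphertext byte, or swapping the two records, makes `open_records` raise, which is the integrity protection the MAC provides.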
Mobile Code Security
We have discussed the naming and connection areas of web security. Executable code is a third area. Web pages today contain small executable programs such as Java applets, ActiveX controls, and JavaScript. Running this mobile code on the client is a security risk, and various methods are used to address it.
Java Applet Security: Java applets are programs written in the Java language and compiled to bytecode for a virtual machine, the Java Virtual Machine (JVM). Applets are loaded into the JVM interpreter, which examines them before executing them.
ActiveX: ActiveX controls are x86 binary programs that can be embedded in web pages. Microsoft chose code signing as the basis for its security decisions.
Browser Extensions: Browser extensions, add-ons, and plug-ins extend the limited functionality of a web browser. For example, browser extensions provide a way to manage passwords and easily interact with web pages.
Key Points to Remember
Here is the list of key points to remember about web security.
- Web security addresses how resources are named securely, how to establish secure and authenticated connections, and the handling of executable code sent by websites.
- The DNSSEC (DNS Security) project is designed to secure the DNS. DNSSEC is based on public-key cryptography, and each zone has a public/private key pair.
- SSL creates an end-to-end secure connection between two sockets. The connection includes parameters negotiated between the client and the server, authentication of the server by the client, confidential communication, and data integrity protection.
- Web pages today contain small executable programs such as Java applets, ActiveX controls, and JavaScript. Running this mobile code on the client is a security risk. Java applet security, ActiveX code signing, and browser extensions are the approaches used to manage that risk.