18. WWW Security
This chapter explores a number of security issues that arise with use of the World Wide Web. Because of the complexities of the World Wide Web, some of the issues mentioned in this chapter overlap with those in other chapters in this book, most notably Chapter 6, Cryptography; Chapter 17, TCP/IP Services; and Chapter 23, Writing Secure SUID and Network Programs.
18.1 Security and the World Wide Web
The World Wide Web is a system for exchanging information over the Internet. The Web is constructed from specially written programs called Web servers that make information available on the network. Other programs, called Web browsers, request that information from the servers and display it on the user's screen.
The World Wide Web was originally developed as a system for physicists to exchange papers pertaining to their physics research. Using the Web enabled the physicists to short-circuit the costly and often prolonged task of publishing research findings in paper scientific journals. Short-circuiting publishers remains one of the biggest uses of the Web today, with businesses, universities, government agencies, and even individuals publishing millions of screens of information about themselves and practically everything else. Many organizations also use the Web for distributing confidential documents within their organization, and between their organization and its customers.
Another exciting use of the Web today involves putting programs behind Web pages. The Web server runs these programs through an interface called the Common Gateway Interface (CGI): the server passes the details of the request to the program, and the program's output is sent back to the browser. CGI scripts can be quite simple - for example, a counter that increments every time a person looks at the page, or a guest book that allows people to "sign in" to a site. Or they might be quite sophisticated. For example, the FedEx package-delivery service allows its customers to use the company's World Wide Web server (http://www.fedex.com) to trace packages. Giving customers access to its computers in this manner simultaneously saves FedEx money and gives the customers better service. It also means that anyone on the Internet can feed input to a program running on the company's computers, which is where many of the security problems discussed in this chapter arise.
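The guest book mentioned above, written out as a worked example of the CGI interface. This is an added example, not code from the book: the server hands the request to the script through environment variables (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH) and standard input, and the script answers with header lines, a blank line, and the page body on standard output. The in-memory list, the 40-character name limit, and the sample request in the test are assumptions made for the example; a real guest book would persist its entries to a file with appropriate locking and permissions. The one point a practitioner should take from it is that every visitor-supplied value is HTML-escaped before it is written back into the page.

```python
import html
import os
import sys
from urllib.parse import parse_qs

# Assumed limit for this example: keeps the page (and any file behind it) bounded.
MAX_NAME_LEN = 40


def parse_form(environ, body=b""):
    """Return the submitted form fields as a dict of single values.

    For GET the fields arrive in QUERY_STRING; for POST they arrive on stdin
    and CONTENT_LENGTH tells the script how many bytes belong to the request.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = body[:length].decode("utf-8", "replace")
    else:
        raw = environ.get("QUERY_STRING", "")
    fields = parse_qs(raw, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def handle_request(environ, body, guest_book):
    """Process one request; returns (headers, page_text).

    Only a POST changes state, so a link or bookmark (a GET) cannot add an entry.
    """
    form = parse_form(environ, body)
    name = form.get("name", "").strip()
    if environ.get("REQUEST_METHOD", "").upper() == "POST" and name:
        if len(name) <= MAX_NAME_LEN:
            guest_book.append(name)

    # html.escape turns <, >, &, " and ' into entities, so a visitor cannot
    # inject markup or script into the page seen by later visitors.
    entries = "".join(f"<li>{html.escape(n)}</li>\n" for n in guest_book)
    page = (
        "<html><head><title>Guest book</title></head><body>\n"
        "<h1>Guest book</h1>\n"
        f"<ul>\n{entries}</ul>\n"
        '<form method="POST"><input name="name" maxlength="40">'
        '<input type="submit" value="Sign in"></form>\n'
        "</body></html>\n"
    )
    headers = [("Content-Type", "text/html; charset=utf-8")]
    return headers, page


def cgi_response(headers, page):
    """Serialise in the form the server reads from the script's stdout."""
    head = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return (head + "\r\n" + page).encode("utf-8")


if __name__ == "__main__":
    # When run by a web server as a CGI script, the request is in os.environ
    # and, for POST, the body is on stdin.
    raw_body = b""
    if os.environ.get("REQUEST_METHOD", "").upper() == "POST":
        raw_body = sys.stdin.buffer.read()
    hdrs, body_text = handle_request(os.environ, raw_body, [])
    sys.stdout.buffer.write(cgi_response(hdrs, body_text))
```

The same pattern (read the environment and stdin, validate, escape, emit headers then body) applies to any CGI program regardless of what it does in between.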
Many other companies are now exploring the use of the WWW for electronic commerce. Customers browse catalogs of goods and services, select items, and then pay for them without anything other than a forms-capable browser.
The World Wide Web is one of the most exciting uses of the Internet. But it also poses profound security challenges. In order of importance, these challenges are:
Each of these challenges requires its own response. Unfortunately, some of the solutions that are currently being employed create new risks of their own. For example, to minimize the risk of eavesdropping, many organizations have purchased "secure" World Wide Web servers, which implement a variety of encryption protocols. But these servers require a digitally signed certificate to operate, and that certificate must be renewed on an annual basis. If the certificate expires, or the certificate authority that issued it fails to renew it in time, the encrypted service stops working even though nothing on the server has changed. Consequently, organizations that are dependent on their WWW servers are exposed to interesting denial of service attacks.
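The practical defence against the certificate-expiry problem described above is to monitor the certificate and renew it well before its notAfter date. The following check is an added example, not code from the book. It works on the dictionary that Python's SSLSocket.getpeercert() returns, so the same function can be run against a live server (fetch_peer_cert, which needs network access) or against a constructed sample as done here; the 30-day warning threshold and the sample certificate values are assumptions made for the example.

```python
import socket
import ssl
import time

# Assumed policy for this example: warn when fewer than this many days remain.
WARN_DAYS = 30


def days_until_expiry(cert, now=None):
    """Days remaining on a certificate dict shaped like SSLSocket.getpeercert().

    ssl.cert_time_to_seconds parses the "Dec 31 23:59:59 2025 GMT" notation
    the ssl module uses for notBefore/notAfter.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400.0


def check_certificate(cert, now=None, warn_days=WARN_DAYS):
    """Classify a certificate as 'not_yet_valid', 'expired', 'expiring' or 'ok'.

    Returns (status, days_remaining).
    """
    now = time.time() if now is None else now
    days = days_until_expiry(cert, now)
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        return "not_yet_valid", days
    if days < 0:
        return "expired", days
    if days < warn_days:
        return "expiring", days
    return "ok", days


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents (requires network access).

    The default context verifies the chain and hostname, so an already
    expired certificate raises ssl.SSLCertVerificationError here rather
    than being returned for inspection.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        cert = fetch_peer_cert(sys.argv[1])
    else:
        cert = SAMPLE_CERT
    status, days = check_certificate(cert)
    print(f"{cert['subject'][0][0][1]}: {status} ({days:.1f} days remaining)")
```

Run from cron with a real hostname, a non-'ok' status is the signal to start the renewal process while the old certificate is still valid, which removes the window in which the server is "secure" but unusable.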