A budding Greek CompSec scholar <macman@compulink.gr> queried the
List about how to approach the study of WWW security. Chris
<CHRIS.NICHOLS@EY.COM> interrupted an eeeexxxtended and tedious discussion
of hacker morality to respond to Macman with helpful and appropriate
advice:
>Go out onto the WWW and find the shareware paper called "WWW Security FAQ"
>written by Lincoln Stein. It is an excellent starting point for www security.
>Dr. Stein has also published a more detailed book on www security as well.
Unfortunately, I think Mr. Stein has been a little lax updating the
FAQ over the past year or so. (Still, a good place to start.) Macman also
asked:
>>Is it necessary to study on both NT and Unix Security issues?
>To answer your original question: yes. Although Web servers introduce
>unique security considerations to your network, the base operating system that
>the server is running on must be considered as well. Many web server admins
>choose to create a very basic or stripped down operating system for their
>servers in an effort to reduce unnecessary exposures. For example, why
>run nfs or ftp on your server if they are not necessary.
You might also want to check out the W3 security page at:
http://artworks.apana.org.au/hypertext/WWW/Security/Overview.html
Rutgers University, here in the US, has a WWW Security page, but it
too has become dated. Visit Rutgers just to subscribe to its www-security
mail list.
http://www-ns.rutgers.edu/www-security/index.html
You can get a transcript of Ed Fenton and Gary McGraw on HotWired
discussing recent browser threats by sending a blank e-mail with the
subject line "Get Security Chat" to: <IPS@olympus.net>
The IETF HTTP Working Group also has an interesting page at:
http://www.ics.uci.edu/pub/ietf/http/ but I'd also check out HTTP-oriented
RFCs and draft standards at http://internic.org. The RFC for extending basic
HTML authentication with Digest Authentication has, as I recall, a nice
overview of authentication issues in the HTML protocol.
Standard HTML authentication/authorization varies from weak to less
so, although savvy sites have begun integrating strong (i.e., two factor:
"something known," and "something held") authentication into webservers,
using either one-time password (OTP) tokens like SecurIDs or PKC
smartcards, which remove your public-key pair from the browser and put them
in your pocket or purse (or somewhere even more secure) where they belong.
My two favorite aspects of the web security matrix are the
availability of strong cryptography for confidentiality, integrity, and
digital signatures and the need for strong user authentication to enable
webserver access controls.
These days, it seems clear that strong user authentication for HTTP
(and all other services) will depend on smartcards and an elaborate
X509/RSA public-key cert infrastructure. PKI is a worthy and consuming
subject for study. Don't confuse the PKC used as the anchor for an
encrypted SSL pipe with the "certified" PKC needed to document the binding
of a public-key with a corporate or user identity. They're different,
despite confusing vendor fluff.
The politics of crypto itself are byzantine (and thus, may appeal
to the Greek mind;-) but there are many informed websites where you
can track the machinations of the various intelligence agencies as they
seek to restrict the availability of strong crypto to the crooks and
terrorists and others willing to go outside the law to obtain
privacy-enhancing technology. Steer clear of the crazies on both the right
and the left -- and it's still a bizarre and entertaining show.
Particularly for those of you outside the big Post-Industrial
vendor states, access to strong and effective crypto is a big issue. The
spooks (probably yours, as well as mine) seem determined to keep any
computer apps licensed for export to the rest of the world weak and
"espionage-enabled." Until the private-sector cost of GAK catches up with
us; or the international market rebels -- or unless the propensity of spies
in the '90s to earn their keep by stealing commercial and industrial
secrets from their nominal allies ties the Wassenaar Arrangement (look it
up) in a knot -- little of that will change.
For more info, try an AltaVista search, and seek out
crypto-oriented English-language sites in Finland, Netherlands, and
Australia. The SSH development group in Finland may be a good place to
start. Also check out http://www.brokat.de/xpresso/indexe.htm (English and
German) and C2's SafePassage -- two of the first international market
reactions to the bogus and weak crypto now shipped in US-made web servers.
Suerte,
_Vin
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + <vin@shore.net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
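The message above contrasts Basic HTTP authentication with the Digest extension it points the reader to. The following Python is an added illustration, not part of Vin's post or of any project he names: it computes both schemes from the published RFC 2617 test vectors and shows why a server that keeps only HA1 never holds the plaintext password (function and constant names are mine).

```python
import base64
import hashlib
import hmac

# Test vectors copied from RFC 2617 (Basic: section 2; Digest: section 3.5).
RFC2617_DIGEST = dict(username="Mufasa", realm="testrealm@host.com",
                      password="Circle Of Life", method="GET", uri="/dir/index.html",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      nc="00000001", cnonce="0a4f113b", qop="auth")

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(username: str, password: str) -> str:
    # Basic: the password is only base64-encoded, i.e. not protected at all.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def basic_recover(header: str) -> tuple:
    # Whoever sees the header (no SSL pipe) gets the password straight back.
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def digest_ha1(username: str, realm: str, password: str) -> str:
    # HA1 is all the server needs to keep; the plaintext password is never stored.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    # Client side. qop=None yields the older RFC 2069 form (no nonce count/cnonce).
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(stored_ha1, claimed, method, uri, nonce, nc, cnonce, qop="auth"):
    # Server recomputes from the stored HA1 and the nonce it issued; a previously
    # observed response no longer verifies once the nonce (or nonce count) changes.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, claimed)

def rfc2617_digest_example() -> str:
    # Reproduces the response value printed in RFC 2617 section 3.5.
    v = RFC2617_DIGEST
    ha1 = digest_ha1(v["username"], v["realm"], v["password"])
    return digest_response(ha1, v["method"], v["uri"], v["nonce"], v["nc"], v["cnonce"], v["qop"])
```

Note that Digest still rests on MD5 and an unauthenticated challenge; it keeps the password off the wire but is no substitute for the SSL pipe and the strong, two-factor authentication the post goes on to recommend.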