Web Security and Web Services

The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets. As such, the security tools and approaches discussed so far in this book are relevant to the issue of Web security. But, as pointed out in, the Web presents new challenges not generally appreciated in the context of computer and network security.

The Internet is two-way. Unlike traditional publishing environments—even electronic publishing systems involving teletext, voice response, or fax-back—the Web is vulnerable to attacks on the Web servers over the Internet

 The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.

Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. The short history of the Web is filled with

examples of new and upgraded systems, properly installed, that are vulnerable to a variety of security attacks.

Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.

The Table above provides a summary of the types of security threats faced when using the Web. One way to group these threats is in terms of passive and active attacks. Passive attacks include eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted. Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a Web site. Another way to classify Web security threats is in terms of the location of the threat: Web server, Web browser, and network traffic between browser and server. Issues of server and browser security fall into the category of computer system security

Due to their public nature, security is vital for Web services. Security attacks can be classified as threats of information disclosure, unauthorized alteration of data, denial of use, misuse or abuse of services, and, more rarely considered, repudiation of access. Since Web services link networks with businesses, further attacks such as masquerading, stealing, or duplicating identity and conducting business under false identity, or accessing or transferring funds from or to unauthorized accounts need to be considered.

Security is vital for establishing the legal basis for businesses done over networks. Identification and authentication of business partners is the basic requirement. Integrity and authenticity of electronic documents is another. Electronic contracts must have the same binding legal status as conventional contracts. Refuse and repudiation of electronic contracts must be provable in order to be legally valid. Finally, payment and transferring funds between accounts must be safe and secure.

Security architectures in networks typically comprise several layers:

 Secure data communication: IPsec (Internet protocol security), SSL (secure socket layer), and TLS (transport layer security);

 Secured networks: VPN (virtual private networks);

 Authenticity of electronic documents and issuing individuals: digital signatures;

Secure and authenticated access: digital certificates;

Secure authentication and certification: PKI (public key infrastructure); and

 Single sign-on and digital passports .

One way to provide Web security is to use IP security (IPsec) (Figure a).The advantage of using IPsec is that it is transparent to end users and applications and provides a general-purpose solution. Furthermore, IPsec includes a filtering capability so that only selected traffic need incur the overhead of IPsec processing.

Another relatively general-purpose solution is to implement security just above TCP (Figure b). The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS). At this level, there are two implementation choices. For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications. Alternatively, SSL can be embedded in specific packages. For example, Netscape and Microsoft Explorer browsers come equipped with SSL, and most Web servers have implemented the protocol.

Application-specific security services are embedded within the particular application. Figure c shows examples of this architecture. The advantage of this approach is that the service can be tailored to the specific needs of a given application.