22 March 2002
Port 80 is the standard port for web sites, and the services listening on it can have a lot of different security issues. These holes can allow an attacker to gain administrative access to the web site, or even to the web server itself. This second paper was written to help the average administrator and developer understand the types of threats that exist, and how to detect them.
[NewOrder]
8:47:44 AM
eWEEK Labs has discovered that Microsoft Corp.'s Internet Explorer Version 5.0 and higher--as well as the company's IIS Web server--have a significant security incompatibility with other major Web browsers and with the Apache Software Foundation's Apache HTTP Web server.
The incompatibility lies in how Microsoft has implemented digest access authentication, a World Wide Web Consortium standard (RFC 2617) that specifies how users can securely log in to Web servers. Digest authentication is widely acknowledged to be the best available Internet standard for this purpose. ...
... Digest authentication hasn't had a big impact so far because it is a relatively new technology: IE 5.0 and IIS 5.0 (part of Windows 2000) were the first Microsoft products to support it. Mozilla, the foundation of the Navigator browser (and possibly the Web browser used in America Online Inc.'s next client upgrade) gained digest authentication only in late December.
Sorry, this has been around for a while. RFC 2617 was published in June 1999. People had already started to implement it a long time earlier. In particular, I believe that Apache had support for it back in 1996. If I remember correctly, Jim Gettys, who was the secretary of the HTTP 1.1 group, told me back in 1996 that they had finished just about everything important in the draft, but Microsoft and Netscape kept battling it out over the implementation of Digest Authentication.
The moral of the story is that any web application you deploy that uses any form of user authentication should really be run on an SSL web server. Digest authentication keeps the password itself off the wire, but nothing more: with the usual qop=auth the request and response bodies travel in the clear, and the client has no way of knowing that the server it is talking to is the real one. This is true regardless of whether it is a public or an intranet application.
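To make the digest exchange concrete, here is an added example (it is not code from this post, from eWEEK, or from the Microsoft or Apache implementations) that walks through RFC 2617 Digest authentication with qop=auth on both sides: the client computes the response, the server parses the Authorization header and verifies it against its own record. The `USERS` dict and `ISSUED_NONCES` set are stand-ins for a real credential store and nonce cache; the sample header is built from the RFC 2617 section 3.5 test values (user "Mufasa"). The last function shows why the SSL advice above still holds even when digest works: anyone who sniffed the challenge and the reply can guess the password offline, and because only the method and URI are hashed, the same header validates whatever body an attacker in the path substitutes.

```python
"""RFC 2617 Digest access authentication (qop=auth), both halves of the
exchange, plus the weaknesses that remain when it is used without SSL.

Added example; not code from the original post, from eWEEK, Microsoft or
Apache. Test values are the ones in RFC 2617 section 3.5 (user "Mufasa").
"""
import hashlib
import hmac
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side (RFC 2617 3.2.2): the password never leaves the client,
    only MD5(HA1:nonce:nc:cnonce:qop:HA2) goes on the wire."""
    ha1 = _md5(f"{username}:{realm}:{password}")  # a server may store HA1 instead of the password
    ha2 = _md5(f"{method}:{uri}")                  # qop=auth covers method and URI only, NOT the body
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce, nc, cnonce):
    """The Authorization header a browser sends after a 401 with WWW-Authenticate: Digest."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(params)}


def verify_digest(header, method, users, issued_nonces):
    """Server side: recompute the response from the stored credential and
    compare in constant time. `users` maps (username, realm) -> password and
    `issued_nonces` is the set of nonces this server handed out; both are
    hypothetical stand-ins for a credential store and a nonce cache."""
    p = parse_digest_header(header)
    try:
        user, realm, nonce, uri = p["username"], p["realm"], p["nonce"], p["uri"]
        nc, cnonce, qop, resp = p["nc"], p["cnonce"], p["qop"], p["response"]
    except KeyError as e:
        return False, f"missing parameter {e}"
    if qop != "auth":
        return False, "only qop=auth is handled here"
    if nonce not in issued_nonces:
        return False, "nonce was not issued by this server (replay or forgery)"
    if (user, realm) not in users:
        return False, "unknown user"
    expected = digest_response(user, realm, users[(user, realm)], method, uri, nonce, nc, cnonce, qop)
    if not hmac.compare_digest(expected, resp):
        return False, "response does not match"
    return True, "ok"


def offline_dictionary_attack(header, method, wordlist):
    """A passive sniffer who captured the challenge and the reply can test
    password guesses offline; nothing secret is needed to check a candidate."""
    p = parse_digest_header(header)
    for guess in wordlist:
        if digest_response(p["username"], p["realm"], guess, method, p["uri"],
                           p["nonce"], p["nc"], p["cnonce"], p["qop"]) == p["response"]:
            return guess
    return None


# Constructed sample, using the RFC 2617 section 3.5 values.
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_CNONCE, RFC_URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "/dir/index.html"
USERS = {(RFC_USER, RFC_REALM): RFC_PASSWORD}  # hypothetical credential store
ISSUED_NONCES = {RFC_NONCE}                    # hypothetical nonce cache
RFC_HEADER = build_authorization(RFC_USER, RFC_REALM, RFC_PASSWORD, "GET",
                                 RFC_URI, RFC_NONCE, "00000001", RFC_CNONCE)

if __name__ == "__main__":
    print(RFC_HEADER)
    print(verify_digest(RFC_HEADER, "GET", USERS, ISSUED_NONCES))
    print(verify_digest(RFC_HEADER, "POST", USERS, ISSUED_NONCES))  # method is covered, so this fails
    # No body parameter anywhere above: a tampered POST body is not detected.
    print(offline_dictionary_attack(RFC_HEADER, "GET", ["hakuna matata", "Circle Of Life"]))
```

The verifier checks the nonce before doing any hashing, which is what stops a captured header from being replayed after the nonce expires; without that check the scheme is only as good as Basic authentication against a recorded session. Note also what is absent: nothing in the exchange proves to the client that the server is genuine, so a host in the path can answer the first request with a 401 that offers only Basic and collect the plaintext password (RFC 2617 discusses this under "man in the middle"). SSL closes both gaps; digest alone does not.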
8:37:33 AM
Ravi Razdan has a piece on CNET about the security of Web Services. It illustrates many of the security problems people are having not just with Web Services, but with any application that is directly or indirectly available on the Internet:
But in their rush, an important data security issue is being ignored: Confidential information is vulnerable to malicious employees or hackers because customer data, which gets stored in applications or databases operated by the Web services provider, still exist in clear or unencrypted form....
... Most Web service providers deploy several methods to convince customers about the security of their information. These run the gamut, including multiple firewalls, intrusion detection, application and system partitioning, encryption, biometrics tools, and even armed guards. In the end, however, they are all but useless since, according to the Internet Security Task Force, about 70 percent of business computer-security breaches are internal.
This is interesting because firewalls are exactly what most companies rely on to feel safe, but all it really takes is an unhappy employee, or a user unknowingly running a Back Orifice variant on their machine, for a serious breach to occur. A good hacker who knows what he is doing could work out what is going on on your average CORBA-based server and insert transactions into a trading system or initiate SWIFT payments. While no application can ever be made 100% secure, if we stop assuming that the firewall will protect us, it isn't all that hard to actually harden an application. The new standards coming into place make this even easier, but it is our responsibility as application developers to actually use them.
8:18:59 AM
© Copyright 2002 Pelle Braendgaard. Last update: 22/03/2002; 09:18:59.