The Web User's Perspective

By: aathishankaran


Although the risk of using the Web is small, it still merits some consideration. The basic question you need to ask is, "What do I have to lose?" If you use your PC purely for recreation and don't perform any financial transactions over the Web, then the answer is, "Not much." However, if you use your PC to store your diary and sensitive company documents and use the Web to make online purchases, then you will want to examine your risk more closely.

For users, Web security begins with the browser and, for most of us, that means a Netscape or Microsoft browser. Netscape Navigator and Microsoft Internet Explorer provide a number of features that go beyond simple Web page display. Both browsers support executable content: Java and JavaScript. In addition to executable content, both browsers support plug-ins (Internet Explorer supports Navigator plug-ins and ActiveX controls, in addition to its own), cookies, Secure Sockets Layer (SSL) communication, and digital certificates. Each of these features has implications for user security, as described in the following subsections.

Dealing with Executable Content 

When most people think of browser vulnerabilities they think of Java, JavaScript, and ActiveX. For most of us, the thought of opening a Web page and automatically having a program load and execute on our computer is a bit frightening. There is a good reason for this fear: it is very difficult to allow executable content without leaving yourself wide open to a Trojan horse attack.

A Trojan horse is a program that appears to provide a useful function while, in reality, it is attacking your system. The name comes from the legend of the huge wooden horse that was left as a gift at the gates of Troy. When the Trojans opened the gates of their city to bring in the horse, Greek soldiers who had been hiding inside the horse poured out and attacked the Trojans.

Each of the three major browser-programming technologies uses a different approach to protecting against Trojan horses:

* Java code executes in the Java Virtual Machine (JVM), which is part of the Java runtime system. The runtime system is designed to prevent operations that would violate the browser's security policy.

* JavaScript eliminates Trojan-horse code by omission: the language provides no objects or methods that could be used to damage the system or violate the user's privacy.

* ActiveX components do not provide any inherent protection against damage. Instead, these components are digitally signed. The signature provides a high degree of assurance that the component originated from the organization it claims to come from; it says nothing about what the component will do once it runs.

Navigator and Internet Explorer 4 also support signed Java applets. The signature can be used to determine whether the applet should be given extra privileges beyond those allowed by the default Navigator security policy. 

Of the three approaches, JavaScript's is the most secure. By not providing a mechanism for causing damage, it prevents the damage from occurring. But how do we know that no object or method can be used to cause damage? The answer is extensive analysis and testing. Could something have been overlooked? Try writing a JavaScript script that could damage your system.

Java's approach is next best when it comes to security. The Java runtime system is capable of supporting multiple security policies. For example, Java programs that are loaded from your hard disk are allowed more privileges than applets that are loaded over the network, and signed applets are given more privileges than unsigned ones.

Communicating Securely

The browser's key icon shows which level of encryption is in use: a solid key with a single tooth indicates that international security (40-bit) encryption is in use, and a solid key with two teeth indicates that domestic security (128-bit) encryption is in use.

Both international and domestic security use the Secure Sockets Layer (SSL) for encryption. SSL uses public key cryptography to exchange a key that is then used for symmetric (secret-key) encryption of the session traffic. Digital certificates are used to verify the identity of the organization with which you are communicating.

How strong is the security provided? If no encryption is used, then you should assume that whatever information you send can be read by anyone on the path between you and the server.

If international (40-bit) encryption is used, then your encrypted communication is probably secure from a hacker without many computational resources, but not from anyone else. This encryption scheme has already been broken by brute force several times.

If domestic (128-bit) encryption is used, then you are probably secure from most eavesdroppers. However, absolute security cannot be guaranteed. SSL only protects information while it is in transit. Whatever information you send is unprotected before it is transmitted by your browser and after it is received by the server. 

Maintaining Privacy 

How private is your interaction with the Web? Not very private. Whenever you request a document from a Web server, your request is usually logged by that server. The log record doesn't identify you by name, but it does include your IP address. If you use a static IP address, then every request from it can be tied to you. If you use a dynamic IP address, then the log information could also apply to other users of your Internet service provider who were assigned that address at other times.
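The following is an added example, not part of the original tutorial, of what a server operator can reconstruct from that log. The lines are constructed for the demonstration in the Common Log Format (host, ident, user, timestamp, request line, status, bytes) that Apache-style servers write; the addresses are from the reserved documentation ranges.

```javascript
// Added example (not from the original page): grouping an access log by
// client address. Plain Node.js, no dependencies.
const SAMPLE_LOG = [ // constructed sample, not a real log
  '203.0.113.7 - - [12/Mar/1999:10:01:03 -0500] "GET /index.html HTTP/1.0" 200 2326',
  '203.0.113.7 - - [12/Mar/1999:10:01:09 -0500] "GET /catalog/toys.html HTTP/1.0" 200 5410',
  '198.51.100.23 - - [12/Mar/1999:10:02:41 -0500] "GET /index.html HTTP/1.0" 200 2326',
  '203.0.113.7 - - [12/Mar/1999:10:03:15 -0500] "POST /order.cgi HTTP/1.0" 302 0',
  'this line is corrupt and must be skipped, not crash the parser',
];

// Common Log Format: host ident user [date] "method path protocol" status bytes
const CLF = /^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-)$/;

function parseLine(line) {
  const m = CLF.exec(line);
  if (!m) return null; // malformed line: skip rather than guess
  return { ip: m[1], time: m[4], method: m[5], path: m[6], status: Number(m[8]) };
}

// Every request from one address is, to the operator, one visitor's trail:
// pages read, forms submitted, and when. No name is needed for that.
function sessionsByAddress(lines) {
  const sessions = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (!sessions.has(r.ip)) sessions.set(r.ip, []);
    sessions.get(r.ip).push(`${r.time} ${r.method} ${r.path}`);
  }
  return sessions;
}
```

With a static address the trail for 203.0.113.7 is one person's browsing and purchase; with a dynamic address it may be several people's, which is the ambiguity described above.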

Both Navigator and Internet Explorer support cookies. When cookies were first introduced, they were the subject of some concern. Because they can be used to maintain information about a user on the user's browser, cookies were looked at as an instrument of Big Brother. As it turns out, cookies can indeed be used to maintain information about users; that was their original intent. Is this a problem? It depends. If you look at cookies as a way to improve Web services, then you'll want to keep them. If you look at cookies as a means to spy on you, then your best bet is to periodically delete your cookie files. This lets you use cookies when you need to and makes it difficult for anyone to maintain consistent information about you over time. You can also make your cookie files read-only.
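The mechanism behind that advice, as an added example that is not part of the original tutorial: a minimal cookie jar that applies the Set-Cookie rules a browser applies (Domain, Path, Expires, Max-Age), and a made-up "tracking server" that hands out a persistent identifier. It runs under plain Node.js; the host names, paths and the one-year lifetime are invented for the demonstration, and the attribute handling is deliberately incomplete (no Secure or HttpOnly).

```javascript
// Added example (not from the original page): how a cookie keeps an identifier
// on the browser, and what deleting the cookie file or letting it expire does.

// Parse one Set-Cookie header value received from requestHost at time `now` (ms).
function parseSetCookie(header, requestHost, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost, path: '/', expires: null, hostOnly: true };
  let maxAge = null;
  for (const a of attrs) {
    const [k, ...rest] = a.split('=');
    const v = rest.join('=');
    switch (k.toLowerCase()) {
      case 'domain': {
        const d = v.replace(/^\./, '').toLowerCase();
        // A server may only set cookies for its own host or a parent domain of it.
        if (requestHost !== d && !requestHost.endsWith('.' + d)) return null;
        cookie.domain = d; cookie.hostOnly = false; break;
      }
      case 'path': cookie.path = v || '/'; break;
      case 'expires': cookie.expires = Date.parse(v); break;
      case 'max-age': maxAge = Number(v); break;
    }
  }
  if (maxAge !== null) cookie.expires = now + maxAge * 1000; // Max-Age wins over Expires
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Store a cookie; an already-expired one deletes the stored copy (how servers clear cookies).
  store(cookie, now) {
    const key = `${cookie.domain}|${cookie.path}|${cookie.name}`;
    if (cookie.expires !== null && cookie.expires <= now) this.cookies.delete(key);
    else this.cookies.set(key, cookie);
  }
  // Cookies the browser would attach to a request for host/path at time `now`.
  cookiesFor(host, path, now) {
    const out = [];
    for (const c of this.cookies.values()) {
      const domainOk = c.hostOnly ? host === c.domain : (host === c.domain || host.endsWith('.' + c.domain));
      const prefix = c.path.endsWith('/') ? c.path : c.path + '/';
      const pathOk = path === c.path || path.startsWith(prefix);
      const fresh = c.expires === null || c.expires > now; // null = session cookie
      if (domainOk && pathOk && fresh) out.push(`${c.name}=${c.value}`);
    }
    return out;
  }
  clear() { this.cookies.clear(); } // "delete your cookie files"
}

// Invented tracker: assigns a uid on first sight and asks the browser to keep it for a year.
class TrackingServer {
  constructor(domain) { this.domain = domain; this.nextId = 1; this.log = []; }
  handle(host, path, jar, now) {
    const found = jar.cookiesFor(host, path, now).find((c) => c.startsWith('uid='));
    let uid;
    if (found) uid = found.slice(4);
    else {
      uid = String(this.nextId++);
      const c = parseSetCookie(`uid=${uid}; Domain=.${this.domain}; Path=/; Max-Age=31536000`, host, now);
      if (c) jar.store(c, now);
    }
    this.log.push({ host, path, uid }); // the server-side record that links visits together
    return uid;
  }
}

function demo() {
  const jar = new CookieJar();
  const tracker = new TrackingServer('tracker.example');
  const t0 = Date.parse('1999-03-12T15:00:00Z');
  const firstUid = tracker.handle('ads.tracker.example', '/pixel.gif', jar, t0);               // first visit: uid 1
  const secondUid = tracker.handle('www.tracker.example', '/news/today.html', jar, t0 + 60e3);  // same uid, other host in domain
  const otherSiteSees = jar.cookiesFor('www.example.org', '/', t0 + 60e3);                     // unrelated site gets nothing
  jar.clear();                                                                                 // user deletes cookie file
  const afterClear = tracker.handle('ads.tracker.example', '/pixel.gif', jar, t0 + 120e3);     // tracker starts over: uid 2
  const afterExpiry = tracker.handle('ads.tracker.example', '/pixel.gif', jar, t0 + 120e3 + 31536000e3 + 1); // expired: uid 3
  return { firstUid, secondUid, otherSiteSees, afterClear, afterExpiry };
}
```

The tracker never learns a name; it only needs the browser to keep sending the same `uid`, and the Domain attribute lets every host under tracker.example share it. Clearing the jar breaks the chain exactly as the text suggests, at the cost of becoming a "new visitor" to sites that used the cookie for your benefit.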
