Programming Tutorials

The Web User's Perspective

By: aathishankaran Printer Friendly Format    

Although the risk of using the Web is small, it still merits some consideration. The basic question that you need to ask is," What do I have to lose?" If you use your PC purely for recreation and don't perform any financial transactions over the Web, then the answer is, "Not much." However, if you use your PC to store your diary and sensitive company documents and use the Web to make online purchases, then you may want to examine your risk more closely. 

For users, Web security begins with the browser and, for most of us, that means a Netscape or Microsoft browser. Netscape Navigator and Microsoft Internet Explorer provide a number of features that go beyond simple Web page display. Both browsers support executable content-Java and JavaScript. In addition to executable content, both browsers support plug-ins (Internet Explorer supports Navigator plug-ins and ActiveX controls, in addition to its own), cookies, Secure Sockets Layer (SSL) communication, and digital certificates. Each of these features has implications for user security, as described in the following subsections. 

Dealing with Executable Content 

When most people think of browser vulnerabilities they think of Java, JavaScript, and ActiveX. For most of us, the thought of opening a Web page and automatically having a program load and execute on their computer is a bit frightening. There is a good reason for this fear-it is a very difficult to allow executable content without leaving yourself wide open to a Trojan horse attack. 

A Trojan horse is a program that appears to provide a useful function while, in reality, it is attacking your system. The name comes from the legend of the huge wooden horse that was left as a gift at the gates of Troy. When the Trojans opened the gates of their city to bring in the horse, Greek soldiers who had been hiding inside the horse poured out and attacked the Trojans.

Each of the three major browser-programming technologies uses a different approach to protecting against Trojan horses: 

Java code executes in the Java Virtual Machine (JVM), which is part of the Java runtime system. The runtime system is designed to prevent operations that would violate the browser's security policy. 

JavaScript eliminates Trojan-horse code by not providing objects or methods that could be used to cause damage or violate the user's privacy. 

*ActiveX components do not provide any inherent protection against damage. Instead, these components are digitally signed. The signature provides a high degree of assurance that the component originated from the organization that it claims.

Navigator and Internet Explorer 4 also support signed Java applets. The signature can be used to determine whether the applet should be given extra privileges beyond those allowed by the default Navigator security policy. 

Of the three approaches, JavaScript's is the mostly secure. By not providing a mechanism for creating damage, it is able to prevent the damage from occurring. But how do we know that no object or method can be used to cause damage? The answer is extensive analysis and testing. Could something have been overlooked? Try writing a JavaScript script that could damage your system. 

Java's approach is next best when it comes to security. The Java runtime system is capable of supporting multiple security policies. For example, Java programs that are loaded from your hard disk are allowed more privileges than applets that are loaded over the network. Signed applets are given more a single tooth indicates that international security (40-bit) encryption is in use. A solid key with two teeth indicates that domestic security (12- bit) encryption is in use. 

Both international and domestic security uses the Secure Sockets Layer (551) for encryption. SSI uses public key cryptography to exchange keys that are used for private key encryption. Digital certificates are used to verify the identity of the organization with you are communicating. 

How strong is the security provided? If no encryption is used, then you should assume that whatever information you send could be intercepted. 

If international (40-bit) encryption is used, then your encrypted communication is probably secure from a hacker without many computational resources, but not from anyone else. This encryption scheme has already been broken several times. 

If domestic (128-bit) encryption is used, then you are probably secure from most eavesdroppers. However, absolute security cannot be guaranteed. SSL only protects information while it is in transit. Whatever information you send is unprotected before it is transmitted by your browser and after it is received by the server. 

Maintaining Privacy 

How private is your interaction with the Web? Not very private. Whenever you request a document from a Web server, your request is usually logged by that server. The log record doesn't identify you by name, but it does include your IP address. It you use a static IP address, then you are positively identified. If you use a dynamic IP address, then the log information could apply to other users of your Internet service provider. 

Both Navigator and Internet Explorer support cookies. When cookies were first introduced, they were the subjects of some concern. Because they can be used to maintain information about a user on the user's browser, cookies were looked at as the instrument of Big Brother. As it turns out, cookies can be used to maintain information about users-that was their original intent. It this is a problem? It depends. IF you look at cookies as a way to improve Web services, then you'll want to keep them. If you look at cookies as a means to spy on you, then your best is to periodically delete your cookies files. This will let you use cookies when you need to and will make it difficult for anyone to maintain consistent information about you. You can also make your cookie files read-only.