Wednesday, July 07, 2004

Web Security

Basic security principles include:

  • Availability
  • Integrity
  • Authentication
  • Confidentiality
  • Non-repudiation

Secure Sockets Layer (SSL), a web encryption technology originally developed by Netscape, provides basic web security. All HTTP traffic over SSL (https) is encrypted (in both directions). Beneficial consequences include:

  • Confidentiality: The contents of messages are unreadable by third-party observers
  • Integrity: The contents of messages cannot be altered or tampered with in transit without the tampering being detected
  • Authentication: The client is assured of the server's identity through the server's certificate (and, if client certificates are used, the server is likewise assured of the client's identity)

Most browsers ship with the root certificates of well-known certificate authorities installed, which is what lets them verify a server's certificate. On the server, an SSL module (e.g., OpenSSL) and a server certificate (issued by a certificate authority such as VeriSign) must be installed. A hardware crypto accelerator card can relieve the server of the CPU cost of SSL handshakes and so alleviate server bottlenecks.

The SSL layer sits between the transport layer (TCP/IP) and HTTP on the protocol stack. Versions include SSL v2.0 and SSL v3.0. Transport Layer Security (TLS) is the successor to SSL standardized by the Internet Engineering Task Force (IETF); TLS v1.0 is roughly equivalent to SSL v3.0. When an SSL connection is established, the client and server negotiate the strongest combination of cryptographic techniques that both support.

To avoid security issues, the following are recommended:

  • Store only salted, hashed passwords in the database, never the plaintext
  • Submit the login form over SSL; otherwise the password is sent in the clear and may be sniffed
  • Make passwords difficult to guess, and install intruder alarms that detect random or systematic guessing of passwords
  • Avoid putting sensitive data in URLs (i.e., in GET requests), since URLs are logged by web servers, proxies and browser histories
  • Redirects turn into GET requests, so instead of redirecting with sensitive data in the URL, return an HTML form whose hidden fields carry the data and whose onload handler automatically POSTs the form
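The three server-side recommendations above (salted password hashing with constant-time verification, an intruder alarm that counts failed logins, and the self-submitting POST form that keeps data out of the URL) as an added Python example; this code is not from the original post. The PBKDF2 iteration count, the log line format and the sample log lines are constructed assumptions for the example.

```python
import hashlib
import hmac
import html
import os
from collections import defaultdict

# --- Password storage: keep only a salted hash; the plaintext is never stored ---
PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for the database."""
    salt = salt or os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- Intruder alarm: detect random or systematic password guessing from a login log ---
# Constructed sample log (assumed format: "<timestamp> LOGIN_FAIL|LOGIN_OK user=<u> ip=<a>").
SAMPLE_LOG = """\
2004-07-07T09:00:01 LOGIN_FAIL user=alice ip=10.0.0.5
2004-07-07T09:00:02 LOGIN_FAIL user=bob ip=10.0.0.5
2004-07-07T09:00:03 LOGIN_FAIL user=carol ip=10.0.0.5
2004-07-07T09:00:04 LOGIN_FAIL user=dave ip=10.0.0.5
2004-07-07T09:00:05 LOGIN_FAIL user=erin ip=10.0.0.5
2004-07-07T09:00:06 LOGIN_FAIL user=frank ip=10.0.0.5
2004-07-07T09:01:00 LOGIN_FAIL user=alice ip=10.0.0.9
2004-07-07T09:01:30 LOGIN_OK user=alice ip=10.0.0.9
"""


def guessing_alarms(log_text: str, threshold: int = 5) -> dict:
    """Return source IPs and accounts with at least `threshold` failed logins.

    Counting per IP catches one source trying many accounts (systematic guessing);
    counting per account catches many sources hammering one account.
    """
    fails_by_ip = defaultdict(int)
    fails_by_user = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "LOGIN_FAIL":
            continue
        user = parts[2].split("=", 1)[1]
        ip = parts[3].split("=", 1)[1]
        fails_by_ip[ip] += 1
        fails_by_user[user] += 1
    return {
        "ip": sorted(ip for ip, n in fails_by_ip.items() if n >= threshold),
        "user": sorted(u for u, n in fails_by_user.items() if n >= threshold),
    }


# --- Self-submitting form: hand data to the next page by POST instead of a redirect ---
def post_redirect_form(action: str, fields: dict) -> str:
    """HTML page that POSTs `fields` as hidden inputs on load, so they never appear in a URL."""
    # Escape every attribute value so field contents cannot break out of the markup.
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(action, quote=True)}">{inputs}'
        '<noscript><input type="submit" value="Continue"></noscript>'
        "</form></body></html>"
    )


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print("verify ok:", verify_password("correct horse battery", stored))
    print("alarms:", guessing_alarms(SAMPLE_LOG))
    print(post_redirect_form("/account", {"token": "<x>"}))
```

The alarm in `guessing_alarms` is deliberately simple (raw counts rather than a sliding window); in a real deployment the same per-IP and per-account counters would be kept over a time window and would also feed the session-ID alarm described below.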

A session ID (like a password) must be protected. To prevent session hijacking, a session-based application must run over SSL. If the session mechanism uses cookies:

  • Set the Secure attribute on the cookie; otherwise the browser will also send it over insecure (non-SSL) connections
  • Do not set an expiry (timeout) on the cookie, even a short one: a cookie with an expiry is persistent and browsers may write it to disk, whereas a cookie without one lives only in memory for the browser session

Set session timeouts (on the server) as short as possible. Like passwords, make the session ID difficult to guess and install intruder alarms that detect random or systematic guessing of session IDs.
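The session handling described above (an unguessable session ID, a Set-Cookie header with the Secure attribute and no expiry, a short server-side idle timeout, and logout that invalidates the session on the server) as an added Python example, not code from the original post. The cookie name, the 256-bit ID size and the 15-minute timeout are assumptions; the HttpOnly attribute is an addition beyond what the post lists, and the `audit_set_cookie` helper is a hypothetical check for the two cookie rules.

```python
import secrets
import time

SESSION_ID_BYTES = 32       # assumed: 256 bits of randomness, infeasible to guess
IDLE_TIMEOUT_SECONDS = 900  # assumed: 15 minutes, "as short as possible"


def new_session_id() -> str:
    """Cryptographically random ID; never derive it from user name, time or a counter."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: Secure (SSL only), HttpOnly, and no Expires/Max-Age
    so the browser keeps it in memory instead of writing it to disk."""
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly"


def audit_set_cookie(header: str) -> list:
    """Return the problems found in a Set-Cookie value (empty list means it passes)."""
    attrs = [a.strip().lower() for a in header.split(";")[1:]]
    names = {a.split("=", 1)[0] for a in attrs}
    problems = []
    if "secure" not in names:
        problems.append("missing Secure: cookie would also be sent over plain HTTP")
    if "httponly" not in names:
        problems.append("missing HttpOnly: cookie readable by page scripts")
    if "expires" in names or "max-age" in names:
        problems.append("persistent cookie: browser may write it to disk")
    return problems


class SessionStore:
    """Server-side session table with an idle timeout and explicit logout."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}          # session_id -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout
        self.clock = clock           # injectable for testing

    def create(self, user: str) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None. Expired sessions are deleted,
        so an old ID is as useless as a made-up one."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now     # activity extends the session
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Invalidate on the server, so a stolen ID stops working the moment the user logs out."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie_header(sid))
    print("audit:", audit_set_cookie(session_cookie_header(sid)))
    print("user:", store.lookup(sid))
    store.logout(sid)
    print("after logout:", store.lookup(sid))
```

Note that `logout` removes the entry server-side rather than merely clearing the cookie in the browser; clearing only the cookie would leave a copied session ID valid until the idle timeout fires.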

Do not tie a session to the client's IP address in an attempt to prevent session hijacking: it doesn't work (clients behind proxies share addresses, and others change address mid-session) and only raises support issues. Remember: Logging out is a user's single best defense against session hijacking.