CST(70)-Web Security

Security is a critical factor in the establishment and acceptance of commercial applications on the Web. For example, if you are using a home banking service, you want to be assured that your client/server interactions are both confidential and untampered with. In addition, both you and your bank must be able to verify each other’s identity and to produce auditable records of your transactions.

Security on the web is a two-sided affair that involves both the client (the browser) and the server. They each have a role to play. Currently, most of the web security technology is focused on solving four immediate problems that are standing in the way of widespread e-Commerce.
  1.  Encryption: You don’t want to send your password, credit card number, electronic cash, and other sensitive messages in the clear (i.e., plain text).
  2.  Authentication: Both the client and the server must prove their identity to a trusted third party before they can start a secure session. On the Internet, the clients must prove their identity; so must the servers. The last thing you want is to send your credit card to a Trojan horse masquerading as the real server.
  3.  Firewalls: This is very useful to protect your Intranets from the Internet. This typically involves creating some kind of gateway (or buffer) between the Intranet and the Internet.
  4.  Non-repudiation: This means incontestable proof that a document (or message) was really originated by you and only you. This requires some forms of unforgeable electronic signature that can stand in a court of law.
Currently the Web supports two security protocols: Netscape's Secure Socket Layer (SSL) and EIT's Secure HTTP (S-HTTP). SSL is important because it is supported by the most popular browser on the Web, Netscape Navigator. S-HTTP is a more complete solution; it is supported by the Spry Mosaic and NCSA Mosaic browsers, as well as other Mosaic clones. In many ways the SSL and S-HTTP protocols complement each other, and both support public key encryption to encrypt data, authenticate users, and provide non-repudiation via electronic signatures. Most servers will end up supporting both protocols.

Using secure Internet sites for transactions

Many Internet sites are set up to prevent unauthorized people from seeing the information that is sent to or from those sites. These are called "secure" sites. Because Internet Explorer supports the security protocols used by secure sites, you can send information to a secure site with safety and confidence. (A protocol is a set of rules and standards that enable computers to exchange information.)

When you visit a secure Web site, it automatically sends you its certificate, and Internet Explorer displays a lock icon on the status bar. (A certificate is a statement guaranteeing the identity of a person or the security of a Web site.)

If you are about to send information (such as your credit card number) to an unsecured site, Internet Explorer can warn you that the site is not secure. If the site claims to be secure but its security credentials are suspect, Internet Explorer can warn you that the site might have been tampered with or might be misrepresenting itself.

Protecting your identity over the Internet

You can use a personal certificate to protect your identity over the Internet. A certificate is a statement guaranteeing the identity of a person or the security of a Web site. You can control the use of your own identity by having the private key that only you know on your own system. When used with mail programs, security certificates with private keys are also known as "digital IDs."

Internet Explorer uses two different types of certificates:

A "personal certificate" is a kind of guarantee that you are who you say you are. This information is used when you send personal information over the Internet to a Web site that requires a certificate verifying your identity.

A "Web site certificate" states that a specific Web site is secure and genuine. It ensures that no other Web site can assume the identity of the original secure site.

How do security certificates work?

A security certificate, whether it is a personal certificate or a Web site certificate, associates an identity with a "public key." Only the owner knows the corresponding "private key" that allows the owner to "decrypt" or make a "digital signature." When you send your certificate to other people, you are actually giving them your public key, so they can send you encrypted information, which only you can decrypt and read with your private key.

The digital signature component of a security certificate is your electronic identity card. The digital signature tells the recipient that the information actually came from you and has not been forged or tampered with.

Before you can start sending encrypted or digitally signed information, you must obtain a certificate and set up Internet Explorer to use it. When you visit a secure Web site (one whose address starts with "https"), the site automatically sends you its certificate.

What SSL Provides to Your Website

When you configure the Secure Web Page Service in your Java Web Server, you are configuring a web server to use SSL. This protocol combination is called "HTTPS" (HTTP with SSL).

The Secure Sockets Layer (SSL) is a general-purpose network security protocol. In its normal usage, SSL provides up to four features to your TCP connections:

1. Your web server is authenticated to its clients, so that they can tell who you "really" are. Public Key Certificates are used to do this authentication.

2. All requests to your web server are encrypted so that client data (such as credit card data) is kept confidential. So are the responses from your web server.

3. The data is protected against being tampered with by a third party. This is called integrity protection.

4. When appropriate, clients can authenticate themselves to your server using their own Public Key Certificates.

There are several different ways to use SSL. In particular, each of the four features above comes in several varieties, and all except integrity protection are optional.

Using a Certificate Authority

Most secure web servers authenticate themselves using a certificate provided by a trusted "Certificate Authority" (CA). The role of a CA is to provide introductions between parties who don't know each other; they authenticate addresses according to policies specified in a "Certification Practices Statement" (CPS), which are intended to support use of these certificates (with digital signatures) as evidence in court cases.

When a CA is used, a client using a web browser does not need to get a copy of the server's certificate except through using the SSL protocol.
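The public/private key and digital signature mechanism described under "How do security certificates work?", together with the CA's role as an introducer described here, as an added worked example (not code from the original page or from any product it mentions): a toy RSA key pair each for a CA, a server and an impostor, built from small constructed primes, with hypothetical names. The client accepts a message only when the CA's signature on the server's certificate and the server's signature on the message both verify.

```python
import hashlib
import json

# Textbook RSA with small, constructed primes so the arithmetic stays visible.
# Real certificates use 2048-bit keys and padded hashes; this only shows the
# roles of public key, private key, CA and digital signature.

def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))           # (public, private)

def digest(data):
    # Hash the data, truncated so the integer is smaller than the tiny modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def sign(private_key, data):
    n, d = private_key
    return pow(digest(data), d, n)                 # only the private key holder can do this

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data)    # anyone with the public key can check

def encode_cert(subject, public_key):
    # A certificate binds a name to a public key; the CA signs this encoding.
    return json.dumps({"subject": subject, "key": list(public_key)}, sort_keys=True).encode()

def issue_cert(ca_private, subject, public_key):
    cert = encode_cert(subject, public_key)
    return cert, sign(ca_private, cert)

def client_accepts(ca_public, cert, cert_sig, message, msg_sig):
    """Client logic: trust the CA's introduction first, then the server's signature."""
    if not verify(ca_public, cert, cert_sig):
        return False                               # the CA never vouched for this key
    server_public = tuple(json.loads(cert)["key"])
    return verify(server_public, message, msg_sig)

# Constructed parties (primes near 10**6; the names are hypothetical).
CA_PUB, CA_PRIV = make_keypair(1000003, 1000033)
SRV_PUB, SRV_PRIV = make_keypair(1000037, 1000039)
BAD_PUB, BAD_PRIV = make_keypair(1000081, 1000099)  # impostor with its own key

def demo():
    cert, cert_sig = issue_cert(CA_PRIV, "bank.example", SRV_PUB)
    msg = b"transfer 100 to account 42"
    genuine = client_accepts(CA_PUB, cert, cert_sig, msg, sign(SRV_PRIV, msg))
    tampered = client_accepts(CA_PUB, cert, cert_sig, b"transfer 900 to account 42", sign(SRV_PRIV, msg))
    # The impostor presents a certificate it signed itself instead of one from the CA.
    fake_cert, fake_sig = issue_cert(BAD_PRIV, "bank.example", BAD_PUB)
    impostor = client_accepts(CA_PUB, fake_cert, fake_sig, msg, sign(BAD_PRIV, msg))
    return genuine, tampered, impostor

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```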

If you want to use SSL with a CA, do the following:

1. Use the authstore utility to generate a self-signed server certificate.

2. Then generate a "Certificate Signing Request" (CSR) for that self-signed server certificate.

3. Get that CSR to your certificate authority, either through e-mail or through an on-line procedure from a certificate authority. Note that some web browsers, such as Internet Explorer, are extremely restrictive with respect to the certificate authorities which they support. Certificate Authorities you may wish to consult include:

VeriSign Inc. ... provides "Server" Digital IDs.

4. Note that you will need to provide the CA with proof that you have the right to use the name you provide to them. They will take time to verify this proof. You may be able to get the CA to respond in about a week.

5. The CA will respond with a "PEM encoded X.509 Certificate", which looks something like this:

6. Import that with the "authstore" tool.

7. You will probably want to enable the HTTPS Service ("Secure Web Page Service") at this time.

Additional Certificate Authorities Support

Support for additional Certificate Authorities (CAs) is now available. To use a CA other than the built-in VeriSign CAs:
  1. Import the root certificate of the CA using the "Import CA" button in Authstore.
  2. Import the certificate issued by that CA.
