Internet / Intranet, Fall 2000
Class 5: Web Server Security; Intro JavaScript
Class 5 Agenda
• Discuss Milestone 1
• Discuss Homepages
• Discuss Log File Homework
• Web Security
• Presentations
• Intro JavaScript
• Lab Work:
  • JavaScript
• Next Week:
  • More JavaScript
  • DHTML, DOM
  • Forms
Brandeis University Internet/Intranet Spring 2000
Practical Internet Security
• Analogous to “Real-Life” Security (e.g. a Bank)
• Like Software, Security Must Be Well-Designed
• Implementing Security Requires Trade-Offs
  • Ease of Use is Affected
  • Business Processes are Affected
  • Business Culture is Affected
  • Affects Both Users and Employees
• Security is Expensive
  • Time, Effort, Lost Productivity
  • Enforcement
• Physical Security is Only Half the Story
  • Implementation/Enforcement is Just as Important
Security Design Issues
• Know the Threats You are Protecting Against
  • What are the Probabilities?
  • What is the Cost if it Happens?
    • Dollars
    • Customer/Employee Confidence
• Know Your Environment
  • What are the Customer/User Requirements?
  • What are the Budget Constraints?
  • What is the Culture/Attitude of Those Affected?
  • What is the Probability That Policies Will Be Followed / Enforced?
Security Sermon
• Security is Often Misused in Technology Environments
  • Provides Peace of Mind
  • Not Necessarily Real Security
  • Often Avoids the Real Issues
  • Appeases Management
• Common Security Mistakes (Analogies)
  • Using an Expensive/High Security Safe
    • But Leaving the Key/Combination Where it Can Be Stolen
    • Leaving the Safe Unlocked
    • Little Professional Enforcement/Review of Procedures
  • Storing a Dime in a Safe
    • Cost of Security Exceeds Risk of Stolen Dime
  • High-Tech Solution Instead of Low-Tech Common Sense
    • E.g. Convenience Store Having a Safe vs. Nightly Bank Deposits
• Security Has Consequences on Human Perceptions
  • E.g. Installing a Metal Detector May Make Employees Feel Less Secure
Security Tips
• Thieves/Hackers Follow the Easiest Path
  • One That Gives Them the Most Value
  • One They Know About
• The Environment is Key!
  • A Mercedes in a Lot Full of Chevys is Likely to Be Stolen First
  • The Same Mercedes in a Lot Full of Rolls Royces is Likely to Be Stolen Last
  • The Same Mercedes in an Unsecured Garage is Safer Because Fewer Thieves Know About It
• Therefore:
  • Know Other Likely Targets and Be Less Attractive Than They Are
  • Make Your Site More Difficult to Hack Than it is Worth
  • Don’t Publicize What Doesn’t Need to Be Public
Security Tips (2)
• Does Not Guarantee No Hacking
  • But Reduces the Probability Significantly
• Most Security Problems Come From Human Error, Not From Intentional Hacking
  • Focus on Minimizing the Chance of Human Error
• Identify Each Risk Separately
  • Solutions May Vary Widely
• Security is Only as Good as Your Expertise
  • Professional Security Requires a Professional System Administrator
• Use Common Sense / Be Realistic
Internet Risks
• Destruction of Data
  • Random
  • Targeted
• Modification of Data
  • Random
  • Targeted
  • Worms/Viruses
• Publication of Private/Sensitive Data
  • Sensitive/Embarrassing Information
  • Confidential Information
  • Competitive Information
  • Customer Information
  • Keys
  • Information That Furthers Other Risks
    • E.g. Credit Card Information, Museum Floor Plan
• Network Disruption
  • Machine Crashes / Inoperable Serving Software
Protecting Data
• Machine Level
  • Physical Isolation
    • Physically Isolate Machines From Users
    • Protect From Theft / Natural Disasters
  • Users
    • System Administration Permissions
    • Remote Access
  • Single-Purpose vs. Multi-Purpose Server
    • Shared Hosting
    • Test vs. Production
• Application Level
  • Server Configuration
    • Server’s Ability to Access Files / System Resources
  • Restrict Applications Running on Machine
    • Don’t Load Applications/Protocols You Don’t Need
Protecting Data (2)
• Script Level
  • Who Can Modify Scripts?
    • Remote Access
  • Script’s Ability to Access Files / System Resources
  • Scripts Identified by File Extension or Directory?
• File Level
  • Who Can Download Files?
  • Who Can Upload Files?
  • Exposed Directories
• Communication Level
  • IP Address Restrictions
  • Password Requirements
  • Encryption
• Metaphysical Level
  • Morals
  • The Law
Access Control Techniques
• “Passive” Techniques
  • Don’t Publish URLs
  • Always Have Default Pages – Avoid Directory Browsing
  • Complex Page/Directory Names
• Active Techniques
  • Change Page/Directory Names Often
  • Server Filters on IP Address, Domain Name
  • Requiring a Name / Password
  • Use Non-Standard Ports
  • Secure (Encrypted) Transmissions
  • Firewalls (Proxy Servers)
    • Isolate LAN From General Internet
All Techniques Have Some Negatives
• Passive Techniques, Non-Standard Ports
  • If a User Guesses Correctly, They Have Full System Access
  • Requires Publishers to Voluntarily Follow Standards
  • Best for Non-Critical Security
    • Security Breach Does Not Disable System
    • Site Unlikely to Attract Hackers
• IP Address / Domain Name Filters
  • Requires Significant Effort to Administer
  • Users Can’t Move Around Easily
  • Serious Hackers Can Defeat via Spoofing
  • Best For Local Intranet
    • Site Unlikely to Attract Serious Hackers
• Encryption
  • Significant Overhead
• Firewalls
  • Limits Internet Access of Those Within the Firewall
Name / Password Security
• Requires All Parties to Maintain Secure Passwords
  • Inconveniences Users
  • Difficult to Enforce
  • One Violation Can Compromise Entire Plan
• Passed in Plain Text as Part of the URL
  • Serious Hackers Can Intercept It
  • Analogous to Credit Card Receipts in the Trash
• Web Servers Allow Unlimited Tries (Stateless)
• Best Solution is a Combination of Techniques
Firewall Details
• Proxy Server
  • Gatekeeper Between a LAN and the Internet
  • Acts as a Local DNS
    • User Requests a URL
    • Proxy Server Finds the Equivalent File on the LAN
• Firewall
  • Packet-Level Filter
    • Restrict Data at the Packet Level, e.g. Don’t Allow FTP
  • Circuit Filters
    • Also Takes Into Account the Source and Destination of a Packet
    • Maintains Some History Information
  • Application-Level Filters
    • Intercepts Transmissions and Analyzes Them to See if They Make Sense
    • Requires Knowledge of the Application to be Effective
Encryption
• Basic Encryption – Privacy / Confidentiality
  • “Scramble” a Document So a Third Party Can’t Read It
  • What Level of Scrambling is Required?
    • Not Easily Readable By Human Eye
      • Simple Replacement Algorithm
      • Base64
    • Extremely Difficult, But Possible to Crack
      • E.g. passwords, “zip” encryption
    • “Impossible” to Crack
• Authentication (Signature)
  • Can Be Assured That Document is From Recipient
  • Can Be Assured That Document Was Not Tampered With
• Non-Repudiation (Contract)
  • Can Also Be Assured That Document Was Received Intact
  • Neither Can Tamper With Document
• Data Integrity
  • Assurance That Document Was Not Corrupted
Encryption Technologies
• Symmetric Key Encryption
  • Same Key Used For Encrypting / Decrypting
  • Both Parties Use Same Key
  • Analogy: Standard Door
• Asymmetric Key Encryption (Public Key)
  • Each Party Has a Different Private Key
  • Third Key (Public Key) Required for Encryption/Decryption
  • Key Held By Trusted Third-Party
  • Analogy: Safe Deposit Box
• Message Digest Algorithms
  • Encrypted “Hash” Functions Used For Digital Signatures
Methods of Defeating Encryption
• Brute Force
  • Trying All Possibilities
• “Psychic” (For Human-Generated Keys Only)
  • Person Has to Be Able to Memorize Key
  • Brute Force: Prioritized by Easily Memorized Keys
• Cipher Attack
  • View The Encrypted Data and Work Back
  • Analogy: Cryptogram Puzzles
• Cryptanalysis
  • Science of Breaking Algorithms
  • Exploit Mathematical Weaknesses in the Algorithm
How Encryption Works
• Develop a mathematical function such that:
  • f(a, b) = c
  • f'(a, c) = b
  • BUT f''(b, c) = a Does Not Exist
• Symmetric
  • f(message, key) = encrypted_message
  • f'(encrypted_message, key) = message
• Asymmetric
  • f(my_message, your_public_key) = encrypted_message
  • f'(encrypted_message, your_private_key) = my_message
• Signature
  • f(signature, my_private_key) = encrypted_signature
  • f'(encrypted_signature, my_public_key) = signature
Internet Encryption Protocols
• Public Key Encryption Requires Trusted Third Party
  • Certificate Authority
• RSA – Rivest, Shamir, Adleman
  • MIT Professors – Invented Algorithms
  • Some are Patented
• Size of Key is Important
  • Longer Keys are Harder to Break
  • Government Limits to Size of Keys
    • Controls on Exports
• PGP – Pretty Good Privacy
  • Freeware Encryption
• DES
  • 56-bit Symmetric Key
  • Triple DES
• RC2, RC4 – Use Shorter Keys – Can Be Used For Export
Internet Encryption Protocols (2)
• SET
  • Protocol For Passing Credit Card Information
  • Uses DES for Data, RSA for Keys and Credit Card Number
  • Includes Protocols for Authorization and Validation of Credit Card
• Encrypted HTTP
  • S-HTTP (Secure HTTP) – CommerceNet
  • SSL (Secure Sockets Layer) – Netscape
• PPP
  • TCP/IP Itself Cannot Be Encrypted
  • Login Passwords Are in Clear
  • PAP (Password Authentication Protocol) – Passwords Sent in Clear
  • CHAP (Challenge Handshake Authentication Protocol)
    • Password Used to Create a Response That is Passed to Server
• Key Management
  • Keys Must Be Kept Private or Security is Lost
  • Keys are Too Long For Memorization
  • Kerberos (MIT), ISAKMP (Internet Security Association and Key Management Protocol)
IP Level Security
• Virtual Private Networks (VPNs)
• Tunneling (Encapsulation)
  • Encrypts Data at a Point Low in the ISO Stack
  • Encapsulates it in Another Protocol
• PPTP – Point-To-Point Tunneling Protocol
  • Works Over Public Networks
  • Only Client and Server Need to Be PPTP Aware
  • IP Information is Encrypted and Carried Within Another IP Packet
• L2F – Layer 2 Forwarding
  • Requires All Routers/Servers Between Client and Server to Support L2F
• L2TP – Combination of PPTP and L2F
• TACACS, RADIUS
  • For Dial-Up Access
Non-Encrypted Security
• Change Passwords Regularly
  • Security Breaches are “Temporary”
  • Increases Effort Necessary to Break In
  • Analogy: Changing Locks
• DHCP – IP Addresses are Temporary
  • Similar to Changing Passwords at IP Level
  • IP Addresses Dynamically Assigned
• Private Network
  • Traffic Between Customers of ISP Does Not Pass Through “Public” Internet
  • ISP Keeps Routers Secure
  • AT&T Strategy
Security Key Points
• Use Common Sense Above All
• Security is Useless if it is Not Enforceable
  • Once Adopted, Must Be Policed / Tested / Enforced
  • Policing Software is Important
    • Automate Mundane Tasks
• Security Policies Will Usually Impact Productivity
  • Use Them Wisely
• Two Major Aspects to Security:
  • Keys and Key Maintenance (e.g. Passwords)
  • Encryption
The Need For Client Side Scripting
• Performance
  • Move More Processing to Client
  • Especially Items Requiring Faster Response
    • E.g. Field Validation
• Usability
  • Make HTML More “Windows-Like”
  • HTML Extensions (e.g. Tab Order)
  • CSS Extensions (e.g. style="cursor:hand")
  • Dynamic Event Handling (e.g. onMouseOver)
• Requires Scripting Language
  • ECMAScript – (European Computer Manufacturers Association)
  • Netscape – Created Own Version: JavaScript (No Relation to Java)
    • Marketing Ploy: to Capitalize on Java Popularity
  • Microsoft – VBScript
    • Windows/IIS Only
    • Also Supports JavaScript (Called it JScript)
JavaScript
• De-Facto Standard Client-Side Scripting Language
  • However, Other Scripting Languages are Supported by Servers; Add-Ons for Others.
• Interpreted Language
• Object-Oriented
• “Full” Scripting Language
  • Core JavaScript – Standalone Scripting Language
    • No File I/O
  • Client-Side JavaScript – For Use in HTML Pages
    • Primary Use of JavaScript
  • Server-Side JavaScript – Perl/Java Alternative
• Similar to Other Languages
  • C-Like Syntactic Structure
  • Untyped
  • Associative Arrays
JavaScript (2)
• Usability
  • Fairly Complex Language
  • Web Orientation
  • Easiest to Look at and Modify Existing Code
  • Full, Complex Language
    • Many Ways to Achieve the Same Function
• Versions
  • 1.0 – Base Version
    • Netscape Navigator 2.0, IE 3.0
  • 1.1 – Improved Array Support, Other Features
    • Netscape Navigator 3.0
  • 1.2 – (Current) Regular Expressions, Other Features
    • Netscape Navigator 4.0
  • ECMA-262: Standardized Version of JavaScript 1.2
    • IE 4.0
Client-Side JavaScript
• Core JavaScript Language
• HTML Events
• Document Object Model (DOM)
  • Ability to Refer to the Elements of an HTML Document
• Significant Differences Between Microsoft and Netscape Implementations
  • Especially in DOM Implementation
• So, as With CSS, HTML, etc.
  • Know Your Target Audience / Platform
  • What Level of Support Will You Provide For Those Not Using Your Target Platform?
Dynamic HTML - Scripting
• All Properties Can Be Set by Scripts
• New Dynamic Properties: Useful for Scripting
  • DISABLED / ENABLED Attribute (Form Fields)
  • Display Property
  • Visibility Property
• Pop-Up Boxes
• Creation of New Windows
  • New Instance of Browser
Invoking a Script
• Script Code Within HTML
• Buttons
  • Button Selection Invokes a Script
• Events
  • Focus Events
    • onfocus, onblur
  • Mouse Events
    • onmouseover, onmouseout
    • onmousedown, onmouseup
    • onclick, ondblclick, onselect
  • Keyboard Events
    • onkeydown, onkeyup, onkeypress
  • Scroll Event
    • onscroll
  • Help Event
    • onhelp – (F1 key, not Browser Help Button)
  • Timer Events
Document Object Model
• Defines Hierarchy of Objects
  • Each Has its Own Event Handlers
• Event Bubbling
  • Which Event Handler Gets Events?
• Name Space Definitions
  • Each Object in HTML Form Can Be Addressed
  • E.g. Clicking a Button Can Be Used to Change the Text Value in a Specific Field of Another Window
• A Caveat
  • JavaScript is Still a Scripting Language
  • Not Great For Large, Complex Programs
    • e.g. Limited Debugging
  • As With Perl, Powerful Features Can Also Make Bugs Difficult to Detect / Prevent
Stepping Back: Basic JavaScript
<SCRIPT LANGUAGE="JavaScript">
<!--
document.write("Hello World");
// -->
</SCRIPT>
• Older Browsers Ignore the Script Tag if They Don’t Support Script
  • However, They Will Try to Display Text Within Tags
  • Therefore, Enclose All Script Within Tags as HTML Comments
  • Script Processor Will Ignore HTML Comment Tags
• Use // For JavaScript Comments
• Newer Browsers Will Ignore All Within Tags if They Don’t Recognize the Language. JavaScript is the Default.
• <NOSCRIPT> </NOSCRIPT> Tags Can Then Be Used to Specify an Alternative. All in Between is Ignored By Browser.
• Note That a Specific Version of the Language Can Be Specified (e.g. LANGUAGE="JavaScript1.2")
JavaScript Basics
• Similar to C/Java
• Case Sensitive
  • Case Conventions Not Always Obvious
  • In Most Cases You Don’t Get an Error Message, Just an Unexpected Result
• == vs. = in if Statement (Like C)
  • E.g. if (a == 2) {
  • vs. if (a = 2) {
• Lines End in ;
• In-Line JavaScript: Executed Where Encountered
  • document.write("<H1>Hello World</H1>\n");
  • document.writeln("Hello World");
  • NOTE: Output is Interpreted as HTML
• Dynamic Page Example
Objects and Properties
• Objects
  • Objects are Collections of Named Data
  • Often Called Properties or Fields
• Properties
  • Untyped
  • Can be Data, Arrays, Functions, Other Objects
  • If a Property is a Function it is Called a Method
  • Referenced by object.property
    • e.g. document.myform.button
  • Properties Can be Dynamically Assigned to Objects
    • var point = new Object();
    • point.x = 7;
    • point.y = 3;
• Associative Arrays
  • Properties Can Be Accessed via Associative Arrays
    • E.g. point["x"]
    • document.myform["button"]
Creating Objects
• Variables Can Be Used Without Declaration
  • e.g. myname = "evan";
• However, it is Preferable to Declare Them First
  • var i, j, k;
• Can Be Initialized on Declaration:
  • var i = 0, j = 0, k = 0;
• Objects and Arrays Must First Be Created
  • var book = new Object();
• Then Properties Can Be Assigned Without Declaration
  • book.chapter1 = "How To";
  • book.length = "20 pages";
• All Objects / Variables Have Default Methods/Properties
  • E.g.
    • st = "abcdefg";
    • stlen = st.length;
Scoping
• Objects Declared Outside of a Function are Global
• Objects Declared With a var Statement in a Function are Local
• Objects Not Declared are Treated as Globals
  • This is the Reason All Variables Should be Declared
• Local – Only Defined Within the Local Function
• Global – Defined Within All
• NOTE: A Local Variable Can Have the Same Name as a Global
  • The Local Variable Takes Precedence
Arrays
• Some Useful Array Functions
  • array.concat(array1, array2, …) – Concatenates Arrays
  • array.join(separator) – Returns a String of All Elements of the Array Separated by separator
  • array.length – Returns the Number of Elements in the Array
  • array.pop() – Removes and Returns the Last Element of an Array
  • array.push(element) – Appends an Element to an Array
  • array.reverse() – Reverses the Elements of an Array
  • array.shift() – Removes and Returns the First Element of an Array
  • array.unshift(element) – Inserts an Element at the Beginning of an Array
  • array.slice(start, end) – Returns a Portion of the Array
  • array.sort() – Sorts an Array
  • array.splice() – Inserts or Deletes Elements of an Array
Miscellaneous
• Concatenate Strings Using +
• Variables are Untyped
  • Automatically Converted
  • May Cause Unexpected Results, e.g.
    • v1 = 1 + 2 + " classes";  v1 contains "3 classes"
    • But: v1 = "I took " + 1 + 2 + " classes";  v1 contains "I took 12 classes"
• Arrays Identified With Brackets
  • E.g. point[0]
  • Not { as with Perl
• null
  • Special Value
  • Different Than 0
• this
  • Identifies Current Object
Functions
• Use the return Statement to Return a Value from a Function
  • E.g. return (3);
• arguments is a Special Object Available in a Function
  • arguments[] Holds the Argument Values Passed In
  • arguments.length – The Number of Arguments Passed
More JavaScript
• Comments are // or /* */
• Strings Concatenated with +
• Functions Should be Declared Before Being Used
  • Typically Defined in <HEAD> Section
• alert – Creates a Pop-Up Message Box
• prompt – Prompts User for Input
• Buttons – <INPUT TYPE="Button" VALUE="Click Here" onclick="functionname()">
• window.open – Opens a New Instance of Browser
• Example
More Examples
• Events Example
  • onLoad
  • onUnload
• Environment Information Example
  • HTTP Header Information
  • Cookies
In-Class Exercise
• Create a JavaScript version of your test page
  <SCRIPT LANGUAGE="JavaScript">
  myname = "Evan";
  document.writeln("<H1>Welcome to " + myname + "'s Homepage</H1>");
  </SCRIPT>
• Add a BUTTON to your Homepage to show this page in a new Browser Window
• Advanced: Choose the Name at Random. Set this in a function.
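One possible solution to the exercise, added here (not the course's own), written so that the "Output is Interpreted as HTML" note from the basics slide is respected: the variable part of the heading is escaped before it is written. The name list and the function names are assumptions.

```javascript
// Added example, not the course's own solution: the in-class exercise, with the
// "output is interpreted as HTML" note taken into account. The name list and the
// function names are assumptions made here.

// Because document.write() output is parsed as HTML, a name that happens to
// contain markup would be rendered as markup; escape it to show it literally.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Builds the heading from the exercise; only the variable part is escaped,
// the literal apostrophe in the template is intended markup-free text.
function welcomeHtml(name) {
  return "<H1>Welcome to " + escapeHtml(name) + "'s Homepage</H1>";
}

// "Advanced: Choose the Name at Random" - pick one entry of a list.
function randomName(names) {
  if (names.length === 0) return "";
  return names[Math.floor(Math.random() * names.length)];
}

// In a browser page this writes the heading; elsewhere it just returns the HTML.
function showWelcome(names) {
  var html = welcomeHtml(randomName(names));
  if (typeof document !== "undefined") document.writeln(html);
  return html;
}

var CLASS_NAMES = ["Evan", "Alice", "Bob"];   // constructed sample list
```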
FOR NEXT CLASS
HTML Extensions for Forms
• “Tool Tips”
  • TITLE Attribute on Form Tags
• Label Associated With Form Entry
  • User Can Click On Label to Select Entry Field
  • <LABEL FOR="TextID">Enter Name: </LABEL>
  • <INPUT TYPE="Text" ID="TextID" NAME="Tname">
• Shortcuts
  • Alt-Character Selects Entry Field
  • ACCESSKEY="X"
• Tab Order
  • TABINDEX=3
  • Negative Number Excludes Field From Tab Order
• FieldSet
  • Groups Controls Together (Outline Box)
  • <LEGEND> Adds Text To Outline Box
• Example