internet / intranet fall 2000 class 5 web server security intro javascript
TRANSCRIPT
Internet / Intranet
Fall 2000
Class 5: Web Server Security
Intro JavaScript
Brandeis University Internet/Intranet Spring 2000 2
Class 5 Agenda
- Discuss Milestone 1
- Discuss Homepages
- Discuss Log File Homework
- Web Security Presentations
- Intro JavaScript
- Lab Work: JavaScript
- Next Week: More JavaScript, DHTML, DOM, Forms
Practical Internet Security
- Analogous to “Real-Life” Security (e.g. a Bank)
- Like Software, Security Must Be Well-Designed
- Implementing Security Requires Trade-Offs
  - Ease of Use is Affected
  - Business Processes are Affected
  - Business Culture is Affected
  - Affects Both Users and Employees
- Security is Expensive
  - Time, Effort, Lost Productivity
  - Enforcement
- Physical Security is Only Half the Story
  - Implementation/Enforcement is Just as Important
Security Design Issues
- Know the Threats You are Protecting Against
  - What are the Probabilities?
  - What is the Cost if it Happens?
    - Dollars
    - Customer/Employee Confidence
- Know Your Environment
  - What are the Customer/User Requirements?
  - What are the Budget Constraints?
  - What is the Culture/Attitude of Those Affected?
  - What is the Probability That Policies Will Be Followed / Enforced?
Security Sermon
- Security is Often Mis-Used in Technology Environments
  - Provides Peace of Mind, Not Necessarily Real Security
  - Often Avoids the Real Issues
  - Appeases Management
- Common Security Mistakes (Analogies)
  - Using an Expensive/High Security Safe, But Leaving the Key/Combination Where it Can Be Stolen
  - Leaving the Safe Unlocked
  - Little Professional Enforcement/Review of Procedures
  - Storing a Dime in a Safe: Cost of Security Exceeds Risk of Stolen Dime
  - High-Tech Solution Instead of Low-Tech Common Sense (e.g. Convenience Store Having a Safe vs. Nightly Bank Deposits)
- Security Has Consequences on Human Perceptions
  - E.g. Installing a Metal Detector May Make Employees Feel Less Secure
Security Tips
- Thieves/Hackers Follow the Easiest Path
  - The One That Gives Them the Most Value
  - The One They Know About
- The Environment is Key!
  - A Mercedes in a Lot Full of Chevys is Likely to Be Stolen First
  - The Same Mercedes in a Lot Full of Rolls Royces is Likely to Be Stolen Last
  - The Same Mercedes in an Unsecure Garage is Safer Because Fewer Thieves Know About It
- Therefore:
  - Know Other Likely Targets and Be Less Attractive Than They Are
  - Make Your Site More Difficult to Hack Than it’s Worth
  - Don’t Publicize What Doesn’t Need to Be Public
Security Tips (2)
- Does Not Guarantee No Hacking, But Reduces the Probability Significantly
- Most Security Problems Come From Human Error, Not From Intentional Hacking
  - Focus on Minimizing the Chance of Human Error
- Identify Each Risk Separately
  - Solutions May Vary Widely
- Security is Only as Good as Your Expertise
  - Professional Security Requires a Professional System Administrator
- Use Common Sense / Be Realistic
Internet Risks
- Destruction of Data
  - Random
  - Targeted
- Modification of Data
  - Random
  - Targeted
  - Worms/Viruses
- Publication of Private/Sensitive Data
  - Sensitive/Embarrassing Information
  - Confidential Information
    - Competitive Information
    - Customer Information
  - Keys
    - Information That Furthers Other Risks
    - E.g. Credit Card Information, Museum Floor Plan
- Network Disruption
  - Machine Crashes / Inoperable Serving Software
Protecting Data
- Machine Level
  - Physical Isolation
    - Physically Isolate Machines From Users
    - Protect From Theft / Natural Disasters
  - Users
    - System Administration Permissions
    - Remote Access
  - Single-Purpose vs. Multi-Purpose Server
    - Shared Hosting
    - Test vs. Production
- Application Level
  - Server Configuration
  - Server’s Ability to Access Files / System Resources
  - Restrict Applications Running on Machine
    - Don’t Load Applications/Protocols You Don’t Need
Protecting Data (2)
- Script Level
  - Who Can Modify Scripts?
    - Remote Access
  - Script’s Ability to Access Files / System Resources
  - Scripts Identified by File Extension or Directory?
- File Level
  - Who Can Download Files?
  - Who Can Upload Files?
  - Exposed Directories
- Communication Level
  - IP Address Restrictions
  - Password Requirements
  - Encryption
- Metaphysical Level
  - Morals
  - The Law
Access Control Techniques
- “Passive” Techniques
  - Don’t Publish URLs
  - Always Have Default Pages – Avoid Directory Browsing
  - Complex Page/Directory Names
- Active Techniques
  - Change Page/Directory Names Often
  - Server Filters on IP Address, Domain Name
  - Requiring a Name / Password
  - Use Non-Standard Ports
  - Secure (Encrypted) Transmissions
  - Firewalls (Proxy Servers)
    - Isolate LAN From General Internet
All Techniques Have Some Negatives
- Passive Techniques, Non-Standard Ports
  - If a User Guesses Correctly, They Have Full System Access
  - Requires Publishers to Voluntarily Follow Standards
  - Best for Non-Critical Security
    - Security Breach Does Not Disable System
    - Site Unlikely to Attract Hackers
- IP Address / Domain Name Filters
  - Requires Significant Effort to Administer
  - Users Can’t Move Around Easily
  - Serious Hackers Can Defeat via Spoofing
  - Best For Local Intranet
    - Site Unlikely to Attract Serious Hackers
- Encryption
  - Significant Overhead
- Firewalls
  - Limits Internet Access of Those Within the Firewall
Name / Password Security
- Requires All Parties to Maintain Secure Passwords
  - Inconveniences Users
  - Difficult to Enforce
  - One Violation Can Compromise the Entire Plan
- Passed in Plain Text as Part of the URL
  - Serious Hackers Can Intercept It
  - Analogous to credit card receipts in the trash
- Web Servers Allow Unlimited Tries (Stateless)
- Best Solution is a Combination of Techniques
Firewall Details
- Proxy Server
  - Gatekeeper Between a LAN and the Internet
  - Acts as a Local DNS
  - User Requests a URL; Proxy Server Finds the Equivalent File on the LAN
- Firewall
  - Packet-Level Filter
    - Restrict Data at the Packet Level, e.g. Don’t Allow FTP
  - Circuit Filters
    - Also Takes Into Account the Source and Destination of a Packet
    - Maintains Some History Information
  - Application-Level Filters
    - Intercepts Transmissions and Analyzes Them to See if They Make Sense
    - Requires Knowledge of the Application to be Effective
Encryption
- Basic Encryption – Privacy / Confidentiality
  - “Scramble” a Document So a Third Party Can’t Read It
  - What Level of Scrambling is Required?
    - Not Easily Readable By Human Eye: Simple Replacement Algorithm, Base64
    - Extremely Difficult, But Possible to Crack: E.g. passwords, “zip” encryption
    - “Impossible” to Crack
- Authentication (Signature)
  - Can Be Assured That Document is From Recipient
  - Can Be Assured That Document Was Not Tampered With
- Non-Repudiation (Contract)
  - Can Also Be Assured That Document Was Received Intact
  - Neither Can Tamper With Document
- Data Integrity
  - Assurance That Document Was Not Corrupted
Encryption Technologies
- Symmetric Key Encryption
  - Same Key Used For Encrypting / Decrypting
  - Both Parties Use Same Key
  - Analogy: Standard Door
- Asymmetric Key Encryption (Public Key)
  - Each Party Has a Different Private Key
  - Third Key (Public Key) Required for Encryption/Decryption
    - Key Held By Trusted Third-Party
  - Analogy: Safe Deposit Box
- Message Digest Algorithms
  - Encrypted “Hash” Functions Used For Digital Signatures
Methods of Defeating Encryption
- Brute Force
  - Trying All Possibilities
- “Psychic” (For Human Generated Keys Only)
  - Person Has to Be Able to Memorize Key
  - Brute Force: Prioritized by Easily Memorized Keys
- Cipher Attack
  - View The Encrypted Data and Work Back
  - Analogy: Cryptogram Puzzles
- Cryptanalysis
  - Science of Breaking Algorithms
  - Exploit Mathematical Weaknesses in the Algorithm
How Encryption Works
- Develop a mathematical function such that:
  - f(a, b) = c
  - f’(a, c) = b
  - BUT f’’(b, c) = a Does Not Exist
- Symmetric
  - f(message, key) = encrypted_message
  - f’(encrypted_message, key) = message
- Asymmetric
  - f(my_message, your_public_key) = encrypted_message
  - f’(encrypted_message, your_private_key) = my_message
- Signature
  - f(signature, my_private_key) = encrypted_signature
  - f’(encrypted_signature, my_public_key) = signature
Internet Encryption Protocols
- Public Key Encryption Requires Trusted Third Party
  - Certificate Authority
- RSA – Rivest, Shamir, Adleman
  - MIT Professors – Invented Algorithms
  - Some are Patented
- Size of Key is Important
  - Longer Keys are Harder to Break
  - Government Limits to Size of Keys
    - Controls on Exports
- PGP – Pretty Good Privacy
  - Freeware Encryption
- DES
  - 56-bit Symmetric Key
  - Triple DES
- RC2, RC4 – Use Shorter Keys – Can Be Used For Export
Internet Encryption Protocols (2)
- SET
  - Protocol For Passing Credit Card Information
  - Uses DES for Data, RSA for Keys and Credit Card Number
  - Includes Protocols for Authorization and Validation of Credit Card
- Encrypted HTTP
  - S-HTTP (Secure HTTP) – CommerceNet
  - SSL (Secure Sockets Layer) – Netscape
- PPP
  - TCP/IP Itself Cannot Be Encrypted; Login Passwords Are in Clear
  - PAP (Password Authentication Protocol) – Passwords Sent in Clear
  - CHAP (Challenge Handshake Authentication Protocol) – Password Used to Create a Response That is Passed to Server
- Key Management
  - Keys Must Be Kept Private or Security is Lost
  - Keys are Too Long For Memorization
  - Kerberos (MIT), (ISAKMP – Internet Security Association)
IP Level Security
- Virtual Private Networks (VPNs)
  - Tunneling (Encapsulation)
    - Encrypts Data at a Point Low in the ISO Stack
    - Encapsulates it in Another Protocol
  - PPTP – Point-To-Point Tunneling Protocol
    - Works Over Public Networks
    - Only Client and Server Need to Be PPTP Aware
    - IP Information is Encrypted and Carried Within Another IP Packet
  - L2F – Layer 2 Forwarding
    - Requires All Routers/Servers Between Client and Server to Support L2F
  - L2TP – Combination of PPTP and L2F
- TACACS, RADIUS
  - For Dial-Up Access
Non-Encrypted Security
- Change Passwords Regularly
  - Security Breaches are “Temporary”
  - Increases Effort Necessary to Break In
  - Analogy: Changing Locks
- DHCP – IP Addresses are Temporary
  - Similar to Changing Passwords at IP Level
  - IP Addresses Dynamically Assigned
- Private Network
  - Traffic Between Customers of ISP Does Not Pass Through “Public” Internet
  - ISP Keeps Routers Secure
  - AT&T Strategy
Security Key Points
- Use Common Sense Above All
- Security is Useless if it is Not Enforceable
  - Once Adopted Must Be Policed / Tested / Enforced
  - Policing Software is Important
  - Automate Mundane Tasks
- Security Policies Will Usually Impact Productivity
  - Use Them Wisely
- Two Major Aspects to Security:
  - Keys and Key Maintenance (e.g. Passwords)
  - Encryption
The Need For Client Side Scripting
- Performance
  - Move More Processing to Client
  - Especially Items Requiring Faster Response
    - E.g. Field Validation
- Usability
  - Make HTML More “Windows-Like”
    - HTML Extensions (e.g. Tab Order)
    - CSS Extensions (e.g. style=“cursor:hand”)
    - Dynamic Event Handling (e.g. onMouseOver)
- Requires Scripting Language
  - ECMAScript – (European Computer Manufacturers Association)
  - Netscape – Created Own Version: JavaScript (No Relation to Java)
    - Marketing Ploy: to Capitalize on Java Popularity
  - Microsoft – VBScript
    - Windows/IIS Only
    - Also Supports JavaScript (Called it JScript)
JavaScript
- De-Facto Standard Client-Side Scripting Language
  - However, Other Scripting Languages are Supported by Servers; Add-Ons for Others.
- Interpreted Language
- Object-Oriented
- “Full” Scripting Language
  - Core JavaScript – Standalone Scripting Language
    - No File I/O
  - Client-Side JavaScript – For Use in HTML Pages
    - Primary Use of JavaScript
  - Server-Side JavaScript – Perl/Java Alternative
    - Similar to Other Languages
- C-Like Syntactic Structure
- Untyped
- Associative Arrays
JavaScript (2)
- Usability
  - Fairly Complex Language
  - Web Orientation
  - Easiest to Look at and Modify Existing Code
  - Full, Complex Language
    - Many Ways to Achieve the Same Function
- Versions
  - 1.0 – Base Version
    - Netscape Navigator 2.0, IE 3.0
  - 1.1 – Improved Array Support, Other Features
    - Netscape Navigator 3.0
  - 1.2 – (Current) Regular Expressions, Other Features
    - Netscape Navigator 4.0
  - ECMA-262: Standardized Version of JavaScript 1.2
    - IE 4.0
Client-Side JavaScript
- Core JavaScript Language
- HTML Events
- Document Object Model (DOM)
  - Ability to Refer to the Elements of an HTML Document
- Significant Differences Between Microsoft and Netscape Implementations
  - Especially in DOM Implementation
- So, as With CSS, HTML, etc.: Know Your Target Audience / Platform
  - What Level of Support Will You Provide For Those Not Using Your Target Platform?
Dynamic HTML - Scripting
- All Properties Can Be Set by Scripts
- New Dynamic Properties: Useful for Scripting
  - DISABLED / ENABLED Attribute (Form Fields)
  - Display Property
  - Visibility Property
- Pop-Up Boxes
- Creation of New Windows
  - New Instance of Browser
Invoking a Script
- Script Code Within HTML
- Buttons
  - Button Selection Invokes a Script
- Events
  - Focus Events: onfocus, onblur
  - Mouse Events: onmouseover, onmouseout, onmousedown, onmouseup, onclick, ondblclick, onselect
  - Keyboard Events: onkeydown, onkeyup, onkeypress
  - Scroll Event: onscroll
  - Help Event: onhelp (F1 key, not Browser Help Button)
  - Timer Events
Document Object Model
- Defines Hierarchy of Objects
  - Each Has its Own Event Handlers
  - Event Bubbling
    - Which Event Handler Gets Events?
- Name Space Definitions
  - Each Object in HTML Form Can Be Addressed
  - E.g. Clicking a Button Can Be Used to Change the Text Value in a Specific Field of Another Window
- A Caveat
  - JavaScript is Still a Scripting Language
  - Not Great For Large, Complex Programs, e.g. Limited Debugging
  - As With Perl, Powerful Features Can Also Make Bugs Difficult to Detect / Prevent
Stepping Back: Basic JavaScript

    <SCRIPT Language="JavaScript">
    <!--
    document.write("Hello World");
    -->
    </SCRIPT>

- Older Browsers Ignore the Script Tag if They Don’t Support Script
  - However, They Will Try to Display Text Within the Tags
  - Therefore, Enclose All Script Within the Tags as HTML Comments
  - Script Processor Will Ignore HTML Comment Tags
  - Use // For JavaScript Comments
- Newer Browsers Will Ignore All Within the Tags if They Don’t Recognize the Language. JavaScript is the Default.
- <NOSCRIPT> </NOSCRIPT> Tags Can Then Be Used to Specify an Alternative. All in Between is Ignored By the Browser.
- Note That a Specific Version of the Language Can Be Specified (e.g. JavaScript1.2)
JavaScript Basics
- Similar to C/Java
- Case Sensitive
  - Case Conventions Not Always Obvious
  - In Most Cases You Don’t Get an Error Message, Just an Unexpected Result
- == vs. = in an if Statement (Like C)
  - E.g. if (a == 2) { vs. if (a = 2) {
- Lines End in ;
- In-Line JavaScript: Executed Where Encountered

    document.write("<H1>Hello World</H1> \n");
    document.writeln("Hello World");

  - NOTE: Output is Interpreted as HTML
- Dynamic Page Example
Objects and Properties
- Objects
  - Objects are Collections of Named Data, Often Called Properties or Fields
- Properties
  - Untyped
  - Can be Data, Arrays, Functions, Other Objects
  - If a Property is a Function it is Called a Method
  - Referenced by object.property, e.g. document.myform.button
  - Properties Can be Dynamically Assigned to Objects:

        var point = new Object();
        point.x = 7;
        point.y = 3;

- Associative Arrays
  - Properties Can Be Accessed via Associative Arrays
  - E.g. point["x"], document.myform["button"]
Creating Objects
- Variables Can Be Used Without Declaration, e.g. myname = "evan";
- However it is Preferable to Declare Them First: var i, j, k;
  - Can Be Initialized on Declaration: var i = 0, j = 0, k = 0;
- Objects and Arrays Must First Be Created: var book = new Object();
  - Then Can Assign Properties Without Declaration:

        book.chapter1 = "How To";
        book.chapter1.length = "20 pages";

- All Objects / Variables Have Default Methods/Properties, e.g.:

        st = "abcdefg";
        stlen = st.length;
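The two slides above make a point worth seeing together: properties can be reached through the associative-array syntax, and every object already carries default properties it was never assigned. The following is an added example, not code from the slides, showing what a lookup by name returns for an assigned property versus a default one, and a dictionary built so that it has no defaults at all. The point object is the one from the slide; the field table and its contents are constructed.

```javascript
// Added example (not from the slides): property access through the associative-array
// syntax, and why "all objects have default methods/properties" matters when the
// property name comes from outside the program. The field table is constructed.

var point = new Object();
point.x = 7;
point.y = 3;

// Naive lookup: returns whatever the object can reach, including inherited defaults.
function lookupNaive(obj, name) {
  return obj[name];
}

// Own-property lookup: only names that were actually assigned on this object.
function lookupOwn(obj, name) {
  return Object.prototype.hasOwnProperty.call(obj, name) ? obj[name] : undefined;
}

// A property table used as a dictionary (e.g. form field name -> value). In a real page
// the keys come from the user, so every name is treated as untrusted.
function buildFieldTable(pairs) {
  var table = Object.create(null);   // no prototype: no inherited "default" properties at all
  for (var i = 0; i < pairs.length; i++) {
    table[pairs[i][0]] = pairs[i][1];
  }
  return table;
}

function demo() {
  var table = buildFieldTable([['name', 'evan'], ['__proto__', 'just a key']]);   // constructed
  return {
    x: lookupNaive(point, 'x'),                            // 7: assigned on the slide
    naiveToString: typeof lookupNaive(point, 'toString'),  // 'function': never assigned, still there
    ownToString: typeof lookupOwn(point, 'toString'),      // 'undefined'
    tableName: table['name'],                              // 'evan'
    tableToString: typeof table['toString'],               // 'undefined': no defaults
    tableProto: table['__proto__'],                        // 'just a key': an ordinary key here
  };
}
```

A lookup like document.myform["button"] is the same mechanism, so a name taken from user input will also find the default properties of the form object; checking for own properties, or using a prototype-less table, keeps "not assigned" and "default" from being confused.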
Scoping
- Objects Declared Outside of a Function are Global
- Objects Declared With a var Statement in a Function are Local
- Objects Not Declared are Treated as Globals
  - This is the Reason All Variables Should be Declared
- Local – Only Defined Within the Local Function
- Global – Defined Within All
- NOTE: A Local Variable Can Have the Same Name as a Global
  - The Local Variable Takes Precedence
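The scoping rules on this slide, as an added example that is not code from the slides: a declared local that shadows a global, a function that assigns to the global because it has no var, and an undeclared name that silently becomes a global. The last case is run through the Function constructor so that it executes in the original non-strict mode no matter how this file is loaded (in strict mode the same assignment throws instead); the variable names are constructed.

```javascript
// Added example (not from the slides): the three scoping cases on the slide. The
// undeclared-variable case uses the Function constructor so it runs non-strict
// regardless of how this file is loaded; in strict mode that assignment throws.
// Variable names are constructed.

var total = 100;   // declared outside any function: global

// Local shadows global: the var inside wins and the outer total is untouched.
function shadowed() {
  var total = 1;
  return total;
}

// No var at all: this "total" is the global one and the assignment overwrites it.
function clobbersGlobal() {
  total = 2;
  return total;
}

// Undeclared name in non-strict code: silently created as a property of the global
// object, where any other script on the page can read or change it.
var leaky = new Function('leakedCount = 42; return leakedCount;');

function demo() {
  var before = total;
  var fromShadow = shadowed();
  var afterShadow = total;
  var fromClobber = clobbersGlobal();
  var afterClobber = total;
  var leaked = leaky();
  var visibleGlobally = globalThis.leakedCount;
  delete globalThis.leakedCount;   // clean up the leaked global
  return { before, fromShadow, afterShadow, fromClobber, afterClobber, leaked, visibleGlobally };
}
```

The slide's advice to declare everything is what turns the third case into the first: with var inside the function, leakedCount would be local and would not be visible to other scripts on the page.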
Arrays
- Some Useful Array Functions
  - array.concat(array1, array2, …) – Concatenates Arrays
  - array.join(separator) – Returns a String of All Elements of the Array Separated by Separator
  - array.length – Returns the Number of Elements in the Array
  - array.pop() – Removes and Returns the Last Element of an Array
  - array.push() – Appends an Element to an Array
  - array.reverse() – Reverses the Elements of An Array
  - array.shift() – Removes and Returns the First Element of An Array
  - array.unshift() – Inserts an Element at the Beginning of an Array
  - array.slice(start, end) – Returns a Portion of the Array
  - array.sort() – Sorts an Array
  - array.splice() – Inserts or Deletes Elements of an Array
Miscellaneous
- Concatenate Strings Using +
- Variables are Untyped
  - Automatically Converted
  - May Cause Unexpected Results
    - e.g. v1 = 1 + 2 + " classes"; v1 contains "3 classes"
    - But: v1 = "I took " + 1 + 2 + " classes"; v1 contains "I took 12 classes"
- Arrays Identified With Brackets, e.g. point[0]
  - Not { as with Perl
- null
  - Special Value
  - Different Than 0
- this
  - Identifies Current Object
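Automatic conversion, the == vs. = slip from the "JavaScript Basics" slide, and null being distinct from 0 all come from the same untyped-variable rule. The following is an added example, not from the slides, that computes the slide's two concatenations and then carries the same conversion rule one step further: a loose == check passes a string "1" arriving from a form field where a strict === check does not. The admin-level check and the form value are constructed for illustration.

```javascript
// Added example (not from the slides): untyped variables and automatic conversion,
// carried a step past the slide's two lines. The admin-level check and form value
// are constructed.

// The slide's two concatenations: + is addition until a string is involved.
function classesNumeric() { return 1 + 2 + ' classes'; }              // "3 classes"
function classesString()  { return 'I took ' + 1 + 2 + ' classes'; }  // "I took 12 classes"

// Loose (==) comparison converts types; strict (===) does not. A check like "is this the
// admin level?" written with == also accepts the string "1" that a form field delivers.
function isAdminLoose(level)  { return level == 1; }
function isAdminStrict(level) { return level === 1; }

// null is a distinct value: not equal to 0, though still false in an if.
function describeNull() {
  return { equalsZero: null == 0, equalsUndefined: null == undefined, truthy: !!null };
}

// The = vs == slip: a single = assigns, and the if tests the value that was assigned.
function assignInCondition(a) {
  if (a = 2) {   // always true, and a is now 2 whatever was passed in
    return a;
  }
  return 'unreachable';
}

function demo() {
  return {
    numeric: classesNumeric(),
    string: classesString(),
    looseFromForm: isAdminLoose('1'),     // true: "1" is converted to 1
    strictFromForm: isAdminStrict('1'),   // false: a string is not the number 1
    nullInfo: describeNull(),
    assigned: assignInCondition(0),       // 2
  };
}
```

Form fields, cookies and query strings always deliver strings, so a comparison that is meant to distinguish a number from a string (or a user-supplied value from an internal one) should use === and convert explicitly.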
Functions
- Use the return Statement to Return a Value from a Function
  - E.g. return (3);
- arguments is a Special Object Available in a Function
  - arguments[] Holds the Argument Values Passed In
  - arguments.length – The Number of Arguments Passed
More JavaScript
- Comments are // or /* */
- Strings concatenated with +
- Functions Should be Declared Before Being Used
  - Typically Defined in the <HEAD> Section
- alert – Creates a Pop-Up Message Box
- prompt – Prompts User for Input
- Buttons – <INPUT TYPE="Button" VALUE="Click Here" onclick="functionname()">
- window.open – Opens a New Instance of Browser
- Example
More Examples
- Events Example
  - onLoad, onUnload
- Environment Information Example
  - HTTP Header Information
  - Cookies
In-Class Exercise
- Create a JavaScript version of your test page:

    <SCRIPT LANGUAGE="JavaScript">
    myname = "Evan";
    document.writeln("<H1>Welcome to " + myname + "'s Homepage</H1>");
    </SCRIPT>

- Add a BUTTON to your Homepage to show this page in a new Browser Window
- Advanced: Choose the Name at Random. Set this in a function.
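One way to do the "advanced" part of the exercise, together with the consequence of the earlier note that document.write output is interpreted as HTML: if the name ever comes from somewhere other than your own list (a prompt, a cookie, the query string), its markup characters have to be escaped or they become part of the page. This is an added example, not the course's solution; the heading is returned as a string so it can be checked outside a browser, and the name list is constructed.

```javascript
// Added example (not from the slides): pick the name in a function, and escape it
// before it goes into markup, since document.write output is parsed as HTML.
// The heading is built as a string here; in the page it is passed to document.writeln.

var NAMES = ['Evan', 'Ada', 'Grace'];   // constructed list to choose from

// Pick one name at random.
function randomName(names) {
  return names[Math.floor(Math.random() * names.length)];
}

// Replace the characters that have meaning in HTML so a value from outside the script
// (prompt(), a cookie, the query string) shows up as text instead of as tags.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function welcomeHeading(name) {
  return '<H1>Welcome to ' + escapeHtml(name) + "'s Homepage</H1>";
}

// In the page: document.writeln(welcomeHeading(randomName(NAMES)));
function demo() {
  return {
    fromList: welcomeHeading(randomName(NAMES)),
    untrusted: welcomeHeading('<B>Evan</B>'),   // constructed value containing markup
  };
}
```

The escaped version renders the literal characters "<B>Evan</B>" inside the heading rather than a bold name, which is the behaviour you want for anything you did not write yourself.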
FOR NEXT CLASS
HTML Extensions for Forms
- “Tool Tips”
  - TITLE Attribute on Form Tags
- Label Associated With Form Entry
  - User Can Click On Label to Select Entry Field

        <LABEL FOR="TextID">Enter Name: </LABEL><INPUT TYPE="Text" ID="TextID" NAME="Tname">

- Shortcuts
  - Alt-Character selects Entry Field
  - ACCESSKEY="X"
- Tab Order
  - TABINDEX=3
  - Negative Number Excludes Field From Tab Order
- FieldSet
  - Groups Controls Together (Outline Box)
  - <LEGEND> Adds Text To Outline Box
- Example