Web Security Threats
The Web presents the following security threats, which make Web security a necessity:
- The Internet is two-way. Unlike traditional publishing environments, even electronic ones such as voice-response or fax-back systems, the Web is vulnerable to attacks on its servers over the Internet.
- The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.
- Although Web browsers and Web servers are very easy to use and manage, and Web content is easy to develop, the underlying software is extraordinarily complex. Complex software can hide many potential security flaws, so it is vulnerable to a variety of attacks.
- A Web server can be exploited to gain access to data and systems not part of the Web itself but connected to the server at the local site.
- Casual and untrained users are common clients of Web-based services. Such users are not always aware of the security risks and do not have the tools or knowledge to take effective countermeasures.
Web Traffic Security Approaches
- Figure illustrates that one way to provide Web security is to use IP security (IPsec).
- The advantage of using IPsec is that it is transparent to end users and applications and provides a general purpose solution.
- Furthermore, IPsec includes a filtering capability so that only selected traffic need incur the overhead of IPsec processing.
- Another relatively general-purpose solution is to implement security just above TCP.
- The foremost example of this approach is the Secure Sockets Layer (SSL) and its follow-on Internet standard, Transport Layer Security (TLS). SSL itself is now deprecated; current deployments use TLS 1.2 or 1.3.
- At this level, there are two implementation choices.
- For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications.
- Alternatively, SSL can be embedded in specific packages.
- For example, the Netscape and Microsoft Internet Explorer browsers came equipped with SSL, and most Web servers have implemented the protocol.
- Application-specific security services are embedded within the particular application.
- The figure shows examples of this architecture.
- The advantage of this approach is that the service can be tailored to the specific needs of a given application.
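The IPsec filtering capability mentioned above (only selected traffic incurs IPsec overhead) can be made concrete with a small policy matcher. The following is an added example, not code from the original notes or from any IPsec implementation: it models a Security Policy Database (SPD) whose ordered selectors decide, per outbound packet, whether IPsec protection is applied (PROTECT), the packet is sent unprotected (BYPASS) or it is dropped (DISCARD). The Packet and Policy classes, the sample policies and the sample addresses are constructed for illustration.

```python
"""Toy IPsec Security Policy Database (SPD) lookup.

Added example, not from the original notes. It models the IPsec filtering
capability the text mentions: each outbound packet is matched against an
ordered list of selectors and gets PROTECT (apply IPsec), BYPASS (send in
the clear, no IPsec overhead) or DISCARD. The Packet and Policy shapes are
assumptions for illustration; the selector fields follow RFC 4301, but
this is not an IPsec implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: int    # IP protocol number
    dport: int    # destination port (0 when the protocol has none)


@dataclass(frozen=True)
class Policy:
    """One SPD entry. A None selector means 'any'."""
    local_net: str
    remote_net: str
    proto: Optional[int]
    dport: Optional[int]
    action: str   # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.local_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.remote_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def lookup(spd: List[Policy], pkt: Packet) -> str:
    """First-match SPD lookup. RFC 4301 requires traffic that matches no
    entry to be discarded, so the default is DISCARD rather than BYPASS."""
    for pol in spd:
        if pol.matches(pkt):
            return pol.action
    return "DISCARD"


def classify(spd: List[Policy], pkts: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the SPD to a batch of packets; returns (packet, action) pairs."""
    return [(p, lookup(spd, p)) for p in pkts]


# Constructed sample SPD for a host on the corporate LAN 10.1.0.0/16:
#  1. everything to the branch office 10.2.0.0/16 is tunnelled (PROTECT)
#  2. DNS queries to the local resolver are sent in the clear (BYPASS)
#  3. HTTPS to anywhere is already protected by TLS above TCP, so it is
#     allowed through without IPsec overhead (BYPASS)
#  4. anything else falls through to the DISCARD default
SAMPLE_SPD = [
    Policy("10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT"),
    Policy("10.1.0.0/16", "10.1.0.53/32", UDP, 53, "BYPASS"),
    Policy("10.1.0.0/16", "0.0.0.0/0", TCP, 443, "BYPASS"),
]

# Constructed sample packets (documentation addresses, not real hosts)
SAMPLE_PACKETS = [
    Packet("10.1.4.7", "10.2.9.1", TCP, 80),        # intranet web via VPN
    Packet("10.1.4.7", "10.1.0.53", UDP, 53),       # DNS lookup
    Packet("10.1.4.7", "198.51.100.10", TCP, 443),  # public HTTPS site
    Packet("10.1.4.7", "198.51.100.10", TCP, 23),   # telnet to the Internet
]

if __name__ == "__main__":
    for pkt, action in classify(SAMPLE_SPD, SAMPLE_PACKETS):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {action}")
```

Two points worth noting when reading the output. First, entry order matters: HTTPS to the branch office matches the PROTECT rule before the HTTPS BYPASS rule is reached, so traffic to the branch is always tunnelled. Second, the HTTPS BYPASS rule shows how the IPsec and above-TCP approaches from the text coexist in practice: traffic that is already protected by TLS can be excused from IPsec processing, while the telnet packet, which carries no protection at any layer, is dropped by the default.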