Web Security A how to guide on Keeping your Website Safe. By: Robert Black

Dec 19, 2015
Page 1

Web Security

A how to guide on Keeping your Website Safe.

By: Robert Black

Page 2

What We Will Cover:

• Cookies

• Active-X controls

• Java Applets

• Ways to secure your Computer

Page 3

Web sites use cookies for several different reasons:

1. To collect demographic information about who is visiting the Web site. Sites often use this information to track how often visitors come to the site and how long they remain on the site.

2. To personalize the user's experience on the Web site. Cookies can help store personal information about you so that when you return to the site you have a more personalized experience.

3. To monitor advertisements. Web sites often use cookies to keep track of which ads they show you and how often you see them.

Page 4

Cookies have six parameters that can be passed to them:

• The name of the cookie.

• The value of the cookie.

• The expiration date of the cookie - this determines how long the cookie will remain active in your browser.

• The path the cookie is valid for - this sets the URL path the cookie is valid in. Web pages outside of that path cannot use the cookie.

• The domain the cookie is valid for - this takes the path parameter one step further. It makes the cookie accessible to pages on any of the servers when a site uses multiple servers in a domain.

• The need for a secure connection - this indicates that the cookie can only be used under a secure server condition, such as a site using SSL.
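The six parameters above correspond to the fields of an HTTP Set-Cookie header. As an added illustration (not code from the original slides), the following JavaScript parses such a header and applies the expiration, path, domain and secure rules to decide whether a browser would send the cookie with a given request; the header and hostnames are constructed sample values.

```javascript
// Added example, not from the slides: parse a Set-Cookie header into the six
// parameters listed above and decide whether a browser would send the cookie.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1),
    expires: null,   // null = session cookie, discarded when the browser closes
    path: "/",
    domain: null,    // null = host-only: sent back only to the server that set it
    secure: false,
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    switch (key.toLowerCase()) {
      case "expires": cookie.expires = new Date(val); break;
      case "path": cookie.path = val || "/"; break;
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "secure": cookie.secure = true; break;
    }
  }
  return cookie;
}

// True if a cookie set by originHost would be attached to a request for url.
function cookieApplies(cookie, url, originHost, now = new Date()) {
  const u = new URL(url);
  if (cookie.expires && cookie.expires <= now) return false;       // expired
  if (cookie.secure && u.protocol !== "https:") return false;      // Secure: SSL/TLS only
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.domain
    ? host === cookie.domain || host.endsWith("." + cookie.domain)  // any server in the domain
    : host === originHost.toLowerCase();                            // host-only cookie
  if (!domainOk) return false;
  const p = u.pathname;                                              // path-prefix rule
  return p === cookie.path ||
    (p.startsWith(cookie.path) &&
      (cookie.path.endsWith("/") || p[cookie.path.length] === "/"));
}

// Constructed sample header (not from any real site).
const SAMPLE = "session=abc123; Expires=Wed, 21 Oct 2099 07:28:00 GMT; " +
  "Path=/account; Domain=example.com; Secure";
const sampleCookie = parseSetCookie(SAMPLE);
console.log(cookieApplies(sampleCookie, "https://shop.example.com/account/orders", "www.example.com"));
console.log(cookieApplies(sampleCookie, "http://shop.example.com/account/orders", "www.example.com"));
```

The second request is refused only because the cookie carries the Secure flag and the request is plain HTTP.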

Page 5

Understanding Cookies

• Cookies do not act maliciously on computer systems. They are merely text files that can be deleted at any time - they are not plug-ins nor are they programs. Cookies cannot be used to spread viruses and they cannot access your hard drive.

• This does not mean that cookies are not relevant to a user's privacy and anonymity on the Internet. Cookies cannot read your hard drive to find out information about you.

• However, any personal information that you give to a Web site, including credit card information, will most likely be stored in a cookie unless you have turned off the cookie feature in your browser. Only in this way are cookies a threat to privacy: the cookie will only contain information that you freely provide to a Web site.

Page 6

ActiveX Controls

• ActiveX was developed by Microsoft. It is supported in Microsoft's Internet Explorer, and an ActiveX plug-in is available for Netscape Navigator.

Page 7

Understanding ActiveX

• ActiveX security relies entirely on human judgment. ActiveX programs come with digital signatures from the author of the program and anybody else who chooses to endorse the program. Think of a digital signature as being like a person's signature on paper. Your browser (in theory) can look at a digital signature and see whether it is genuine, so you can know for sure who signed a program.

• Once your browser has verified the signatures, it tells you who signed the program and asks you whether or not to run it. You have two choices: either accept the program and let it do whatever it wants on your machine, or reject it completely.

• ActiveX security relies on you to make correct decisions about which programs to accept. If you accept a malicious program, you are in big trouble.

Page 8

Understanding ActiveX

• The main danger in ActiveX is that you will make the wrong decision about whether to accept a program. One way this can happen is that some person you trust turns out not to deserve that trust. The most dangerous situation, though, is when the program is signed by someone you don't know anything about. You'd really like to see what this program does, but if you reject it you won't be able to see anything. So you rationalize: the odds that this particular program is hostile are very small, so why not go ahead and accept it? After all, you accepted three programs yesterday and nothing went wrong. It's just human nature to accept the program.

• Even if the risk of accepting one program is low, the risk adds up when you repeatedly accept programs. And when you do get the one bad program, there is no limit on how much damage it can do.

• The only way to avoid this scenario is to refuse all programs, no matter how fun or interesting they sound, except programs that come from a few people you know well. Who has the self-discipline to do that?

Page 9

How can I lower my risk?

• Think very carefully before accepting a digitally signed program. How competent and trustworthy is the signer?

• Use up-to-date browser versions, and install the security patches offered by your browser vendor.

• Never surf the Web on a computer that contains highly sensitive information like medical records.

Page 10

Java Applets

• Java was developed by JavaSoft, a division of Sun Microsystems. Java is supported by both of the major browsers, Netscape Navigator and Microsoft Internet Explorer.

Page 11

Understanding Java

• Java security relies entirely on software technology.

• Java accepts all downloaded programs and runs them within a security "sandbox". Think of the sandbox as a security fence that surrounds the program and keeps it away from your private data. As long as there are no holes in the fence, you are safe.

• Java security relies on the software implementing the sandbox to work correctly.

Page 12

Understanding Java

• The main danger in Java comes from the complexity of the software that implements the sandbox. Common sense says that complicated technology is more likely to break down than simple technology. Java is pretty complicated, and several breakdowns have happened in the past. If you're the average person, you don't have the time or the desire to examine Java and look for implementation errors. So you have to hope the implementers did everything right. They're smart and experienced and motivated, but that doesn't make them infallible.

• When Java security does break down, the potential consequences are just as bad as those of an ActiveX problem: a hostile program can come to your machine and access your data at will.

Page 13

How can I lower my risk?

• Think very carefully before accepting a digitally signed program. How competent and trustworthy is the signer?

• Use up-to-date browser versions, and install the security patches offered by your browser vendor.

• Never surf the Web on a computer that contains highly sensitive information like medical records.

Page 14

Ways to Secure your Computer:

Delete Your Cookie Folder Consistently

Delete Your Internet File Folder Consistently

Clear Your History Consistently


Credits