Introduction to Secure Web (Part I)

Basic Concepts

What is a web server?
The primary function of a web server is to deliver web pages to clients on request. This means delivery of HTML documents and any additional content a document may include, such as images, style sheets and scripts.

What is a web browser?
A browser, short for web browser, is a software application that enables computer users to locate and access web pages. Browsers interpret HTML (Hypertext Markup Language) so that we can see images, text and videos and listen to audio on websites, along with hyperlinks that let us travel to other web pages. The browser contacts the web server and requests information; the web server receives the request and returns the information, which the browser displays on the computer.

What is a cookie?
A cookie is information that a website puts on your hard disk so that it can remember something about you at a later time. (More technically, it is information for future use that is stored by the server on the client side of a client/server communication.) Typically, a cookie records your preferences when using a particular site. Under the Web's Hypertext Transfer Protocol (HTTP), each request for a web page is independent of all other requests. For this reason, the web server has no memory of what pages it has sent to a user previously or anything about your previous visits. A cookie is a mechanism that allows the server to store its own information about a user on the user's own computer.

What is web security?
There are two definitions:
• From the ordinary user's viewpoint: the ability to browse the web in peace (no viruses, no interruptions).
• For advanced users: the ability to conduct commercial transactions safely. For example, you are buying software over the Internet and are entering your Visa number. You don't want this information to be tapped by unauthorized persons.

What are the goals of web service security?
The goal of WS-Security is to enable applications to construct secure SOAP (Simple Object Access Protocol) message exchanges.

What are the requirements of web service security?
• Multiple security tokens for authentication or authorization
• Multiple trust domains
• Multiple encryption technologies
• End-to-end message-level security, not just transport-level security

Three parts of web security
[Figure: the three parts of web security – the browser (web browser), the Internet, and the server (data server).]
2014/3/23 Chapter 1 - Web Security

Three perspectives – from the user's viewpoint
The server really belongs to the organization that claims to own it.
The information the server returns is free from viruses.
The server should not redistribute the user's information to others against the user's wishes.

From the server owner's viewpoint
• The user should not break into the server to alter its contents.
• The user should not gain access to private documents.
• The user should not crash the server to make it unavailable.

Web security – there are three parts
Client-side security – to protect the user's privacy and the integrity of his/her computer (browser).
Server-side security – to protect the server from break-ins and denial of service (a denial-of-service attack sends huge amounts of garbage traffic to make the server unavailable).
Document confidentiality – to protect private information from being disclosed to third parties.

Risks
Both the user and the webmaster will suffer if something goes wrong. For example, an operator might modify a program, causing a bug to be passed on to the user. Organizations are usually concerned about the confidentiality of information.

From the end user to the Internet Service Provider (ISP) – the following diagram shows the data movement between browser and server. The data passes through two ISPs and one regional service provider.
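To make the "multiple security tokens" and "message-level security" requirements concrete, here is an added example (not code from the lecture) of one WS-Security token, the UsernameToken with a PasswordDigest, built on the client, carried in the wsse:Security SOAP header, and verified on the server with a freshness window and a replay check on the nonce. The credential store, the five-minute MAX_AGE and the user "alice" are constructed for the demo; the namespace URIs and the digest formula Base64(SHA-1(nonce + created + password)) are those of the OASIS UsernameToken profile.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Constructed demo credential store (username -> password); not from the lecture.
USERS = {"alice": "correct horse battery staple"}
MAX_AGE = timedelta(minutes=5)   # reject tokens whose Created timestamp is older than this (assumed window)
_seen_nonces = set()             # nonces already accepted, so a captured token cannot be replayed
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def make_username_token(username: str, password: str, created: str = "") -> dict:
    # Client side: the password itself never leaves the client, only its nonce-bound digest
    nonce = os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

def to_soap_security_header(token: dict) -> str:
    # The wsse:Security header block that carries the token inside the SOAP envelope
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(token["Username"])}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{token["PasswordDigest"]}</wsse:Password>'
            f'<wsse:Nonce>{token["Nonce"]}</wsse:Nonce><wsu:Created>{token["Created"]}</wsu:Created>'
            '</wsse:UsernameToken></wsse:Security>')

def verify_username_token(token: dict, now: str = "") -> bool:
    # Server side: check freshness, recompute the digest, then reject replays
    password = USERS.get(token["Username"])
    if password is None:
        return False
    now_dt = datetime.strptime(now or datetime.now(timezone.utc).strftime(TS_FMT), TS_FMT)
    created_dt = datetime.strptime(token["Created"], TS_FMT)
    if abs(now_dt - created_dt) > MAX_AGE:
        return False                        # stale (or future-dated) token
    expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False                        # wrong password, or Created/Nonce were tampered with
    if token["Nonce"] in _seen_nonces:
        return False                        # replay of a previously accepted token
    _seen_nonces.add(token["Nonce"])
    return True
```

Because the digest binds the nonce and timestamp to the password, the check survives even when the transport gives no protection, which is what message-level security means in the requirement above.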
[Figure: browser → ISP → regional service provider → ISP → server.]

Risks to the end user – there are TWO types
Active content – might download a virus from servers. Active content tools such as Java applets and JavaScript may contain more security holes (i.e. be less secure) than passive documents such as Word files, and so can compromise the user's privacy. Why?
Privacy infringement – this means "loss of privacy". When a user accesses remote sites, his/her activity is logged. (In this connection, HK's ISPs keep a three-month log from which the origin of a packet can be traced. This applies to users of anonymous e-mail accounts as well.)

Web Services Security Model Terminology
Claim – A claim is a statement that a requestor makes (e.g. name, identity, key, group, privilege, capability, etc.).
Security Token – A security token represents a collection of claims.
Signed Security Token – A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
A security token (sometimes called an authentication token) is also the name for a small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob.
Key fob: a small hardware device with built-in authentication mechanisms. Just as the keys held on an ordinary real-world key chain or fob control access to the owner's home or car, the mechanisms in the key fob control access to network services and information.
Security tokens provide an extra level of assurance through a method known as two-factor authentication: the user has a personal identification number (PIN), which authorizes them as the owner of that particular device; the device then displays a number which uniquely identifies the user to the service, allowing them to log in. The number for each user changes frequently, usually every five minutes or so.
Proof-of-Possession – The proof-of-possession information is data used in a proof process to demonstrate the sender's knowledge of information that should be known only to the claiming sender of a security token.