Garfinkel and Spafford, Web Security and Commerce, O'Reilly 1997
Roger Clarke - many papers
Note: these notes are thinner than others in this lecture series, but the content was supplemented by more words than are included here, and by some figures from Garfinkel and Spafford for which I have no source.
"Web security is a set of procedures, practices and technologies
for protecting Web servers, Web users, and their surrounding
organisations...
against unexpected behaviour"
Garfinkel and Spafford
The Internet is a two-way network
and
The first three are sometimes lumped together under "secure Web servers", depending on the viewpoint taken.
ensure continued operation of server,
no unauthorised/unexpected modification of data in store
no distribution of data to unauthorised clients
Traditional techniques
Web server specifics
Garfinkel and Spafford fig 12-1 Man in the middle attack.
Garfinkel and Spafford fig 12-2 Replay attacks.
protect passwords, usernames, personal details, financial details
from being read, changed, destroyed by third parties
Physical security
Obfuscation - hiding (in content or in traffic)
Encryption (see next 4 lectures)
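The two attacks named in the figures above (a man in the middle altering a request, and a replay of a captured request) and the goal of keeping passwords and financial details from being changed by third parties can be illustrated with a small integrity and freshness check on the server side. The code below is an added example written for these notes; it is not taken from Garfinkel and Spafford or from any real server. It assumes a shared secret key agreed out of band (hypothetical, named SECRET) and a 30-second freshness window; the message format (timestamp, nonce, body, MAC) is constructed for the example. It does not hide the content, which is what the encryption lectures that follow address.

```python
import hmac
import hashlib
import os
import time

# Assumption for the example: client and server share this key out of band.
SECRET = b"constructed-demo-key-not-for-real-use"
WINDOW_SECONDS = 30  # how far a request's timestamp may drift from server time


def _mac(key, ts, nonce_hex, body):
    # The tag covers timestamp, nonce and body together, so a man in the
    # middle cannot change any one of them without invalidating the tag.
    msg = ts.encode() + b"|" + nonce_hex.encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_request(body, key=SECRET, now=None, nonce=None):
    """Client side: attach a timestamp, a fresh random nonce and a MAC."""
    ts = str(int(time.time() if now is None else now))
    nonce_hex = (os.urandom(16) if nonce is None else nonce).hex()
    return {"ts": ts, "nonce": nonce_hex, "body": body,
            "mac": _mac(key, ts, nonce_hex, body)}


class ReplayGuard:
    """Server side: reject tampered, stale and replayed requests."""

    def __init__(self, key=SECRET, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp, for nonces still inside the window

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        # 1. Integrity: constant-time comparison of the expected tag.
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        # 2. Freshness: a captured request cannot be reused after the window.
        if abs(now - int(msg["ts"])) > self.window:
            return False, "stale"
        # 3. Uniqueness: inside the window, each nonce may be used once.
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = int(msg["ts"])
        # Forget nonces older than the window; they are rejected as stale anyway.
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    order = sign_request(b"buy cd 1 with card ****1234")
    print(guard.accept(order))   # genuine request
    print(guard.accept(order))   # same request captured and sent again
```

The three checks are ordered so that the cheapest rejection of a forged message (the MAC) happens before any state is consulted, and the nonce table only ever holds entries from the current window, so its size is bounded by request rate rather than by uptime.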
maintain trust of user in service,
no unexpected alteration of user programs or data,
nor of the system or its continued operation
Download of active content
User responsibilities
helper applications/plugins
user response to requests
Garfinkel and Spafford fig 1-1 Buying a CD with your credit card over the Internet
Garfinkel and Spafford fig 1-3 The real threats of doing business on the Internet
Last modified: Tue Mar 30 11:22:48 EST 1999