Web Security, Part One

October 31, 2008

Given the state of the development of Web applications, I thought it’d be a good idea to cover some aspects of Web security…

Although the data on a server might be secured against unauthorized access, the communication path between the server and client systems might not be. Secure Sockets Layer (SSL) is a protocol that encrypts the communication between two systems. Many Websites have both secured and unsecured areas. The secured areas might provide access to a bank account or a database of personal information, and they usually require authentication to proceed further. When a user moves from the unsecured public part of a Website to a secured area, SSL encryption is invoked. SSL must be supported by both the Web server and the client browser to function.
SSL communications begin with a process known as a handshake. The client opens it by sending the server a message listing the protocol versions and cipher suites it supports, together with a random value; no key is sent at this point. The server picks the version and cipher suite to use and sends back its certificate, which the client checks against its list of trusted certificate authorities and against the host name it intended to reach. This is the step that tells the client it is talking to the correct Web server, and it matters because, through redirection or other methods, it's possible to land on a site other than the one you thought you were visiting. If you enter your username and password there, you might be handing them to a bogus Website set up to collect credentials and misuse your accounts. Only after the certificate is verified do the two sides agree on session keys (in the common RSA key exchange, the client encrypts a pre-master secret under the server's public key) and switch to encrypted traffic. Note that the standard handshake authenticates the server, not the user: it confirms the site is what you think it is, while confirming that you are who you say you are is left to a client certificate, if one is configured, or more commonly to the username and password sent afterwards over the encrypted channel.
When the handshake is complete, the client and server exchange encrypted traffic for the rest of the session. The session ends when either side closes the connection or the client moves on to another site; a later connection needs a new handshake, or a resumption of the earlier session if both sides kept it cached.
Transport Layer Security (TLS) is the successor to SSL. TLS builds on SSL 3.0 with stronger key derivation, message authentication and cipher suites. TLS and SSL are not the same protocol, and a TLS-only implementation can't talk to an SSL-only one; in practice, however, client and server negotiate the highest version both support during the handshake, so a TLS client can still fall back to SSL 3.0 with an old server. That fallback cuts both ways: a client willing to fall back can be pushed down to the weaker protocol by an attacker who interferes with the negotiation, which is why the lowest version a client accepts is itself a security setting.
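The opening of the handshake described above, as an added example that is not part of this post: it builds a ClientHello as a client would send it, parses it as a server would, negotiates the protocol version and cipher suite, and answers with a ServerHello that the client parses in turn. Only these two messages are modelled; the certificate exchange and key agreement that follow them are left out. The version numbers and cipher suite codes are real wire values; the server's preference policy, the sample offers and the minimum-version check are assumptions made for illustration.

```python
"""Worked example: the first two messages of an SSL/TLS handshake.

Builds a ClientHello, parses it as a server would, negotiates protocol
version and cipher suite, and answers with a ServerHello.  Only the
SSL 3.0 / TLS 1.0-1.2 hello format is modelled; no keys or certificates
are exchanged in these two messages.
"""
import os
import struct

# Protocol versions as (major, minor) bytes on the wire.
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = (3, 0), (3, 1), (3, 2), (3, 3)

# Cipher suite codes from the IANA registry, used here as sample offers.
AES128_SHA = 0x002F      # TLS_RSA_WITH_AES_128_CBC_SHA
TRIPLE_DES_SHA = 0x000A  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
RC4_SHA = 0x0005         # TLS_RSA_WITH_RC4_128_SHA

RECORD_HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _record(handshake_type, body, record_version):
    """Wrap a handshake body in a handshake header and a record-layer header."""
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + bytes(record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def _unwrap(record, expected_type):
    """Strip the record and handshake headers, checking lengths and types."""
    if len(record) < 9 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or handshake[0] != expected_type:
        raise ValueError("truncated record or unexpected handshake type")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    return body


def build_client_hello(max_version, suites, client_random=None):
    """The client opens the handshake with the highest version it supports,
    a 32-byte nonce and the cipher suites it offers.  No key is sent yet."""
    client_random = client_random or os.urandom(32)
    body = bytes(max_version) + client_random
    body += b"\x00"                                   # empty session id: new session
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    return _record(CLIENT_HELLO, body, SSL_3_0)       # low record version for old servers


def parse_client_hello(record):
    body = _unwrap(record, CLIENT_HELLO)
    pos = 35 + body[34]                               # skip random and session id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"version": (body[0], body[1]), "random": body[2:34], "suites": suites}


def build_server_hello(version, suite, server_random=None):
    """The server answers with the single version and suite it selected."""
    server_random = server_random or os.urandom(32)
    body = bytes(version) + server_random + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body, version)


def parse_server_hello(record):
    body = _unwrap(record, SERVER_HELLO)
    pos = 35 + body[34]
    return {"version": (body[0], body[1]), "suite": struct.unpack("!H", body[pos:pos + 2])[0]}


def server_choose(hello, min_version, max_version, preferred_suites):
    """Version negotiation: the ClientHello version is the client's *highest*;
    the server picks the highest version both support, or refuses.  The cipher
    suite is taken in server preference order (an assumed policy)."""
    if hello["version"] < min_version:
        raise ValueError("client offers %r, server requires at least %r" % (hello["version"], min_version))
    version = min(hello["version"], max_version)
    for suite in preferred_suites:
        if suite in hello["suites"]:
            return version, suite
    raise ValueError("no cipher suite in common")


def negotiate(client_max, client_suites, server_min, server_max, server_suites):
    """Run both sides of the hello exchange and return what the client ends up with."""
    client_hello = build_client_hello(client_max, client_suites)
    version, suite = server_choose(parse_client_hello(client_hello), server_min, server_max, server_suites)
    chosen = parse_server_hello(build_server_hello(version, suite))
    return chosen["version"], chosen["suite"]


if __name__ == "__main__":
    # TLS 1.2 client meets a TLS 1.0 server: they settle on TLS 1.0 with AES.
    print(negotiate(TLS_1_2, [AES128_SHA, TRIPLE_DES_SHA], TLS_1_0, TLS_1_0, [AES128_SHA, RC4_SHA]))
    # Same client meets an SSL 3.0-only server: still interoperates, at SSL 3.0.
    print(negotiate(TLS_1_2, [AES128_SHA, RC4_SHA], SSL_3_0, SSL_3_0, [RC4_SHA]))
    # An SSL 3.0-only client against a server that insists on TLS is refused.
    try:
        negotiate(SSL_3_0, [RC4_SHA], TLS_1_0, TLS_1_2, [AES128_SHA])
    except ValueError as exc:
        print("refused:", exc)
```

The third case is the one the post's compatibility remark is really about: interoperability is decided by the lowest version each side is willing to accept, and a server that sets that floor at TLS 1.0 simply refuses an SSL-only client rather than speaking SSL. The length checks in `_unwrap` are deliberate; a hello parser that trusts the length fields it reads is the classic place for an out-of-bounds read.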

Hypertext Transfer Protocol (HTTP) is the protocol used by the World Wide Web. HTTP runs on top of TCP/IP, the Internet's networking protocols, and defines how Web browsers connect to Web servers and retrieve content from them. When a user clicks a hyperlink, the browser resolves the associated Uniform Resource Locator (URL) and sends an HTTP request to the Web server hosting it. The server returns the requested content to the browser in an HTTP response. HTTP is a stateless protocol: each request is handled on its own, and the server retains nothing about the client from one request to the next unless the application adds it, typically through a cookie that the browser sends back with later requests. Whether the underlying TCP connection is closed after each exchange or kept open for several is a separate matter; HTTP/1.0 usually closed it, while HTTP/1.1 keeps it open by default.
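A minimal HTTP/1.1 request parser and a stateless request handler, added here as an example and not code from the original post. It shows that the server recognises a returning client only through a token the client carries back in a cookie: drop the cookie and the server treats the same browser as a stranger. The sample requests, the session table, the `sid` cookie name and the `/account` path are constructed for illustration.

```python
"""Worked example: parsing HTTP/1.1 requests and handling them statelessly.

Each request is processed on its own.  The server keeps nothing about the
client between requests unless the client sends a token back in a cookie.
"""
import secrets

# Server-side session table keyed by an unguessable token.  This is the only
# place state lives; the protocol itself carries none.
SESSIONS = {}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported version %r" % version)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(body) < length:
        raise ValueError("body shorter than Content-Length")
    return {"method": method, "target": target, "headers": headers, "body": body[:length]}


def parse_cookies(header_value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def handle(raw):
    """Stateless handler: the only link to earlier requests is the cookie the
    client presents.  Returns the raw response and the session token in use."""
    req = parse_request(raw)
    token = parse_cookies(req["headers"].get("cookie", "")).get("sid")
    set_cookie = None
    if token not in SESSIONS:
        token = secrets.token_urlsafe(32)          # fresh, unguessable session id
        SESSIONS[token] = {"hits": 0}
        set_cookie = "sid=%s; Secure; HttpOnly" % token
    SESSIONS[token]["hits"] += 1
    body = ("hits=%d\n" % SESSIONS[token]["hits"]).encode()
    head = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n" % len(body)
    if set_cookie:
        head += "Set-Cookie: %s\r\n" % set_cookie
    return (head + "\r\n").encode() + body, token


if __name__ == "__main__":
    # Constructed sample requests: the first carries no cookie, the second replays the token.
    first = b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    response, sid = handle(first)
    print(response.decode())
    second = b"GET /account HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=" + sid.encode() + b"\r\n\r\n"
    print(handle(second)[0].decode())
    # Without the cookie the server cannot tell this is the same client: hits restarts at 1.
    print(handle(first)[0].decode())
```

Two details carry the security weight here: the session id comes from `secrets`, because a token that links requests to an account must not be guessable, and the cookie is marked `Secure` so the browser only sends it over HTTPS, which is what keeps it from being read off the unsecured part of the site.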
Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over an SSL/TLS channel between the Web browser and the Web server, so the traffic is encrypted and the server is authenticated. When connecting to a Website that uses a secured channel, the URL begins with https:// rather than http://, and the server listens on port 443 instead of 80. This is typically used in banking and online shopping transactions, where credit card numbers and personal information must be encrypted so that an unauthorized party can't intercept them. Support for HTTPS is usually built into the Web server software itself; enabling it is a matter of installing a certificate and private key and configuring which directories or virtual hosts are served over the secure port. When a client connects to the secure site, SSL is negotiated between the server and the client, provided the client supports it. Most Web browsers indicate a secure site with a small padlock icon in the address bar or status bar. The padlock means the certificate was verified and the channel is encrypted; it says nothing about whether the site behind it is honest.
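An added example (not from the original post) of the client side of HTTPS using Python's standard `ssl` and `http.client` modules. The default context verifies the server certificate and checks it against the host name, which is the check that turns the "bogus Website" problem into a failed handshake; the deliberately weakened context beside it shows the setting that leaves the channel encrypted but unauthenticated. The `www.example.com` host in the usage comment is a placeholder, and the TLS 1.2 floor is a policy choice assumed here.

```python
"""Worked example: an HTTPS client that actually checks who it is talking to.

Encrypting the channel is only half of HTTPS.  The client must also verify
the server certificate and that it matches the host name, or it may be
encrypting its traffic straight to an impostor.
"""
import http.client
import ssl


def make_client_context(verify=True):
    """Return an SSLContext.  verify=False reproduces the common insecure
    shortcut (no certificate or host-name check) so the two can be compared."""
    ctx = ssl.create_default_context()             # system CA bundle, CERT_REQUIRED, host-name check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0 and early TLS (assumed policy)
    if not verify:
        ctx.check_hostname = False                 # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE            # encrypts, but to anyone
    return ctx


def context_is_safe(ctx):
    """The conditions a browser's padlock stands for, applied to a client context."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def https_get(host, path="/", ctx=None, timeout=10):
    """Fetch a page over HTTPS.  With a verifying context, an impostor server
    (untrusted or mismatched certificate) fails the handshake with
    ssl.SSLCertVerificationError before the request is ever sent."""
    ctx = ctx or make_client_context()
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    print("verifying context passes padlock checks:", context_is_safe(make_client_context()))
    print("no-verify context passes padlock checks:", context_is_safe(make_client_context(verify=False)))
    # Network call against a placeholder host; uncomment to try it:
    # status, body = https_get("www.example.com", "/")
```

The `verify=False` branch is the one to grep for in code reviews: a client built that way completes the handshake with any server that presents a certificate, so the traffic is encrypted but the guarantee the post attaches to the handshake, that the site is the one you think it is, is gone.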