1
Name:Per:
CLASS: NetworkingDATE: TuesdayMay31st2011
TOPIC: Web Security
AIM:What are some Web Security issues?
H.W. # 86:
1) List some security concerns that arise while Web browsing and some measures you can take to protect your computer and yourself.
DO NOW:
Spam filtering can be performed at both the edge of the network to prohibit any span from entering or a the user’s computer. In this Do Now, you set up a spam filter in Microsoft Office Outlook.
1) Start Microsoft Office Outlook.
2) Click Actions on the Menu bar, point to Junk Email, and then click Junk Email Options. The Junk Email Options Dialog box opens.
3) Click Safe Lists Only. This allows only senders you specify to send messages to you.
4) Click the Safe Senders Tab.
5) Click Add. The Add address or domain dialog box opens. Enter one sender from whom you will accept e-mail other than yourself. Click OK to close the Add address or domain dialog box, and then click OK again to close Junk E-mail options Dialog box
6) Compose and Send an email to yourself. What happens when you try to review that message?
7) Return to the Junk E-mail options dialog box. On the Options tab, click the High option button. This disables your safe list, but still filters out most junk e-mail.
8) Click the Blocked Senders List. You use this tab to create a blacklist.
9) Click Add and enter the address of someone from whom you do not want to receive email.
10) Which approach seems better? Creating a blacklist or a safe list? Why?
11) Close all windows
PROCEDURE:
Write the AIM and DO NOW.
Get students working!
Take attendance.
Go Over HW
Collect HW
Go over the Do Now
Assignment #1:
You select many of the security settings to restrict repurposed programming, cookies, and other Web activities in your browser.
1)Go to Internet Explorer
2)Click Tools on the menu bar, and then click Internet Options.
3)Click the Advanced Tab
4)Use the vertical scroll bar to go to the last group of settings entitled Security. Check each of the settings to turn them on. Click Apply.
5)Click the General Tab
6)In the History section, click the Clear History button and then click Yes to erase the history of the sites you have visited as saved by Internet Explorer. Set the days to keep pages in history to 0.
7)Click the Security Tab.
8)Click the Internet Icon. Click the Default Level button if it is available and then click Apply. The default setting for this page is Medium
9)Click the Custom Level button to open Security Settings dialog box. Use the vertical scroll bar to scan the configuration in the Medium Security level. Which settings the Medium Security Level to you consider inadequate.
10)Click the Reset to list arrow, and then click High. Click the Reset button. If a warning box appears, click Yes.
11)Use the vertical scroll bar to scan the configuration in the High Security level. If any of these settings are not acceptable, then change the individual settings. Do not change to a lower security level. Click Ok. If a warning box appears, click Yes.
12)Click OK.
Two technologies are used to protect e-mail messages as they are being reported. These encryption schemes are Secure / Multipurpose Internet Mail Extensions and Pretty Good Privacy. Secure / Multipurpose Internet Mail Extensions (S /MIME) is a protocol that adds digital signatures and encryption to MIME messages. MIME is the official proposed standard format for extended Internet electronic mail. Because e-mail messages were originally limited to plain text, MIME was created to meet the needs of e-mail users who wanted to send binary (non-text) documents. MIME defines how to structure the body of an e-mail message. The MIME format permits e-mail to include enhanced text, graphics and audio. E-mail can include these elements in a standardized manner via MIME compliant mail systems. However MIME itself does not provide any security services. The purpose of S/MIME is to provide encryption and authentication to email message.
Some of the S/MIME features are .
- Digital Signatures – S/MIME lets you identify the sender of a message through a digital signature. Senders can sign every message automatically or only one message at a time. To sign a message, the sender must have a personal digital certificate
- S/MIME encrypts messages to help ensure that only the sender and intended recipients can read them.
Although S/MIME is considered a versatile tool for e-mail encryption and authentication, its primary weakness is that users can select the length of the encryption key (40, 64, or 128). S / MIME keys of only 40 bits can be fairly easily broken.
True or False:
1) The primary weakness of Secure / Multipurpose Internet Mail Extensions (S/MIME) is that it uses weak keys of only 1,024 bits in length.
Sample Test Question:
The TCP/IP protocol that handles outgoing mail using port 25 is
A) SMTP B) POP C) IMAP D) S/MIME E) SNMP
Another program that encrypts e-mail messages is Pretty Good Privacy (PGP). PGP functions much like S / MIME by encrypting messages using digital signatures. As an option, a user can sign an email message without encrypting it, verifying the sender but not preventing anyone from seeing the contents.
When a user encrypts an email message using PGP, PGP first compresses the message. Although data compression decreases transmission time and saves disk space, the reason for the compression is security. Most cryptanalysis attack techniques attempt to exploit patterns found in messages to crack the code. Compression reduces these patterns and enhances resistance to cryptanalysis.
PGP then creates a session key, which is a one-time only secret key. This key is a number generated from the random movements of the mouse and the keystrokes typed. The session key works with an encryption algorithm to encrypt the compressed message. After the data is encrypted, the session key is encrypted with the recipient’s key which is all transmitted to the receiver.
True or False:
1) PGP uses a one-time session key for encryption.
PGP Keys are either 128 bits 168 bits in length.
PGP uses a passphrase to encrypt the private key on the local computer. A passphrase is a longer and more secure version of a password. Typically composed of multiple words, a passphrase is more secure against dictionary attacks. A user’s key is encrypted on the disk using a hash (look up hash function at of the passphrase as the secret key. The user then uses the passphrase to decrypt and use the key. Go to Also go to
Assignment #2:
Look up PGP at
Assignment #3:
PGP is one of the primary tolls used for encrypting email.
1)Go to the Freeware PGP Web page at
2)Download PGP to your computer
3)Double-click the file you downloaded to uncompress it
4)Double-click the PGP8.exe file and follow the instructions
5)Select No, I am a new user.
6)Restart your computer.
7)Click Later
8)Click Next
9)Click Next
10)Enter a passphrase and then type it again to confirm it. The passphrase should be a sentence with multiple words and symbols. Be sure to write this passphrase down and store it in a safe place. Click Next twice
11)Click Finish.
12)Click the PGP icon. Click on the PGPKeys to open the PGPKeys window
13)Click Server
14)Click Send to and then click idap://keyserver.pgp.com. Then click OK. You have now made you key accessible to others. However they can only use this key to decrypt a message from you.
15)The final step is to retrieve a key from a classmate in order to decrypt their message. Click the PGP icon and then click PGPKeys.
16)Click Server.
17)Click Search
18)Enter the name of a classmate and then click Search. When their key is retrieved, drag it to your PGPKeys window. Leave this window open. Close the PGPKeys Search window
19)Open Microsoft Office Outlook and compose a message to a classmate but do not send it yet.
20)Select the email text. Click the PGP icon in the system tray, and then click Current Window. You have several choices. Click Encrypt and Sign. Select the Public key of the person to whom you are sending the email message. Then click OK
21)When prompted, enter your passphrase exactly as when you created your key. Then click OK.
22)The message is now encrypted and signed.
23)To read an encrypted message that you received from someone else, open the message, select the text, and then click PGP icon in the system tray. .
24)Click the Current Window and then click Decrypt and verify.
25)If prompted enter your passphrase.
Assignment #4:
In the early days of the Internet, users viewed static content such as text and pictures through a browser. As the Internet increased in popularity, the demand rose for content that can change. The dynamic content called for more sophisticated programming tools then basic HTML. One popular technology used to make dynamic content is JavaScript. Based on the programming language Java, JavaScript is a special program code embedded into an HTML document. When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto a user’s computer. The Web browser then executes that code within the browser using the Virtual Machine, which is a Java interpreter.
Although dynamic content is widely used on the Web to create dynamic pages, it can also be used by attackers. The is sometimes known as repurposed programming or using programming tools in ways more harmful than for what they were originally intended. Programming tools that can be repurposed are JavaScript, Java applets, and ActiveX controls. In addition, cookies and CGI scripts can also be maliciously used by attackers.
The security concerns of visiting a Web site that automatically downloads a program to run on the local computer are obvious. Several defense mechanisms prevent JavaScript programs from causing serious harm. First JavaScript does not support certain capabilities. For example, client-side JavaScript does not provide a mechanism to read, write, create, delete, or list files or directories on the client computer. This prevents JavaScript from deleting data or putting a virus on the user’s computer. In addition JavaScript has no networking capabilities. Besides loading URLs and sending data entered through an HTML form to a web server, a JavaScript program can’t establish a direct connection to any other computers on a network. This prevents a JavaScript program from using a local computer to launch attacks on other network computers. But other security concerns remain. JavaScript programs can capture and send user information without the user’s knowledge or authorization. For example, a JavaScript program could capture and send the user’s email address to a source or even send malicious email from the user’s own email account.
JavaScript security is handled by restrictions from within the Web Browser. Look at the security settings in your Web browser for Virtual Machine.
True or False:
1)JavaScript is a special program code that is embedded into a Hypertext Markup Language (HTML) document.
2)JavaScript security is handled by restrictions within the client operating system and not the Web Browser.
Another popular Web programming tool that can be repurposed is a Java applet. Unlike JavaScript, which is embedded in an HTML document, a Java applet is a separate program. Java applets are stored on the Web server and then downloaded onto the user’s computer along with the HTML code. Java applets can perform interactive animations, immediate calculations, or other simple tasks very quickly because the user’s request does not have to be sent back to the Web server for processing, and then returned with the answer. All of the processing is done on the local computer by the Java applet.
Java applets can also be made into hostile programs. The defense against a hostile Java applet is a sandbox. Downloaded Java applet programs are supposed to sun within a security sandbox, which is like a fence that surrounds the program and keeps it away from private data and other resources on a local computer. Unfortunately, breakdowns in the Java sandbox have occurred, allowing a hostile Java applet to access data and passwords stored on the hard drive.
You should be aware of two types of Java applets and their relation to sandboxes. An unsigned Java applet is a program that does not come from a trusted source. A signed Java applet ahs a digital signature that proves the program is from a trusted source and has not been altered. Unsigned Java applets run in the sandbox and are restricted regarding what they can do, while signed Java applets are not restricted. Unsigned Java applets that attempt to do something outside of the sandbox automatically generate a warning message to the user. However these messages may not always be clearly understood.
The primary defense against Java applets is using the appropriate settings of the Web Browser.
Fill-Ins:
1 Unlike JavaScript, which is embedded in an HTML document, a(n)is a separate program that is downloaded onto the user’s computer when he visits a Web site.
2 Java applets run in what is called a(n) , which serves as a security fence surrounding the program and keeps it away from private data and other resources on a local computer.
ActiveX controls
An ActiveX control is similar to a Java applet in that it can perform many of the same functions. Unlike Java applets, however, ActiveX controls do not run in the sandbox, but have full access to the Windows operating system. Anything a user can do on a computer, an ActiveX control can do, such as delete files or format a hard drive. To control this free-reign risk, Microsoft developed a registration system so that browsers can identify and authenticate an ActiveX control before downloading it. ActiveX controls can be signed or unsigned. A signed control provides a high degree of verification that the control was produced by the signer and has not been modified. However, signing does not guarantee the trustworthiness of the signer but only provides assurance that the control originated from the signer.
Another difference between Java applets and ActiveX controls is that Java applets can be written to run on all platforms, whereas ActiveX controls are currently limited to Windows environments.
ActiveX poses a number of security concerns:
- The user’s decision to allow the installation of an ActiveX control is based on the source of the ActiveX control. And not on the ActiveX control itself. The person who signed the control may not have properly assessed the control’s safety. The problems with any signature scheme like the one used with ActiveX controls are that safe controls can come from untrusted sources and unsafe controls can come from trusted sources.
- A control is registered only once per computer. If a computer is shared by multiple users, any user can download a control, making it available to all users on the machine. This means that a malicious ActiveX control can affect all users of that computer.
- Nearly all ActiveX control security mechanisms are set in Internet Explorer. However, ActiveX controls do not rely exclusively on Internet Explorer and can be installed and executed independently. Third-party applications that use ActiveX technology may not provide the security mechanisms available on Internet Explorer.
- Many of the security mechanisms provided by Internet Explorer are all-or-nothing settings, forcing a user to choose between functionality and security. For instance, you can’t run a single “unsafe for scripting” control without enabling all “unsafe for scripting” controls.
- When an ActiveX control is executed, it usually executes with the privileges of the current user. You can’t externally restrict the privileges of a control.
- Because ActiveX controls can be invoked remotely through a Web page, each control presents a channel into a network that an attacker could exploit.
- Because each ActiveX control decides when it can be run and what it can do, it is impossible for users to accurately determine the behavior of a control.
ActiveX controls are managed through Internet Explorer. It is recommended that ActiveX controls be set to the most restricted level.
A cookie is a computer file that contains user-specific information. The need for cookies is based on Hypertext Transfer Protocol (HTTP). The rules of HTTP make it impossible for a Web site to track whether a user has visited that site. Any information that was entered on a previous visit, such as a name and address is lost. Instead of the Web server asking the user for this information each time he visits that site, the Web server can store that personal information in a file on the local computer. This file is called a cookie. The contents of a cookie may look as follows: