
CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [81]

port 143 and TCP for connections.

S/MIME and PGP are two of the more popular methods of providing security for e-mails. These are covered in detail in Chapter 7.

Working with the Web

When two hosts communicate across the Web, data is returned from the host using Hypertext Markup Language (HTML). HTML is nothing more than a coding scheme to allow text and pictures to be presented in a specific way in a web browser. HTML can be created any number of ways, including via manual coding and in graphical design programs. HTML files are read, interpreted by your browser, and displayed on your system. If you want to see what HTML looks like, you can set your browser to view source code—you’ll see things similar to word-processor coding for virtually every characteristic of the web page you’re viewing.

Websites are collections of these pages, which are called into your browser when you click a link or scroll through the pages. Most developers want more than the ability to display pages and pages of colored text on your computer. To make creative and sophisticated websites possible, web browsers have become more complicated, as have web servers. Current browsers include audio, visuals, animations, live chats, and almost any other feature you can imagine.

Figure 3.17 illustrates some of the content that can be delivered over the Internet via a web server.

FIGURE 3.17 A web server providing streaming video, animation, and HTML data to a client

This ability to deliver content over the Web is accomplished in one of several ways. The most common approach involves installing applications that talk through the server to your browser. The applications require additional ports to be opened through your firewall and routers. Unfortunately, doing so inherently creates security vulnerabilities.

Each port you leave open in your network increases your vulnerability. If you open the ports necessary to use the popular program NetMeeting, you’re exposing your users to additional opportunities for attack. NetMeeting has had a number of security vulnerabilities in the past, and it will probably have more in the future.
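One way to keep track of which ports are open on a host is to compare its listening sockets against an approved list. The following is an added example, not part of the book: the `ss -tlnH` output is a constructed sample, the approved-port policy is an assumption, and the flagged ports are 143 (the mail port mentioned earlier) and 1720 (the H.323 call-setup port NetMeeting uses).

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:143 0.0.0.0:*
LISTEN 0 128 [::]:1720 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

# Assumed site policy: ports approved for exposure beyond the host itself.
APPROVED = {22: "ssh", 443: "https"}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line in `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition splits on the last colon, so IPv6 addresses stay intact.
        addr, _, port = fields[3].rpartition(":")
        # Drop a %interface scope first, then the IPv6 brackets.
        addr = addr.split("%")[0].strip("[]")
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True when the socket is bound only to the local host."""
    if addr == "*":  # wildcard bind: reachable on every interface
        return False
    return ipaddress.ip_address(addr).is_loopback


def audit(ss_output, approved=APPROVED):
    """List network-reachable listening ports that the policy does not approve."""
    findings = set()
    for addr, port in parse_listeners(ss_output):
        if not is_loopback(addr) and port not in approved:
            findings.add(port)
    return sorted(findings)


if __name__ == "__main__":
    for port in audit(SAMPLE_SS):
        print(f"unapproved listener on TCP {port}: close it or document why it is open")
```

Sockets bound to loopback addresses are skipped because they are not reachable from the network; everything else must appear in the approved list or be reported.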

Each of the popular web services is now offered in conjunction with web-enabled programs such as Flash and Java. These services use either a socket to communicate or a program that responds to commands through the browser. If your browser can be controlled by an application, your system is at great risk of being coerced into giving attackers information you don’t want them to have. Servers are also vulnerable to this issue because they must process requests from browsers for information or data. A little research into the vulnerabilities of a proposed new service may save you a lot of time later should you become the target of an attack.

While HTML remains popular, Extensible Markup Language (XML) is quickly being adopted by many. Although it’s not a replacement for HTML, XML offers many capabilities that HTML does not. These include the ability to describe the information (and not just display it). Because XML describes the data, that data can be displayed across several platforms, systems, and so forth.

The best solution for many of the vulnerabilities that exist on the Web is to implement secure web connections—the topic of our next section.

Secure Web Connections

There are two common ways to provide secure connections between a web client and a web server:

Secure Sockets Layer and Transport Layer Security: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are two common protocols used to convey information between a web client and a server. The SSL protocol uses an encryption scheme between the two systems. The client initiates the session, the server responds, indicating that encryption is needed, and then they negotiate an appropriate encryption scheme. TLS is a newer protocol that merges SSL with other protocols to provide encryption. TLS supports SSL connections for compatibility, but it also allows other encryption protocols, such as Triple DES, to be used. SSL/TLS uses
