WWW – why is it not yet secure enough?

Posted: September 21, 2011 in Background Information

A bit of gyan (knowledge)

The internet is maturing at an extremely fast rate day-by-day, and the world-wide-web (www)  has become a central hub for information available worldwide. Nowadays, communication between the far ends of the world has become trivial. The dot-com boom happened in the mid-1990’s and companies have started depending hugely on the internet since then. This has paved way to a huge number of possibilities, along with risks. Companies and customers and retailers can buy and sell online and e-commerce has become substantially important because of this.

What I’ve found is that however fast technology grows, people’s minds don’t change. No matter how secure you tend to keep your transaction between the client and server, e-commerce’s growth has not increased very much because of the constant fear in people’s minds – “How can I trust this fellow when I cannot even see him? What if I pay online but don’t get my package?”. A typical example is the huge number of credit card frauds over the decades, which has just increased the fear in people’s minds.

Each time a vulnerability is discovered on a particular website, it has been exploited and has incurred huge losses for the company hosting that website. Time and again, people have tried to keep websites as secure as possible. Theoretically, algorithms (used in security) have been proven to be secure (till date) and yet, attackers have always found ways and means to breach security.

In my opinion, it is just plain ignorance of the designer to ignore the security aspects to make his work easier. Though development of technology is rapidly increasing and we learn new things everyday, secure coding practices are not learnt in the process. This in turn leads to security holes in the implementation of software, which are then exploited by attackers causing huge losses to companies.

Let’s try to answer some simple questions:

  • How do you host webpages over the world-wide-web?
    • In most cases, web pages are accessed using the http(s) or (s)ftp protocols. If a person wants to host a website over the world-wide-web, (s)he has to first register his/her domain name. This means that the domain name will get mapped to a particular IP address which is reachable from anywhere in the world (called as ‘public ip’). Next, the person has to enable the website to be accessible from the machine having the assigned IP address, which is generally done using a web server to host his/her website. Now, the website is available to anyone who either knows the public IP or the registered domain name.
  • What programming language can be used while implementing the same?
    • There are a huge number of scripting languages available, which designers can use to create websites. Examples are PHP, JSP, ASP, etc. Programming constructs differ in each language, but end up doing the same things. There is also CGI (common gateway interface) where you can use scripting languages such as Python, Perl, Ruby, etc. to do the same job.
  • What should one do to make my web application secure?
    • This question cannot be answered in one paragraph. Anyway, I’ll try listing a few:
      • Firstly, it requires a good knowledge of the exact working of the code which designers write. Talking with an example, it means that knowing that “strcpy()” function copies one string to another is not enough, but rather the programmer needs to know how exactly it copies and why it is made so.
      • Secondly, the programmer who implements the software needs to have deep knowledge about secure coding practices – what, why and how. Secure coding practices try to ensure that there are minimal security holes in software being designed, thus ensuring safety, security and stability of software. Other factors such as reliability, integrity tag along if these conditions are met.

Now, based on the three questions answered above, we can come to a standpoint as to what factors determine how secure a website is. In decreasing order of importance and difficulty:

  1. Knowledge of the programmer.
  2. Network layout being used.
  3. Configurations being used in software.

We know that the only way to access a website hosted on a public IP is through the internet. Without the internet, the world-wide-web becomes a big joke. When we look at how the internet is designed, we see that networking plays a huge role. Hence, the protocols being implemented during transfer of data have to be secure. No matter how secure the application is, if the networking protocols being implemented are insecure, security is threatened. This is one basic fact that all web designers have to understand. Most of the devices used in the internet today, use the 5 layer hybrid protocol stack. This protocol stack is known to be insecure, and is prone to MITM attacks (DNS cache poisoning, ARP spoofing, IP spoofing, etc.)

Management of a website is normally done through configuration settings. These configuration settings determine how users of the website can access data and with what level of permissions. These configuration settings for the website can be divided into two parts – configurations of web server and the configurations of the user who is accessing the website. Configurations of the web server mean those configurations which affect all users accessing the website, whereas user-specific configurations apply to single users accessing the website. An example of a web-server configuration is the “Directory Listing” option, where a user can list the contents of a directory accessible through the website, without a webpage displaying it. An example of a user-specific configuration is the access control being specified to each user, controlled by an ACL (Access Control List). Programming languages sometimes influence how these user-specific configurations are specified.

Can we make the world-wide-web ‘entirely’ secure?

A simple answer would be “Entirely secure?! I don’t think so!”. But there are a lot of factors to consider while answering this question. Let’s look at some of them.

Firstly, the programmer implementing the software has a good knowledge of secure coding practices. He/she has to know exactly how the code is being implemented and how secure it is. This is where programming languages play an important role. Some programming languages provide very high-level programming constructs to make the job easier for the programmer, but this actually blinds the programmer from the inner implementation of the constructs and how secure they are. Thus security does not only rely on how the the programmer codes, but also how the code is being implemented by the compiler/interpreter of that particular programming language. The programmer has to take care of this, carefully considering the programming language that is being used and how it is actually being implemented.

There isn’t much that can be done about the security level of the entire protocol stack. This is because if we have to modify the protocols in the protocol stack to make it secure (below the application layer), then we would have to change the firmware in every hub, switch, router and computer all around the world. For a long time, people have been changing the protocols at the application layer to secure ones (such as SSL), trying to prevent MITM attacks at the application layer. But then we have to understand that whatever is done on the application layer is specific only to that layer. The security mechanisms used in the application layer are totally blind to attacks happening at the lower layers. Thus, if we actually would have to make the network layout totally secure, that wouldn’t be possible. But what we can do is to provide more encryption mechanisms at the application layer, hoping for the best. So from the network point of view, the world-wide-web is still insecure and will continue to be until the entire protocol stack can be made secure.

In most of today’s websites, vulnerabilities arise due to insecure configurations being used. The programmer is lazy, thus leaving insecure configurations on the website, paving way for information leak and potential exploits. Though this is relatively easier to handle when compared to the other factors, it is important when it comes to security of a website.

What now?

The very need of security arises because of the fact – all of us are not responsible citizens. There would be no need for policemen if there were no thieves. But this is definitely not achievable, because changing hardware and software is a lot easier than changing people! There is a reason that I’ve said that “knowledge of the programmer” is more important and harder to achieve than “making the network layout secure”. What I mean is that it is easier to change all the hubs, switches, routers and computers all over the world to achieve security, than to strive to achieve that every programmer has to have the knowledge of secure coding practices! 😀

During my under-graduation, a professor had once said “It is a never-ending race between designers, attackers and security experts”. Designers keep developing technology, while attackers keep finding security holes in the implementation of that technology, and security experts try to come up with workarounds to patch these holes. This seems to be true, not only with computers, but with any technology used in this world!

We have to do best with what we have. We know that there are attackers prowling in the wild, looking for vulnerable websites to deface, or probably steal data from. So it is our responsibility to secure our data, no matter what. We have talked about some of the factors influencing security, so we will have to look deeper into the same and try to come up with an effective, yet secure implementation.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s