This post is about web security threats, the challenges they pose, and their solutions.
Usually, web traffic is carried over plain HTTP, but the recommended protocol is HTTPS (HTTP over SSL). One question that comes to mind is: why would you need HTTP over SSL? The answer is simple: for security. The next question is what sort of security you actually get by enabling HTTP over SSL. HTTPS provides transport-level security between client and server, meaning that nobody can read the data in plain text on the wire: the client sends encrypted data to the server, the server decrypts it before processing, and once processing is done the server encrypts its response and sends it back to the client over the network. That is how HTTPS works. Of course, there are multiple steps in the communication between client and server; I will try to explain them in another post. You can also read an overview of the SSL protocol.
Security does not come for free; you have to pay for it somewhere, meaning that you trade off performance and cost. As the rule of thumb goes, there is no free lunch. So there is a trade-off between security and performance that you have to balance according to your context. Let us understand the basic building blocks of a security threat step by step.
1. Scenario of Security Attacks
Let us consider a web application hosted on a server with no HTTPS (HTTP over SSL) enabled. An end user, say Bob, is surfing the Web and arrives at a shopping cart application, a web site that sells goods. For simplicity, consider a single form: the shopping site displays a form in which Bob is supposed to enter the type of item and quantity, his address, and his payment card number. Bob enters this information, clicks Submit, and expects to receive the goods.
Once Bob submits, the form data flows from client to server over HTTP, with no SSL enabled. What can happen?
2. Security Attack Possibilities
Any of the following attacks is possible, and these are common day-to-day scenarios. The question is how we can overcome them. Let us first understand the different kinds of attack; once they are clear, thinking about countermeasures becomes much simpler.
- Attack on Confidentiality: If no confidentiality (encryption) is used, an intruder could intercept Bob’s order and obtain his payment card information. The intruder could then make purchases at Bob’s expense.
- Attack on Integrity: If no data integrity is used, an intruder could modify Bob’s order, having him purchase ten times more items than desired.
- Attack on Availability: A competitor can flood the shopping cart application (let us say A2Z Shopping Inc.) with bogus requests to bring its web server down.
- Attack on Authenticity: If no server authentication is used, a fake server could display the shopping cart application's (A2Z Shopping's) well-known logo when in actuality the site is run by crooks masquerading as A2Z Shopping.
The above example concerns a web application that uses HTTP, but a similar situation can occur in any type of application that uses the TCP/UDP transport service.
Binding security to a specific application (the browser) is not a good idea. How can we achieve security that is, at least to some extent, independent of the application? As architects, we need to think about this in order to meet non-functional requirements like this one.
3. Solution of Web Security
One solution is to enable SSL (Secure Socket Layer) at the transport layer as the security mechanism, i.e. HTTPS (HTTP over SSL).
First of all, let us understand the purpose of SSL. Its purpose is to enhance TCP with confidentiality, data integrity, server authentication and client authentication, so as to protect against the security threats discussed in this post.
It was developed by Dr. Taher ElGamal, now security CTO of salesforce.com, during his tenure at Netscape in 1995-98.
SSL is often used to secure transactions that take place over HTTP. However, because SSL secures TCP, it can be employed by any application that runs over TCP. Application independence is the prime motivation behind SSL: to enable SSL for an application, no change is needed at the application level.
SSL provides a simple Application Programmer Interface (API) with sockets, analogous to TCP's socket API. When an application wants to employ SSL, it simply includes the SSL classes/libraries.
The follow-on standard to SSL, known as Transport Layer Security (TLS), is defined in IETF RFC 5246.
We will discuss SSL in more detail in the next post.
4. Position of SSL in Transport layer
[Figure: on the left, HTTP with no SSL layer enabled; on the right, HTTPS with the SSL sublayer enabled.]
The design of the SSL sublayers is what allows application independence: once a connection is established between client and server, the application layer interacts directly with the SSL socket layer, just as it would with a plain TCP socket.
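As an added example (not code from the original post), here is what the socket-analogous SSL API described above looks like in Python's standard library: Bob's order is built identically for HTTP and HTTPS, and the only change is wrapping the TCP socket in a TLS context that verifies the server. The host name shop.example and the /order path are constructed placeholders.

```python
# Added example, not from the original post: Bob's order submitted over
# plain TCP versus over TLS, standard library only. Host/path are constructed.
import socket
import ssl
from urllib.parse import urlencode


def build_order_request(host: str, order: dict) -> bytes:
    """Serialise Bob's form as an HTTP/1.1 POST. The bytes are identical for
    HTTP and HTTPS: the SSL sublayer underneath changes nothing up here."""
    body = urlencode(order).encode()
    head = (f"POST /order HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body


def make_client_context() -> ssl.SSLContext:
    """TLS settings giving the properties the post lists: CERT_REQUIRED and
    check_hostname give server authentication (a masquerading server has no
    valid certificate for the shop's name); the record layer gives
    confidentiality and integrity; a TLS 1.2 floor refuses legacy SSL."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings so they can be checked without a network."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "minimum_version": ctx.minimum_version.name}


def connect(host: str, port: int, use_tls: bool) -> socket.socket:
    """Open the TCP connection; with use_tls, slide the SSL sublayer in."""
    raw = socket.create_connection((host, port), timeout=10)
    if not use_tls:
        return raw  # plain HTTP: the order crosses the wire in clear text
    return make_client_context().wrap_socket(raw, server_hostname=host)


def submit_order(host: str, order: dict, use_tls: bool = True) -> bytes:
    """Send Bob's order and return the raw response; same code either way."""
    with connect(host, 443 if use_tls else 80, use_tls) as conn:
        conn.sendall(build_order_request(host, order))
        return conn.recv(4096)
```

Calling submit_order with use_tls=False sends the card number in clear text; with use_tls=True the same request bytes are handed to the SSL socket, which encrypts and integrity-protects them and refuses to talk to a server whose certificate does not match the host.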
Your comments are welcome to improve this post. Happy Learning 🙂