Security On The Web

How do you secure something that is changing
faster than you can fix it? The Internet has had security problems since
its earliest days as a pure research project. Today, after several years
and orders of magnitude of growth, it still has security problems. The
Internet is being used for a purpose for which it was never intended.
It is somewhat ironic that the early Internet was designed as
a prototype for a high-availability command and control network that could
resist outages resulting from an enemy attack, yet it cannot resist college
undergraduates. The problem is that the attackers are on, and make up a part
of, the network they are attacking. Designing a system that is capable
of resisting attack from within, while still growing and evolving at a
rapid pace, is probably impossible. Deep infrastructure changes are needed,
and once a network has reached a certain size, the sheer inertia
of the installed base may make it impossible to apply fixes.

The challenge for the security industry
is growing. With electronic commerce spreading over the Internet, new
issues such as non-repudiation arise every day and will
need to be solved. Financial institutions will have both technical concerns,
such as the security of a credit card number or banking information, and
legal concerns about holding individuals responsible for their actions, such
as their purchases or sales over the Internet. Issuance and management
of encryption keys for millions of users will pose a new type of challenge.

While some technologies have been developed,
only an industry-wide effort and cooperation can minimize risks and ensure
privacy for users, data confidentiality for the financial institutions,
and non-repudiation for electronic commerce.

With the continuing growth in linking
individuals and businesses over the Internet, some social issues are starting
to surface. Society may take time to adapt to the new concept of
transacting business over the Internet. Consumers may take time to trust
the network and accept it as a substitute for transacting business in person.

Another class of concerns relates to restricting access over the Internet.
Preventing distribution of pornography and other objectionable material
over the Internet has already been in the news. We can expect new social
hurdles over time, and we can hope that the great benefits of the Internet will continue
to outweigh these hurdles through new technology and legislation.

The World Wide Web is the single largest,
most ubiquitous source of information in the world, and it sprang up spontaneously.
People use interactive Web pages to obtain stock quotes, receive tax information
from the Internal Revenue Service, check the local weather, consult a pregnancy
planner to determine ovulation dates, conduct election polls, register
for a conference, search for old friends, and the list goes on. It is only
natural that the Web's functionality, popularity, and ubiquity have made
it the seemingly ideal platform for conducting electronic commerce. People
can now go online to buy CDs, clothing, concert tickets, and stocks. Several
companies, such as Digicash, Cybercash, CarParts.com, and First Virtual,
have sprung up to provide mechanisms for conducting business on the Web.
The savings in cost and the convenience of shopping via the Web are immeasurable.

Whereas most successful computer systems resulted from careful, methodical
planning, followed by hard work, the Web took on a life of its own from
the very beginning. The introduction of a common protocol and a friendly
graphical user interface was all that was needed to ignite the Internet
explosion. The Web's virtues are extolled without end, but its rapid growth
and universal adoption have not been without cost. In particular, security
was added as an afterthought.

New capabilities were added to satisfy
the growing demand for features without carefully considering the impact
on security. To make the Web a general-purpose platform, scripting was introduced on both the
client and the server sides. It did not take long for the Web
to move from the scientific community to the commercial world. From then on,
the dangers of accidental and malicious abuse grew. At this point, the
security threats became much more serious. The incentive for malicious
attackers to exploit vulnerabilities in the underlying technologies is
at an all-time high. This is indeed frightening when we consider what attackers
of computer systems have accomplished when their only incentive was fun
and personal enjoyment while boosting their egos. When business and profit
are at stake, we cannot assume anything less than the most dedicated and
resourceful attackers applying their utmost will and determination to steal,
cheat, and perform mischievous attacks against their prey (users of