Perl CGI Programming: No experience required.
(Publisher: Sybex, Inc.)
Author(s): Erik Strom
ISBN: 0782121578
Publication Date: 11/01/97



Windows NT uses a similar structure of permissions with three additions. NT differentiates between write authority and permission to delete a file, so delete must be specifically granted to a user. NT lets the administrator decide whether a user or group will be able to change permissions on a file or directory and take ownership of it. NT also allows the administrator to require passwords on folders that will be shared on a network. However, the operating system doesn’t discern a difference between the local network and the Internet. Figure 13.6 illustrates the permissions dialog box for a disk volume on an NT system.


Figure 13.6:  Setting permissions on a Windows NT system

Obviously, there is a great deal of flexibility in the permission structures for both UNIX and Windows NT. As an administrator, you can be as frugal or as generous as you want in deciding the access that will be granted to users on the system. The same goes for users who come in over the Web, though they are restricted already by the Web server.

Running Programs through CGI

CGI applications run independently. They are not part of the Web server and, except for the data the server sends to them, you have no control over CGI programs from the server. You can decide whether or not you will allow CGI applications at all, but that’s about it.

CGI does present a security risk. You’ve learned how to take some steps to minimize the risk, but it’s there nevertheless.

You can take further steps by simply being smart and aware. Remember that your Web site is a public place and that members of the public might be able to see anything on it. Don’t keep things on the Web server that you wouldn’t want the public to see; don’t store valuable data in a place where some little troll might be able to slither in and destroy it.

Above all, keep an eye on your Web site. It’s not just a plug-and-play toy that you turn on and walk away from. If you’re vigilant—looking at your logs regularly, being aware of what’s on your computer—you’ll see the evidence of any untoward entries and you can prevent them from happening again.

Providing a Secure Connection

Communicating over the World Wide Web is as inherently secure as communicating by telephone—that is, not at all, given a determined snooper with a pair of alligator clips and a way to get to your phone line. Technically, it is not difficult to actually monitor traffic over a Web connection. It’s difficult to not get caught doing it, but the fact remains that if you’re really concerned about privacy, the Web isn’t the place to get it.

Secure connections and communication on the World Wide Web are becoming a larger issue as the Web becomes more and more a place of commerce. Business transactions take place every day; confidential information is exchanged, including credit card numbers that could be misused by thieves.

What steps can be taken to make the Web a more secure place to do business? Because there’s a lot of money involved in this issue, it has gotten a lot of study. All of the proposed solutions involve some form of data encryption. We’ll discuss a couple of them: Netscape’s Secure Sockets Layer (SSL) and a new HTTP standard called Secure-HTTP.

Netscape invented the Secure Sockets Layer a couple of years ago to provide a safe way to transmit confidential information between a client and a Web server. SSL is not part of HTTP; it runs as a layer between TCP/IP and whatever protocol is being used at the time, which means SSL could run along with FTP or Telnet, too. The security scheme is being studied by the World Wide Web Consortium for possible status as an Internet standard.

You connect to an SSL-capable server by using https in the URL instead of http. The software on the server then communicates with the browser that it can transact an encrypted conversation. Because the HTTPS protocol runs in a different TCP/IP port than HTTP, secure and “insecure” conversations can take place simultaneously on the server. Figure 13.7 shows the Netscape dialog box used to set up SSL.


Figure 13.7:  SSL is configured in this Netscape dialog box.

Netscape’s encryption method, which employs a 40-bit key, was the subject of some controversy when someone discovered that it could be broken by turning it over to a powerful computer. The company claims that the problem was fixed—that it would take one year for a computer capable of executing 64 million instructions per second to break it. Netscape plans to offer a version of SSL that uses a 128-bit key, but the law forbids exporting it out of the United States.


TIP:  More information on SSL, including the specification and technical details, is available at Netscape’s Web site (www.netscape.com). Scroll to the bottom of the home page and click the Search link, then type SSL.

Rather than being layered atop TCP/IP, Secure-HTTP (or S-HTTP) is an attempt to improve on the HTTP standard itself to provide secure communications between the Web server and its clients. It is being tested by developers at this writing; their goal is to build standard encryption of data into a conversation on the Web.

If S-HTTP really does become an Internet standard, it could have exciting implications for all kinds of commerce. Banking and other financial exchanges, tax transactions, and any type of business requiring that data be exchanged in private could be done over the Internet.


TIP:  There is a good technical discussion of S-HTTP at www.homeport.org/~adam/shttp.html.

Protecting Web Pages with Passwords

Certainly one good method of making your Web site more secure is to require that everyone entering it have a user name and a password on your system. Some commercial and members-only sites, in fact, have employed just that method. You might find it a little restrictive when you’re just getting started, though.

But there may be pages to which you wish to grant access only to certain people. Or perhaps you would like to use your Web browser’s built-in display capabilities to perform maintenance on your site, but you don’t want the average visitor to be able to get to those pages.

Using Perl and CGI, you can create a database of user names and encrypted passwords, or simply store one password to be verified when you want to call up a restricted page.
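One way to build the user-name and password check just described, as an added example that is not from the book: user names and crypt()-encrypted passwords live in a flat file outside the document root (the path is an assumption), and the CGI script re-crypts the submitted password and compares it with the stored value, so the plain-text password is never written anywhere.

```perl
#!/usr/bin/perl -w
use strict;

# Assumed path: a flat "user:crypted_password" file kept OUTSIDE the
# document root, so the Web server can never serve it to a visitor.
my $PASSWD_FILE = '/usr/local/etc/webusers';

# Read the file into a user => crypted-password hash.
sub load_users {
    my ($file) = @_;
    my %users;
    open(my $fh, '<', $file) or return \%users;    # no file: nobody can log in
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;              # skip comments and blanks
        my ($name, $crypted) = split /:/, $line, 2;
        $users{$name} = $crypted;
    }
    close $fh;
    return \%users;
}

# Make the stored form of a password (run this once, offline, and append
# "name:result" to the file). A fresh two-character salt means two users
# with the same password still get different stored values.
sub crypt_password {
    my ($plain) = @_;
    my @chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    my $salt = join '', map { $chars[rand @chars] } 1 .. 2;
    return crypt($plain, $salt);
}

# Verify: crypt() takes its salt from the first two characters of the
# stored value, so re-crypting the supplied password must reproduce it.
sub check_password {
    my ($users, $name, $plain) = @_;
    my $stored = $users->{$name} or return 0;      # unknown user fails too
    return crypt($plain, $stored) eq $stored ? 1 : 0;
}

# Gate for a restricted page. Form parsing is assumed to happen elsewhere;
# the login fields below are constructed values so the script runs as-is.
my ($name, $plain) = ('alice', 'open sesame');
my $users = load_users($PASSWD_FILE);
$users = { alice => crypt_password('open sesame') } unless %$users;  # no file yet: seed
if (check_password($users, $name, $plain)) {
    print "Content-type: text/html\n\n<h1>Restricted page</h1>\n";
} else {
    print "Status: 401 Unauthorized\nContent-type: text/html\n\n<h1>Access denied</h1>\n";
}
```

crypt() is the traditional one-way UNIX scheme of the book's era; the same file layout and check work unchanged with a stronger one-way hash if the platform's crypt() supports one.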

