According to Steve Gibson, there are three main things we want in a secure connection between a client and a host over the internet:
- Confidentiality of communication
- Protection against message modification
- Endpoint authentication
Confidentiality of communication means that nobody who intercepts our network traffic will be able to figure out what we are doing. According to the 2007 OWASP Top 10 Web Application Vulnerabilities, insecure communications 9th most common vulnerability. This can be fixed through encryption (either symmetric or asymmetric). If encryption is not used, anyone intercepting the traffic could easily see and understand the information that is being sent between the client and host.
Protection against message modification means that there are safeguards against accepting a message that has been altered by a hacker. For example, a hacker could potentially intercept a message requesting a payment to be sent to Paypal. They could repeat this message causing multiple payments, or even alter it to be a different amount. Hashes are a good way to protect against this. They are a somewhat like a finger print, and if the message changes at all, the hash would change.
Endpoint authentications means that you know that you are communicating with the right server. This is achieved through certificates, which I blogged about previously.
SSL (Secure Socket Layer) is a common protocol that includes all of this. Using SSL is a quick way to secure many aspects of a web application.
Resources
No comments:
Post a Comment