I touched on this topic in my "Cryptography Overview" post, but I thought that I should go into more detail since "insecure communications" ranks at number 9 on OWASP's top 10.
What does "Insecure Communications" mean?
In order for a web application to work properly, messages must often be sent between the application server and the client (user). It is also very common for messages to be sent between the application server and other servers. When the data in these messages are sensitive (user names, passwords, social security numbers, credit card numbers, etc.), the method of communication must be secured. If it is not secured, a third party could easily "listen in" on the communications and extract the sensitive data from them.
Who is vulnerable?
Any web application that transmits sensitive data is at risk.
How can it be prevented?
The most common method of securing communications is through the use of SSL (Secure Sockets Layer). This transmission method creates an encrypted connection between two parties. The data are encrypted on one end, sent, and decrypted on the other end. Anyone who "listens in" on the communications will find the encrypted data meaningless.
SSL should be used whenever sensitive data are being transmitted. For example, user login pages need to use SSL to prevent a username and password from being intercepted. It is also very important for e-commerce websites to use SSL when a person's name, address, and credit card number are collected. The Payment Card Industry Security Standards Council requires that SSL or an equivalent is used for any transmission of credit card information. You can check that SSL is being used on a website by looking at the URL at the top of your browser: if it starts with "https://", then your connection is secured with SSL.
It is important to recognize that even web applications that implement SSL are still at risk. Hackers can abuse applications that can be forced out of SSL, or that fall back on insecure communications when a secure connection cannot be established.
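The following Python script is an added example, not part of the original post. It shows the defender's side of the two points above: a client that verifies the server's certificate and refuses to send sensitive data over anything but https (no silent fallback to plain http), and a small check of whether a server actually enforces https by redirecting plain-http requests and sending a Strict-Transport-Security (HSTS) header, a mechanism the post does not mention but which browsers use to refuse later plain-http connections. The function names, the hostname shop.example, and the sample replies are all constructed for this example and are not from any real site or library.

```python
import ssl
from urllib.parse import urlparse

# Added example. The function names below are this example's own, not a
# library API; shop.example and the sample replies are constructed.


def build_client_context() -> ssl.SSLContext:
    """Return a TLS client context that verifies the server certificate,
    checks the hostname, and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()           # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no downgrade to SSLv3/TLS 1.0
    ctx.check_hostname = True                    # default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED          # default, stated explicitly
    return ctx


def require_https(url: str) -> str:
    """Return the URL unchanged if it uses https, otherwise raise.
    Raising instead of quietly retrying over http is the point: a client that
    falls back to plain http is exactly the weakness described above."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https" or not parsed.netloc:
        raise ValueError(f"refusing to send sensitive data over {url!r}: not https")
    return url


def assess_https_enforcement(http_reply, https_reply) -> list:
    """Given (status, headers) for a plain http:// request to a sensitive page
    and (status, headers) for the same page over https://, list the
    enforcement problems found. An empty list means the plain request was
    redirected to https and the https response carries an HSTS header
    (browsers only honour HSTS when it arrives over https, so it is checked
    on the https reply)."""
    problems = []
    status, headers = http_reply
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location", "")
    if status not in (301, 302, 307, 308):
        problems.append("plain http request was served instead of redirected")
    elif not location.lower().startswith("https://"):
        problems.append(f"redirect target is not https: {location!r}")

    _, https_headers = https_reply
    hsts = {k.lower(): v for k, v in https_headers.items()}.get(
        "strict-transport-security", "")
    if "max-age=" not in hsts.lower():
        problems.append("no Strict-Transport-Security header, so browsers may "
                        "retry over plain http next time")
    return problems


# Constructed sample replies (not captured from any real site).
GOOD_HTTP_REPLY = (301, {"Location": "https://shop.example/checkout"})
GOOD_HTTPS_REPLY = (200, {"Strict-Transport-Security":
                          "max-age=31536000; includeSubDomains"})
BAD_HTTP_REPLY = (200, {"Content-Type": "text/html"})   # login form over plain http
BAD_HTTPS_REPLY = (200, {"Content-Type": "text/html"})  # https works, but no HSTS

if __name__ == "__main__":
    ctx = build_client_context()
    print("minimum TLS version:", ctx.minimum_version)
    print("good site problems:", assess_https_enforcement(GOOD_HTTP_REPLY, GOOD_HTTPS_REPLY))
    print("bad site problems:", assess_https_enforcement(BAD_HTTP_REPLY, BAD_HTTPS_REPLY))
    for url in ("https://shop.example/login", "http://shop.example/login"):
        try:
            print("ok:", require_https(url))
        except ValueError as err:
            print("blocked:", err)
```

The context from build_client_context() is what you would pass to http.client.HTTPSConnection or a socket wrapper; the two checks are the kind a deployment review runs against a login or checkout page before go-live.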
Resources
Tuesday, April 7, 2009