There are many emerging technologies these days competing in the Internet market. There are WWW browsers, e-mail clients, server software, interactive web technologies, new languages that are tailored to be used over a network, and more. All these new products are very exciting and offer a better Internet experience, but they also pose a serious problem: security. In this page, we'll try to shed some light on the risks in these new technologies. Of course, this mission is almost impossible. These technologies change every second day to meet the demands of tomorrow. Some of them live a very short life, and by the time you read this page, a new product may have come along, and the ones described here may have become obsolete. But we'll try our best!
We'll be looking at:
- Java: A network-oriented language
- Javascript: A new way to create dynamic HTML pages
- ActiveX: Another way to enhance your Web pages
- Certificates: Better authentication for the Internet?
- S/MIME: A new standard for secure mail
Java
Java is the hottest name on the Internet today. In a nutshell, Java is just another object-oriented language, like many others. But the main power of Java is that it's possible to run Java on any platform (okay, almost all platforms: a special program, called the Interpreter, needs to be written for the platform, but once that is done, all programs will load!). That makes it ideal for the Internet. Java makes this possible by using two steps: first the program is compiled to produce what is called 'byte-code', and then the byte-code is run on the Interpreter. As a consequence, Java is not as efficient as C/C++ or any compiled language, but it's usually fast enough. One exciting aspect of Java is the ability to create 'applets'. An applet is a program that is run within a browser (one that supports Java, of course). So you can put a Java program right inside your page, turning the HTML code into a dynamic page.
Of course, all those great abilities pose a serious security threat. Downloading a program from the Internet to be run on your computer can be quite dangerous. The developers of Java have taken this into account. There are two types of protection: the language restrictions and the Virtual Machine.
Safety features built into the Java language
The guys who wrote Java wanted to ensure that a program could only access memory in a structured, safe way. This helps make Java programs robust, and also safer. It's safer because if you allow direct access to main memory, a program could easily crash the operating system, which is a serious security risk in some environments. And memory access could also be used to violate the system's security.
The mechanisms that restrict a program's memory access are:
- Type-safe reference casting
- Structured memory access (no pointer arithmetic)
- Garbage collection
- Array bounds checking
- Checking pointer references (for a 'null' reference)
All these features are built into the byte-code, not the high-level language. That means that even if you write your program directly in byte-code (there are probably some assembler freaks who would enjoy that) you can't violate these rules.
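The runtime checks listed above can be watched in action with the sketch below. It is an added example, not code from the original page; the class name SafetyChecksDemo and the helper attempt() are hypothetical. Each unsafe operation is stopped by an exception instead of touching memory it should not.

```java
// Added illustration; SafetyChecksDemo and attempt() are hypothetical names.
public class SafetyChecksDemo {

    // Runs one action and reports which runtime check, if any, stopped it.
    static String attempt(String label, Runnable action) {
        try {
            action.run();
            return label + ": completed (no check triggered)";
        } catch (RuntimeException e) {
            return label + ": stopped by " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Type-safe reference casting: an Integer cannot be reinterpreted as a String.
        Object boxed = Integer.valueOf(42);
        System.out.println(attempt("bad cast", () -> {
            String s = (String) boxed;
            System.out.println(s.length());
        }));

        // Array bounds checking: writing one element past the end is rejected,
        // so neighbouring memory is never overwritten.
        int[] buffer = new int[4];
        int index = buffer.length;
        System.out.println(attempt("out-of-bounds write", () -> buffer[index] = 1));

        // Null reference checking: a null reference is caught before it is followed.
        String missing = null;
        System.out.println(attempt("null dereference",
                () -> System.out.println(missing.length())));

        // Structured access: there is no pointer arithmetic to try at all.
        // An expression such as "buffer + 1" does not compile.
    }
}
```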
The Java Virtual Machine
Once it's up and running, a Java program is confined to a Java Virtual Machine (or JVM). This JVM (or 'sandbox') defines the area in which the program can run, and doesn't allow it to take any action outside the JVM. What this means is that the JVM prohibits many actions that can be dangerous, like:
- Accessing the Local Disk (Reading/Writing)
- Making a connection to a host (other than the host from which the applet came)
- Creating a new process
- Loading a new dynamic library
The fundamental components in the JVM are :
- Safety features
- The Class loader architecture
- The Class file verifier
- The Security manager
- The Java API
The Class loader and the Security manager are customizable. What this means is that you can customize your JVM. You can put hard demands on security, or the other way around... Usually you don't have to worry about this, because the applets you run in your browser already have defined JVMs (the browser defines those).
So Java is totally safe.
Well, no. There is a way to penetrate the security barriers that the JVM maintains. A Java program may call a method from a dynamic library. This is called a Native method.
Native methods don't go through the Java API (that's what they are for, actually), so the security manager doesn't hold for them. All of Java's security is breached! You can easily call a native method that can wreak havoc, like deleting some files on the local disk or crashing the OS.
Luckily, the security manager can prevent a program from using Native methods.
What this means is that if you load a program that you don't trust (like EVERY web applet, for that matter) you can load it in a JVM that doesn't allow Native methods. If you have a program that you do trust, you can allow it more control. So if you're careful, you can be sure that Java is quite safe. Quite. It is still possible that someone will crack the Java security. It has happened before: an early version of the JVM had a bug in it, and in March '97 a Java security bug was found. It was fixed, but who can tell what will happen in the future?
Javascript
Javascript is another exciting way to liven up your HTML pages. Unlike Java, which is a stand-alone language, Javascript can only be used from within a browser. Javascript 'programs' work with browser objects, and they can be used to make dynamic HTML pages.
Javascript is usually used for small programs, like menus or scrolling text. In Javascript you cannot 'hide' your source code; it is written directly into the HTML text. It's just a scripting language, like the old macros that were once used, or the newer languages used within many popular spreadsheets, word processors and other applications.
So Javascript, in its essence, is quite safe. It is confined to the browser, so it cannot do real damage to your computer.
Or can it?
It was found that the earlier versions of Javascript had several bugs in them that could cause security breaches.
For example, it was possible for a Javascript program to load files from a user's hard disk. This was found in March '96 and was quickly fixed. Several other bugs were found and fixed, and there are sure to be more.
There is a guy (John Robert Loverso) who found several Javascript bugs. Netscape even gave him $1000 back in 1996 for one of his discoveries. And he also got a Mozilla mug (cool!). It's very interesting to see the problems in that language.
How do I protect myself from Java or Javascript programs?
Of course, the true paranoid can simply choose not to load Java and Javascript programs. Every browser (okay, most of 'em for sure) can be configured so that these programs will be ignored.
Most people want to use these facilities, of course, and they have a real problem. While some programs exist to protect your computer from such threats (take a look at Finjan Software, an Israeli company that makes such programs), not everyone can use them.
What you SHOULD do is stay informed. Every so often a bug is found, and the browser companies quickly issue a patch for it. These patches are usually free, and small to download. Another piece of advice is to never use beta programs. These programs are pre-releases of a new browser (or any other program, for that matter). While it's very tempting to get your hands on new technology before it hits the market (especially since those are usually free), it can be dangerous. Most of the bugs that are found are fixed in the final version, and the beta version you have may not be protected!
A good place to check is one of the online magazines, like C|Net, for example. Stay tuned!
There's an interesting web page, with all sorts of hostile applets. It's worth a check, but I'd make a backup before...
ActiveX
ActiveX controls are software components that can run inside other applications. Actually, ActiveX is an Internet-enabled version of OLE (Object Linking and Embedding), Microsoft's component architecture. ActiveX is a Microsoft standard, aimed at taking Java's place in providing active WWW pages (ActiveX can also be used in non-Internet applications, like word processing or MIDI sequencing software).
ActiveX controls can do much more than Java applets. But that has a serious effect: the controls can take over the computer and shut it down. Malicious controls can introduce a virus or harm a PC or a network.
Microsoft is aware of the serious security breach in ActiveX, and its strategy is to require code-signing. All controls must be certified by a 3rd party tester. But that is not enough. Recently, a control named Exploder (written by Apropos Inc), which turns off a PC, received certification from VeriSign, which is such a 3rd party tester. The technology only attaches the author's name to the control. It does not scan for viruses or other security breaches.
Some method needs to be found to help solve the problem (an online virus scanner? a 'Virtual PC' like the one Java uses?), but in the meantime, Microsoft has also licensed Java to be used with its browser. The whole direction that ActiveX will take is not clear at all.
If you want to be sure about your security: most experts suggest disabling ActiveX completely. It is simply not safe at the moment. The author's signature is not enough.
Certificates
The oldest form of security is to ask for a password. A password is a classic 'what you know' type of security. Of course, the problem is that anyone can access your information if he knows the password. A certificate (or public-key certificate, or Digital ID) is a 'what you know and what you have' type of security. In order to access information you need to have a specific file on your disk that will authenticate you. Those files are encrypted, to provide a high level of security.
There are many standards for certificates. The most popular one is X.509v3 (by ITU). An X.509v3 certificate holds the following information:
- Name and identifying information (organization, for example) of the certificate holder (CH)
- The public key of the CH
- Issuer's name: the name of the company that issued the certificate (VeriSign, Netscape, etc.)
- Issuer's digital signature
- Expiration date
- Serial number
The issuer is an entity that attests to the identity of the holder of the certificate. The issuer is usually an external company (like VeriSign) whose whole job is to verify the identity.
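To see these fields on a real certificate, the added example below (not part of the original page; the names CertFieldsDemo and firstTrustedCa are hypothetical) reads the first CA certificate from the JDK's default trust store, prints the fields listed above, and checks the issuer's signature when the certificate is self-signed. It assumes the installed JDK ships a non-empty default trust store.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Added illustration; CertFieldsDemo and firstTrustedCa are hypothetical names.
public class CertFieldsDemo {
    // First CA certificate in the JDK's default trust store, or null if it is empty.
    static X509Certificate firstTrustedCa() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] cas = ((X509TrustManager) tm).getAcceptedIssuers();
                if (cas.length > 0) return cas[0];
            }
        }
        return null;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        X509Certificate cert = firstTrustedCa();
        if (cert == null) { System.out.println("Default trust store is empty."); return; }
        // The fields from the list above, in the same order.
        System.out.println("Holder        : " + cert.getSubjectX500Principal().getName());
        System.out.println("Public key    : " + cert.getPublicKey().getAlgorithm());
        System.out.println("Issuer        : " + cert.getIssuerX500Principal().getName());
        System.out.println("Signature alg : " + cert.getSigAlgName());
        System.out.println("Expires       : " + cert.getNotAfter());
        System.out.println("Serial number : " + cert.getSerialNumber().toString(16));
        try {
            cert.checkValidity(); // compares the validity period with the current time
            System.out.println("Validity      : within its validity period");
        } catch (CertificateException e) {
            System.out.println("Validity      : " + e.getMessage());
        }
        // A root CA is its own issuer, so its own public key must verify its signature.
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            try {
                cert.verify(cert.getPublicKey());
                System.out.println("Signature     : verifies with the issuer's key");
            } catch (GeneralSecurityException e) {
                System.out.println("Signature     : FAILED (" + e.getMessage() + ")");
            }
        }
    }
}
```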
Certificates are very useful when extra security is needed. A certificate is your Digital ID, and can be used to identify you in cyberspace (your electronic network). The certificate provides several important services:
- Real-Time encryption over SSL
- Single user login: you can log in once, through your browser (if it supports certificates, that is), and the browser will use that login every time a certificate is needed
- Secure E-mail (over S/MIME)
- Strong authentication.
Certificates work both ways. If you connect to some server, you can view its certificate so you'll be sure who you're talking to. The new browsers also have client-side certificates, so the server can know who YOU are.
Secure E-Mail (S/MIME)
S/MIME is a new standard for secure E-Mail. It is an open standard (the specifications are open to all, which means many companies can issue an S/MIME-compatible E-Mail client), which is used for encrypted, signed mail.
S/MIME has these basic features :
- Encryption
- Authentication (Digital signatures)
- Cross-Platform messaging
- Tamper detection (it uses a secure hashing function to detect message tampering)
The main advantage of S/MIME is its interoperability, the fact that it's an open standard, and that it has a good chance of becoming the de facto standard for secure E-Mail.
