Friday, July 9, 2010

Security of Websites



Security is a very important issue and many Web sites, even those sites operated by large businesses, are not secure.

System security

It is important to ensure that your system is secure and to reduce the chance that hackers can break into your Web server and alter pages. System security is a serious responsibility, especially if you operate your own Web server.

Information security

Some Web sites may store sensitive information, such as the personal details (and perhaps even credit card numbers) of users. You should analyse the information stored and work out which information must be kept secure. As the operator of such a site, you have a responsibility to keep this information safe.

Encryption

Web sites use encryption to keep information secure in transit. Modern encryption works using a 'public key' scheme. If done properly, this encryption cannot reasonably be broken, but you need to pay careful attention to the points at which unencrypted information is available. Encryption, which makes it difficult for other people to intercept information, can be an important aid to security. However, encrypted Web connections (indicated by a padlock icon in the browser) only protect the data while it travels; they do not ensure that information is held securely at either end.

Using firewalls


'Firewall' software prevents access to your server except via specific 'ports'. Though firewall software can be helpful in reducing security risks, it is not an overall solution because you are still vulnerable to attacks that might occur via your Web server or other ports that you really have to allow.

Software security

Another system security issue is the actual software that makes up the system. This software may have bugs and security holes that permit access even without a password. System software should be kept current with security patches and updates.

Software flaws

Web servers are complicated programs and frequently contain bugs which may, under certain conditions, allow hackers access to your system even if they cannot get a password.
If you use a Web hosting provider, then it is their responsibility to ensure that software is kept updated (but you should check they actually do this). If you run your own server then you must be very careful to secure it.

Credit card details

Credit card details always need to be treated with the utmost care. There are many examples of sites which have lost large numbers of credit card numbers; the cards are then used for fraud. In a famous example, the site 'CD Universe' had hundreds of thousands of credit card details stolen; these details were posted to the Internet.

Secure site information


Some sites may include information on their own behalf, not for users, but which is nevertheless security-critical. For example, a company Web site might contain financial information about the company which should not be visible outside the company.

Public key encryption

Public key encryption achieves the same type of security as described, although not in exactly the same manner. The message is not actually sent back and forth three times.

Instead, both parties (the sender and recipient) have a pair of mathematical codes known as keys: a private key, which must be kept secret and is never transferred, and a public key, which can be freely published.

When a message is encrypted using a combination of the sender's private key and the recipient's public key, it can only be decrypted using the recipient's private key and the sender's public key. (Some complicated maths which I'm not going to explain makes this happen, so just trust me.)

So, if the recipient sends their public key to the sender, the sender can encrypt the message using their own private key (together with the recipient's public key) and send it, along with the sender's public key, to the recipient. The message is secure because it cannot be decrypted without the recipient's private key, which was never transferred.
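The property described above, as an added example that is not part of the original post: using Go's standard library, the sender combines their private key with the recipient's public key, the recipient combines their private key with the sender's public key, and both arrive at the same encryption key. The concrete choice of X25519 key agreement and AES-256-GCM is this example's assumption, not something the post specifies.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// NewKeyPair makes one party's keys; the private key never leaves the machine.
func NewKeyPair() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }
// sharedAEAD combines our private key with the peer's public key (X25519) and
// derives an AES-256-GCM key from the result. Both sides compute the same key,
// so what "sender private + recipient public" seals, "recipient private + sender public" opens.
func sharedAEAD(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret) // hash the raw shared secret into a fixed-size key
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts msg for peer; the random nonce is prepended to the ciphertext.
func Seal(own *ecdh.PrivateKey, peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	g, err := sharedAEAD(own, peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, nil), nil
}
// Open reverses Seal; a different key pair or one altered byte fails GCM's tag check.
func Open(own *ecdh.PrivateKey, peer *ecdh.PublicKey, box []byte) ([]byte, error) {
	g, err := sharedAEAD(own, peer)
	if err != nil {
		return nil, err
	}
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}
```

An eavesdropper who only saw the two public keys in transit holds neither private key, so their own key pair yields a different AES key and decryption fails.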

Viruses

Viruses spread mostly due to poor security practices (such as people opening email attachments). However, if you are running out-of-date email software you could be infected by an incoming virus even without opening an attachment.
