BigNoseBird.Com's Secure Server Weaknesses Page

Return to the Secure Server Page

SECURE SERVER WEAKNESSES
BUT FIRST, SOME ASSUMPTIONS...
Just to keep things simple, we will trust that our server and browser do their jobs properly and that nobody is yet able to crack the encrypted data. As of this writing (December 3, 1999) 128 bit encryption is considered to be rather secure- and more importantly, beyond our ability to control.
We will also trust that certificate authorities such as Verisign and Thawte perform their jobs properly in investigating the company that has applied for a certificate before issuing it.
HOW CAN A SECURE SERVER BE INSECURE?
Sounds almost like we are dealing with a neurotic computer, but creating an insecure secure server is more the norm than the exception. Here are some of the more popular holes in secure server security.
IMPROPER DATA FORWARDING
This is quite a common problem on the Internet right now. I know this based on e-mail I get from people implementing our BNBFORM, all purpose mail response form on secure servers.
The problem here is twofold, but let's deal with data forwarding at this point. After the consumer fills out the form, all of the information is safely encrypted and transmitted to the server. The server then decodes the data for a script such as BNBFORM to deal with. At this point, the information is no longer encrypted, and no longer safe.
The script then e-mails the information to the form's owner as clear text. This information is then placed at risk as it is mailed from the server to person's e-mail box. During the information's transit, it can be sniffed and stolen by a person running a packet sniffer. The mail is then sent to some mail server where it sits waiting to be picked up by the owner, and the it is again transmitted in the clear as the owner downloads their e-mail.
The clear text information can also be viewed by any person with administrative privledges on any system along the way.
The only solution to this problem is to re-encode the data before it is again transmitted. BNBFORM (and most others) do not support this function due to licensing and other legal issues having to do with encryption.
IMPROPER DATA STORAGE
Probably the most serious risk regarding data storage has to do with sites that are in a Virtual Host environment. Again, using the BNBFORM as an example here are our problems.
The owner of the site uses the script's log-to-file option to store all information in case e-mail is lost or for audit purposes. This means that all of the information is stored on the system's disk in a text file.
Obviously, the administrator's of the hosting company can read what is in the file, but if the file's permissions are set incorrectly allowing public read access, so can every other user (possibly hundreds) that has access to that computer!
Quite often, virtual hosts do not have each site running using it's own owner and group ID codes. This means that the web server software runs as the same user for all the sites located on the server. Unfortunately, this also means that in a typical set-up, it is very easy for anyone with a site on the same system to grab other people's data.
DIFFICULT TO DESTROY DATA
This problem also plagues virtual host situations. One would hope that the operator of the server makes frequent backups in case there is a hardware failure. Where do the tapes go? Who has physical access to them? How long are they kept? In a sense, this is the computer equivalent of a store photocopying credit card receipts!

Find or Give Help on the BBS

Home Top E-Mail
If it looks great, it's by Christine

Some Fine Print
© 1997-2003 BigNoseBird.Com®, Inc. All rights reserved. All other trademarks are the sole property of their respective owners. The products that we recommend are only ones that we use. We have no relationship with any of the authors or their companies. We cannot assume responsibility for their ultimate performance or lack of same. We also cannot assume responsibility for either any programs provided here, or for any advice that is given since we have no control over what happens after our code or words leave this site. Always use prudent judgment in implementing any program- and always make a backup first! For further information, please read our Privacy Statement. We can be contacted at webmaster@bignosebird.com.

Website Builder

Free Webmaster Resources

Web Templates

Stock Photography

Free Javascripts

<reallybig.com>
Web Builder Network Portal

WebBuilderZone
The Largest directory of Web Building resources on the 'Net!

Reallybig Forums
Ask a question, join a discussion, start a thread.

Bignosebird
FREE CGI scripts, Web tutorials, essential HTML tricks and more!

Fontpool
1000+ Truetype fonts for PC & MAC!

Graphxkingdom
Thousands of free Icons, Clipart & Themes!

Free-Backgrounds
Hundreds of eye-popping Backgrounds & Textures

DHTMLShock
Add life to your site with these DHTML scripts!

Java-scripts.net
Cool and easy effects with cut-and-paste Javascripts!

Sitecritique.net
Friendly community where you can get a site critique - or give one!

Advertise
on the
Reallybig.com
Network

BigNoseBird Newsletter