Securing Web connections
FCW's DotGov Thursday column points out weaknesses in Web connections and suggests a more secure solution
With the advent of public-key infrastructure and other secure connection
initiatives, most federal World Wide Web administrators have started working
out how to incorporate Secure Sockets Layer (SSL) and digital certificates
into their sites.
Use of such tools will keep information transmitted between the Web
server and the user's browser encrypted. It helps make for a more secure
site, especially when it comes to forms that ask users to input such information
as names, passwords and Social Security numbers.
However, often overlooked is a connection that also should be secured
with encryption: the internal connection used to revise pages on the Web
server using File Transfer Protocol.
With the growing complexity of Web sites, it has become prevalent to
use what some call pagemasters. These are people who are responsible for
maintaining a particular page or group of pages on a Web site. Delegating
work to pagemasters leaves the Webmaster free to perform daily systems administration
duties. However, pagemasters often are not located in the same room or building/state/country
as the Web server, and thus they use FTP to upload and download files.
The use of FTP is common, but did you know that it sends the user's
name and password in the clear? Anyone with a simple port sniffer will be
able to gain access to your Web server by capturing the log-ins from FTP
users.
What can be done? People still need to get files up to the server. Enter
the Secure Shell (SSH) and its utilities.
SSH is an encrypted connection to a remote host running an SSH server.
It gives you the ability to log on to a system with an encrypted session
so that everything — your name and password as well as your keystrokes — are unreadable by any sniffer.
One of the handy tools that comes with most SSH implementations is a
secure copy tool, usually called SCP. SCP will let you transfer files from
one computer to another over an encrypted connection. So whenever content
managers update Web pages, they can send the files to the Web server knowing
that their user names and passwords are relatively safe.
The Unix world has had SSH servers and clients for a while, but over
the past few years these tools have become available for the Windows and
MacOS platforms. There are free ones as well as commercial products, which
usually run about $100 for the clients.
Having an encrypted connection to your server is a good thing, but you
have to take into account any other ways people might access your system.
Using an SSH/SCP option for file transfers will greatly aid in the securing
of your server and help keep your site off the Attrition.org list of pages
that have been hacked.
—Klemmer is a senior Unix system administrator and security analyst
at the Strategic and Advanced Computing Center at Army headquarters. He
can be reached at joe.klemmer@us.army.mil.
NEXT STORY: Review: PC tablet not a cure-all