Securing Web connections

FCW's DotGov Thursday column points out weaknesses in Web connections and suggests a more secure solution

With the advent of public-key infrastructure and other secure connection initiatives, most federal World Wide Web administrators have started working out how to incorporate Secure Sockets Layer (SSL) and digital certificates into their sites.

Use of such tools will keep information transmitted between the Web server and the user's browser encrypted. It helps make for a more secure site, especially when it comes to forms that ask users to input such information as names, passwords and Social Security numbers.

However, often overlooked is a connection that also should be secured with encryption: the internal connection used to revise pages on the Web server using File Transfer Protocol.

With the growing complexity of Web sites, it has become prevalent to use what some call pagemasters. These are people who are responsible for maintaining a particular page or group of pages on a Web site. Delegating work to pagemasters leaves the Webmaster free to perform daily systems administration duties. However, pagemasters often are not located in the same room or building/state/country as the Web server, and thus they use FTP to upload and download files.

The use of FTP is common, but did you know that it sends the user's name and password in the clear? Anyone with a simple packet sniffer will be able to gain access to your Web server by capturing the log-ins from FTP users.
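A defender can audit for this exposure. The following added example (not part of the original column) scans client-side lines from an FTP control channel, as they would appear in a packet capture of TCP port 21, and lists the accounts whose passwords crossed the network unencrypted so they can be rotated and moved to SCP. The capture data and all function names are constructed for illustration.

```python
from collections import namedtuple

# One finding per cleartext login; the password itself is deliberately not kept.
Finding = namedtuple("Finding", "client user")

# Anonymous FTP logins carry no real credential, so they are not reported.
ANONYMOUS_USERS = {"anonymous", "ftp"}

# Constructed sample: (client IP, command line sent by the client on port 21).
# A client that upgrades with AUTH TLS shows no later USER/PASS lines in a
# capture, because the rest of its control channel is encrypted.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "USER pagemaster1"),
    ("10.0.0.5", "PASS example-password"),
    ("10.0.0.9", "AUTH TLS"),
    ("10.0.0.7", "USER anonymous"),
    ("10.0.0.7", "PASS guest@example.org"),
    ("10.0.0.5", "STOR index.html"),
    ("10.0.0.8", "user Pagemaster2"),
    ("10.0.0.8", "pass another-example"),
]


def find_cleartext_logins(capture):
    """Return a Finding for every non-anonymous USER/PASS pair seen in the clear."""
    pending_user = {}  # client IP -> name from that client's latest USER command
    findings = []
    for client, line in capture:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()  # FTP command verbs are case-insensitive
        if verb == "USER":
            pending_user[client] = arg.strip()
        elif verb == "PASS" and client in pending_user:
            user = pending_user.pop(client)
            if user.lower() not in ANONYMOUS_USERS:
                findings.append(Finding(client, user))
    return findings


def accounts_to_rotate(capture):
    """Sorted, de-duplicated account names whose passwords should be changed."""
    return sorted({f.user for f in find_cleartext_logins(capture)})


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f"cleartext FTP login: user={finding.user} from {finding.client}")
```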

What can be done? People still need to get files up to the server. Enter the Secure Shell (SSH) and its utilities.

SSH is an encrypted connection to a remote host running an SSH server. It gives you the ability to log on to a system with an encrypted session so that everything — your name and password as well as your keystrokes — is unreadable by any sniffer.

One of the handy tools that comes with most SSH implementations is a secure copy tool, usually called SCP. SCP will let you transfer files from one computer to another over an encrypted connection. So whenever content managers update Web pages, they can send the files to the Web server knowing that their user names and passwords are relatively safe.

The Unix world has had SSH servers and clients for a while, but over the past few years these tools have become available for the Windows and MacOS platforms. There are free ones as well as commercial products, which usually run about $100 for the clients.

Having an encrypted connection to your server is a good thing, but you have to take into account any other ways people might access your system. Using an SSH/SCP option for file transfers will greatly aid in the securing of your server and help keep your site off the Attrition.org list of pages that have been hacked.

—Klemmer is a senior Unix system administrator and security analyst at the Strategic and Advanced Computing Center at Army headquarters. He can be reached at joe.klemmer@us.army.mil.
