@OAlm
Last active August 29, 2015 14:00
Lecture 6 - web security (Olli Alm)

1) What bad could happen when security fails?

  • losing your credentials
  • losing sensitive data: passwords, usernames, addresses (= a database stolen from an organization)
  • losing personal, sensitive information (e.g. revealing that you are on holiday, after which everything gets stolen from your home) (to put it simply: losing money)
  • "false identity" --> someone using your social security id / credit card
  • governmental / municipal information might be sensitive: e.g. information on social welfare & medical records
  • denial-of-service attack --> service down
  • social aspects of the web: misuse of public information
  • losing your business!

2) Technology perspective, server administration

  • how to secure the information?
  • securing the data
    • data encryption: securing all the information stored in a server
    • data backups(!)
    • data replication --> performance, safety
    • security threat: insecure user interface, user interaction
      • form / input field validation
    • firewall (!): inspecting and blocking the connections to the organization network
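The "form / input field validation" point above, as an added example (not part of the lecture notes): a server-side check of a constructed signup form. Each field is first checked for type and length, then matched against an allowlist pattern that describes what a valid value looks like, and the numeric field is converted and range-checked rather than trusted as text. The field names, patterns and limits are assumptions chosen for the demo.

```python
import re

# Allowlist patterns: describe exactly what a valid value looks like, instead of
# trying to blocklist "dangerous" characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
MAX_FIELD_LEN = 254                       # assumed upper bound for any field

FIELD_RULES = {
    "username": "3 to 16 characters: lowercase letters, digits or '_', starting with a letter",
    "email": "must look like user@host.tld",
    "age": "must be a whole number between 13 and 120",
}


def validate_signup_form(form: dict) -> dict:
    """Server-side check of a submitted form (constructed example).
    Returns {field: error message}; an empty dict means every field is acceptable."""
    errors = {}

    for field in ("username", "email", "age"):
        value = form.get(field)
        # Reject wrong types and oversized input before any pattern matching.
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            errors[field] = "missing or too long"
    if errors:
        return errors

    if not USERNAME_RE.fullmatch(form["username"]):
        errors["username"] = FIELD_RULES["username"]
    if not EMAIL_RE.fullmatch(form["email"]):
        errors["email"] = FIELD_RULES["email"]
    try:
        age = int(form["age"])            # convert, then check the range as a number
    except ValueError:
        errors["age"] = FIELD_RULES["age"]
    else:
        if not 13 <= age <= 120:
            errors["age"] = FIELD_RULES["age"]
    return errors


if __name__ == "__main__":
    # Constructed inputs: one clean submission and one that fails every rule.
    print(validate_signup_form({"username": "olli_42", "email": "olli@example.com", "age": "30"}))
    print(validate_signup_form({"username": "olli; DROP TABLE users--",
                                "email": "not-an-address", "age": "thirty"}))
```

The check runs on the server regardless of what the browser-side form already did, because the user interface is the part of the system the user fully controls.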

securing the connections

  • HTTPS: HTTP secure
    • encrypting the connection
    • two parts you should know:
      1. who are you communicating with?
        • certificates, provided by a certificate authority (CA)
        • CA: a trusted third party that vouches that a website is known and really is the one it claims to be
      2. how to communicate in a secure way
        • web cryptography
        • public key infrastructure (PKI)
          • public key + private key
          • private key: your own secret
          • public key: counterpart, shared public identifier for the private key
          • SECRET MESSAGING (metaphor: public mailbox):
            1. encrypt message with public key
            2. encrypted message can be decrypted / opened ONLY with the corresponding private key
          • DIGITAL SIGNATURE (hot wax for sealing an envelope):
            • how to prove the authenticity of a message?
            1. encrypt message with private key
            2. decrypt with public key
            • if decryption is possible, message was sent by the one having the (corresponding) private key
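Both operations from the notes above (secret messaging with the public key, digital signature with the private key), as an added example that is not part of the lecture notes: textbook RSA with tiny hard-coded primes, which shows the mechanics but is far too small to protect anything. The key sizes, the sample message and the choice to sign a SHA-256 digest of the message rather than the message itself are assumptions made for the demo.

```python
import hashlib
from math import gcd


def generate_toy_keypair(p=61, q=53, e=17):
    """Textbook RSA with tiny, hard-coded primes (demo only).
    Returns (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q                      # modulus, shared by both keys
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent: inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: int) -> int:
    """Secret messaging, step 1: anyone can drop a message into the
    public mailbox using the public key."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(message, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """Secret messaging, step 2: only the holder of the matching private key
    can open the mailbox."""
    n, d = private_key
    return pow(ciphertext, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign a fixed-size hash of the message instead of the raw message.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Digital signature, step 1: 'encrypt' the message digest with the private key."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Digital signature, step 2: 'decrypt' with the public key and compare.
    A match means whoever signed held the matching private key."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    pub, priv = generate_toy_keypair()
    c = encrypt(pub, 65)
    print("ciphertext:", c, "-> decrypted:", decrypt(priv, c))
    msg = b"transfer 100 EUR to account X"       # constructed sample message
    sig = sign(priv, msg)
    print("signature valid:", verify(pub, msg, sig))
    print("altered signature valid:", verify(pub, msg, sig ^ 1))
```

Flipping one bit of the signature makes verification fail: raising to the power e is a bijection modulo n, so any other value decrypts to a different digest. Real deployments add padding, use 2048-bit or larger moduli and rely on a vetted library rather than this arithmetic.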

Practical applications of the public/private key framework

  1. authentication services
  • central authentication service, CAS
  • identity provider
  2. authorization: what information is given to other parties
  • temporary access to resources, e.g. giving a mashup permission to access my Instagram photos for a day
  • protocol: OAuth
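The "access my photos for a day" idea above, as an added example that is not part of the lecture notes and not the OAuth protocol itself: a simplified model of a bearer access token that carries a scope and an expiry, signed by the authorization server with an HMAC so the resource server can tell whether the claims were altered. The secret, the user and scope names, and the timestamps are constructed for the demo; a real OAuth deployment uses a library and the standard token formats.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the authorization server's signing secret, constructed for the demo.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, scope: str, ttl_seconds: int, now: int) -> str:
    """Authorization server side: after the user consents once, hand the third
    party a token limited to `scope` that stops working at `now + ttl_seconds`."""
    claims = {"sub": user, "scope": scope, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def check_token(token: str, required_scope: str, now: int):
    """Resource server side: return the user the token belongs to, or None if
    the token is malformed, altered, expired, or lacks the required scope."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:                      # wrong shape or bad base64
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                         # tag mismatch: the claims were altered
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None                         # the granted day of access has lapsed
    if required_scope not in claims["scope"].split():
        return None                         # this action was never granted
    return claims["sub"]


if __name__ == "__main__":
    T0 = 1_700_000_000                      # constructed "now"
    tok = issue_token("olli", "photos:read", 86400, T0)
    print("one hour later, read:", check_token(tok, "photos:read", T0 + 3600))
    print("one hour later, delete:", check_token(tok, "photos:delete", T0 + 3600))
    print("next day, read:", check_token(tok, "photos:read", T0 + 86400))
```

The resource server never has to ask the user again: the scope and expiry travel inside the token, and the HMAC lets it trust them without a database lookup. The two distinct refusals (wrong scope, past expiry) are what make the "for a day" and "only my photos" limits enforceable.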