Chapter 34

Transactions and Order Taking

by Robert Niles



Conducting business transactions and taking orders from potential customers have played a crucial role in the evolution of the World Wide Web. Today, it isn't good enough to simply display information about your products or services. Those currently using the Web want to interact with the businesses that they are considering purchasing a product from. Potential customers want to be able to do something other than just surf the Web. They want to ask questions, buy products, and receive support.

A customer's biggest concern is whether his or her personal information will be intercepted in transit and possibly used for malicious purposes. A second concern runs both ways: how can the customer and the business each be sure that the other is who it claims to be?

Client Security

While it's difficult for the individual sitting behind the computer to ensure that his or her private information isn't intercepted as it travels across the Net, there are a few things he or she can do to keep personal information personal. The computer you sit in front of is the most convenient place for someone with ill intentions to get at your private information.

Proxy Servers

Proxy servers mainly act as a gateway between a local network and the rest of the Net, limiting access to selected areas.

Most Web browsers can be configured to run through a proxy server. To do this using Netscape, follow these steps:

  1. Select Options, Network Preferences. A dialog box will then appear.
  2. Select the proxies tab located near the top of the dialog box.
  3. Within the dialog box, you should see three options. Select Manual Proxy Configuration.
  4. Click the View button, located to the right of the Manual Proxy Configuration widget.

A window is displayed for you to enter the server and port number of a proxy (see Figure 34.1).

Figure 34.1 : Netscape allows you to enter proxies for each service.

Your main concern when using proxy servers is to ensure that you are using trusted proxies. Proxy servers log all sorts of information, and can do a wide variety of things, some of which can be detrimental.

TIP
For an example of a proxy server that manipulates information:
Server: www.2d.org, port 9002, or try port 9004.
To use these, set up your browser as outlined in the preceding numbered steps, adding the host name www.2d.org and either of the port numbers given, then view any Web page. To see the full effect of this proxy server, view a Web page with lots of text!
Don't worry, neither of these is harmful, but they do show a small portion of what a proxy server can do.

Microsoft's Internet Explorer (MSIE) version 3.0 allows you to do this as well. To configure MSIE to use a proxy server, select View, Options.

Next, click the Connection tab, and then click the Connect Through a Proxy Server widget. Now, click the Settings button. As you can see in Figure 34.2, a dialog box is displayed, and you can enter any proxy servers needed.

Figure 34.2 : Microsoft's Internet Explorer allows you to configure your browser to use a proxy server.

Helper Applications

Another area in which you can be exploited is through helper applications. A helper application is an external program that the Web browser hands certain file types to. For example, if you click an MPEG video, your browser automatically loads the MPEG viewer, if configured to do so. Figure 34.3 shows the dialog box for Netscape, and Figure 34.4 shows the helper application box for MSIE version 3.0.

Figure 34.3 : Helper applications are external programs that can be used to enhance your browser's capabilities.

Figure 34.4 : Microsoft's Internet Explorer allows you to configure helper applications as well.

The problem lies with the fact that you can configure your Web browser to load up Word documents and Excel files, which both can use macros. Macros are quite useful, but macros can also be configured to do malicious things. The Word Concept virus is one example of a macro gone bad. The Word Concept virus is activated by simply viewing a Word document.

Not all helper applications have the potential to compromise your system. For example, none of the programs that allow you to view images or movies can run macros, or other programs that can damage your system. Just be careful, and know what each helper application does before using it.

Passwords

The easiest way for someone to gain access to your private information, accounts, and e-mail is by sitting in front of your computer. How many times have you gotten up from your computer to socialize, work on a project elsewhere, or simply go to the bathroom? By leaving your computer, even for a short period of time, someone else can gain access to a wide variety of personal information.

There are ways to prevent this. Use a screen saver that requires a password. If you leave your desk for a minute or two, the screen saver activates, and then requires a password to get back in. Microsoft Windows allows you to do this within the display configuration program (see Figure 34.5).

Figure 34.5 : Using the password feature on the Windows 95 display configuration screen, you can prevent unwanted access.

If possible, configure your Web browser to require a password. Netscape 3.0 has this feature. To make Netscape require a password, select Options, Security Preferences, and click the Passwords tab. If this is the first time you have entered a password, a window pops up with a Set Password button. After the first time, there is a Change Password button and three additional options that allow you to specify when a password entry is required (see Figure 34.6). Your choices are as follows:

Figure 34.6 : You have three options for when to require a password entry.

Server Security

The server can create security problems if it has been configured poorly. Consider the amount of information a server deals with: IP addresses of those connecting, documents on the server side that aren't meant for everyone's eyes, and the capability to run CGI scripts that can allow someone to gain access to system functions.

Securing Web Documents

Most Web servers allow you to limit access to documents by requiring a username and password, so that a visitor to your site cannot read the documents placed in a particular directory. You do this by editing the SERVERROOT/conf/access.conf file for the NCSA server, or the SERVERROOT/conf/httpd.conf file for the Apache Web server. You can also control access to a directory by creating and editing a file called .htaccess. The .htaccess file is a text file that you create and place in the directory itself; in it you specify access limitations based on passwords, IP addresses, host names, and so on.

TIP
By using an .htaccess file, you can change access specifications without having to restart the server, as you would if you edited the access.conf or httpd.conf files.

Controlling access requires the use of the <Directory> directive. Within the <Directory> and </Directory> tags you can enter directives that allow you to control access to that directory. The following is an example, where the directory /usr/local/etc/httpd/htdocs/private requires a password:

<Directory /usr/local/etc/httpd/htdocs/private>
AuthType Basic
AuthName "Shareware CGI"
AuthUserFile /usr/local/etc/httpd/conf/.htpasswd
AuthGroupFile /usr/local/etc/httpd/conf/.htgroup
# Without a require directive inside <Limit>, the server never asks for a password
<Limit GET POST>
require valid-user
</Limit>
</Directory>

NOTE
The .Htaccess file doesn't use the <Directory> and </Directory> tags since the .Htaccess file only provides directives for the directory it is currently in. However, all directives apply

ON THE WEB
http://hoohoo.ncsa.uiuc.edu/  This site is the home of the NCSA Web server, providing the complete documentation that will help you configure the NCSA server

First, the <Directory> tag is required along with the path of the directory that is being controlled. The next line is the authorization type. Currently, only Basic is supported with the NCSA Web server.

The AuthName directive gives a name to the area the visitor is trying to enter; the browser displays this name in its Username and Password dialog box so the user knows which credentials are being asked for. An example of this can be seen in Figure 34.7.

Figure 34.7 : One way to protect your documents from viewing is to require a user name and password to access your Web pages.

The AuthUserFile is the file that contains the user names and passwords, one per line, with the user name and password separated by a colon. The password is stored in hashed (crypt) form rather than as clear text, so the passwords cannot simply be read from the file. The following is an example of what the .htpasswd file looks like:

rniles:X1DyzmyD8BKNw
test1:GyZXdE/sVS82c
test2:jjSF/S5W43Q6Y

The AuthGroupFile directive gives the path and file name of the text file that lists the groups that may be granted access, with the members of each group. An example of such a file looks something like this:

Admin:joe fred barney
RD:mike sam greg
Finance:sara melissa george

The AuthGroupFile directive isn't required. If you don't want to use it, point AuthGroupFile at the null device, like so:

AuthGroupFile /dev/null

You can also control access by only allowing those from a particular domain name or IP address. This is done using the Limit tag and the allow and deny directives. The following example limits access to the /usr/local/etc/httpd/htdocs/private directory:

<Directory /usr/local/etc/httpd/htdocs/private>
<Limit GET POST>
order deny,allow
deny from all
allow from 204.182.131.
</Limit>
</Directory>

The server checks the deny directive first, which in this case denies access to everyone. Next it checks the allow directive, which in this example admits anyone whose IP address begins with 204.182.131. (that is, any host on that network). Because the order is deny,allow, a matching allow overrides the deny.
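Here is a small model of the evaluation just described, written as an added example for this chapter rather than code taken from the NCSA or Apache servers. It parses the chapter's <Limit> block, applies the deny-then-allow rule to a client address, and also shows the order allow,deny case, whose default is to deny, so a block with no allow directive at all locks everyone out. The function names and the second, constructed configuration are assumptions for the example.

```python
"""Model of how NCSA httpd and Apache 1.x evaluate 'order', 'deny from' and
'allow from' inside a <Limit> block. Added example, not the chapter's or the
servers' own code; it assumes the pattern forms those servers accepted: 'all',
a full or partial IP address (204.182.131.) and a host or domain name."""
import re
from dataclasses import dataclass, field


@dataclass
class LimitRules:
    order: str = "deny,allow"                  # "deny,allow" or "allow,deny"
    deny: list = field(default_factory=list)   # patterns from 'deny from'
    allow: list = field(default_factory=list)  # patterns from 'allow from'


def parse_limit(config_text):
    """Collect order/deny/allow directives from a <Directory> or <Limit> fragment."""
    rules = LimitRules()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue                           # tags and comments carry no rule
        words = line.split()
        key = words[0].lower()
        if key == "order":
            rules.order = "".join(words[1:]).lower()
        elif key in ("deny", "allow") and len(words) > 2 and words[1].lower() == "from":
            getattr(rules, key).extend(w.lower() for w in words[2:])
    return rules


def pattern_matches(pattern, ip, hostname):
    """'all', an IP prefix such as 204.182.131., or a domain such as .selah.net."""
    p = pattern.lower()
    if p == "all":
        return True
    if re.fullmatch(r"[0-9.]+", p):           # full or partial dotted address
        prefix = p if p.endswith(".") else p + "."
        return ip == p or ip.startswith(prefix)
    domain = p.lstrip(".")                     # host name or any host under the domain
    h = hostname.lower()
    return h == domain or h.endswith("." + domain)


def access_allowed(rules, ip, hostname=""):
    """The second name in 'order' gets the last word, and the default for a
    client matching neither list depends on which order was chosen."""
    denied = any(pattern_matches(p, ip, hostname) for p in rules.deny)
    allowed = any(pattern_matches(p, ip, hostname) for p in rules.allow)
    if rules.order == "deny,allow":
        return allowed or not denied           # unmatched clients are let in
    if rules.order == "allow,deny":
        return allowed and not denied          # unmatched clients are refused
    raise ValueError("unknown order: " + rules.order)


def check(config_text, ip, hostname=""):
    return access_allowed(parse_limit(config_text), ip, hostname)


# The chapter's own block: refuse everyone except the 204.182.131.* network.
CHAPTER_LIMIT = """
<Directory /usr/local/etc/httpd/htdocs/private>
<Limit GET POST>
order deny,allow
deny from all
allow from 204.182.131.
</Limit>
</Directory>
"""

# Constructed for contrast: 'order allow,deny' with no allow directive at all
# defaults to deny, so this block shuts out every client, not just 10.*.
LOCKOUT_LIMIT = """
<Limit GET POST>
order allow,deny
deny from 10.
</Limit>
"""

if __name__ == "__main__":
    for addr in ("204.182.131.5", "10.0.0.7"):
        print(addr, "->", "allowed" if check(CHAPTER_LIMIT, addr) else "denied")
```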

We have just talked about how you can control access to your documents from those on the outside trying to view your documents. But what about those on the inside?

Most administrators understand how to control access from the outside but forget that there is also a possible threat from the inside, that is, from those who have legitimate accounts on the host from which the Web documents are served.

A typical Web server is set up so that the Web server process runs as the user nobody. The idea is that if someone circumvents the security of the Web server, he doesn't gain access to much, because the user nobody doesn't usually have permission to do many things. But if jdoe places an HTML file that he would like password protected into the private directory, he has to make the file readable by other (world-readable) so that the server, running as nobody, can read it.

By doing this, anyone who has valid access to that site can also read that private file. In most cases, this poses no problem, but if, for example, you don't want the R&D group to have access to the Finance group's files, then this certainly does pose a problem.

A simple way to get around this is to assign the owner of that file to the user name that is used by the Web server, create various groups, and assign that file to the particular group in which it belongs.

For example, suppose we have a file, payrate.html, that the Finance group needs access to but that everyone else should not be able to read. If the Web server runs as nobody, we create a group called finance, make nobody the owner of the file and finance its group, and remove all access for everyone else. Take a look at the following line:

-r--rw----  1 nobody  finance  241 Feb 29  1996 payrate.html

This shows that the user nobody can read the file payrate.html, the group finance can read and write the file, and no one else has any access to the file at all.
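The following is an added audit script, not from the chapter, that walks a document tree and reports files under a password-protected directory (one containing a .htaccess file) that are still readable by every local account, then applies the owner-and-group mode shown above to one of them. The directory layout it builds is constructed for the example, and because only root can chown a file to nobody, it changes the mode bits only.

```python
"""Audit a document tree for the inside exposure described above: files in a
password-protected directory (one holding .htaccess) that any local account
can read straight off the disk. Added example, not from the chapter; it
assumes Unix mode bits as reported by os.stat."""
import os
import stat
import tempfile


def protected_dirs(root):
    """Directories covered by an .htaccess file, their own or a parent's."""
    protected = set()
    for dirpath, _dirnames, filenames in os.walk(root):   # top-down: parents first
        if ".htaccess" in filenames or os.path.dirname(dirpath) in protected:
            protected.add(dirpath)
    return protected


def world_readable_in_protected(root):
    """Return (relative path, mode string) for files the Web server guards with
    a password but which carry the 'other' read bit and so are open locally."""
    root = os.path.normpath(root)
    findings = []
    for dirpath in sorted(protected_dirs(root)):
        for name in sorted(os.listdir(dirpath)):
            if name.startswith(".ht"):         # the control files themselves must be
                continue                       # readable by the server user; skip them
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                findings.append((os.path.relpath(path, root), stat.filemode(st.st_mode)))
    return findings


def restrict_to_group(root, rel):
    """Apply the chapter's -r--rw---- layout: owner (the server user) reads, the
    group reads and writes, nobody else has access. Ownership is left alone
    because only root may chown a file to nobody; set it with chown/chgrp."""
    path = os.path.join(root, rel)
    os.chmod(path, 0o460)
    return stat.filemode(os.stat(path).st_mode)


def build_demo_tree():
    """Constructed htdocs: a public page, and a protected directory holding one
    world-readable file (the problem) and one already limited to owner+group."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    os.mkdir(os.path.join(root, "private"))
    layout = (("index.html", 0o644), ("private/.htaccess", 0o644),
              ("private/payrate.html", 0o644), ("private/budget.html", 0o460))
    for rel, mode in layout:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<html></html>\n")
        os.chmod(path, mode)              # explicit chmod so the umask does not interfere
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, mode in world_readable_in_protected(root):
        print("exposed:", mode, rel)
        print("now:    ", restrict_to_group(root, rel), rel)
```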

CGI Scripts

Poorly written CGI scripts can also create problems. On a site where many people use, and possibly install, their own CGI scripts, small security holes can be created by mistake. While Chapter 35, "CGI Security," covers security problems with CGI scripts in more detail, the following are some of the basics:

Firewalls

A firewall is a hardware or software solution that controls access to your internal network from the Internet or vice versa (see Figure 34.8). A firewall can also be used to separate various parts of a network, so that, for instance, the R&D division doesn't gain access to the Finance division, and so on. Using a firewall helps businesses control what kind of information can enter or leave a site. How a firewall is set up depends solely on your company's policy on security.

Figure 34.8 : By using a firewall you can protect your network from those on the outside.

There are many ways to set up a firewall, and how you go about it depends most on what you want to protect. One of the easiest ways to set up a firewall is by using a site through which all other sites have to go to gain access to the Internet, or through which those on the Internet have to go to gain access to your network. Using this method, you can easily control what type of information can come into or go out from the network.

This is easily illustrated through the use of HTTP proxy servers. The proxy server sits on the firewall and those on the internal network can only gain access to the outside through the use of the proxy server. When you do this, you can control, or log, what type of information is sent or received.

Connection Security

Probably the hardest facet of Internet security is connection security. Anyone along the path on which your packets are sent can sit there and use a program to sniff TCP/IP packets. These programs, usually called packet sniffers, capture the packets that pass by them and log their contents. If you send your credit card information in plain text over the Web, it can easily be intercepted as well.

Another problem is that these packet sniffers are easy to obtain. In fact, Windows NT comes with one. Others can be found on the Internet. One such program is called sniffit. Sniffit can intercept and log any information that hits a network. Here's an example of a packet that has been intercepted using sniffit:

POST /cgi-bin/mailform.cgi HTTP/1.0
Referer: http://www.selah.net/cgiform.html
Connection: Keep-Alive
User-Agent: Mozilla/3.0b7 (Win95; I)
Host: www.selah.net
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Content-type: application/x-www-form-urlencoded
Content-length: 283
mailformToEmail=rniles@imtired.selah.net&mailformToName=Robert+Niles&mail
formURL=http%3A%2F%2Fwww.selah.net%2Fthanks.html&mailformFrom
Name=Some+One&mailformFromEmail=someone@somewhere.com&mailformSubject
=Comments%2C+Questions&Message=+This+will+show+what+sniffit+can+
intercept.%0D%0At.%0D%0A

This example certainly looks like a jumbled mess, but it's quite readable. The only effective way around this is to secure the transaction.

Securing Transactions

One of the major drawbacks to commerce on the Net today is the inability to securely transmit personal information, like your credit card number, across the Net. While it might be a lot easier for a malicious person to get your credit card number by digging through your garbage can, it's not terribly difficult to intercept this information on the Net. Two standards have been introduced that will help ensure that your personal information remains private.

Secure Electronic Transactions (SET)

SET was introduced in June of 1996 by Visa and Mastercard along with Netscape, Microsoft, Verisign, Terisa Systems, and others to provide a method by which credit card information can be sent and validated. SET has been proposed as an open industry standard.

Currently SET is being tested to ensure the interoperability between various credit card infrastructures and to ensure that various browsers can incorporate SET easily. It is estimated that SET should be available for use in early 1997.

ON THE WEB
http://www.visa.com/cgi-bin/vee/sf/standard.html  Visit the VISA Web site for more information on SET

Using SSL

SSL, or Secure Sockets Layer, was originally developed by Netscape Communications Corporation in conjunction with RSA Data Security.

SSL uses a special "handshake" protocol that allows the server and client to authenticate each other, agree on an encryption algorithm, and establish the cryptographic keys for the session. This protocol accomplishes the following three things:

Currently, most Web servers support SSL. Microsoft's Internet Information Server, Netscape's Commerce Server, and the Apache Stronghold Server are just a few that support SSL. As well, there are a few clients that support SSL, such as Netscape 3.0 and higher, and Microsoft's Internet Explorer version 3.0.

When you connect to a site, you can be sure that the site is who it says it is because SSL uses digital certificates issued by a Certificate Authority, commonly known as a CA. Previously, digital certificates were issued only for Web servers, but there was also a need to verify that the person visiting a Web page was who he or she claimed to be. To meet that need, a method was devised to issue client certificates.

Client Certificates  Verisign, a leading certificate authority, recently started allowing individuals to obtain client certificates. These certificates are referred to as digital IDs (see Figure 34.9).

Figure 34.9 : Digital IDs issued by Verisign help ensure that those visiting your site are who they say they are. An individual can choose from three different classes, each of which varies in the amount of verification.

The easiest and cheapest is a Class 1 digital ID. Normally a Class 1 digital ID costs $6 per year, but Verisign is currently giving them away for free. The Class 1 ID verifies only that the person requesting the certificate can use the e-mail address entered by the user.

The Class 2 client certificate requires that the visitor enter some personal information, which is checked against EquiFax, a nationwide credit reporting company. A Class 2 client certificate costs $12 per year.

A Class 3 client certificate requires that you be present in front of a notary, and mail the certificate request to Verisign. A Class 3 certificate costs $24 per year.

Browsers Supporting Certificates  Currently only Netscape 3.0 and Microsoft's Internet Explorer support client certificates, although other browsers are sure to follow suit.

How to Obtain a Certificate  The latest versions of Netscape and MSIE allow you to obtain a certificate through their pull-down menus. Simply follow these steps:

In Netscape, go to Options and then select Security Preferences. A dialog box is displayed. Click the Personal Certificates tab, and then click Obtain New Certificate. Netscape will bring up another Netscape window that introduces you to client certificates and provides you with a link to Verisign.

To obtain a client certificate using Microsoft's Internet Explorer, go to

http://www.microsoft.com/intdev/security/capage-f.htm

Click the linked text, Enroll. You are immediately sent to Verisign's Web page, from which you can select the digital ID class required. If you choose a Class 1 certificate, you are sent to a page where you need to fill out your name, e-mail address, and a pass phrase that is used if you need to make any changes to your certificate. Follow the links to complete the process. After you finish the first phase, you are e-mailed a verification of your request, along with a verification code and a URL where you need to go to finalize your request.

Using either Web browser, you can look at your personal certificate after the process is complete. Figure 34.10 shows you an example of such a certificate.

Figure 34.10 : The Class 1 client certificate verifies that the e-mail address really belongs to you.

Server Certificates  Just as client certificates help verify that the visitor to your site is who he or she claims to be, server certificates, used in conjunction with a server that supports the Secure Sockets Layer (SSL), do the same for potential customers; they let visitors know that you are who you say you are.

Servers Supporting Certificates  Almost every Web server supports SSL, and thus requires a digital certificate for encrypted transmission of information. Following is a list of some of the most popular Web servers using SSL:

Netscape Communications Corporation
Microsoft Information Server
QuarterDeck
Open Market
The Internet Factory Commerce Server
IBM Connection Servers
Apache-SSL-US
Apache Stronghold
AOL Internet Server
WebSite server
Lotus Domino Server
Oracle Web Server
OneServer
FTP Software Server
SPRY Safety Web server
Purveyor Web Server
Sioux Server
Alibaba Server
LuckMan Web Commander
Dynamo Server
Radnet Server
S2 Server
NetCentric Server
GLACI Web Server

How to Obtain a Certificate  The first thing you need to do to obtain a digital certificate is to find a CA. Two of the more popular Certificate Authorities in the USA are Verisign and Thawte Consulting.

A certificate issued by Verisign costs $290 for your first certificate, plus $95 for any additional certificate for your organization. The issued certificate is good for one year, and it costs $75 to renew the certificate.

ON THE WEB
http://www.verisign.com/enroll.s/payment.html  This site will provide you with the latest pricing information on server certificates

Thawte Consulting charges a flat rate of $100 per year for each certificate, and the renewal fee is $100.

ON THE WEB
http://www.thawte.com/ This site will provide more information on obtaining a certificate along with current pricing

After you have decided on a Certificate Authority, you need to enroll with the company you have chosen. Both Verisign and Thawte have an online registration process that you can use to receive your certificate.

Existing Services

While SSL might be prohibitive in cost or convenience, and while SET most likely will not be in use by consumers until the spring or summer of 1997, several services already exist that may help you conduct business transactions on the World Wide Web.

Each of these services varies in how the consumer's credit card, or other personal information, is delivered to your virtual place of business. Some use virtual money, which allows the user to buy items with an electronic wallet, while others store information provided by the consumer on a secure site, which allows a customer to simply enter an identification number, or code, when purchasing a product. This section takes a look at some of the most common methods already in place to process orders and conduct business transactions on-line.

CyberCash

CyberCash, Inc. was founded in August 1994 by Bill Melton, Dan Lynch, Steve Crocker, Magdalena Yesil, and Bruce Wilson. The goal was to provide a method with which people could purchase products over the Internet in a secure manner.

CyberCash consists of a helper application known as a CyberCash wallet. When you decide on a product and select Pay, information about your credit card (or other payment method) is sent in encrypted form to the merchant, who takes the order and routes the information from your wallet on to CyberCash. CyberCash then decrypts the information and forwards your request to the merchant's bank via preexisting lines. The merchant's bank then contacts the credit card's issuing bank for approval. The approval or denial is sent back to the merchant through CyberCash, and on to the purchaser.

All this takes roughly 20 seconds, and the merchant never sees the credit card information. Since your "wallet" is a helper application, the program runs independently of the browser you use.

ON THE WEB
http://www.cybercash.com/  Find out more about CyberCash and how you can utilize this service by visiting its Web page

DigiCash

DigiCash, Inc. in Amsterdam has created an online payment system called e-cash. This system runs as a client-server process in which the purchaser stores digital coins on his or her hard drive.

The user first opens an account with a participating bank and downloads the e-cash client software. Through the client, the user accesses the account and withdraws digital coins, in effect money debited from the account. When the user selects an item to purchase, the merchant's server queries the user's client. The client displays a window asking whether it is authorized to pay the merchant the amount specified. If so, the digital coins are "removed" from the hard drive and handed over. The merchant can take this payment and deposit it in its bank account.

All this is done so that the client and the server (in effect the buyer and the seller) don't keep track of who the other one is.

ON THE WEB
http://www.digicash.com  See the DigiCash home page for more information about this service, and what you need to do to participate in this program

First Virtual

First Virtual Holdings, Inc. has created First Virtual, a system in which people can buy goods over the Internet. To do so, you have to set up an account with First Virtual, entering your name, address, and so on. Next, you are instructed via e-mail how to contact First Virtual by telephone, where you give your credit card information. A seller has to send his bank account information (for deposits to his account) via postal mail.

After the initial process is complete, the buyer can purchase products on the Net at participating First Virtual shops.

First Virtual's method of sending credit card information over the telephone helps ensure that your credit card number isn't broadcast over the Net. At the same time, there is no need for encryption of any sort.

When you decide to purchase an item, you are asked for your First Virtual PIN (Personal Identification Number). The seller takes that information and forwards it to First Virtual along with the amount to charge your credit card. First Virtual, before any money is charged against the consumer, contacts the customer via e-mail, and the customer must confirm the request.

If confirmed, First Virtual charges the buyer's account, and informs the seller that the transaction has been approved.

The seller then ships off the product ordered by the buyer.

ON THE WEB
http://www.fv.com/  For more information on First Virtual and how you can participate in this program visit them on their Web page

The Future of Business Transactions

It's hard to say what the future of Web commerce has in store for both buyers and sellers of goods and services. The only certainty is that the amount of goods bought and sold on the Internet is going to increase enormously.

With the World Wide Web's easy-to-use interface, and with the cost of buying computers and getting them online decreasing, it's quite certain that people are going to want to use the Internet as something more than a tool for just browsing around.

For this to happen, though, the following things need to be in place:

While the technology exists to do most of these things, there is no standard, and frankly, we have a ways to go. But as things have changed drastically in the last six months, I'm sure that things will change even faster in the next six months.

It's presumed that by the year 2000, billions of dollars will be floating across the Internet as more and more people are purchasing goods from the convenience of their homes.