ch30.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,283 行 · 第 1/5 页

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 30 -- Languages, Extensions, and Security</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch29/ch29.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch31/ch31.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">30</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Languages, Extensions, and Security</FONT></H1>
</CENTER>
<P>This chapter examines the relationship between languages, extensions, and security.
Traditionally, the term <I>language</I> refers (in the computer world) to some form
of computer language, a set of common instructions that when properly assembled,
create a program or application. Most users are well aware of at least one computer
language: BASIC, Pascal, FORTRAN, C, C++, and so on. Such languages are traditionally
understood to be <I>real</I> languages because one can construct a program with them
that can thereafter run generally without need of external support from an interpreter.
<H2><FONT COLOR="#000077"><B>Language</B></FONT></H2>
<P>So much for tradition. Today, the climate is different. For example, the popularity
of <I>shell</I> languages, which are used primarily on the UNIX platform, has greatly
increased. They are written in a syntax that meets the requirements of the shell
or command interpreter of the given platform. These languages cannot create entirely
standalone programs that execute without a command interpreter, yet these languages
have become vastly popular. A programmer who can proficiently program in such a language
is almost guaranteed to land a job somewhere.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>For MS-DOS and Windows users who
	have never worked on a UNIX platform: Shell language programs can be likened to large
	batch files. They are composed of various regular expression operations, pipes, re-directs,
	system calls, and so forth. 
<HR>


</BLOCKQUOTE>

<P>As such, these languages stretch the definition of language itself. For even though
these programs cannot run without assistance from the underlying system, they are
indeed full-fledged programs that can and often do run various services and functions
on the Internet.</P>
<P>Similarly, there are interpreted languages such as Perl that offer extreme power
to the user. These can often interface not just with their own interpreter, but with
various shell languages and system calls. They can even be nested within other language
constructs. A typical example would be a Perl script nested within a TCL script or
within a C program. These are bona fide languages that cross the barriers (or perhaps
bridge the gaps) between one or more real languages.</P>
<P>But where does the definition of language stop? For example, Hypertext Markup
Language (HTML) is a language, even though it is completely useless unless interpreted
by a hypertext reader (Navigator, Internet Explorer, Grail, Arena, Lynx, Opera, Powerbrowser,
Netcruiser, and so forth). True, HTML is a language, but its application is limited
(PostScript stands in a similar light).</P>
<P>JavaScript and VBScript are languages that actually stand squarely between Perl
and HTML. JavaScript and VBScript perform only a limited set of tasks. They are designed
to be interpreted by the browser, true, but unlike HTML, these languages perform
tasks dynamically (examples include getting and processing variables to perform a
calculation or other process). It is likely that in order to create a fully functional
and dynamic Web-page environment, you will use a combination of languages.</P>
<P>That said, for the purpose of this chapter, a language is any set of instructions
that can perform more than simple display processes, dynamically and without user
intervention (that is, any set of instructions that could potentially automate a
task).
<H2><FONT COLOR="#000077"><B>Extensions</B></FONT></H2>
<P>In contrast, an <I>extension</I> is any set of instructions, declarations, or
statements that formulate one application of a particular language. Extensions are
elements of (or designed to enhance) a particular language. Most commonly, the term
<I>extensions</I> refers to HTML extensions, the majority of which are proprietary.</P>
<P>For example, consider the use of tables in HTML. Tables are extensions. They are
statements that alter the face of a Web page. The use of tables is becoming more
common because tables provide near-pixel-perfect control of the Web page's appearance.
Extremely high-end Web development packages use tables to offer almost word-processor
control of your Web page's look and feel. Fusion by NetObjects is an example of this
phenomenon. In a WYSIWYG environment, the user can place pictures, text, sound, or
video anywhere on the page. Tables mathematically plot out the location. The final
result is accomplished by using invisible table structures that surround the object
in question, thus giving the appearance of free-form location of the object. Fusion
by NetObjects is often referred to as the <I>&quot;</I>PageMaker of the WWW.&quot;</P>
<P>Perhaps the easiest way to grasp the concept of extensions is to understand that
they are statements that <I>extend</I> the originally intended implementation of
HTML. These are new features, often proposed by proprietary entities such as Netscape
or Microsoft. Most extensions are designed to enhance the surfer's experience by
offering more dynamic visual or multimedia content. These are proprietary and only
work in browsers designed to read them.
<H3><FONT COLOR="#000077"><B>HTML</B></FONT></H3>
<P>On the surface, it sounds silly. HTML is a non-dynamic language that cannot serve
a purpose unless read by a browser. How could it possibly have security implications?
Well, it does. To understand why and what measures are being undertaken to address
those implications, consider the original idea behind HTML. The intended purpose
was to provide a platform-independent method of distributing data. It so happens
that this original implementation was intended for use with plain (clear) text. At
its most simple, then, a Web page consists of clear text. Examine the following HTML
code:</P>
<PRE><FONT COLOR="#0066FF">&lt;HTML&gt;
&lt;HEAD&gt;
&lt;/HEAD&gt;
&lt;BODY&gt;
&lt;P &gt;This is a page&lt;/P&gt;
&lt;/BODY&gt;
&lt;/HTML&gt;
</FONT></PRE>
<P>Pretty simple stuff. This HTML does no more than print a page that says <TT>This
is a page</TT>. No extensions are used; the page would be boring. However, we <I>could</I>
add an extension to change the background color to white:</P>
<PRE><FONT COLOR="#0066FF">&lt;HTML&gt;
&lt;HEAD&gt;
&lt;/HEAD&gt;
&lt;BODY bgcolor = &quot;#ffffff&quot;&gt;
&lt;P &gt;This is a page.&lt;/P&gt;
&lt;/BODY&gt;
&lt;/HTML&gt;
</FONT></PRE>
<P>The <TT>&lt;BODY&gt;</TT> tag sets the color. There are dozens of other tags we
could use to add sound, animation, video, and so forth. However, all these still
appear in clear text. Likewise, when you submit information in an HTML form, it is
generally accepted (and parsed by a Perl program or other CGI application) in clear
text.</P>
<P>When the WWW was used primarily for research and education, that was fine. The
material could be intercepted across a network, but there was a relatively low risk
of this actually occurring. However, time passed, and eventually people became concerned.
Extensions were added to the HTML specification, including a password field. This
field is called by issuing the following statement within a form:</P>
<PRE><FONT COLOR="#0066FF">INPUT TYPE=PASSWORD
</FONT></PRE>
<P>This tag produces an input field that does not echo the password to the screen.
Instead, characters of the password are represented by asterisks. Unfortunately,
this field does very little to enhance real security.</P>
<P>First, the main concern is not whether someone standing over the shoulder of the
user can see the password, but whether someone intercepting traffic can. This password
field does little to prevent that. Moreover, the password field (which is used by
thousands of sites all over the world) does absolutely nothing to prevent someone
from entering the so-called protected site.</P>
<P>True, average users--when confronted with a page so protected--shy away and assume
that if they don't have a password, they cannot get in. However, to anyone with even
minimal knowledge of HTML implementation, this is the modern equivalent of a &quot;Beware
of Dog&quot; or &quot;Keep Off the Grass&quot; sign. By venturing into the directory
structure of the target server, any user can bypass this so-called security measure.</P>
<P>For example, suppose the password-protected site's address was this:

<UL>
	<LI><TT>http://www.bogus_password_protection.com/~mypage</TT>
</UL>

<P>When a user lands on this page, he or she is confronted by a field that asks for
a password. If the incorrect password is entered, a page (perhaps <TT>www.bogus_password_protection.com/~mypage/wrong.html</TT>)
is fed to the user to inform him or her of the authentication failure. On the other
hand, if the user enters a correct password, he or she is forwarded to a page of
favorite links, funny jokes, or whatever (for example, <TT>www.bogus_password_protection.com/~mypage/jokes</TT>).</P>
<P>Using any garden-variety search engine, one can quickly identify the pages beneath
the password page. This is done by issuing an explicit, case-sensitive, exact-match
search string that contains the base address, or the address where the HTML documents
for that user begin (in this case, <TT>http://www.bogus_password_protection.com/~mypage</TT>).
The return will be a list of pages that are linked to that page. Naturally, the site's
designer will include a Home button or link on each subsequent page. This way, users
can navigate through the site comfortably.</P>
<P>By opening the location of all subsequent pages on that site, the user can bypass
the password protection of the page. He or she can directly load all the pages that
are loaded after a user provides the correct password. The only time that this technique
will not work is when the password field is tied to a password routine that dynamically
generates the next page (for example, a Perl script might compare the password to
a list and, if the password is good, a subsequent page is compiled with time-sensitive
information pulled from other variables, such as a &quot;tip of the day&quot; page).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>Such implementations are the only
	valid instance in which to use this password field. In other words, you use the field
	to obscure the password to passers-by and point that form to a script on the server's
	local drive. All comparisons and other operations are done within the confines of
	that script, which also resides in a protected directory. 
<HR>


</BLOCKQUOTE>

<P>This brings us to one of the most commonly asked questions: How does one effectively
password protect a site?
<H4><FONT COLOR="#000077"><B>Password Protection for Web Sites: </B><TT>htpasswd</TT></FONT></H4>
<P>Password protection is accomplished with any implementation of <TT>htpasswd</TT>.
This program (which comes stock with most Web server distributions) is designed to
provide real password authentication. You will know when you land on a site using
<TT>htpasswd</TT> because a dialog box demanding a password from the user is immediately
issued. In Netscape, that dialog box appear much like the image in Figure 30.1.</P>
<P><A NAME="01"></A><A HREF="01.htm"><B>FIGURE 30.1.</B></A> <I><BR>
The </I><TT>htpasswd</TT><I> prompt.</I></P>
<P>Those using Mosaic for the X Window System will see a slightly different prompt
(see Figure 30.2).</P>
<P><A NAME="02"></A><A HREF="02.htm"><B>FIGURE 30.2.</B></A> <I><BR>
The </I><TT>htpasswd</TT><I> prompt in Mosaic for X.</I></P>
<P>If the user enters the correct password, he or she will be referred to the next
page in sequence. However, if the user fails to provide the correct password, he
or she will be forwarded to a page that looks very similar to the one shown in Figure
30.3.</P>
<P><A NAME="03"></A><A HREF="03.htm"><B>FIGURE 30.3.</B></A> <BR>
<I>The </I><TT>htpasswd</TT><I> failed authorization screen.</I></P>
<P>As authentication schemes go, <TT>htpasswd</TT> is considered fairly strong. It
relies on the basic HTTP authentication scheme, but will also conform to MD5.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>CAUTION:</B></FONT><B> </B>Be careful about setting the
	option for MD5. Not all browsers support this option, and your users may end up quite
	frustrated due to a failure to authenticate them. Known supported browsers currently
	include Mosaic, NCSA, and Spyglass. 
<HR>


</BLOCKQUOTE>

<P>A word to the wise: although the passwords of users are ultimately stored in encrypted
form, the password is not passed in encrypted form in basic HTTP authentication.
As reported by NCSA in the <I>Mosaic User Authentication Tutorial</I>:

<DL>
	<DD>In Basic HTTP Authentication, the password is passed over the network not encrypted
	but not as plain text--it is &quot;uuencoded.&quot; Anyone watching packet traffic
	on the network will not see the password in the clear, but the password will be easily
	decoded by anyone who happens to catch the right network packet.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Find the <I>Mosaic User
	Authentication Tutorial</I> on the Web at <A HREF="http://hoohoo.ncsa.uiuc.edu/docs-1.5/tutorials/user.html"><TT>http://hoohoo.ncsa.uiuc.edu/docs-1.5/tutorials/user.html</TT></A>.
	
<HR>