HTML/CGI Talk
Basic Security and Limited Distribution

Security

The standard HTTP server provides very limited security. If you require better security you need to choose one of the commercial servers.

You can lock certain pages from view by specifying IP numbers, User IDs or anything you can write into a script. However each of these can usually be hacked.

IP - You can specify which IP numbers or domains can have access to certain documents. This works well for department docuemtents or restricting phone numbers to an institute. However this can be bypassed if somebody has a proxy server in that range. This is hard to control. It is also possible to spoof an IP number if you are on the same ethernet run.
User ID - This is as safe as telnet/ftp. There is a concern with this because User IDs and Password can be watched through routers or ethernet connections.
Scripts - Scripts have access to other information such as host server, client IP, date and time, you can do a ARP look up of the caller's ethernet address etc. etc.

In the above cases, the information is still transmitted in plain text, as is the information requested, user name and password.

Viewer Warnings

Although proxy caches are designed not to cache the above types of documents, viewers do. Netscape keeps all documents on hard disk and these are not wiped until the space is needed for something else.

You can specify documents to be cached until the end of a session. But Netscape does not delete the documents until it restarts. This again relies on the user.

Some Good News

Now all the bad stuff is out of the way, some good news. If you restart Netscape you will be required to enter your name and password for any or all pages accessed on a secure site (depending on the settings discussed above).

This means that you can not SUBMIT information or run a script or access another page without this name/password.

For most users this is secure enough.

HTTPD - Cern

How to do this.

User/Group

	# HTTPD.CONF
	UserId  sysadmin
	GroupId wheel

The user ID and group should be set and the files protected. This is to stop anyone accessing the documents via other methods (FTP, account on computer etc.)

However you must run httpd as root. Then it can specify the above user/group. Alternatively you can run httpd as the user and group. The above entries are ignored.

Protection Groups

These are the groups you setup hosts and users in

	# HTTPD.CONF
	Protection SYSADMIN-PROTECT {
	        UserId          sysadmin
	        GroupId         wheel
	        ServerId        www.anywhere.com.au
	        AuthType        Basic
	        PasswdFile      /usr/web/passwd
	        GroupFile       /usr/web/group
	        GET-Mask        scottp, nicka, davidb
	        POST-Mask       scottp, nicka, davidb
	}

This example sets users scottp, nicka and davidb to userid sysadmin and group wheel on a server. The group and passwd files are kept in the standard web directory.

Protecting Documents

Here you specify a directory and the group that allows access.

	
	# HTTPD.CONF
	Protect /network/sysadmin/*      SYSADMIN-PROTECT

More...

There is even more on security at yahoo!

Modified: 1/8/95
Created: 28/7/95
By: scottp@pas.com.au

HTML/CGI Talk Basic Security and Limited Distribution