The World Wide Web Security FAQ
Lincoln D. Stein <lstein@cshl.org> & John N. Stewart <jns@digitalisland.net>


Version 3.1.2, February 4, 2002
DISCLAIMER
This information is provided by Lincoln Stein (lstein@cshl.org) and John Stewart (jns@digitalisland.net). The World Wide Web Consortium (W3C) hosts this document as a service to the Web Community; however, it does not endorse its contents. For further information, please contact Lincoln Stein or John Stewart, directly.

New

1. version 3.1.2, added Lithuanian mirror site.
2. version 3.1.1, fixed a vulnerability introduced by the untainting a variable example.

Mirrors
The master copy of this document can be found at http://www.w3.org/Security/Faq/.

See this page for a listing of mirror sites or if you are interested in becoming a mirror site yourself.
CONTENTS

1. Introduction
2. What's New?
3. General Questions
* Q1 What's to worry about?
* Q2 Exactly what security risks are we talking about?
* Q3 Are some Web servers and operating systems more secure than others?
* Q4 Are some Web server software programs more secure than others?
* Q5 Are CGI scripts insecure?
* Q6 Are server-side includes insecure?
* Q7 What general security precautions should I take?
* Q8 Where can I learn more about network security?
4. Client Side Security
* Q1 How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?
* Q2 How secure is the encryption used by SSL?
* Q3 When I try to view a secure page, the browser complains that the site certificate doesn't match the server and asks me if I wish to continue. Should I?
* Q4 When I try to view a secure page, the browser complains that it doesn't recognize the authority that signed its certificate and asks me if I want to continue. Should I?
* Q5 How private are my requests for Web documents?
* Q6 What's the difference between Java and JavaScript?
* Q7 Are there any known security holes in Java?
* Q8 Are there any known security holes in JavaScript?
* Q9 What is ActiveX? Does it pose any risks?
* Q10 Do "Cookies" Pose any Security Risks?
* Q11 I hear there's an e-mail message making the rounds that can trash my hard disk when I open it. Is this true?
* Q12 Can one Web site hijack another's content?
* Q13 Can my web browser reveal my LAN login name and password?
* Q14 Are there any known problems with Microsoft Internet Explorer?
* Q15 Are there any known problems with Netscape Communicator?
* Q16 Are there any known problems with Lynx for Unix?
* Q17 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?
* Q18 Is there anything else I should keep in mind regarding external viewers?
5. Server Side Security
* General
o Q1 How do I set the file permissions of my server and document roots?
o Q2 I'm running a server that provides a whole bunch of optional features. Are any of them security risks?
o Q3 I heard that running the server as "root" is a bad idea. Is this true?
o Q4 I want to share the same document tree between my ftp and Web servers. Is there any problem with this idea?
o Q5 Can I make my site completely safe by running the server in a "chroot" environment?
o Q6 My local network runs behind a firewall. How can I use it to increase my Web site's security?
o Q7 My local network runs behind a firewall. How can I get around it to give the rest of the world access to the Web server?
o Q8 How can I detect if my site's been broken into?
* Windows NT Servers
o Q9 Are there any known problems with the Netscape Servers?
o Q10 Are there any known problems with the WebSite Server?
o Q11 Are there any known problems with Purveyor?
o Q12 Are there any known problems with Microsoft IIS?
o Q13 Are there any known security problems with Sun Microsystem's JavaWebServer?
o Q14 Are there any known security problems with the MetaInfo MetaWeb Server?
* Unix Servers
o Q15 Are there any known problems with NCSA httpd?
o Q16 Are there any known problems with Apache httpd?
o Q17 Are there any known problems with the Netscape Servers?
o Q18 Are there any known problems with the Lotus Domino Go Server?
o Q19 Are there any known problems with the WN Server?
* Macintosh Servers
o Q20 Are there any known problems with WebStar?
o Q21 Are there any known problems with MacHTTP?
o Q22 Are there any known problems with Quid Pro Quo?
* Other Servers
o Q23 Are there any known problems with Novell WebServer?
* Server Logs and Privacy
o Q24 What information do readers reveal that they might want to keep private?
o Q25 Do I need to respect my readers' privacy?
o Q26 How do I avoid collecting too much information?
o Q27 How do I protect my readers' privacy?
6. CGI Scripts
* General
o Q1 What's the problem with CGI scripts?
o Q2 Is it better to store scripts in the cgi-bin directory or to identify them using the .cgi extension?
o Q3 Are compiled languages such as C safer than interpreted languages like Perl and shell scripts?
o Q4 I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
o Q5 What CGI scripts are known to contain security holes?
* Language Independent Issues
o Q6 I'm developing custom CGI scripts. What unsafe practices should I avoid?
o Q7 But if I avoid eval(), exec(), popen() and system(), how can I create an interface to my database/search engine/graphics package?
o Q8 Is it safe to rely on the PATH environment variable to locate external programs?
o Q9 I hear there's a package called cgiwrap that makes CGI scripts safe?
o Q10 People can only use scripts if they're accessed from a form that lives on my local system, right?
o Q11 Can people see or change the values in "hidden" form variables?
o Q12 Is using the "POST" method for submitting forms more private than "GET"?
o Q13 Where can I learn more about safe CGI scripting?
* Safe Scripting in Perl
o Q14 How do I avoid passing user variables through a shell when calling exec() and system()?
o Q15 What are Perl taint checks? How do I turn them on?
o Q16 OK, I turned on taint checks like you said. Now my script dies with the message: "Insecure path at line XX" every time I try to run it!
o Q17 How do I "untaint" a variable?
o Q18 I'm removing shell metacharacters from the variable, but Perl still thinks it's tainted!
o Q19 Is it true that the pattern matching operation $foo=~/$user_variable/ is unsafe?
o Q20 My CGI script needs more privileges than it's getting as user "nobody". How do I run a Perl script as suid?
7. Protecting Confidential Documents at Your Site
* Q1 What types of access restrictions are available?
* Q2 How safe is restriction by IP address or domain name?
* Q3 How safe is restriction by user name and password?
* Q4 What is user verification?
* Q5 How do I restrict access to documents by the IP address or domain name of the remote browser?
* Q6 How do I add new users and passwords?
* Q7 Isn't there a CGI script to allow users to change their passwords online?
* Q8 Using .htaccess to control access in individual directories is so convenient, why should I use access.conf?
* Q9 How does encryption work?
* Q10 What are: SSL, SHTTP, Shen?
* Q11 Are there any "freeware" secure servers?
* Q12 Can I use Personal Certificates to Control Server Access?
* Q13 How do I accept credit card orders over the Web?
* Q14 What are: CyberCash, SET, Open Market?
8. Denial of Service Attacks
* Overview
o Q1 What is a Denial of Service attack?
o Q2 What is a Distributed Denial of Service attack?
o Q3 How is a DDoS executed against a website?
o Q4 Is there a quick and easy way to secure against a DDoS attack?
o Q5 Can the U.S. Government make a difference?
* Step-by-Step
o Q6 How do I check my servers to see if they are active DDoS hosts?
o Q7 What should I do if I find a DDoS host program on my server?
o Q8 How can I prevent my servers from being used as DDoS hosts in the future?
o Q9 How can I prevent my personal computer from being used as a DDoS host?
o Q10 What is a "smurf attack" and how do I defend against it?
o Q11 What is "trinoo" and how do I defend against it?
o Q12 What are "Tribal Flood Network" and "TFN2K" and how do I defend against them?
o Q13 What is "stacheldraht" and how do I defend against it?
o Q14 How should I configure my routers, firewalls, and intrusion detection systems against DDoS attacks?
9. Bibliography
