The World Wide Web Security FAQ

Lincoln D. Stein <lstein@cshl.org> & John N. Stewart <jns@digitalisland.net>

Version 3.1.2, February 4, 2002

DISCLAIMER

This information is provided by Lincoln Stein (lstein@cshl.org) and John Stewart (jns@digitalisland.net). The World Wide Web Consortium (W3C) hosts this document as a service to the Web Community; however, it does not endorse its contents. For further information, please contact Lincoln Stein or John Stewart, directly.

Table of Contents

Forward to Introduction

New

version 3.1.2, added Lithuanian mirror site.
version 3.1.1, fixed a vulnerability introduced by the untainting a variable example.

Mirrors

The master copy of this document can be found at https://www.w3.org/Security/Faq/.

See this page for a listing of mirror sites or if you are interested in becoming a mirror site yourself.

Introduction
What's New?
General Questions
- Q1 What's to worry about?
- Q2 Exactly what security risks are we talking about?
- Q3 Are some Web servers and operating systems more secure than others?
- Q4 Are some Web server software programs more secure than others?
- Q5 Are CGI scripts insecure?
- Q6 Are server-side includes insecure?
- Q7 What general security precautions should I take?
- Q8 Where can I learn more about network security?
Client Side Security
- Q1 How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?
- Q2 How secure is the encryption used by SSL?
- Q3 When I try to view a secure page, the browser complains that the site certificate doesn't match the server and asks me if I wish to continue. Should I?
- Q4 When I try to view a secure page, the browser complains that it doesn't recognize the authority that signed its certificate and asks me if I want to continue. Should I?
- Q5 How private are my requests for Web documents?
- Q6 What's the difference between Java and JavaScript?
- Q7 Are there any known security holes in Java?
- Q8 Are there any known security holes in JavaScript?
- Q9 What is ActiveX? Does it pose any risks?
- Q10 Do "Cookies" Pose any Security Risks?
- Q11 I hear there's an e-mail message making the rounds that can trash my hard disk when I open it. Is this true?
- Q12 Can one Web site hijack another's content?
- Q13 Can my web browser reveal my LAN login name and password?
- Q14 Are there any known problems with Microsoft Internet Explorer?
- Q15 Are there any known problems with Netscape Communicator?
- Q16 Are there any known problems with Lynx for Unix?
- Q17 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?
- Q18 Is there anything else I should keep in mind regarding external viewers?
Server Side Security
- General
  - Q1 How do I set the file permissions of my server and document roots?
  - Q2 I'm running a server that provides a whole bunch of optional features. Are any of them security risks?
  - Q3 I heard that running the server as "root" is a bad idea. Is this true?
  - Q4 I want to share the same document tree between my ftp and Web servers. Is there any problem with this idea?
  - Q5 Can I make my site completely safe by running the server in a "chroot" environment?
  - Q6 My local network runs behind a firewall. How can I use it to increase my Web site's security?
  - Q7 My local network runs behind a firewall. How can I get around it to give the rest of the world access to the Web server?
  - Q8 How can I detect if my site's been broken into?
- Windows NT Servers
  - Q9 Are there any known problems with the Netscape Servers?
  - Q10 Are there any known problems with the WebSite Server?
  - Q11 Are there any known problems with Purveyor?
  - Q12 Are there any known problems with Microsoft IIS?
  - Q13Are there any known security problems with Sun Microsystem's JavaWebServer?
  - Q14Are there any known security problems with the MetaInfo MetaWeb Server?
- Unix Servers
  - Q15 Are there any known problems with NCSA httpd?
  - Q16 Are there any known problems with Apache httpd?
  - Q17 Are there any known problems with the Netscape Servers?
  - Q18 Are there any known problems with the Lotus Domino Go Server?
  - Q19 Are there any known problems with the WN Server?
- Macintosh Servers
  - Q20 Are there any known problems with WebStar?
  - Q21 Are there any known problems with MacHTTP?
  - Q22 Are there any known problems with Quid Pro Quo?
- Other Servers
  - Q23 Are there any known problems with Novell WebServer?
- Server Logs and Privacy
  - Q24 What information do readers reveal that they might want to keep private?
  - Q25 Do I need to respect my readers' privacy?
  - Q26 How do I avoid collecting too much information?
  - Q27 How do I protect my readers' privacy?
CGI Scripts
- General
  - Q1 What's the problem with CGI scripts?
  - Q2 Is it better to store scripts in the cgi-bin directory or to identify them using the .cgi extension?
  - Q3 Are compiled languages such as C safer than interpreted languages like Perl and shell scripts?
  - Q4 I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
  - Q5 What CGI scripts are known to contain security holes?
- Language Independent Issues
  - Q6 I'm developing custom CGI scripts. What unsafe practices should I avoid?
  - Q7 But if I avoid eval(), exec(), popen() and system(), how can I create an interface to my database/search engine/graphics package?
  - Q8 Is it safe to rely on the PATH environment variable to locate external programs?
  - Q9 I hear there's a package called cgiwrap that makes CGI scripts safe?
  - Q10 People can only use scripts if they're accessed from a form that lives on my local system, right?
  - Q11 Can people see or change the values in "hidden" form variables?
  - Q12 Is using the "POST" method for submitting forms more private than "GET"?
  - Q13 Where can I learn more about safe CGI scripting?
- Safe Scripting in Perl
  - Q14 How do I avoid passing user variables through a shell when calling exec() and system()?
  - Q15 What are Perl taint checks? How do I turn them on?
  - Q16 OK, I turned on taint checks like you said. Now my script dies with the message: "Insecure path at line XX"every time I try to run it!
  - Q17 How do I "untaint" a variable?
  - Q18 I'm removing shell metacharacters from the variable, but Perl still thinks it's tainted!
  - Q19 Is it true that the pattern matching operation $foo=~/$user_variable/ is unsafe?
  - Q20 My CGI script needs more privileges than it's getting as user "nobody". How do I run a Perl script as suid?
Protecting Confidential Documents at Your Site
- Q1 What types of access restrictions are available?
- Q2 How safe is restriction by IP address or domain name?
- Q3 How safe is restriction by user name and password?
- Q4 What is user verification?
- Q5 How do I restrict access to documents by the IP address or domain name of the remote browser?
- Q6 How do I add new users and passwords?
- Q7 Isn't there a CGI script to allow users to change their passwords online?
- Q8 Using .htaccess to control access in individual directories is so convenient, why should I use access.conf?
- Q9 How does encryption work?
- Q10 What are: SSL, SHTTP, Shen?
- Q11 Are there any "freeware" secure servers?
- Q12 Can I use Personal Certificates to Control Server Access?
- Q13 How do I accept credit card orders over the Web?
- Q14 What are: CyberCash, SET, Open Market?
Denial of Service Attacks
- Overview
  - Q1 What is a Denial of Service attack?
  - Q2 What is a Distributed Denial of Service attack?
  - Q3 How is a DDoS executed against a website?
  - Q4 Is there a quick and easy way to secure against a DDoS attack?
  - Q5 Can the U.S. Government make a difference?
- Step-by-Step
  - Q6 How do I check my servers to see if they are active DDoS hosts?
  - Q7 What should I do if I find a DDoS host program on my server?
  - Q8 How can I prevent my servers from being used as DDoS hosts in the future?
  - Q9 How can I prevent my personal computer from being used as a DDoS host?
  - Q10 What is a "smurf attack" and how do I defend against it?
  - Q11 What is "trinoo" and how do I defend against it?
  - Q12 What are "Tribal Flood Network" and "TFN2K" and how do I defend against them?
  - Q13 What is "stacheldraht" and how do I defend against it?
  - Q14 How should I configure my routers, firewalls, and intrusion detection systems against DDoS attacks?
Bibliography

Corrections and Updates

We welcome bug reports, updates, reports about broken links, comments and outright disagreements. Please send your comments to lstein@cshl.org and/or jns@digitalisland.net. Please make sure that you are referring to the most recent version of the FAQ (maintained at https://www.w3.org/Security/Faq/); someone else might have caught the problem before you.

Please understand that we maintain the FAQ on a purely voluntary basis, and that we may fall behind on making updates when other responsibilities intrude. You can help us out by making an attempt to identify replacement links when reporting a broken one, and by suggesting appropriate rewording when you have found an error in the text. Suggestions for new questions and answers are welcomed, particularly if you are willing to contribute the text yourself. ;-)

Table of Contents Forward to Introduction

Lincoln D. Stein (lstein@cshl.org) and John N. Stewart (jns@digitalisland.net)

$Id: index.html,v 1.13 2002/02/04 18:59:43 lstein Exp $

The World Wide Web Security FAQ

DISCLAIMER

New

Mirrors

CONTENTS

Corrections and Updates