The World Wide Web Security FAQ
Lincoln D. Stein
<lstein@cshl.org> & John N.
Stewart <jns@digitalisland.net>
Version 3.1.2, February 4, 2002
DISCLAIMER
This information is provided by Lincoln Stein (lstein@cshl.org)
and John Stewart (jns@digitalisland.net).
The World Wide Web Consortium (W3C) hosts this document as a service to
the Web Community; however, it does not endorse its contents. For further
information, please contact Lincoln Stein or John Stewart, directly.
New
- version 3.1.2, added Lithuanian mirror site.
- version 3.1.1, fixed a vulnerability introduced by the untainting a variable example.
Mirrors
The master copy of this document can be found at https://www.w3.org/Security/Faq/.
See this page for a listing of
mirror sites or if you are interested in becoming a mirror site yourself.
CONTENTS
-
Introduction
-
What's New?
-
General Questions
-
Q1 What's to worry about?
-
Q2 Exactly what security risks are we talking
about?
-
Q3 Are some Web servers and operating systems
more secure than others?
-
Q4 Are some Web server software programs more
secure than others?
-
Q5 Are CGI scripts insecure?
-
Q6 Are server-side includes insecure?
-
Q7 What general security precautions should
I take?
-
Q8 Where can I learn more about network security?
-
Client Side Security
-
Q1 How do I turn off the "You are submitting
the contents of a form insecurely" message in Netscape? Should I worry
about it?
-
Q2 How secure is the encryption used by
SSL?
-
Q3 When I try to view a secure page, the
browser complains that the site certificate doesn't match the server and
asks me if I wish to continue. Should I?
-
Q4 When I try to view a secure page, the
browser complains that it doesn't recognize the authority that signed its
certificate and asks me if I want to continue. Should I?
-
Q5 How private are my requests for Web documents?
-
Q6 What's the difference between Java and
JavaScript?
-
Q7 Are there any known security holes in
Java?
-
Q8 Are there any known security holes in
JavaScript?
-
Q9 What is ActiveX? Does it pose any risks?
-
Q10 Do "Cookies" Pose any Security Risks?
-
Q11 I hear there's an e-mail message making
the rounds that can trash my hard disk when I open it. Is this true?
-
Q12 Can one Web site hijack another's content?
-
Q13 Can my web browser reveal my LAN login
name and password?
-
Q14 Are there any known problems with Microsoft
Internet Explorer?
-
Q15 Are there any known problems with Netscape
Communicator?
-
Q16 Are there any known problems with Lynx
for Unix?
-
Q17 Someone suggested I configure /bin/csh
as a viewer for documents of type application/x-csh. Is this a good idea?
-
Q18 Is there anything else I should keep
in mind regarding external viewers?
-
Server Side Security
-
General
- Q1 How do I set the file permissions of my
server and document roots?
- Q2 I'm running a server that provides a
whole bunch of optional features. Are any of them security risks?
- Q3 I heard that running the server as "root"
is a bad idea. Is this true?
- Q4 I want to share the same document tree
between my ftp and Web servers. Is there any problem with this idea?
- Q5 Can I make my site completely safe by
running the server in a "chroot" environment?
- Q6 My local network runs behind a firewall.
How can I use it to increase my Web site's security?
- Q7 My local network runs behind a firewall.
How can I get around it to give the rest of the world access to the Web
server?
- Q8 How can I detect if my site's been broken
into?
-
Windows NT Servers
-
Q9 Are there any known problems with the
Netscape Servers?
-
Q10 Are there any known problems with the
WebSite Server?
-
Q11 Are there any known problems with Purveyor?
-
Q12 Are there any known problems with Microsoft
IIS?
-
Q13Are there any known security problems
with Sun Microsystem's JavaWebServer?
-
Q14Are there any known security problems
with the MetaInfo MetaWeb Server?
-
Unix Servers
-
Q15 Are there any known problems with NCSA
httpd?
-
Q16 Are there any known problems with Apache
httpd?
-
Q17 Are there any known problems with the
Netscape Servers?
-
Q18 Are there any known problems with the
Lotus Domino Go Server?
-
Q19 Are there any known problems with the
WN Server?
-
Macintosh Servers
-
Q20 Are there any known problems with WebStar?
-
Q21 Are there any known problems with MacHTTP?
-
Q22 Are there any known problems with Quid
Pro Quo?
-
Other Servers
-
Q23 Are there any known problems with Novell
WebServer?
-
Server Logs and Privacy
-
Q24 What information do readers reveal that
they might want to keep private?
-
Q25 Do I need to respect my readers' privacy?
-
Q26 How do I avoid collecting too much information?
-
Q27 How do I protect my readers' privacy?
-
CGI Scripts
-
General
-
Q1 What's the problem with CGI scripts?
-
Q2 Is it better to store scripts in the
cgi-bin directory or to identify them using the .cgi extension?
-
Q3 Are compiled languages such as C safer
than interpreted languages like Perl and shell scripts?
-
Q4 I found a great CGI script on the Web
and I want to install it. How can I tell if it's safe?
-
Q5 What CGI scripts are known to contain
security holes?
-
Language Independent Issues
-
Q6 I'm developing custom CGI scripts. What
unsafe practices should I avoid?
-
Q7 But if I avoid eval(), exec(), popen()
and system(), how can I create an interface to my database/search engine/graphics
package?
-
Q8 Is it safe to rely on the PATH environment
variable to locate external programs?
-
Q9 I hear there's a package called cgiwrap
that makes CGI scripts safe?
-
Q10 People can only use scripts if they're
accessed from a form that lives on my local system, right?
-
Q11 Can people see or change the values in
"hidden" form variables?
-
Q12 Is using the "POST" method for submitting
forms more private than "GET"?
-
Q13 Where can I learn more about safe CGI
scripting?
-
Safe Scripting in Perl
-
Q14 How do I avoid passing user variables
through a shell when calling exec() and system()?
-
Q15 What are Perl taint checks? How do I
turn them on?
-
Q16 OK, I turned on taint checks like you
said. Now my script dies with the message: "Insecure path at line XX"
every
time I try to run it!
-
Q17 How do I "untaint" a variable?
-
Q18 I'm removing shell metacharacters from
the variable, but Perl still thinks it's tainted!
-
Q19 Is it true that the pattern matching
operation $foo=~/$user_variable/ is unsafe?
-
Q20 My CGI script needs more privileges than
it's getting as user "nobody". How do I run a Perl script as suid?
-
Protecting Confidential Documents at Your Site
-
Q1 What types of access restrictions are
available?
-
Q2 How safe is restriction by IP address
or domain name?
-
Q3 How safe is restriction by user name
and password?
-
Q4 What is user verification?
-
Q5 How do I restrict access to documents
by the IP address or domain name of the remote browser?
-
Q6 How do I add new users and passwords?
-
Q7 Isn't there a CGI script to allow users
to change their passwords online?
-
Q8 Using .htaccess to control access
in individual directories is so convenient, why should I use access.conf?
-
Q9 How does encryption work?
-
Q10 What are: SSL, SHTTP, Shen?
-
Q11 Are there any "freeware" secure servers?
-
Q12 Can I use Personal Certificates to Control
Server Access?
-
Q13 How do I accept credit card orders over
the Web?
-
Q14 What are: CyberCash, SET, Open Market?
-
Denial of Service Attacks
-
Overview
-
Q1 What is a Denial of Service attack?
-
Q2 What is a Distributed Denial of Service
attack?
-
Q3 How is a DDoS executed against a website?
-
Q4 Is there a quick and easy way to secure
against a DDoS attack?
-
Q5 Can the U.S. Government make a difference?
-
Step-by-Step
-
Q6 How do I check my servers to see if they
are active DDoS hosts?
-
Q7 What should I do if I find a DDoS host
program on my server?
-
Q8 How can I prevent my servers from being
used as DDoS hosts in the future?
-
Q9 How can I prevent my personal computer
from being used as a DDoS host?
-
Q10 What is a "smurf attack" and how do I
defend against it?
- Q11 What is "trinoo" and how do I defend
against it?
- Q12 What are "Tribal Flood Network" and "TFN2K"
and how do I defend against them?
-
Q13 What is "stacheldraht" and how do I
defend against it?
-
Q14 How should I configure my routers,
firewalls, and intrusion detection systems against DDoS attacks?
-
Bibliography
Corrections and Updates
We welcome bug reports, updates, reports about broken links, comments and
outright disagreements. Please send your comments to lstein@cshl.org
and/or jns@digitalisland.net.
Please make sure that you are referring to the most recent version of the
FAQ (maintained at https://www.w3.org/Security/Faq/);
someone else might have caught the problem before you.
Please understand that we maintain the FAQ on a purely voluntary basis,
and that we may fall behind on making updates when other responsibilities
intrude. You can help us out by making an attempt to identify replacement
links when reporting a broken one, and by suggesting appropriate rewording
when you have found an error in the text. Suggestions for new questions
and answers are welcomed, particularly if you are willing to contribute
the text yourself. ;-)
Lincoln D. Stein (lstein@cshl.org)
and John N. Stewart (jns@digitalisland.net)
$Id: index.html,v 1.13 2002/02/04 18:59:43 lstein Exp $