FAQ


Frequently Asked Questions

CONTENTS

  1. Introduction
  2. What's New?
  3. General Questions
    • Q1 What's to worry about?
    • Q2 Exactly what security risks are we talking about?
    • Q3 Are some Web servers and operating systems more secure than others?
    • Q4 Are some Web server software programs more secure than others?
    • Q5 Are CGI scripts insecure?
    • Q6 Are server-side includes insecure?
    • Q7 What general security precautions should I take?
    • Q8 Where can I learn more about network security?

  4. Client Side Security
    • Q1 How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?
    • Q2 How secure is the encryption used by SSL?
    • Q3 When I try to view a secure page, the browser complains that the site certificate doesn't match the server and asks me if I wish to continue. Should I?
    • Q4 When I try to view a secure page, the browser complains that it doesn't recognize the authority that signed its certificate and asks me if I want to continue. Should I?
    • Q5 How private are my requests for Web documents?
    • Q6 What's the difference between Java and JavaScript?
    • Q7 Are there any known security holes in Java?
    • Q8 Are there any known security holes in JavaScript?
    • Q9 What is ActiveX? Does it pose any risks?
    • Q10 Do "Cookies" Pose any Security Risks?
    • Q11 I hear there's an e-mail message making the rounds that can trash my hard disk when I open it. Is this true?
    • Q12 Can one Web site hijack another's content?
    • Q13 Can my web browser reveal my LAN login name and password?
    • Q14 Are there any known problems with Microsoft Internet Explorer?
    • Q15 Are there any known problems with Netscape Communicator?
    • Q16 Are there any known problems with Lynx for Unix?
    • Q17 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?
    • Q18 Is there anything else I should keep in mind regarding external viewers?

  5. Server Side Security
    • General
      • Q1 How do I set the file permissions of my server and document roots?
      • Q2 I'm running a server that provides a whole bunch of optional features. Are any of them security risks?
      • Q3 I heard that running the server as "root" is a bad idea. Is this true?
      • Q4 I want to share the same document tree between my ftp and Web servers. Is there any problem with this idea?
      • Q5 Can I make my site completely safe by running the server in a "chroot" environment?
      • Q6 My local network runs behind a firewall. How can I use it to increase my Web site's security?
      • Q7 My local network runs behind a firewall. How can I get around it to give the rest of the world access to the Web server?
      • Q8 How can I detect if my site's been broken into?
    • Windows NT Servers
      • Q9 Are there any known problems with the Netscape Servers?
      • Q10 Are there any known problems with the WebSite Server?
      • Q11 Are there any known problems with Purveyor?
      • Q12 Are there any known problems with Microsoft IIS?
      • Q13 Are there any known security problems with Sun Microsystems' JavaWebServer?
      • Q14 Are there any known security problems with the MetaInfo MetaWeb Server?
    • Unix Servers
      • Q15 Are there any known problems with NCSA httpd?
      • Q16 Are there any known problems with Apache httpd?
      • Q17 Are there any known problems with the Netscape Servers?
      • Q18 Are there any known problems with the Lotus Domino Go Server?
      • Q19 Are there any known problems with the WN Server?
    • Macintosh Servers
      • Q20 Are there any known problems with WebStar?
      • Q21 Are there any known problems with MacHTTP?
      • Q22 Are there any known problems with Quid Pro Quo?
    • Other Servers
      • Q23 Are there any known problems with Novell WebServer?
    • Server Logs and Privacy
      • Q24 What information do readers reveal that they might want to keep private?
      • Q25 Do I need to respect my readers' privacy?
      • Q26 How do I avoid collecting too much information?
      • Q27 How do I protect my readers' privacy?

  6. CGI Scripts
    • General
      • Q1 What's the problem with CGI scripts?
      • Q2 Is it better to store scripts in the cgi-bin directory or to identify them using the .cgi extension?
      • Q3 Are compiled languages such as C safer than interpreted languages like Perl and shell scripts?
      • Q4 I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
      • Q5 What CGI scripts are known to contain security holes?
    • Language Independent Issues
      • Q6 I'm developing custom CGI scripts. What unsafe practices should I avoid?
      • Q7 But if I avoid eval(), exec(), popen() and system(), how can I create an interface to my database/search engine/graphics package?
      • Q8 Is it safe to rely on the PATH environment variable to locate external programs?
      • Q9 I hear there's a package called cgiwrap that makes CGI scripts safe?
      • Q10 People can only use scripts if they're accessed from a form that lives on my local system, right?
      • Q11 Can people see or change the values in "hidden" form variables?
      • Q12 Is using the "POST" method for submitting forms more private than "GET"?
      • Q13 Where can I learn more about safe CGI scripting?
    • Safe Scripting in Perl
      • Q14 How do I avoid passing user variables through a shell when calling exec() and system()?
      • Q15 What are Perl taint checks? How do I turn them on?
      • Q16 OK, I turned on taint checks like you said. Now my script dies with the message: "Insecure path at line XX" every time I try to run it!
      • Q17 How do I "untaint" a variable?
      • Q18 I'm removing shell metacharacters from the variable, but Perl still thinks it's tainted!
      • Q19 Is it true that the pattern matching operation $foo=~/$user_variable/ is unsafe?
      • Q20 My CGI script needs more privileges than it's getting as user "nobody". How do I run a Perl script as suid?

  7. Protecting Confidential Documents at Your Site
    • Q1 What types of access restrictions are available?
    • Q2 How safe is restriction by IP address or domain name?
    • Q3 How safe is restriction by user name and password?
    • Q4 What is user verification?
    • Q5 How do I restrict access to documents by the IP address or domain name of the remote browser?
    • Q6 How do I add new users and passwords?
    • Q7 Isn't there a CGI script to allow users to change their passwords online?
    • Q8 Using .htaccess to control access in individual directories is so convenient, why should I use access.conf?
    • Q9 How does encryption work?
    • Q10 What are: SSL, SHTTP, Shen?
    • Q11 Are there any "freeware" secure servers?
    • Q12 Can I use Personal Certificates to Control Server Access?
    • Q13 How do I accept credit card orders over the Web?
    • Q14 What are: CyberCash, SET, Open Market?

  8. Denial of Service Attacks
    • Overview
      • Q1 What is a Denial of Service attack?
      • Q2 What is a Distributed Denial of Service attack?
      • Q3 How is a DDoS executed against a website?
      • Q4 Is there a quick and easy way to secure against a DDoS attack?
      • Q5 Can the U.S. Government make a difference?
    • Step-by-Step
      • Q6 How do I check my servers to see if they are active DDoS hosts?
      • Q7 What should I do if I find a DDoS host program on my server?
      • Q8 How can I prevent my servers from being used as DDoS hosts in the future?
      • Q9 How can I prevent my personal computer from being used as a DDoS host?
      • Q10 What is a "smurf attack" and how do I defend against it?
      • Q11 What is "trinoo" and how do I defend against it?
      • Q12 What are "Tribal Flood Network" and "TFN2K" and how do I defend against them?
      • Q13 What is "stacheldraht" and how do I defend against it?
      • Q14 How should I configure my routers, firewalls, and intrusion detection systems against DDoS attacks?
