Week 5 Flashcards
What is meant by "active content"? List some technologies that support active content.
Active content refers to material we download that makes something happen, as opposed to static
content, such as text or simple images that do nothing but get displayed. Active content includes
such things as
i) JavaScript animations
ii) ActiveX controls
iii) Java spreadsheets (e.g., JExcel)
iv) VB Script
v) Java Applets
vi) …anything that actually does something.
Active content is downloaded over the network and run on the client machine. Depending on what type of active content is running, it can even get full access to the system resources, including resources of the intranet of which the client machine is a part. ActiveX controls, developed by Microsoft, run only on the Windows platform, whereas Java Applets can run on any platform because Java is platform independent. Security policy related to active content is discussed in other questions.
Discuss three examples of security threats created by active content technologies.
Three examples:
i) Program execution is unconstrained: when a user downloads a page with active content from an untrusted site, a program is automatically executed without giving the user an option. If the program is malicious, then it may do damage to the system.
ii) Malicious controls could destroy the system: when the active content is executed, it could run a program that formats a hard disk or modifies executable files and system files.
iii) Programs may be modified in transit by a malicious third party.
What are some general strategies for addressing security threats arising from active content
technologies?
Have a stringent security policy; implement and adhere to it.
Execute only "trusted" code (ensuring it is from a trusted source; however, trust is not easy to
establish).
Configure the browser security settings properly.
Grant higher access to Java applets only if you think it is worth it.
Describe how Java has addressed the issue of client side security against threats from mobile Java
code.
The Java 2 Platform does the following:
- Supports standard VeriSign and Thawte RSA certificates
- Provides RSA-signed applet support in IE and Netscape
- Provides pop-up dialogs to let users validate signatures
How does Microsoft's Authenticode attempt to thwart malicious code attached to ActiveX controls?
Microsoft Authenticode technology allows the source to associate digital signatures with the code attached to an ActiveX control, therefore ensuring a certain level of accountability.
It helps in ensuring authenticity (assures users that they know where the code came from) and integrity (verifies that the code has not been tampered with).
It allows developers to include information about themselves and their code with their ActiveX application through the use of digital signatures.
Users can be informed whether the software publisher is participating in the infrastructure of trusted entities, thus serving the needs of both software publishers and users who rely upon the Internet for software downloading.
Describe how SSL can be used to make a communication channel secure.
SSL is used to create a secure communication channel between the web browser and web server by negotiating a session key at the beginning and then encrypting any data transmitted between these parties using this session key.
What are the advantages and disadvantages of SSL?
Advantages: enhances security and is implemented by most browsers; it can be used with other protocols such as FTP, NNTP, and Telnet; it is relatively easy to add SSL support to applications.
Disadvantages: SSL leaves a gap between the application and the encryption layer, leaving a door through which security can be breached; hacking into the CCI/browser is arguably more difficult than hacking between network protocol layers.
Explain why the SET protocol failed to get market support.
For the SET protocol to gain wide acceptance, each buyer and merchant must have a digital certificate from the bank, and each merchant must buy the required software, which is quite expensive for a small business. Also, a buyer must have and be able to use the client version of the software. It is also a huge investment for the banks to issue and maintain digital certificates for their customers. All of this proved to be very expensive for banks and difficult for ordinary customers to use. This is why not many banks were willing to participate, which ultimately made SET a dormant protocol for the time being.