The World Wide Web Security FAQ

9. Client Side Security

(Thanks to Laura Pearlman, who contributed many of the Q&A's in this section).

Q53: Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?

This is not a good idea. Configuring any command-line shell, interpreter, macro processor, of scripting language processor as the "viewer" for a document type leaves you vulnerable to attack over the Web. You should never blindly execute any program you download from the Internet (including programs obtained by FTP). It is safer to download a script as text, look it over to make sure it isn't doing anything malicious, and then run it by hand.

These words of warning apply also to the macro worksheets generated by popular PC spreadsheet programs. Although it seems natural to declare a type "application/x-msexcel-macro" in order to receive spreadsheets that automatically recalculate themselves, some of the functions in the Excel macro language have the potential to inflict damage on other worksheets and files. These warnings even apply to such seemingly innocuous things as word processor style sheets and template files! Many high end word processors have a built-in macro processing ability. An example of the way in which word processing macros can be misused is the Microsoft Word "prank macro", which has the ability to spread, virus-like, from document to document.

I have heard of at least one individual who decided he'd only be using the C-shell to download scripts written by himself and other trusted parties. He screened all URLs by hand to make sure they didn't end with a .csh extension before downloading them. Unfortunately the file extension is not a reliable way to determine what a URL contains. The type of a document is determined by the Web (HTTP) server, not the browser, and a document of type application/x-csh can just as easily have an extension of .txt or no extension at all.

In short, beware of declaring an external viewer for any file that contains executable statements.

This security problem is addressed by scripting languages as Java and Safe Tcl in which dangerous functions can be disabled. There's even a prototype "Safe Perl" that can be used as a safer external viewer for perl programs.

Q54: Is there anything else I should keep in mind regarding external viewers?

Yes. Whenever you upgrade a program that you've configured as an external viewer you should think about the issues related in Q53 in light of the program's new features. For example, if the viewer is a word processor, and the new version has just added scripting/macro features, is there any chance that loading and displaying the document could automatically launch a script?

Q55: How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?

This message indicates that the contents of a form that you're submitting to a CGI script is not encrypted and could be intercepted. Right now you'll get this message whenever you submit a form to any non-Netscape server, since only the Netsite Commerce Server can handle encrypted forms. You probably shouldn't send sensitive information such as credit card numbers via unencrypted forms (however if you're the type who reads his credit card number over cellular phones, an even more insecure means of communication, go right ahead!).

To turn this warning off, select Preferences from Netscape's Options menu, choose "Images and Security", and uncheck the checkbox labeled "Warn before submitting forms insecurely."

Q56 How secure is the encryption used by SSL?

SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the http transaction (both request and response). Each transaction uses a different session key so that if someone manages to decrypt a transaction, that does not mean that they've found the server's secret key; if they want to decrypt another transaction, they'll need to spend as much time and effort on the second transaction as they did on the first.

Netscape servers and browsers do encryption using either a 40-bit secret key or a 128-bit secret key. Many people feel that using a 40-bit key is insecure because it's vulnerable to a "brute force" attack (trying each of the 2^40 possible keys until you find the one that decrypts the message). Using a 128-bit key eleiminates this problem because there are 2^128 instead of 2^40 possible keys. Unfortunately, most Netscape users have browsers that support only 40-bit secret keys. This is because of legal restrictions on the encryption software that can be exported from the United States (The Federal Government has recently modified this policy on following the well-publicized cracking of a Netscape message encrypted using a 40-bit key. Expect this situation to change).

In Netscape you can tell what kind of encryption is in use for a particular document by looking at the "document" information" screen accessible from the file menu. The little key in the lower left-hand corner of the Netscape window also indicates this information. A solid key with two teeth means 128-bit encryption, a solid key with one tooth means 40-bit encryption, and a broken key means no encryption. Even if your browser supports 128-bit encryption, it may use 40-bit encryption when talking to older Netscape servers or Netscape servers outside the U.S. and Canada.

Q57 My Netscape browser is displaying a form for ordering merchandise from a department store that I trust. The little key at the lower left-hand corner of the Netscape window is solid and has two teeth. This means I can safely submit my credit card number, right?

Not quite. A solid key with two teeth appears indicates that SSL is being used with a 128-bit secret key and that the remote host owns a valid server certificate that was certified by some authority that Netscape recognizes. At this point, however, you don't know who that certificate belongs to. It's possible that someone has bought or stolen a server certificate and then diverted network traffic destined for the department store by subverting a router somewhere between you and the store. The only way to make sure that you're talking to the company you think you're talking to is to open up the "Document Information" window (from the File menu) and examine the server certificate. If the host and organization names that appear there match the company you expect, then you're probably safe to submit the form. If something unexpected appears there (like "Embezzlers R Us") you might want to call the department store's 800 number.

Q58: How private are my requests for Web documents?

Read section (7) above. All requests for documents are logged by the Web server. Although your name is not usually logged, your IP address and computer's host name usually is. In addition, some servers also log the URL you were viewing (such as your home page) at the time you requested the new URL. If the site is well administered, the record of your accesses will be used for statistics generation and debugging only. However, some sites may leave the logs open for casual viewing by local users at the site or even use them to create mailing lists.

The contents of queries in forms submitted using the GET request appear in the server log files because the query is submitted as part of the URL. However, when a query is submitted as a POST request (which is often the case when submitting a fill-out form), the data you submit doesn't get logged. If you are concerned about the contents of a keyword search appearing in a public log somewhere, check whether the search script uses the GET or POST method. The easiest technique is to try an innocuous query first. If the contents of the query appear in the URL of the retrieved document, then they probably appear in the remote server's logs too.

Server/browser combinations that use data encryption, such as Netsite/Netscape, encrypt the URL request. Furthermore the encrypted request, because it is submitted as a POST request, does not appear in the server logs.

Q59: What's the difference between Java and JavaScript?

Despite the similarity in names, Java and JavaScript are two separate entities. Java is a language designed by Sun Microsystems. Java scripts are precompiled into a compact form and stored on the server's side of the connection. HTML documents refer to the mini-applications known as Java "applets" by incorporating <APPLET> tags. Browsers that support the <APPLET> tag (currently only Netscape Navigator 2.0 and Sun's HotJava), download the compiled Java applications and execute them.

JavaScript is a series of extensions to the HTML language understood only by Netscape Navigator versions 2.0 (and higher). It's an interpreted language designed for controlling the Netscape browser; it has the ability to open and close windows, manipulate form elements, adjust browser settings, and download and execute Java applets.

Although JavaScript has a similar syntax to Java, it is quite distinct in many ways.

Q60: Are there any known security holes in Java?

Java scripts, because they execute on the browser's side of the connection instead of on the server's, move the security risk squarely from the server to the client. Is there anything for the client to worry about?

Several failsafes are built into Java to prevent it from compromising the remote user's machine. When running as applets, Java scripts are restricted with respect to what they are allowed to do by a "security manager" object. The security manager does not ordinarily allow applets to execute arbitrary system commands, to load system libraries, or to open up system device drivers such as disk drives. In addition, scripts are generally limited to reading and writing to files in a user-designated directory only (the HotJava browser allows you to set this directory, while Netscape disallows all file manipulation).

Applets are also limited in the network connections they can make: An applet is only allowed to make a network connection back to the server from which it was downloaded. This is important for reasons discussed below.

Finally, the security manager allows Java applets to read and write to the network, read and write to the local disk, but not both. This limitation was created to reduce the risk of an Applet spying on the user's private documents and transmitting the information back to the server. Since the Netscape implementation disables all local file manipulation anyway, this restriction is currently moot.

Security holes

Unfortunately in the short time since its release, a number of security holes have been found in Java caused by bugs in the implementation. Although most of the worst bugs have been fixed in the current release, at least one serious security hole remains and there are a number of worrisome potential vulnerabilities in the design of the language itself, not least of which is the Java Security: From HotJava to Netscape and Beyond, a paper published by Drew Dean, Edward Felten and Dan Wallach in the 1996 IEEE Symposium on Security and Privacy, presents a complete of anatomy of Java security holes and concludes with the following sobering assessment:
We conclude that the Java system in its current form cannot easily be made secure. Significant redesign of the language, the bytecode format, and the runtime system appear to be necessary steps toward building a higher-assurance system.

Because of the current problems with Java, the safest course is to turn Java off (from the Netscape Security Preferences menu item) except when retrieving URLs from well-known and trusted hosts.

Below are some of the specific holes present in the Java implementation distributed with Netscape 2.0 and/or 2.01.

Ability to Execute Arbitrary Machine Instructions

On 22 March 1996, Drew Dean ( ddean@CS.Princeton.EDUand Ed Felton ( felten@CS.Princeton.EDU) of the Princeton Dept of Computer Science, announced that they had successfully exploited a bug in Java to create a applet that deletes a file on the user's local disk. In this bug, a binary library file is first downloaded to the user's local disk using the Netscape caching mechanism. The Java interpreter is then tricked into loading the file into memory and executing it.

This bug is present in version 2.0 of Netscape as well as the recent 2.01 "security enhancements" release. Although the bug was demonstrated on a Unix system, it appears that Windows systems are vulnerable as well.

More information on this bug can be found at 

   http://www.cs.princeton.edu/sip

Vulnerability to Denial of Service Attacks

Applets can hog system resources such as memory and CPU time. This may happen as the result of a programmer error, or maliciously in order to slow down the computer system to the point of unusability. Applets running under the same browser are not protected from one another. One applet can easily discover another's existence and interfere with it, raising the interesting spectre of one vendor's applet deliberately making a competitor's applet appear to behave erratically.

If an applet appears to be behaving improperly, closing the page from which it originated does not necessarily shut it down. It may be necessary to shut off the browser entirely.

Ability to Make Network Connections with Arbitrary Hosts

Version 2.0 of Netscape Navigator contained another Java bug, this one involving the restriction on Applets from contacting arbitrary hosts. This bug has been fixed in version 2.01 of Netscape, and you should upgrade to 2.01 if you haven't already.

Applets are supposed to be able to talk only to the server that they originated from. However in early March 1996, Steve Gibbons (a href="mailto:sgibbo@amexdns.amex-trs.com" mailto:sgibbo@amexdns.amex-trs.com) and Drew Dean (ddean@CS.Princeton.EDU) independently discovered holes in the implementation that allows Applets to make connections to any host on the Internet. This is a serious problem: once downloaded to a user's machine, the applet can now attempt to make a connection to any machine on the user's local area network, even if the LAN is protected by a firewall. Many LANs are set up so that local machines are trusted to access services that distant machines are not. As a trivial example, an Applet could open up a connection to the organization's private news server, fetch recent postings to an internal newsgroup, and transmit them back to a foreign host.

Unix users who are familiar with the Berkeley rsh, rlogin and rcp commands will see that this bug represents a risk to systems that trust each other enough to allow commands to be executed remotely. This bug also makes it possible for Applets to collect detailed information on network topology and name services from behind a firewall.

This security hole involves Java's trusting use of the Domain Name System (DNS) to confirm that it is allowed to contact a particular host. A malfeasant using his own DNS server can create a bogus DNS entry to fool the Java system into thinking that a script is allowed to talk to a host that it is not authorized to contact.

More information about Java and security can be found at URL: 

  http://java.sun.com/sfaq/

Q61: Are there any known security holes in JavaScript?

JavaScript also has a troubling history of security holes, three of which have persisted despite the Netscape developers' attempts to close them.

Unlike the Java hole, which can actively damage the user's machine, the JavaScript holes all involve infringements on the user's privacy. The following holes all exist in Netscape 2.01, and were discovered and publicized by John Robert LoVerso of the OSF Research Institute (mailto:loverso@osf.org:

  1. JavaScripts can trick the user into uploading a file on his local hard disk or network mounted disk to an arbitrary machine on the Internet. Although the user must click a button in order to initiate the transfer, the button can easily masquerade as something innocent. Nor is there any indication that a file transfer has occurred before or after the event. This is a major security risk for systems that rely on a password file to control access, because a stolen password file can often be readily cracked.
  2. JavaScripts can obtain directory listings of the user's local hard disk and any network mounted disks. This represents both an invasion of privacy and a security risk, since an understanding of a machine's organization is a great advantage for devising a way to break into it.
  3. JavaScripts can monitor all pages the user visits during a session, capture the URLs, and transmit them to a host somewhere on the Internet. This hole requires a user interaction to complete the upload, but as in the first example the interaction can be disguised in an innocuous manner.
A description of these bugs can be found at: 
   http://www.osf.org/~loverso/javascript/
Because of concerns for public safety, LoVerso has not generally released the details of all three holes. However it is unlikely that the same holes cannot be discovered by others.

It is expected that these bugs will be addressed in the next release of Netscape Navigator. However, until that time, you are strongly advised to turn JavaScript off (from the Network & Security Options dialog) except when retrieving URLs from well-known and trusted hosts. If you do choose to use JavaScript, be alert for pages that do unexpected things such as creating superfluous windows or prompting you to take unusual actions. These may be indications of a malevolent script at work.

Lincoln D. Stein, lstein@genome.wi.mit.edu
Whitehead Institute/MIT Center for Genome Research
Last modified: Fri Apr 26 09:22:46 EDT 1996