Website Security
|
|
Open Protocol vs. Closed Protocol
Compare a local area network in an office to the Internet. They're both networks where users request files to be displayed on their machines but the difference is that office networks use a closed protocol compared to the Internet, which uses an open protocol.A closed protocol, as used by a local area network, means that all users must have a logon to request anything on the system. So by default if you don't have a logon you have no access. This means that programmers grant users access only to those resources that they are permitted to request. As well as this the software tracks each user on the system - where they have logged on from, how long they have been logged on and what they have requested etc.
An open protocol, as used on the Internet, requires no user logon. By default all requests for resources on the server are granted unless programmers choose otherwise. This is the reverse of a closed protocol since by default the server doesn't screen requests so doesn't know or care who is accessing which resources unless programmers write scripts to mimic the aspects of a closed protocol.
So What's the Problem?To understand why this is a problem imagine you are writing a script to gather a user's details from an HTML form and forward it to a script on the server. Suppose you want the user to forward only characters, or character combinations, from a-z but no others. There are two ways this could be tackled.Solution 1: Screen the input for all the characters, or character combinations that you wish to forbid and remove them allowing the remainder. Comment: This sounds OK but the problem is that it relies on your script being aware of all possible characters and character combinations that are forbidden. This is dangerous since you might easily overlook some possibilities. Solution 2: Forbid all input except that which you wish to allow - i.e. the acceptable characters or character combinations. Comment: This is much safer since you don't have to think of all possible forbidden combinations - only the ones you are going to allow. |
In the first solution by default we allow everything except that which we forbid and this is similar to the open protocol used on the Internet. This is why programmers find it very difficult to write scripts that don't leave security holes for hackers since it's hard to imagine all possible ways a user request might be constructed.
In the second solution by default we forbid everything except that which we allow and this is similar to the closed protocol used in the office local area network. In this situation it's much easier for programmers to write secure scripts.
Programmers are at a disadvantage when writing server side scripts for the web since they have to think of all possible ways that user requests might be constructed to exploit their scripts and this is almost impossible. Writing secure scripts would be easy if the Internet used a closed protocol but then this wouldn't be much use for users. The Internet will always use an open protocol so all programmers can do is use best practice to limit security problems with their scripts.
© 2000-2008 smallbizonline website design Tel: 01501 771106 Privacy Policy Terms & Conditions
