Web Site Security

No self-respecting tour of web design tools and features should overlook mentioning some popular security features. This topic will introduce Secure Sockets Layer, CGI-BIN, and .htaccess.

Secure Sockets Layer - encrypts the data travelling between the client and the server and lets the browser verify who it is talking to; it is essential to e-commerce and online banking and brokerage transactions.

CGI-BIN - the directory that holds your executable CGI (Common Gateway Interface) scripts. The server runs anything requested from it rather than sending the file to the browser, so the scripts and their data are kept from prying eyes. The name is 'CGI' for the scripts and 'bin' for binaries, the Unix convention for a directory of programs.

.htaccess - along with its companion .htpasswd, enables the webmaster to protect specific directories and their contents.

Let's have a look.

Secure Sockets Layer (SSL) is the protocol built into the server software of Apache, IBM, Red Hat, Netscape, Microsoft, Novell, Oracle and many, many others. It does two jobs: Encryption of the data flowing between the server and the user's browser, so nobody in between can read it; and Authentication, so the security conscious user can see that the site holds a current Digital Certificate (Verisign calls it a Server ID) issued for that server's name by a certificate authority the browser already trusts.

Current browsers are capable of establishing secured communications with such a web site using either 40 bit or 128 bit encryption. The number is the length of the secret key for the session, and each extra bit doubles the number of keys an attacker would have to try, so a 128-bit key has 2^88 times as many possibilities as a 40-bit one; it is not a matter of 'more encoding schemes'. 'RSA Labs' is quoted as saying it would take a trillion-trillion years to crack 128-bit encryption with today's technology. The 40-bit 'export' grade is another story: it was brute-forced in a few hours on a roomful of university workstations back in 1997, so a site that only offers 40 bits is not offering much.

You'll know that you're on a secured web site by noticing in your browser's URL or Location window an address beginning with https://. That's your invitation to see if the site is truly authorized by clicking on the browser's 'security' icon, where quite a bit of information is available to you, including the level of encryption in use, what company issued the certificate, when the certificate expires, and so on. (Netscape, I know, has a couple of icons on its window in the shape of an unlocked padlock, which becomes locked when you've entered a secured site.) Verisign proudly provides a logo for servers to display on their sites, documenting the security they offer. Click this logo and you'll see, as an example, Verisign's own security authorization. One caution: the padlock tells you the connection is encrypted and the certificate matches the site's name. It does not tell you the people behind the site are honest, so check that the name in the certificate is the company you think you're dealing with.
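As an added illustration (this is not code from the original page), here is a small Python script that does the same check the browser's padlock dialog does: it opens a verifying TLS connection, reports the negotiated protocol, cipher and key length, and summarizes the certificate's subject, issuer and expiry. The host name, the default of www.example.com and the SAMPLE_CERT dictionary are constructed for the example; summarize_cert accepts a fixed clock so it can be exercised offline without a network.

```python
import socket
import ssl
import time


def _rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('countryName', 'US'),), ...) shape into a dict."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def summarize_cert(cert, now=None):
    """Reduce a getpeercert() dict to the fields the padlock dialog shows.
    `now` is a Unix timestamp (defaults to the current time) so that the
    expiry check can be tested against a fixed clock."""
    if now is None:
        now = time.time()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "dns_names": dns_names,
        "days_left": int((not_after - now) // 86400),
        "valid_now": not_before <= now <= not_after,
    }


def inspect_site(host, port=443, timeout=5.0):
    """Connect with the default verifying context (system CA bundle plus
    hostname check) and report what the security dialog would: protocol,
    cipher, key bits and the certificate summary. Raises ssl.SSLError when
    the chain does not validate, the same condition a browser warns about."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _, key_bits = tls.cipher()
            return {
                "protocol": tls.version(),
                "cipher": cipher_name,
                "key_bits": key_bits,  # the 40 vs 128 bit figure of the text
                "cert": summarize_cert(tls.getpeercert()),
            }


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Root"),)),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print(inspect_site(host))
```

Run it with a host name to see the live values; the certificate summary is the part worth reading, since an expired certificate or a subject name that does not match the site is exactly what the browser's warning is about.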

Verisign is one of the leading companies authorized to issue these Certificates, and quite a bit of useful information is available on their web site if you want to learn more. What you learn there will apply to their competition as well (I'm not being paid to endorse Verisign, it just looks that way < grin >). To get you started, here's a link to their site explaining the basics of SSL. I hope they keep it the same for a while, but let me know if they change it.

CGI-BIN is a specially authorized directory to warehouse script programs and applications, often along with their data. It is special in that the server is told to execute whatever is requested from it and return the program's output, never to send the file itself. As a result the user is not permitted to list the contents of the directory, nor to view a script's source (and any database passwords inside it) directly. The script programs themselves, running on the server, do have authorization to open and update their data files. One caution: a data file in CGI-BIN that someone requests by URL will be 'executed' and produce a server error rather than being served, which is harmless, but the cleaner practice is to keep data files outside the web tree altogether.

You can demonstrate this to yourself, if you haven't already, by entering any known cgi-bin address on the URL line above. Click THIS and you'll see what I mean when you try to list my CGI-BIN. Now, the exception to what I've explained is the executable objects, things ending in .CGI (or .HTM, where the server has been told to treat them as scripts). The web designer designates them as 'executable' so that the user can run them, though still not read them.

Permissions on files and directories within CGI-BIN are set with the CHMOD command. If you login to your server using Telnet, you enter this command on the command line, just like you would with good old DOS. The common use of CHMOD is to make a CGI script executable. Its syntax is chmod 755 myscript.cgi. The three digits are the rights of the owner, the group and everyone else: 7 is read, write and execute, 5 is read and execute. So 755 lets the web server (which runs as some other user) run the script, but only you can change it. Resist the temptation to use 777 to make a permission error go away: on a shared host it lets every other customer on the machine edit the program your server runs. Setting permissions one file at a time can obviously be a tedious process if you have a large number of files. Also, NT servers don't use CHMOD at all (they have NTFS permissions instead, and didn't ship a Telnet service). To the rescue, FTP programs have the ability to change one or many items in a directory at the same time and very easily, simply by highlighting them, right-clicking to obtain a pulldown command window, and selecting CHMOD. WS_FTP Pro works this way and is a very good FTP program.
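To show what those digits mean in practice, here is an added Python script (not from the original page) that audits a cgi-bin the way you would by hand over Telnet: it walks the directory, flags the usual mistakes (world-writable files from a careless chmod 777, scripts that were uploaded but never made executable) and, with --fix, applies 755 to scripts and directories and 644 to everything else. The .cgi/.pl suffix rule and the sample tree built by make_sample_tree are assumptions made for the example.

```python
import os
import stat
import sys
import tempfile

# Assumption for this example: files with these suffixes are the CGI scripts.
SCRIPT_SUFFIXES = (".cgi", ".pl")


def problems_for(path, st_mode):
    """List what is wrong with one entry's mode bits, or [] if it is fine."""
    is_dir = stat.S_ISDIR(st_mode)
    is_script = path.endswith(SCRIPT_SUFFIXES)
    found = []
    if st_mode & stat.S_IWOTH:
        # The classic 'chmod 777' fix: every local user on a shared host can
        # now replace the program the web server runs.
        found.append("world-writable")
    elif st_mode & stat.S_IWGRP:
        found.append("group-writable")
    if (is_dir or is_script) and not st_mode & stat.S_IXOTH:
        # The server usually runs as 'nobody' (the third digit), so without
        # that execute bit it cannot run the script or enter the directory.
        found.append("not executable by the server user")
    if not is_dir and not is_script and st_mode & stat.S_IXOTH:
        found.append("data file marked executable")
    return found


def target_mode(path, st_mode):
    """chmod 755 for scripts and directories, 644 for everything else."""
    if stat.S_ISDIR(st_mode) or path.endswith(SCRIPT_SUFFIXES):
        return 0o755
    return 0o644


def audit_cgi_bin(root, fix=False):
    """Walk a cgi-bin. Returns {relative path: [problems]} and, with
    fix=True, chmods each offending entry to its target mode."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink; audit its target separately
            found = problems_for(full, st.st_mode)
            if found:
                findings[os.path.relpath(full, root)] = found
                if fix:
                    os.chmod(full, target_mode(full, st.st_mode))
    return findings


def mode_of(path):
    """Permission bits as the octal string chmod and ls -l talk about, e.g. '755'."""
    return format(stat.S_IMODE(os.stat(path).st_mode), "o")


def make_sample_tree():
    """Build a constructed cgi-bin in a temp directory with typical mistakes."""
    root = tempfile.mkdtemp(prefix="cgi-bin-")
    os.mkdir(os.path.join(root, "lib"))
    os.chmod(os.path.join(root, "lib"), 0o755)
    spec = {
        "hello.cgi": 0o777,    # 'fixed' with chmod 777
        "counter.txt": 0o666,  # hit-counter data file left world-writable
        "lib/util.pl": 0o644,  # uploaded by FTP, never made executable
    }
    for rel, mode in spec.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/perl\n" if rel.endswith(SCRIPT_SUFFIXES) else "0\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    target = args[0] if args else make_sample_tree()
    for rel, found in sorted(audit_cgi_bin(target, fix="--fix" in sys.argv).items()):
        print(f"{rel}: {', '.join(found)}")
```

Run it with no arguments to see the report on the constructed sample, or point it at a real cgi-bin; add --fix to apply the corrections.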

It's important to note that most ISPs (Internet Service Providers) don't allow you to use a CGI-BIN, even though they give you a place to build a web site. In fact, a few web hosting services don't provide the capability either, and I would avoid them. CGI scripts are extremely useful and are supported by every server platform; because they run on the server and send back ordinary HTML, they work with every browser as well. Many CGI scripts are available free and do very useful things. This leads me to a 'Sales Pitch' to encourage you to read my topics on CGI/Perl Scripting, and you can find links to a number of free script libraries in the Sites to Visit topic by clicking on the Software Download category there.

.htaccess is a facility which allows the designer to protect certain directories from unauthorized access by the general user community. A userid and password scheme is implemented and enforced directly by the web server software (Apache's built-in authentication, for instance) before anything in the directory is sent, so it makes no difference whether the pages themselves are plain HTML. Often these directories are referred to as Member Areas, especially popular on XXX-Rated sites (not that any of you have ever been to one) but frequently found on any site where it costs $$$ or some form of patronage to be allowed to enter.

In addition to authorizing access to directories, there are other useful purposes for .htaccess. One significant use is for the web designer to intercept those ugly and menacing server error messages by substituting a friendly and pretty information screen (the ErrorDocument directive). Another use is to redirect a user from a given directory to an alternative URL (the Redirect directive). You would want to do this, for example, if you moved your web site, or just a directory of your web site.
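As an added example (not the author's own file), here is an .htaccess that does both of those extra jobs and also switches off directory listings. The page names and the target URL are placeholders, and it assumes your host allows these directives to be overridden in .htaccess.

```apache
# Keep visitors from browsing the raw file list of this directory.
Options -Indexes

# Friendly pages instead of the server's default error text. The target pages
# must live outside any directory protected by .htaccess, or the 401 page
# itself will prompt for a password.
ErrorDocument 401 /members401.html
ErrorDocument 404 /notfound.html

# The old /catalog directory moved; send browsers (and search engines) to the
# new location with a permanent (301) redirect.
Redirect permanent /catalog http://www.example.com/shop/
```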

You can see an example of this if you select my topic Web Theme Samples. You'll be offered a login dialogue box for that directory, which is protected by .htaccess. You'll be told what userid and password you can use. However, I suggest you deliberately enter the wrong userid or password. That would normally produce a 401 error, which is an authentication failure. I substituted a very pleasant screen for you.

Finally, I should mention that once you have installed the .htaccess file in your protected directory, you need to use the server program htpasswd to create a file called .htpasswd and then to add userids and their hashed passwords (htpasswd -c /path/to/.htpasswd userid creates the file with its first user; leave off -c for the rest; it prompts for the password and stores only a one-way hash, never the password itself). This .htpasswd file is plain text, one userid:hash per line, so it's easy to remove a user by deleting the line. Keep it outside your web directories, or anyone can download it and start guessing. Remember too that this Basic authentication sends the userid and password with every request merely base64-encoded, not encrypted, so a member area holding anything valuable belongs behind SSL. It is torturous to add these userids and passwords from a Telnet command line, but fortunately there are CGI scripts available free that will do this for you from your browser. Also, a good web hosting company will provide a function on an administrative menu to make this entire process very easy.
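To make the file format and the 'merely base64' point concrete, here is an added Python example (not the page's own tooling). It writes .htpasswd lines in the {SHA} form that htpasswd -s produces, verifies a login against the file the way the server does, and decodes the Authorization header a browser sends after the login dialog. The userids, passwords and the SAMPLE_HTPASSWD contents are constructed for the example.

```python
import base64
import hashlib
import hmac


def sha_entry(user, password):
    """One .htpasswd line in the {SHA} form that `htpasswd -s` writes:
    userid, a colon, then base64 of the SHA-1 of the password. There is no
    salt, so two users with the same password get the same hash; on a current
    Apache prefer `htpasswd -B` (bcrypt). {SHA} is used here only because the
    standard library can produce it."""
    if ":" in user or "\n" in user:
        raise ValueError("userid may not contain ':' or a newline")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_password(htpasswd_text, user, password):
    """Verify a userid/password against the plain-text file contents, which is
    what the server does on every request to the protected directory."""
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user:
            continue
        if not stored.startswith("{SHA}"):
            # crypt(3), $apr1$ and bcrypt entries need their own verifiers.
            return False
        candidate = sha_entry(user, password).split(":", 1)[1]
        return hmac.compare_digest(candidate, stored)  # constant-time compare
    return False


def basic_header(user, password):
    """The Authorization header the browser sends after the login dialog."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header):
    """What anyone watching the wire sees: base64 is encoding, not encryption,
    so without SSL the userid and password travel readable on every request."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed sample file contents, not the page author's real .htpasswd.
SAMPLE_HTPASSWD = "\n".join([
    "# members of the web themes area",
    sha_entry("guest", "password"),
    sha_entry("editor", "correct horse battery"),
]) + "\n"

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    header = basic_header("guest", "password")
    print(header, "->", decode_basic_header(header))
    print("login ok:", check_password(SAMPLE_HTPASSWD, *decode_basic_header(header)))
```

Because the file is plain text, it is also the file to guard most carefully: the hashes are unsalted and fast to compute, so anyone who can read it can test password guesses offline at full speed.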

Rather than giving you a link to learn more, just go to a search engine like Yahoo and enter just the word .htaccess. It's amazing how many hits you'll get. You can also go to any prominent server software site like apache.org, and they'll have information.

To provide an example of what a simple .htaccess file looks like, here's the one I'm using to protect the directory where the Web Themes are stored (with directory names changed). The .htaccess file is placed inside that directory, and it only takes effect if your host has enabled .htaccess overrides for your directories in the main server configuration. Notice also the ErrorDocument syntax to trap the 401 error, and that AuthUserFile must be the full filesystem path to the password file, which should live outside the web tree.

AuthName "Sample Web Themes"
AuthType Basic
# Full path to the password file (directory names changed); keep it outside the web tree.
AuthUserFile /root/customers/customerx/.htpasswd
ErrorDocument 401 /webthemes401.html
# Inside Limit, Require only covers the methods listed; leaving the Limit
# wrapper out protects every request method, which is usually what you want.
<Limit GET POST>
Require valid-user
</Limit>