Internal Systems

     From an internal perspective, the browser is the most obvious security risk. The objective is to protect the user's computer and local internal network. Much of the insecurity of browsers lies in the possibility of revealing private information about a user, such as an email address, name, or other personal information that might be stored in the browser's configuration. Other risks involve the execution of malicious applets or scripts by the browser. These may be written in Java, JavaScript, VBScript, or ActiveX.

     Protecting the user is also important. Security concerns exist because the browser can accept cookies (certain information sent by a server at a particular site, which is stored in a human-readable file), because items are listed in a bookmark file, or because the user accesses a secure section of a local internal network. Cookies and bookmark files are primarily privacy issues; the last is a case where a user may remain "logged in" through a browser and someone takes advantage of the available security clearance. These issues are concerns of workstation security and are beyond the treatment of the briefing or, in the case of cookies, it is now an option for the user whether or not to accept this type of information from a server.


Java Attacks

     Java is a language developed at Sun Microsystems and is widely used by WWW applications. The language is a cross between a compiled and an interpreted language, and can be loaded as an applet (an application running within another, the browser in this case) with appropriate tags in a Web page. The language has some loopholes, however:

- By using specific lines of code it has been found that one can delete files on someone else's machine through Java.
- If two Java programs are working at the same time, they may interfere with one another, altering information they are carrying.
- Java programs may attempt to access other machines that are within the same LAN as the one they are trying to contact.
- By using hand-crafted byte code, it may be possible to make Java programs perform forbidden operations.


JavaScript Attacks

    JavaScript is a Netscape creation. It is similar to Java in syntax and structure but is strictly interpreted and is executed by coding the functions directly into a Web page. It also has some security concerns:

- They can trick the user into uploading a file on his local hard disk to an arbitrary machine on the Internet. This may be done by masquerading a useful button as the download button and never notifying the user of what happened.
- They can obtain directory listings of the user's local hard drive.
- They can monitor all pages the user visits during a session, capture their URLs and transmit them to a host somewhere else on the Internet.
- They can trick Netscape Navigator into sending off email messages without the user's permission.


Solutions

     Most of these concerns are easily remedied on an individual level. The current browser versions from Netscape and Microsoft correct these loopholes. Upgrading may not be quite as simple from a corporate perspective where multiple machines must be attended to.

     Updated versions can be downloaded from their web sites and licensed packages can later be bought for the entire company. Netscape Communicator costs $80 and it includes upgrades and accessories that may be added to the browser for a limited time by downloading them directly from the Netscape website. Internet Explorer is available for free download from the Microsoft website.

     Reviews have found Netscape to be more user friendly, with special add-ons tailored specifically for businesses that want to improve their websites through serious coding. Netscape even offers its own version of servers, which make accessing the web even easier. On the other hand, Internet Explorer is more user friendly and tailored to the individual user. It is meant to be just that, a browser. It features all of the qualities that make Netscape so good with one additional positive characteristic: it's free. Netscape, with added features like mail, news, an internet meeting module, chat, etc., is attractive to a company, however, because it's an all-inclusive communications package allowing for easier application maintenance. This also allows the installation of a single, multi-purpose application rather than many applications that may conflict.

     Normally, these companies issue warnings and upgrades as soon as leaks or bugs in their programs are spotted so it is encouraged to periodically inspect their websites to download the latest version of their browsers.

     A current version of the browser is the most obvious and easiest solution. A network may also be equipped with a firewall (discussed in the next section), which has the ability to filter certain types of information entering or exiting a local network. In this case, Java applets can be forbidden to enter the internal network. This solution does not guard against malicious JavaScript code, however. Next stop, the network gateway.
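
     The applet filtering described above can be sketched as follows. This is an added example, not code from the original briefing; the function name filter_response, the sample responses, and the choice to match on the <applet> tag and the Java class-file signature are assumptions made for illustration. The script page passes through untouched, which is the gap the paragraph notes for JavaScript.

```python
import re

# Every compiled Java class file begins with these four bytes.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# An <applet> element with its closing tag, or a lone opening tag.
APPLET_TAG = re.compile(rb"<applet\b[^>]*>.*?</applet\s*>|<applet\b[^>]*>",
                        re.IGNORECASE | re.DOTALL)
PLACEHOLDER = b"<!-- applet removed at gateway -->"

def filter_response(url_path, body):
    """Decide what a gateway does with one inbound HTTP response body.

    Returns (action, body): "block" drops applet bytecode, "strip" removes
    <applet> elements from HTML, "pass" forwards the body unchanged.
    (Hypothetical helper written for this example.)
    """
    if body.startswith(CLASS_MAGIC) or url_path.lower().endswith(".class"):
        return "block", b""
    cleaned, count = APPLET_TAG.subn(PLACEHOLDER, body)
    if count:
        return "strip", cleaned
    return "pass", body

# Constructed sample responses (not captured traffic).
CLASS_FILE = CLASS_MAGIC + b"\x00\x03\x00\x2d" + b"\x00" * 16
APPLET_PAGE = (b'<html><body><h1>Demo</h1>'
               b'<APPLET code="Demo.class" width=100 height=50>'
               b'<param name="speed" value="3"></APPLET></body></html>')
SCRIPT_PAGE = (b'<html><body><script language="JavaScript">'
               b'document.write("hello");</script></body></html>')

if __name__ == "__main__":
    for path, body in [("/Demo.class", CLASS_FILE),
                       ("/applet.html", APPLET_PAGE),
                       ("/script.html", SCRIPT_PAGE)]:
        action, out = filter_response(path, body)
        print(path, action, len(out))
```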
