Printable version of lesson; return to section index when finished.



Security issues can be divided into two categories: system security (for example, ensuring that other people cannot change your Web site) and information security (for example, ensuring that the customer details from an online store are safe).

System security

It is important to ensure that your system is secure, and reduce the chance that hackers can break into your Web server and alter pages.

System security is a strong responsibility, especially if you operate your own Web server.

Information security

Some Web sites may store sensitive information, such as the personal details (and perhaps even credit card numbers) of users. You should analyse the information stored and work out which information must be kept secure.

As the operator of such a site, you have a responsibility to keep this information safe.


Encryption, which makes it difficult for other people to intercept information, can be an important aid to security. However, encrypted Web connections (indicated by a padlock icon in the browser) do not ensure that information is held securely.

Complex issue

Making a site secure can be complicated. If you don't understand some of the basic concepts, you are unlikely to create a secure site simply by using 'secure' software.


There are two important issues in system security. One is in the use of passwords, which should be chosen and used securely. However secure a system might be, it is normally left wide open if the password used to access it is compromised.

Problems with passwords

Most systems use passwords to restrict access. It is possible to obtain a password in several ways:

Using passwords securely

You can avoid these problems by:

Software security

Another system security issue is the actual software that makes up the system. This software may have bugs and security holes that permit access even without a password. System software should be kept current with security patches and updates.

Software flaws

Web servers are complicated programs and frequently contain bugs which may, under certain conditions, allow hackers access to your system even if they cannot get a password.

If you use a Web hosting provider, then it is their responsibility to ensure that software is kept updated (but you should check they actually do this). If you run your own server then you must be very careful to secure it.

Keeping software current

Security problems are often discovered in Web servers. Sometimes these problems are relatively minor, only allowing an attacker to disable your server until you can fix the problem (a 'denial of service attack'). Frequently, though, security holes will allow hackers significant or full access to the machine and its files.

Server manufacturers issue patches (updates) to their software when a problem is found. You must ensure that your server, and other key software such as the operating system, is kept current. This also applies to any other critical machines. For example, if you get a virus on your home machine, which you use to log into the server, then your password might be stolen; so it is important that you keep your email software updated.

Do not fall into the trap of thinking that a particular server is 'secure' because it says so or because it is developed by a large company. For example, Microsoft's Internet Information Server is frequently hacked.

Using minimal software

Configure software (especially servers) so that all unnecessary features are disabled. Some software ships with many unnecessary features active, which means that if a hole is found in any of those features, your system could be vulnerable even if you do not use the features.

Using firewalls

'Firewall' software prevents access to your server except via specific 'ports'. Though firewall software can be helpful in reducing security risks, it is not an overall solution because you are still vulnerable to attacks that might occur via your Web server or other ports that you really have to allow.

Information security

Some of the information on your Web site may need to be stored securely. You should pay particular attention to the way this information is stored. The first step is to decide exactly which information needs special attention.

General personal information

If you store personal information about other people, then (apart from your legal responsibilities, for example under the Data Protection Act in the UK) you should consider the importance of that information.

For example, a person's name is generally not particularly critical information - but if, for example, you provide a confidential resource such as information about homosexuality, it could be catastrophic if the information is revealed.

Credit card details

Credit card details always need to be treated with the utmost care. There are many examples of sites which have lost large numbers of credit cards; the cards are then used for fraud. In a famous example, the site 'CD Universe' had hundreds of thousands of credit card details stolen; these details were posted to the Internet.

Secure site information

Some sites may include information on their own behalf, not for users, but which is nevertheless security-critical. For example, a company Web site might contain financial information about the company which should not be visible outside the company.

Handling secure information

Once you have decided which information needs to be handled securely, you need to consider how that information might be at risk, and take steps to reduce that risk.

We will take the example of credit card numbers from an online store.

Maintaining system security

Your first step should be to keep system security as high as possible. Ensure that all software is current and that the software is reliable. (For example, if you use a shopping cart program, make sure there are no known holes in that program and make sure it has been examined by security experts.)

Securing information in transit

Whenever the credit card numbers are transmitted, this must be done securely. For example, the site should have an encrypted connection when the user initially types in the number. However, many sites then send the order details by unencrypted email! Clearly this introduces the risk of interception.

Reducing consequences of failure

No site is perfectly secure. For example, even if you keep your software current, there will always be a period between when a security hole is discovered, and when you install a patch from the manufacturer that fixes that hole.

In order to handle this risk, you must make sure that the consequences of a break-in to your Web site are not serious. For example, you should not store customer credit card details on an Internet-connected machine for any longer than absolutely necessary. You should make certain that the information is deleted, or transferred to a safe, off-Net computer, as soon as possible after the order has been received.

If your system is broken into, you will then only lose a few credit card numbers instead of hundreds or thousands.

Detecting failure

You should have some way of finding out when your site is compromised (for example, by regularly checking logs, though be aware that an intelligent attacker may be able to remove their traces from logs). If you suspect your site might have been compromised, you should immediately set about cleaning the site, selecting new passwords and keys, and so on.


Web sites use encryption to keep information secure in transit. Modern encryption works using a 'public key' scheme. If done properly, this encryption is not reasonably broken, but you need to pay careful attention to the points when unencrypted information is available.

What public key encryption achieves

Public key encryption allows you to transfer a message securely between two people who might not have previously communicated. Even if all communications between the two people are intercepted, they cannot easily be decrypted.

Conceptual overview

Imagine that you have a briefcase containing secret documents. You can send that briefcase to the recipient, but it might be intercepted. In order to protect against this, you obtain a special unbreakable padlock, which you use to secure the briefcase.

You lock the briefcase and send it to your recipient. Now, even if the briefcase is intercepted, you are safe because it cannot be opened. Unfortunately, when your recipient receives it, they cannot open it because they don't have the key to the padlock.

You could send the recipient the key as well as the briefcase... but if both are intercepted, the attacker can easily open it and obtain the documents.

Instead, your recipient also purchases an unbreakable padlock. When they receive the locked briefcase, they lock it with their padlock, so that it is now locked twice. They then send it back to you.

You receive the briefcase, unlock and remove your padlock, and send it back. It is still locked with the recipient's padlock.

Finally the recipient receives it, unlocks their padlock, and can open the case.

Note that the briefcase was always locked (from when it was sent until when the message was finally received), and you did not have to transfer the keys.

Public key encryption

Public key encryption achieves the same type of security as described, although not in exactly the same manner. The message is not actually sent back and forth three times.

Instead, both parties (the sender and recipient) have a pair of mathematical codes known as keys; a private key which must be kept secret and cannot be transferred, and a public key which can be made public.

When a message is encrypted using a combination of the sender's private key and the recipient's public key, it can only be decrypted using the recipient's private key and the sender's public key. (Some complicated maths which I'm not going to explain makes this happen, so just trust me.)

So, if the recipient sends their public key to the sender, the sender can then encrypt the message using their private key, and send it - along with the sender's public key - to the recipient. The message is secure because it cannot be decrypted without the recipient's private key which was not transferred.

Key sizes

The size of a key is measured as a number of bits. If a key is small, it may be possible to break the encryption without having access to the private key.

Some encryption on the Web uses only 40 bits. This is not secure and is easily broken. However, the more common 128-bit keys should be secure for most purposes at present (in other words, the amount of computer time it would currently take to break a 128-bit key is not worth gaining a few credit card numbers).

Encryption security issues

Fundamentally, a public-key encrypted message is not secure if the private key that is needed to decrypt the message is not secure.

For example, Web servers which provide secure connections work by storing the private key on the server (so that the server can decrypt messages). This means that the message is secure in transit, but is not secure if anybody hacks into the server.

Similarly, there is not too much point encrypting data if you are going to store the private key on the same system.

You could securely store data on a server by encrypting it so that it can only be read using a private key that is not present on the server (but is available on another system that isn't connected to the Internet). Periodically, you could transfer information from the server to your isolated machine, and then access that data using the private key stored on that machine.

Scare stories

There are many scare stories relating to security breaches on the Web. Here are a few embarrassing examples.

Credit card breaches

This story summarises a few credit card breaches that involved blackmail attempts.

"Another case that drew much attention involved the theft of some 300,000 card numbers from in December 1999. In that episode, a teenage Russian hacker released thousands of the numbers online when the music e-tailer refused to meet his $100,000 extortion demand."

This story describes how 2,700 customer credit card numbers were exposed by the Consumers' Association, a UK organisation which promotes its own Web security mark.

This email was sent to customers of, a major online site. It makes entertaining reading.

Web site defacement

This defacement archive lists defaced Web sites (you can also view the defacements). Although Web site defacement is not normally serious, you probably would not want your company's Web site to be replaced by one of these defaced pages. Look at the sheer number of sites that are defaced each day.


Viruses spread mostly due to poor security practices (such as people opening email attachments). However, if you are running out-of-date email software you could be infected by an incoming virus even without opening an attachment.

The anti-virus software provider MessageLabs tracks current viruses, and you can see a 'top 10' of current viruses. They also provide descriptions. At the time of writing, the current number one virus is W32/BadTrans.B-mm, which installs itself without any user intervention (if you have an unpatched email client), sends itself to everyone you know, and also installs a trojan that monitors passwords you type and emails them to the virus creator.


Security is a very serious issue on the Web. If your site contains any sensitive data, you need to take steps to reduce security risks.


Make sure that you use passwords securely.

Software updates

Always keep your software current, immediately applying any security patches that the manufacturer provides. This is particularly important for server software, but might also be an issue for certain software on your own computer such as your email program and browser.

Sensitive information

Treat sensitive information like credit card numbers carefully. Do not store sensitive information on the server for any longer than necessary; if you must store this information for any length of time, transfer it to a machine which is not connected to the Internet. Do not transfer sensitive information without encryption.


Public key encryption can protect your data in transit, but encryption is not a guarantee of security.