"Understanding Security on the World Wide Web (WWW),"
Donald Davis, SystemExperts Corporation, 1995, 8 pp.
This abstract is not for redistribution; any use of
it must include any and all reference (bibliography) information, and
all rights are owned by SystemExperts Corporation.
Abstract
Participating in the World Wide Web (WWW) presents security
problems for users and for servers alike. This report surveys these problems,
and describes the security solutions and tradeoffs that are available in
early 1995. The problems fall into two classes: weaknesses in the Web's
network protocol, which limited all early Web software; and host-security
exposures introduced by specific Web browsers and servers. The Web protocol's
insecurity has led several providers to create secure protocols, but no
dominant standard has emerged. The host-security exposures trace to implementation
bugs and configuration pitfalls, and their redress is much easier.
Each of the major Web software providers has proposed a competing security
extension for HTTP:
- SSL (Secure Socket Layer)
- S-HTTP (Secure HTTP)
- Kerberos plus HTTP
This report focuses mainly on SSL and S-HTTP, and details
these two protocols' advantages and disadvantages.
Table of Contents
- Introduction
- Secure Access to the World Wide Web
- Netscape's SSL
- How SSL Works
- SSL's Advantages
- SSL's Disadvantages
- SSL Summary
- CommerceNet's S-HTTP
- How S-HTTP Works
- S-HTTP's Advantages
- S-HTTP's Disadvantages
- S-HTTP Summary
- Host Security for Web Servers and Browsers
- Conclusion
- Bibliography