HTTP stands for Hypertext Transfer Protocol, and it is a protocol – or a prescribed order and syntax for presenting information – used for transferring data over a network. Most information that is sent over the Internet, including website content and API calls, uses the HTTP protocol. There are two main kinds of HTTP messages: requests and responses.
HTTP requests are generated by a user's browser as the user interacts
with web properties. These HTTP requests all go to either an origin server or a
proxy caching server, and that server will generate an HTTP response. HTTP
responses are answers to HTTP requests.
Because HTTP carries traffic over the public Internet, application
developers, information providers, and users should be aware of the security
limitations of HTTP/1.1, which the specification itself documents in its
security considerations (RFC 2616, section 15).
Suggestions for reducing security risks are:
Personal information
Users, and the software acting on their behalf, must take care not to leak
personal information through HTTP to parties other than the intended server
(for example via the Referer header, or via data placed in a URL).
HTTP cannot regulate the content of the data that is transferred, and it has
no a priori way of determining how sensitive any particular part of the
information in a request is; that judgement belongs to the application.
Confidential information should be stored on the server in encrypted form.
Authors of services that use HTTP should not use GET-based forms to submit
sensitive data, because the form fields are encoded into the Request-URI
(the query component of the URL). URLs are written to server access logs,
kept in browser history and bookmarks, and sent to third-party sites in the
Referer header, so a password submitted this way can be exposed long after
the request was made. Use POST, which carries the fields in the message body.
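To make the leak concrete, here is an added example (not code from the original page) that renders the request a browser would send for the same login form once as GET and once as POST, then shows what a server's access log and the next page's Referer header would contain. The form fields, host name `login.example` and log timestamp are constructed for the example.

```python
from urllib.parse import urlencode

# Constructed sample form submission (not from the page).
FORM_FIELDS = {"user": "alice", "password": "hunter2"}
HOST = "login.example"  # hypothetical host name


def build_request(method: str, path: str, fields: dict) -> str:
    """Render the HTTP/1.1 request a browser sends when a form is submitted."""
    body = urlencode(fields)
    if method == "GET":
        # GET forms append the fields to the Request-URI as the query component.
        return f"GET {path}?{body} HTTP/1.1\r\nHost: {HOST}\r\n\r\n"
    # POST forms carry the fields in the message body instead.
    return (
        f"POST {path} HTTP/1.1\r\nHost: {HOST}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


def request_target(request: str) -> str:
    """Return the Request-URI from the request line (method SP Request-URI SP version)."""
    return request.split("\r\n", 1)[0].split(" ")[1]


def access_log_line(request: str, client_ip: str = "203.0.113.7") -> str:
    """Common Log Format entry as a web server would write it.

    Servers log the request line, so whatever sits in the Request-URI is
    logged; the message body is not.
    """
    request_line = request.split("\r\n", 1)[0]
    return f'{client_ip} - - [10/Oct/2000:13:55:36 -0700] "{request_line}" 200 1234'


def referer_for_next_request(request: str) -> str:
    """Referer value a browser sends when the user follows a link off the page."""
    return f"http://{HOST}{request_target(request)}"


def leaks_via_access_log(method: str) -> bool:
    """True if the submitted password ends up in the server's access log."""
    req = build_request(method, "/login", FORM_FIELDS)
    return FORM_FIELDS["password"] in access_log_line(req)


def leaks_via_referer(method: str) -> bool:
    """True if the submitted password would be sent to the next site in Referer."""
    req = build_request(method, "/login", FORM_FIELDS)
    return FORM_FIELDS["password"] in referer_for_next_request(req)


if __name__ == "__main__":
    for method in ("GET", "POST"):
        print(method, "log leak:", leaks_via_access_log(method),
              "referer leak:", leaks_via_referer(method))
```

POST only moves the data out of the URL; it does not protect it on the wire. Sensitive form submissions still need TLS, and the response page should not itself embed the submitted values in links.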
Attacks Based on File and Path Names
The documents returned by an HTTP server should be restricted to those the
server administrators intended to publish.
An HTTP server MUST disallow any construct in the Request-URI, such as ".."
path segments (including percent-encoded forms like "%2e%2e"), that would
otherwise give access to a resource outside the set intended to be accessible
via the HTTP server.
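The following is an added example (not from the original page) of the check an HTTP server can apply before opening a file: decode the path exactly once, normalise it against the document root, and refuse anything that resolves outside that root. The document root `/var/www/html` and all request URIs are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

DOC_ROOT = "/var/www/html"  # hypothetical document root


def resolve_request_path(request_uri: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Map a Request-URI to a file under doc_root, or return None if it escapes.

    Decoding happens exactly once: "%2e%2e" becomes "..", but a double-encoded
    "%252e" becomes the literal text "%2e", which the filesystem will simply
    fail to find instead of treating as a parent-directory reference.
    """
    # Only the path component names a file; the query and fragment do not.
    path = urlsplit(request_uri).path
    decoded = unquote(path)
    # A NUL byte would truncate the name in C-based file APIs; reject outright.
    if "\x00" in decoded:
        return None
    # Join relative to the root and collapse ".", ".." and duplicate slashes.
    candidate = posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))
    # The normalised path must be the root itself or lie strictly beneath it.
    if candidate != doc_root and not candidate.startswith(doc_root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request targets, benign and hostile.
    for uri in ("/index.html", "/images/../index.html", "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/static/..%2f..%2f..%2fetc/passwd",
                "/..%252fetc/passwd", "/a%00.html"):
        print(f"{uri:45} -> {resolve_request_path(uri)}")
```

Two caveats for a real server: `posixpath.normpath` does not follow symbolic links, so a link under the document root that points outside it still needs `os.path.realpath` on the result before the prefix check; and on Windows a backslash is also a path separator, so it must be treated like "/" before normalising.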
DNS Spoofing
Clients using HTTP depend heavily on the Domain Name Service, and are
thus generally prone to security attacks based on the deliberate
mis-association of IP addresses and DNS names.
Clients need to be cautious in assuming the continuing validity of an IP
address/DNS name association.
If HTTP clients cache the results of hostname lookups to improve performance,
they must observe the TTL (time to live) reported by the DNS. Clients that
ignore the TTL can be spoofed when the IP address of a previously accessed
server changes: they keep connecting to the old address, which may by then
belong to someone else.
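The rule above, as an added example that is not part of the original page: a client-side host cache that honours the DNS TTL, run side by side with a naive cache that never expires, against a constructed zone whose address changes mid-way. The resolver, zone data, host name `www.example` and the clock are all simulated for the example.

```python
import time
from typing import Callable, Dict, List, Tuple


class HostCache:
    """Caches name -> address results but never serves an entry past its TTL."""

    def __init__(self, resolver: Callable[[str], Tuple[str, int]],
                 clock: Callable[[], float] = time.monotonic):
        self._resolver = resolver  # returns (address, ttl_seconds) from DNS
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # name -> (address, expires_at)
        self.resolutions = 0  # how many times DNS was actually consulted

    def lookup(self, name: str) -> str:
        now = self._clock()
        cached = self._entries.get(name)
        if cached is not None and now < cached[1]:
            return cached[0]
        # Absent or expired: go back to DNS and honour the TTL it reports now.
        address, ttl = self._resolver(name)
        self.resolutions += 1
        self._entries[name] = (address, now + ttl)
        return address


def simulate() -> List[Tuple[int, str, str]]:
    """Return (time, ttl_aware_answer, naive_answer) for three lookups.

    Constructed scenario: www.example is 192.0.2.10 with a 60 s TTL; at t=30
    the zone is changed to 192.0.2.20. At t=61 the TTL-aware cache re-resolves
    and follows the move; the naive cache keeps handing out the old address.
    """
    zone = {"www.example": ("192.0.2.10", 60)}
    clock = [0.0]

    def resolver(name: str) -> Tuple[str, int]:
        return zone[name]

    cache = HostCache(resolver, clock=lambda: clock[0])
    naive: Dict[str, str] = {}

    def naive_lookup(name: str) -> str:
        if name not in naive:
            naive[name] = resolver(name)[0]
        return naive[name]

    seen = []
    for t, new_address in ((0, None), (30, "192.0.2.20"), (61, None)):
        clock[0] = float(t)
        if new_address:
            zone["www.example"] = (new_address, 60)
        seen.append((t, cache.lookup("www.example"), naive_lookup("www.example")))
    return seen


if __name__ == "__main__":
    for t, ttl_aware, naive in simulate():
        print(f"t={t:3d}s  ttl-aware={ttl_aware}  naive={naive}")
```

Serving the old address at t=30 is correct behaviour: the DNS said the record was good for 60 seconds. The failure mode is the naive cache at t=61, still sending requests to an address the site has given up.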
Authentication
Credentials and Idle Clients
Existing HTTP clients and user agents typically retain authentication
information indefinitely. HTTP/1.1 provides no method for a server to direct
clients to discard these cached credentials, which is a significant security
risk: anyone who uses an unattended, still-authenticated client inherits the
user's access.
Password-protected screen savers, idle time-outs, and similar measures are
recommended to mitigate this problem. Because the protocol cannot expire the
credentials held by the client, servers should also expire sessions on their
own side after a period of inactivity.
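Server-side idle and absolute time-outs, as an added example that is not code from the original page: a session store that stops honouring a session after a period of inactivity or after a maximum lifetime, whether or not the client keeps presenting the credential. The 15-minute idle limit, 8-hour lifetime, user names and simulated clock are assumptions made for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # hypothetical policy: expire after 15 min of inactivity
ABSOLUTE_LIFETIME = 8 * 3600  # hypothetical policy: never honour a session past 8 h


class SessionStore:
    """Server-side sessions with sliding idle time-out and an absolute cap."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def authenticate(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None.

        An expired session is deleted here: the client cannot be told to forget
        the credential, so the server refuses it instead.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT
                or now - session["created"] > ABSOLUTE_LIFETIME):
            del self._sessions[sid]
            return None
        session["last_seen"] = now  # activity extends the idle window only
        return session["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def simulate() -> dict:
    """Constructed timeline exercising both limits with a simulated clock."""
    clock = [0.0]
    store = SessionStore(clock=lambda: clock[0])

    # Idle limit: alice is active at 600 s and 1400 s, then silent for 901 s.
    alice = store.create("alice")
    idle_events = []
    for t in (600, 1400, 2301, 2302):
        clock[0] = float(t)
        idle_events.append((t, store.authenticate(alice)))

    # Absolute limit: bob sends a request every 10 min and is still cut off at 8 h.
    clock[0] = 0.0
    bob = store.create("bob")
    kept_alive = []
    for t in range(600, 28801, 600):
        clock[0] = float(t)
        kept_alive.append(store.authenticate(bob))
    clock[0] = 29400.0
    after_lifetime = store.authenticate(bob)

    return {"idle": idle_events,
            "absolute_kept_alive": all(u == "bob" for u in kept_alive),
            "absolute_expired": after_lifetime is None}


if __name__ == "__main__":
    print(simulate())
```

The session identifier is the only thing the client holds, so its entropy matters as much as the time-outs; an explicit `logout` gives the user a way to discard it immediately rather than waiting for the idle window.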
Proxies and Caching
Proxies have access to security-related information, personal information
about individual users and organizations, and proprietary information belonging
to users and content providers. Proxy systems should be protected, as they
contain or transport sensitive information.
Caching proxies add further potential vulnerabilities, since the contents of the cache are an attractive target for malicious exploitation. Cache contents should therefore be protected as sensitive information, and origin servers should mark responses that must not be stored in a shared cache.
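What keeps sensitive responses out of a shared cache is the origin server's headers. The following added example (not from the original page) implements the HTTP/1.1 storage rules a shared caching proxy applies: `Cache-Control: no-store` and `private` forbid storage, and a response to a request carrying `Authorization` is not stored unless the response explicitly allows it with `s-maxage`, `must-revalidate` or `public` (RFC 2616, sections 14.8 and 14.9). The sample request and response headers are constructed for the example.

```python
from typing import Dict, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP field names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cache_control(headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Parse Cache-Control into {directive: value-or-None}, directives lowercased."""
    directives: Dict[str, Optional[str]] = {}
    for part in (_header(headers, "Cache-Control") or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def shared_cache_may_store(request_headers: Dict[str, str],
                           response_headers: Dict[str, str]) -> bool:
    """Decide whether a shared (proxy) cache is allowed to store this response."""
    cc = cache_control(response_headers)
    if "no-store" in cc:  # must not be written to any cache storage
        return False
    if "private" in cc:   # intended for a single user; shared caches must not keep it
        return False
    if _header(request_headers, "Authorization") is not None:
        # Authenticated request: store only if the response opts in explicitly.
        return any(d in cc for d in ("s-maxage", "must-revalidate", "public"))
    return True


# Constructed sample exchanges (not captured traffic).
ANON_REQUEST = {"Host": "www.example", "User-Agent": "demo"}
AUTH_REQUEST = {"Host": "www.example", "Authorization": "Basic YWxpY2U6aHVudGVyMg=="}
PUBLIC_PAGE = {"Content-Type": "text/html", "Cache-Control": "max-age=3600"}
STATEMENT_PAGE = {"Content-Type": "text/html",
                  "Cache-Control": "private, no-store, max-age=0"}
PER_USER_PAGE = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
SHARED_STATIC = {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"}
NO_HEADERS: Dict[str, str] = {"Content-Type": "text/html"}


if __name__ == "__main__":
    cases = [("anon/public", ANON_REQUEST, PUBLIC_PAGE),
             ("anon/statement", ANON_REQUEST, STATEMENT_PAGE),
             ("auth/no headers", AUTH_REQUEST, NO_HEADERS),
             ("auth/public static", AUTH_REQUEST, SHARED_STATIC),
             ("auth/private", AUTH_REQUEST, PER_USER_PAGE)]
    for label, req, resp in cases:
        print(f"{label:20} storable by shared cache: {shared_cache_may_store(req, resp)}")
```

The `Authorization` rule is the one most often forgotten: a response that carries no `Cache-Control` at all is storable for anonymous requests, and an application that authenticates with cookies rather than the `Authorization` header gets no protection from this rule and must send `private` or `no-store` itself.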