[264] in WWW Security List Archive

Re: Secure W3 Server

daemon@ATHENA.MIT.EDU (Mr. Le)
Tue Dec 13 23:53:10 1994

Date: Tue, 13 Dec 1994 18:41:46 -0800 (PST)
From: "Mr. Le" <leb@cs.ucdavis.edu>
To: www-security@ns1.rutgers.edu
In-Reply-To: <9412132129.AA19185@oxygen.house.gov>
Reply-To: www-security@ns1.rutgers.edu


Let me express my perspective on the subject:
WWW server security is not just limited to protecting
the server from being 'torpedoed'.

I recently participated in the design of a private WWW wide area
network to experiment with the concept of on-line multimedia
shopping. In this context, WWW servers are used as interfaces to
large amounts of commercial-quality video clips, still pictures,
and digital sound that can be purchased on-line.
For this kind of application, preventing the data from being READ or
retrieved by unauthorized users is more important than protecting
the files and the server themselves (the multimedia content
providers have lots of backups).
Imagine you have the digital version of Madonna's next CD on-line,
and find out that it was stolen by hundreds of Web hackers. 

A WWW server running in a chroot'ed environment still needs to be
able to access the content files, therefore they need to be stored
under the restricted file system subtree.

The only good solution to this problem is strong authentication,
which is what SHTTP, Shen, and SSL are for, right?

====================================================

Bich C. Le  (also known as Tchiu)
Graduate Student in Computer Science
University of California at Davis
eMail: leb@cs.ucdavis.edu

====================================================
