Web Confidential 5 0 4

Alco Blom has released version 5 of his venerable Web Confidential password manager (which TidBITS has been covering for more than two decades; see 'Web Confidential: Securing Information of All Sorts,' 3 August 1998), which was rewritten from scratch to meet the 64-bit requirements in the upcoming macOS 10.15 Catalina. Additionally, the update adds support for Touch ID and the Touch Bar on MacBook Pro models, incorporates support for AppleScript, enables you to import passwords from tab-delimited text files, and adds support for large text sizes. Web Confidential 5 costs $25, and you can upgrade from previous versions for $20. ($25 new from the Web Confidential Web site or the Mac App Store, $20 upgrade, 6.2 MB, release notes, macOS 10.13+)

DISCLAIMER

Web Confidential 5.0 has some AppleScript support. It should be handy to import password files from other sources. Please check it out and let me know and perhaps send me your scripts. By the way, there is also the command Import from Text from the File menu to. Web 4.0 services will be autonomous, proactive, content-exploring, self-learning, collaborative, and content-generating agents based on fully matured semantic and reasoning technologies as well as AI. They will support adaptive content presentation that will use the Web database via an intelligent agent. Examples might be services interacting with sensors and implants, natural.

1. This will deny access to everybody but the indicated hosts (18.157.0.5 and stoat.outback.au), subnets (192.198.2) and domains (.zoo.org). Although you can use either numeric IP addresses or host names, it's safer to use the numeric form because this form of identification is less easily subverted ( Q1 ).
2. NOTE Kind of Confidential willl be back with final season! 89 - Fallen (Mid Season Finale) Jun 3, 2020 like 23,942 #98 Ep. 88 - Hide and seek May 27, 2020 like 19,875 #97.

Q1: What types of access restrictions are available?

1. Restriction by IP address, subnet, or domain:
   Individual documents or whole directories are protected in such a waythat only browsers connecting from certain IP (Internet) addresses, IPsubnets, or domains can access them.
2. Restriction by user name and password:
   Documents or directories are protected so that the remote user hasto provide a name and password in order to get access.
3. Encryption using public key cryptography:
   Both the request for the document and the document itself are encryptedin such a way that the text cannot be read by anyone but the intended recipient.Public key cryptography can also be used for reliable user verification.See below.

Q2: How safe is restriction by IP address or domainname?

IP address restriction can be made much safer by running your serverbehind a firewall machine that is capable of detecting and rejecting attemptsat spoofing IP addresses. Such detection works best for intercepting packetsfrom the outside world that claim to be from trusted machines on your internalnetwork.

One thing to be aware of is that if a browser is set to use a proxyserver to fetch documents, then your server will only know about the IPaddress of the proxy, not the real user's. This means that if the proxyis in a trusted domain, anyone can use that proxy to access your site.Unless you know that you can trust a particular proxy to do its own restriction,don't add the IP address of a proxy (or a domain containing a proxy server)to the list of authorized addresses.

Web Confidential 5 0 4 0

One thing to be aware of is that if a browser is set to use a proxyserver to fetch documents, then your server will only know about the IPaddress of the proxy, not the real user's. This means that if the proxyis in a trusted domain, anyone can use that proxy to access your site.Unless you know that you can trust a particular proxy to do its own restriction,don't add the IP address of a proxy (or a domain containing a proxy server)to the list of authorized addresses.

Web Confidential 5 0 4 0

Restriction by host or domain name has the same risks as restrictionby IP address, but also suffers from the risk of 'DNS spoofing', an attackin which your server is temporarily fooled into thinking that a trustedhost name belongs to an alien IP address. To lessen that risk, some serverscan be configured to do an extra DNS lookup for each client. After translatingthe IP address of the incoming request to a host name, the server usesthe DNS to translate from the host name back to the IP address. If thetwo addresses don't match, the access is forbidden. Seebelow for instructions on enabling this feature in NCSA's httpd

Q3: How safe is restriction by user name and password?

Another problem is that the password is vulnerable to interception asit is transmitted from browser to server. It is not encrypted in any meaningfulway, so a hacker with the right hardware and software can pull it off theInternet as it passes through. Barsoom 2 1 download free. Furthermore, unlike a login session, inwhich the password is passed over the Internet just once, a browser sendsthe password each and every time it fetches a protected document. Thismakes it easier for a hacker to intercept the transmitted data as it flowsacross the Internet. To avoid this, you have to encrypt the data. See below.

If you need to protect documents against _local_ users on the server'shost system, you'll need to run the server as something other than 'nobody'and to set the permissions of both the restricted documents and serverscripts so that they're not world readable. See Q9.

Q4: What is user authentication?

Q5: How do I restrict access to documents by the IPaddress or domain name of the remote browser?

One way to increase the security of restriction by domain name is tomake sure that your server double-checks the results of its DNS lookups. Youcan enable this feature in NCSA's httpd (and the related Apache server)by making sure that the-DMAXIMUM_DNS flag is set in the Makefile.

For the CERN server, you'll need to declare a protection scheme withthe Protection directive, and associate it with a local URL using the Protectdirective. An entry in httpd.conf that limits access to certain domainsmight look like this:

Q6: How do I add new users and passwords?

Check your server documentation for the precise details of how to addnew users. For NCSA httpd, you can add a new user to the password fileusing the htpasswd program that comes with the server software:htpasswd will then prompt you for the password to use. The first time youinvoke htpasswd you must provide a -c flag to create the password filefrom scratch.

The CERN server comes with a slightly different program called htadm:htadm will then prompt you for the new password.

After you add all the authorized users, you can attach password protectionto the directories of your choice. In NCSA httpd and its derivatives, addsomething like this to access.conf:You'll need to replace AuthUserFile with the full path to the passwordfile. This type of protection can be combined with IP address restrictionas described in the previous section. See NCSA's online documentation (http://hoohoo.ncsa.uiuc.edu/)or the author's book (How toSet Up and Maintain a Web Site) for more details.

For the CERN server, the corresponding entry in httpd.conf looks likethis:Again, see the documentation or the author's book for details.

Q7: Is there a CGI script to allow users to change theirpasswords online?

http://stein.cshl.org/~lstein/user_manage/

http://web.fccj.org/~wcjones/WebPass.html

Q8: Using per-directory access control files to controlaccess to directories is so convenient, why should I use access.conf?

Another problem with the the per-directory access files is that if youever need to change the server software, it's a lot easier to update asingle central access control file than to search and fix a hundred smallfiles.

Q9: How does encryption work?

Most practical implementations of secure Internet encryption actuallycombine the traditional symmetric and the new asymmetric schemes. Publickey encryption is used to negotiate a secret symmetric key that is thenused to encrypt the actual data.

Since commercial ventures have a critical need for secure transmissionon the Web, there is very active interest in developing schemes for encryptingthe data that passes between browser and server.

More information on public key cryptography can be found in the book'Applied Cryptography', by Bruce Schneier.

Q10: What are: SSL, SHTTP, Shen?

SSL (Secure Socket Layer) is the scheme proposed by NetscapeCommunications Corporation. It is a low level encryption scheme used toencrypt transactions in higher-level protocols such as HTTP, NNTP and FTP.The SSL protocol includes provisions for server authentication (verifyingthe server's identity to the client), encryption of data in transit, andoptional client authentication (verifying the client's identity to theserver). SSL is currently implemented commercially on several differentbrowsers, including Netscape Navigator, Secure Mosaic, and Microsoft InternetExplorer, and many different servers, including ones from Netscape, Microsoft,IBM, Quarterdeck, OpenMarket and O'Reilly and Associates. Rocket typist 1 1 2b – expand typed abbreviations words. Details on SSLcan be found at:

SHTTP (Secure HTTP) is the scheme proposed by CommerceNet, acoalition of businesses interested in developing the Internet for commercialuses. It is a higher level protocol that only works with the HTTP protocol,but is potentially more extensible than SSL. Currently SHTTP is implementedfor the Open Marketplace Server marketed by Open Market, Inc on the serverside, and Secure HTTP Mosaic by Enterprise Integration Technologies onthe client side. See here for details:

Shen is scheme proposed by Phillip Hallam-Baker of CERN. Like SHTTPit is a high level replacement for the existing HTTP protocol. Althoughit has existed as a proposal for nearly two years, no browser or servervendor has implemented it. Further, the URL that described it is no longeravailable, so for all intents and purposes it can be considered moribund.

Q11: Are there any 'freeware' secure servers?

There are several components to this software. You will need to obtainand install them all in order to have a working SSL-based Web server:

The SSLeay FAQ

http://www.psy.uq.oz.au/~ftp/Crypto/.You'll need to read this carefully.

SSLeay

This is the SSL library itself. It can be obtained via FTP at ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/

Patches to various internet applications

These are source code patches to telnet, ftp, Mosaic, and the like to takeadvantage of SSL. They can be found via FTP at ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/.

Patches for the Apache server

Currently there are patches for the Apache 0.8.14h and 1.0.1a servers.The patches may work with other versions as well, but are not guaranteed.ftp://ftp.ox.ac.uk/pub/crypto/SSL/

The Apache server source code

http://www.apache.org

After installing an SSL-enabled server you will need to obtain aservercertificate from a certifying authority. Server certificates are availablefrom a number of different companies, each with a slightly different applicationprocedure and fee schedule. In the United States, the VeriSignCorporation was the first and still most widely used certifying authority.Because of a recent fee increase ($495 for a commercial server certificate),however, VeriSign is currently one of the more expensive agencies. A goodalternative to VeriSign is Thawte Consulting;its fees are significantly lower and its application procedure for non-Americanorganization is far less of a hassle. Other certifying authorities include:

Entrust

http://www.entrust.com/

GTE CyberTrust

http://www.cybertrust.gte.com/

EuroSign

http://eurosign.com

COST

http://www.cost.se

BiNARY SuRGEONS

http://www.surgeons.co.za/certificate.html

Keywitness

http://www.keywitness.ca

SoftForum

http://www.softforum.co.kr/

CompuSource

http://www.compusource.co.za/

The process of obtaining a server certificate is slightly differentfrom CA to CA, but follows the same basic outline. After choosing a certifyingauthority, connect to its Web site and find the server certificate applicationsection. From here locate the appropriate application form for your serversoftware, and fill it out. You'll be asked to provide your Web site's domainname, company name, and contact information. You'll also be asked to providedocumentation, such as a Dun and Bradstreet number, articles of incorporation,or a notarized letter from the bursar of your college to prove the identityof your organization. You'll also be asked to provide payment information,such as a credit card number.

The application form is only half of the process. You'll also need togenerate an electronic certificate request. After submitting the applicationform to the CA, you'll use a program provided with your server softwareto generate a public/private key pair. In the Apache-SSL distributions,the program is calledgenkey.

After generating the key pair, the key generation software will createa file containing the key request. In some cases it will automaticallymail the file to the CA. In other cases, it will ask you to manually mailthe file to the CA. In either case there will now be a wait of days toweeks while the CA confirms the validity of your request. Eventually youwill receive a signed certificate by return e-mail. You then complete theprocess by installing the signed certificate on your server. The detailsagain vary from server to server. For Apache-SSL you'll use a program calledgetca.

At this point users will be able to retrieve documents from your serverand to submit forms without fear of interception. Your server's certificateprovides remote users with proof of your server's identity.

Q12: Can I use Personal Certificates to Control ServerAccess?

Users can obtain inexpensive personal certificates from VeriSign.VeriSign offers two classes of certificate. Class 1 certificates cost amere $9.95 yearly, but provide no assurance that the user is who he orshe claims to be because VeriSign performs no validation of the informationsubmitted by the user on the application form. At most, class 1 certificatescertify that the user can receive e-mail at the address provided in theapplication. Class 2 certificates, available for $19.95 yearly, providea greater level of assurance. In order to obtain such a certificate, theuser must provide personal identifying information that is validated bya credit bureau.

If you are running an intranet, you may wish to issue personal certificatesyourself, in order to provide fine-grained access control to employeesof your organization. To do this, you will need to obtain and install acertificate server. Such systems are available from Microsoft,Netscape,XCert,Entrustand GTE.

To use personal certificates for access control, your server will needto be specially configured. The mechanics of setting this up are beyondthe scope of this document, but detailed directions can be found in theauthor's book, Web Security: A Step-by-Step Reference Guide.

Q13: How do I accept credit card orders over the Web?

Even with an encrypting server, you should be careful about what happensto the credit card number after it's received by the server. Forexample, if the number is received by a server script, make sure not towrite it out to a world-readable log file or send it via e-mail to a remotesite.

Q14: What are: CyberCash, SET, OpenMarket?

CyberCash

When a user goes to purchase an item from a CyberCash enrolled merchant,the user fills out a traditional payment form to be submitted via SSL,or, if the merchant also supports InstaBuy, clicks on the InstaBuy iconto to set up or use a Wallet. CyberCash merchants may choose whetheror not to implement InstaBuy, which is a new service owned by CyberCash.Payment information is then sent to the merchant's web server which packagesthe transaction for forwarding to the CyberCash Gateway servers, whichare linked to financial institutions. CyberCash, in contrast to the associationscreated by its name, is really a back-end payment system, transparent tothe user, which merchants use for payment processing.

An advantage of CyberCash is its use of triple-DES encryption when transmittingpayment information. Also, because payments are processed entirelyby CyberCash, there is really no need for merchants to record credit cardor checking account information in a database or other static memory location. This lessens the merchant's risk that financial information can be stolenby individuals who have broken into the merchant's computer system. The onus is on CyberCash to handle all security concerns.

For merchants to accept CyberCash payments they must first establisha credit card merchant account with an acquiring financial institution.More than 95 percent of the acquiring financial institutions in the UnitedStates are CyberCash-enabled. Fees to open merchant accounts vary, as theyare set by the regional banks themselves. A typical scenario wouldinclude: a one-time fee of approximately $100 to create the account, amonthly fee of approximately $15 to keep the account open, and a transactionfee of 2-3% of the purchase price of each transaction. In additionto fees charged by the acquiring financial institution, CyberCash saysthat merchants should expect to pay (to CyberCash) a one-time service setupfee ($500 to $1,000), and monthly service fees typically comprised of aservice access fee (usually $40 - $80) and transaction charges based onvolume (usually $0.20 to $0.60 per transaction).

After setting up a merchant bank account, the merchant must installsoftware called the 'Merchant Connection Kit' (MCK) on their Web server.This software is launched when the user presses the 'pay' button in a shoppingcart script (or equivalent), and forwards the transaction to the 'CashRegister'service running on the CyberCash servers. The MCK is downloadable freeof charge and available for many platforms, including Windows NT and Unix.It requires only 100k of hard disk space, and consists of encryption andcommunication libraries, HTML templates, and CGI scripts for handling paymentsat your online store.

The MCK's job is to transmit all payment information to the CyberCashGateway servers, which are responsible for executing the transaction. These are payment servers which communicate with financial institutionsin such a way that, to the financial institution, the transactions looklike standard point of sale events, not internet transactions.

CyberCash also offers an 'Administrative Interface', which is a website that enables you to perform administrative tasks such as queryingfor transactions, getting daily transaction totals, or refunding moneyfor returned items.

The main advantage of CyberCash is that it provides the merchant witha fully functional, externally managed payment processing system. The merchantneed only set up a merchant account and configure the MCK to get started.Disadvantages include the risk of centralizing so much financial informationon one server system (CyberCash), and the accompanying dependence on theCyberCash servers' performance and throughput characteristics. In addition,the fees charged to merchants for processing credit card transactions makeCyberCash impractical for small purchases, such as 'pay per play' on-linevideo games.

Commander 3 1 – advanced two pane file manager word. More information on CyberCash is available at: http://www.cybercash.com

SET

Web Confidential 5 0 46

To address the high potential for fraud on the Internet, the SET standarduses a complex system of certifying authorities to vouch for the identifyof every party in the transaction: customer, merchant, card-issuer andmerchant's bank are all identified by signed, unforgeable certificates.To address privacy concerns, the transaction is separated in such a waythat the merchant has access to information about what is being purchased,how much it costs, and whether the payment is approved, but no informationon what payment method the customer is using. Similarly, the card-issuerhas access to the purchase price, but no information on the type of merchandiseinvolved. Despite these precautions, however, SET does not provide completeanonymity to the consumer.

SET requires specialized software on both the customer's and merchant'sside of the connection. Cardholders shopping on SET-compliant sites whowant to take advantage of secure SET processing must have a SET compliantwallet, available from SET merchants or financial institutions. Some merchantsmay also require that the cardholder have a SET Certificate. The main advantagesof SET to the consumer are security guaranteed by digital certificates,and the ability to utilize the same wallet, theoretically, on any SET-compliantsite.

Web Confidential 5 0 4 +

Merchant's who wish to become a SET online merchant site need to buildor purchase a SET-compliant merchant server product. The SET websiteprovides a Vendor StatusMatrix with information about purchasing and installing merchant serverapplications. Merchants then need to contact their financial institutionto obtain a digital certificate.

Microsoft offers Site Server Commerce Edition, a superset of the MicrosoftSite Server server product, which is itself a superset of Internet InformationServer. Site Server Commerce Edition supports real-time credit authorizationwith SET. It also includes all of Site Server's features for dynamicallypublishing content, searching content and the delivery of content in multipleformats. For more information on Site Server Commerce, go to http://www.microsoft.com/siteserver/commerce/default.htm.

For its part, the iPlanet.com collaboration of Netscape Corporationand Sun Microsystems, offers MerchantXPertwhich provides catalog management, order management, membership services,and payment services. While Netscape's earlier e-commerce merchant serverproduct, LivePayment, was moving in the direction of full SET compliance,the new offering from the Alliance is not SET-compliant and does not appearto be headed in that direction.

For more information on SET, see the SecureElectronic Transaction LLC website. They are responsible for the ongoingmanagement of the SET specification.

Open Market Web Commerce System