There are security risks that affect web servers, local area networks that host web sites, and even innocent users of web browsers. There are basically three overlapping types of risk:
Bugs or misconfigurations in the web server that allow unauthorized remote users to:
- Steal confidential documents not intended for their eyes
- Execute commands on the server host machine, allowing them to modify the system
- Gain information about the Web server's host machine that will allow them to break into the system
- Launch denial-of-service attacks, rendering the machine temporarily unusable.
Browser-side risks, including:
- Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates an annoyance.
- The misuse of personal information knowingly or unknowingly provided by the end-user.
Interception of network data sent from browser to server or vice-versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server, including:
- The network on the browser's side of the connection.
- The network on the server's side of the connection (including intranets).
- The end-user's Internet service provider (ISP).
- The server's ISP.
- Either ISPs' regional access provider.
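To make the third category concrete, here is an added example (not part of the original FAQ) of what a passive eavesdropper at any of the points listed above obtains from a single cleartext HTTP request. The captured request, the hostname www.example.com and the function names are constructed for this illustration; the parser decodes the Basic authentication header, the cookies and the form body exactly as an on-path observer could.

```python
"""Passive eavesdropper's view of a cleartext HTTP request (added example).

Given the raw bytes of an HTTP/1.x request as they travel over the wire
without TLS, extract the secrets that anyone on the path between browser
and server (local LAN, either ISP, a regional provider) can read.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample: a login POST over plain HTTP. The Authorization
# header is base64("alice:hunter2"); base64 is encoding, not encryption.
CAPTURED_REQUEST = (
    b"POST /account/login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Cookie: session=abc123; prefs=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes from the next request are ignored.
    length = int(headers.get("content-length", len(body)))
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "body": body[:length],
    }


def harvest_secrets(raw: bytes) -> dict:
    """Return everything a network eavesdropper learns from one cleartext request."""
    req = parse_http_request(raw)
    h = req["headers"]
    found = {"url": "http://" + h.get("host", "") + req["target"]}

    # HTTP Basic auth: credentials are only base64-encoded, so they decode directly.
    auth = h.get("authorization", "")
    if auth.lower().startswith("basic "):
        creds = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        user, _, password = creds.partition(":")
        found["basic_auth"] = (user, password)

    # Session cookies travel in the clear and can be replayed to hijack the session.
    if "cookie" in h:
        found["cookies"] = dict(
            c.strip().split("=", 1) for c in h["cookie"].split(";") if "=" in c
        )

    # Form bodies (typical login forms) are just URL-encoded text.
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req["body"].decode("utf-8", "replace"))
        found["form"] = {k: v[0] for k, v in form.items()}

    return found


if __name__ == "__main__":
    for key, value in harvest_secrets(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

Run as-is it prints the URL, the decoded username and password, the session cookie and the form fields from the constructed capture. The same request sent over TLS would show an observer at those points only the destination address, the server name from the TLS handshake and the sizes and timing of the records; the headers and body would be opaque, which is the protection the next paragraph describes and also its limit.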
It's important to realize that "secure" browsers and servers are designed only to protect confidential information against network eavesdropping while it is in transit. They do nothing for the data once it reaches either end: without system security on both the browser and the server side, confidential documents remain vulnerable to theft at the endpoints, no matter how strong the encryption on the wire.
Protecting against network eavesdropping and system security are the subjects of sections 1 to 5 of this document. Client-side security is covered in sections 6 and 7. Section 8 deals with security alerts for specific Web servers.