Some security designs place the burden of storing and processing data on the client computer. This can have performance benefits for both the client and server, but it can also raise security risks. In this video, learn about the impact that applets and local caches have on client security.
- [Instructor] Some security designs place the burden of storing and processing data on the client computer. This can have performance benefits for both the client and the server, but it can also raise security risks. In most cases, when you access a website in your browser, your browser requests a page and the web server either retrieves or creates the page that answers your request and then sends that page back to your browser. If you're asking for a calculation or other activity to be performed, the burden of performing that work is on the server.
Applets allow developers to shift that model and put the computational burden on the client. Instead of sending requests and responses back and forth, the web server send your computer a piece of code that runs within your browser and allows you to interact with it. Let's take a look at an example of an applet in the Java programming language. Here I am in the Firefox browser. Now, one thing to note right off the bat, I don't normally use Firefox, but I have to use it here because my normal browser Chrome doesn't support applets.
We'll talk more about that in a minute. But here I am in Firefox, I'm going to go ahead and run this Ensemble demo application as a Java applet. I'm just going to click down here where it says Try Ensemble running inside browser as an applet. When I do that, my browser first gives me a security warning. It tells me that download.oracle.com is trying to use the Java program. It asks me if I want to block this or allow it, so I'm going to go ahead and click Allow to override the security warning and it's just giving me one more warning that download.oracle.com is trying to run Java.
The number of security warnings that pop up should give you an indication of the degree of security concern that people have about Java applets. I'm going to go ahead and click Allow Now to allow the applet to run. Now, what's happening is my computer is loading the code for this program, you can see that progress bar there, and then it's going to execute this Ensemble application within my browser. Now, everything that you see here, these transitions and animations that are going on, all these different things are happening using my local processing power.
The web server sent this code to my computer and my computer is now executing it independent of the web server. Applets written in languages like Java and Microsoft's ActiveX come with some serious security issues, specifically, that they let a remote website run code on your computer. Java tries to solve this by executing code in an isolated sandbox environment, but the technologies are both still fairly dangerous. For this reason, most security professionals recommend against using applets.
In fact, you'll remember, I had to switch browsers and then disable quite a few security settings and dismiss some warnings just to show you that one applet demo. Another security issue that can occur with clients involves a technology known as local caching. A cache is a local store of information that a system uses to operate. For example, you may know that the Domain Name Service, or DNS, converts common domain names such as Lynda.com into the IP addresses that computers use to communicate over the internet.
DNS is like the telephone directory for the internet. Each time you need to look up a new domain name, your computer reaches out to a DNS server and asks the server if it knows the IP address for a particular domain. That may lead to a cascading series of questions from server to server until you receive the final answer. It's a fairly inefficient process. To make things a little speedier, your computer keeps a local cache of the DNS records that it has already received from the server.
After all, you wouldn't want it to keep looking up the IP address for Lynda.com every time you loaded a new page, would you? This would place an unreasonable burden on both the client and the DNS server. The local cache speeds things up tremendously by eliminating these redundant look-ups. Let's take a look at the local cache that Chrome is using on my computer. I'm going to go ahead and access one of the Chrome configuration pages by typing in chrome://net-internals, then I'm going to put /#dns to look specifically at DNS settings.
What Chrome now displays for me are some information about the DNS configuration. It's telling me the DNS server that I'm using, it's name, and some information about the configuration of that server, and then it tells me the cache information. This is the information that's stored on my local computer about DNS. It's telling me that I have a cache capacity of 1,000 entries. This means that my computer will keep track of the last thousand DNS requests that it makes to that DNS server. Then when I look at the current state of the cache, it tells me that there are currently 10 active entries and 10 expired entries, and then it lists them out.
These are all of the domain names that I have recently requested and then the IP addresses that the DNS server responded with. Each one of these cache entries has an expiration date and time, and as you can see, some of these have already expired. Some of them just expired right now while we were talking. When the cache entry expires, this causes my computer to go out and look up those entries again just to make sure that the address it had cached is still valid. Local caches can create security issues if a malicious attacker is able to create incorrect cache records.
In an attack known as cache poisoning, an attacker inserts fake records in the DNS cache on a local computer which then redirects unsuspecting users of that computer to illegitimate websites. DNS isn't the only local cache on a system. Similar caches and security issues exist for the Address Resolution Protocol, ARP, and for files retrieved from the internet.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx. You can also join Mike's free study group at certmike.com.
Note: This course is part of a series releasing throughout 2018. A completed Learning Path of the series will be available once all the courses are released.
- Understanding security design principles and models
- Cloud computing and virtualization
- Hardware security
- Client and server vulnerabilities
- Web security vulnerabilities
- Securing mobile devices and smart devices
- Understanding encryption
- Symmetric and asymmetric cryptography
- Key management and public key infrastructure
- Physical security