Web Cookies
- Cookie is provided by a Website and stored on user's machine
- Cookie indexes a database at Website
- Cookies maintain state across sessions
- Web uses a stateless protocol: HTTP
- Cookies also maintain state within a session
- Sorta like a single sign-on for a website
- But, very, very weak form of authentication
- Cookies also create privacy concerns
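To make the bullets above concrete, here is a small added example (not code from the slides) of how a session cookie works: the server keeps a record in its own table, the cookie carries only an unguessable random index into that table, and because HTTP is stateless every later request is linked to the login solely by the cookie value it presents. The in-memory `SESSIONS` table, the `sid` cookie name, the one-hour `SESSION_TTL` and the user names are all constructed for the example. The ending shows the "very weak authentication" point from the slide: the server cannot tell the original browser from any other client that presents the same value, which is why the cookie is marked `HttpOnly` and `Secure`, expires, and can be revoked at logout.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed server-side "database" that the cookie value indexes (hypothetical).
SESSIONS = {}        # session_id -> {"user": str, "expires": float, "state": dict}
SESSION_TTL = 3600   # assumed lifetime in seconds, not a value from the slides


def issue_session(user, now=None):
    """Log the user in: create a server-side record and the Set-Cookie header
    that references it. Only the random index travels to the client; the user
    name and per-session state stay in the server's table.
    Returns (session_id, set_cookie_header)."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)          # 256 bits, not guessable
    SESSIONS[session_id] = {"user": user, "expires": now + SESSION_TTL, "state": {}}
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True    # page scripts cannot read the value
    cookie["sid"]["secure"] = True      # browser sends it over HTTPS only
    cookie["sid"]["samesite"] = "Lax"   # not attached to most cross-site requests
    cookie["sid"]["max-age"] = SESSION_TTL
    return session_id, cookie.output(header="Set-Cookie:")


def authenticate(cookie_header, now=None):
    """Server side of a later request. HTTP remembers nothing about the login,
    so the cookie value in this request is the only link back to the user.
    Returns the session record, or None if the cookie is absent, unknown or expired."""
    now = time.time() if now is None else now
    if not cookie_header:
        return None
    parsed = SimpleCookie()
    parsed.load(cookie_header)
    morsel = parsed.get("sid")
    if morsel is None:
        return None
    record = SESSIONS.get(morsel.value)
    if record is None or record["expires"] <= now:
        SESSIONS.pop(morsel.value, None)   # drop expired entries on sight
        return None
    return record


def logout(session_id):
    """Revoke the session server-side; the cookie value then means nothing."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    sid, header = issue_session("alice")
    print(header)                                   # what the browser receives

    # Two separate, stateless requests; only the cookie ties them to alice.
    request_header = f"sid={sid}"
    session = authenticate(request_header)
    session["state"]["cart"] = ["book"]             # state kept within the session
    print(authenticate(request_header)["state"])    # {'cart': ['book']}

    # The weak-authentication point: any client that presents the same value
    # is treated as alice, because possession of the value is the whole proof.
    print(authenticate(request_header)["user"])     # alice, whoever sent it

    logout(sid)
    print(authenticate(request_header))             # None: revoked on the server
```

The table lookup is the "cookie indexes a database at the Website" bullet; the `max-age` and the `expires` check bound how long a stolen or leftover value stays useful, and `logout` shows that revocation has to happen on the server, since the browser's copy of the cookie cannot be trusted to go away.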
Chapter 8: Authorization
"It is easier to exclude harmful passions than to rule them, and to deny them admittance than to control them after they have been admitted." (Seneca)
"…by people who are crazy; they have an access to truth not available through regular channels." (Sheila Ballantyne)
- Authentication: Are you who you say you are?
- Restrictions on who (or what) can access system
- Authorization: Are you allowed to do that?
- Restrictions on actions of authenticated users
- Authorization is a form of access control
- But first, we look at system certification…
System Certification
- Government attempt to certify "security level" of products
- Of historical interest
- Sorta like a history of authorization
- Still important today if you want to sell a product to the government
Orange Book
- Trusted Computer System Evaluation Criteria (TCSEC), 1983
- Universally known as the “orange book”
- Name is due to the color of its cover
- About 115 pages
- Developed by U.S. DoD (NSA)
- Part of the “rainbow series”
- Orange book generated a pseudo-religious fervor among some people
- Less and less intensity as time goes by