Skip Navigation Links

Page One

Campus Computing News

IMSP Remote Address Book and Options Service to be Discontinued

Renew PRAS Accounts Now

Interim General Access Lab Hours

UNT General Access Labs

Usability Guidelines for Web Sites

Statistical Application Installation

Today's Cartoon

RSS Matters

SAS Corner

The Network Connection

Link of the Month

WWW@UNT.EDU

Short Courses

IRC News

Staff Activities

Subscribe to Benchmarks Online
    

WWW@UNT.EDU


Breaking News in Web World

By Shannon Eric Peevey, UNT Central Web Support

Hi, everyone!! How has everyone been? We have been busy getting ready for a move from a single server to a web farm for Web2.unt.edu/osprey and this has been exposing some very interesting problems that were not apparent in the previous setup. This article is going to cover these problems, and the fixes that we have put into place.

Internet Explorer...

Internet Explorer has been topping our list of trouble-makers. The first, and most dangerous flaw is covered in an article by Sam Costello, "Severe IE flaw undermines SSL security". This flaw is detrimental to the security scheme that most of us have taken for granted when doing online transactions.

PROBLEM 1: "IE fails to check the Basic Constraints of certificates signed by intermediate Certificate Authorities (CAs). That means that as far as IE is concerned, anyone with a signed certificate for any domain can generate a certificate for any other domain, which will appear to be signed by a valid CA."

IN PLAIN ENGLISH: A certificate, in this case, is talking about a special certificate that is generated by a webmaster to prove the authenticity of a secure Website. (Basically, "is this site who they say they are?") This certificate is then used by your browser to create a secure connection to the server, which means that it is encrypted and therefore, more difficult for third-parties to view. (Not impossible!!) One part of the secure certificate process is that we send this certificate to a third-party that has been designated as a Certificate Authority. This Certificate Authority, (we use VeriSign), then signs the certificate, verifying that they have researched this business/school, and that they are a legitimate institution. It seems that Internet Explorer does not really check to see if the certificate is signed by a viable Certificate Authority. Therefore, any person in possession of a secure certificate signed by a Certificate Authority can create a certificate for another domain and sign the certificate themselves, bypassing the need for a Certificate Authority. This is very dangerous, as the Certificate Authorities have been setup by the "powers" of the internet to be the "last word on authenticity "of Websites, and completely authoritative. If Internet Explorer is not checking this correctly, then no signed certificate is authoritative, and the structure of web security has broken down.

SOLUTION: This problem is found in all version of Internet Explorer, up to and including 6.0. I have not yet seen a security update, or bulletin, from Microsoft, so am wondering about the silence. This means that you should never use Internet Explorer for any personal transactions, such as credit card payment, online banking, personal information browsing, etc. This problem does not effect Netscape Navigator, so you should switch to Netscape for all important online transactions.

Another problem that has come up with Internet Explorer occurred when we upgraded to Apache 2.0.39 and PHP 4.2.2.

PROBLEM 2: When trying to administer a MySQL database using PHPMyAdmin, Internet Explorer does not update the browser page with the most current information. For example, you create a new table in your database, and IE does not refresh the page to show this new table, (though, it exists on the database server). In essence, IE is perpetually showing you a cached page.

SOLUTION: This problem occurred as a direct result of upgrading to Apache 2.0.39 and PHP 4.2.2, but only effects PHP applications that take advantage of sessions. (Sessions are the way through which we remember your information, as a user, for a specified period of time. This can be achieved through using cookies, or by keeping the information in a database, etc, and associating that information with a unique identifier for a specific user. The problem with PHPMyAdmin is found in the use of cookies, and the implementation of cookie-handling in Internet Explorer. This effects all version of Internet Explorer up to, and including, 6.0. The work-around is to use either Netscape, which has a better implementation of cookies, or by using a secure connection, (being aware of Problem 1, as stated above).

Microsoft SQL Server

Our next look at web problems that are becoming apparent have to do with Microsoft SQL Server. As usual, we, meaning universities, must do things in a unique way, and it seems that Microsoft didn't foresee the use of the SQL Server administrative tool, Enterprise Manager, in the multi-user environment that we are now using it. Let me explain.

PROBLEM 1: The security model that is used by Microsoft SQL Server doesn't work with our situation. When I create a database for your web front-end, I want you to have complete control of your database so that I don't have to help you with administering it. (This is a bit selfish but more efficient for you, as I am administering over 150 databases, and you would have to wait your turn... What a pain, no?) This means that I create you as a database owner, or, in my mind, dbo. The dbo is the owner of all objects in the database when I create it, and is the user that you would want to own all of the objects in your database, to keep from having to worry about conflicting rights to objects. (In other words, "jon" wants to select data from the "earl.test" table. ("earl" is the owner, and the dot notation is a shorthand way of seeing both the owner and the object.) "earl" would have to explicitly give rights to "jon" to select data from his "test" table. This becomes a pain when more than one user are making items in the database. An easier solution, is to make "dbo" the owner of all items, but Microsoft has thrown a kink into this solution. Only members of the sys_admin, or system administrator, group can create items that are mapped to "dbo". But... In our situation, if I would make everyone a member of the sys_admin group, I have given everybody administrative rights to everything on the SQL Server. No matter how much we like each other, I'm sure that we don't want someone coming in a messing up our most important applications by mistake... (Bad Microsoft!!) Therefore, there is no way for you to create any items as "dbo", (even if you are a member of the "dbo" group for that database...

SOLUTION: I have written a stored procedure that will check for items in your database that do not belong to "dbo" and change them to "dbo.object". If you need help, contact me at speeves@unt.edu

The second problem is similar to the first, but has to do with permissions on Enterprise Manager itself.

PROBLEM 2: If you are using Enterprise Manager to administer your database, I have given you certain rights to your database. In the best case scenario, you would only be able to see the items that you have rights to on your screen. In Enterprise Manager world, you see all of the databases, (you cannot manipulate any database that you do not have rights to, but still...) and can view various items that should not be available to everyone.

SOLUTION: There is none. Obviously Microsoft did not think of our implementation of Enterprise Manager as a campus-wide administrative tool. Therefore, they will probably not fix the problem either. It is my intention to create a web gui, modeled after PHPMyAdmin, that would allow us to limit the abilities of users to view objects on the database server. (Anyone that would like to get involved, is more than welcome to contact me :) )

Conclusion

As you can see, this is an exciting time! We are pushing the envelope, and are finding the boundaries of current technology. I have covered only a few of the problems that are becoming apparent as I get ready to migrate web2/osprey, but am sure that many more will become obvious as we push technology further and further. If you have any problems that you are encountering, let me know, and we will either mention it in a future article, or work on fixing the problem together.

Until then...