272 Chapter 12 Running an E-commerce Site

Evolving Governmental Policies and Taxes

Depending on where you live, legislation relating to Internet-based businesses might be nonexistent, in the pipeline, or immature. This is unlikely to last. Some business models might be threatened, regulated, or eliminated by future legislation. Taxes might be added. You cannot avoid these issues. The only way to deal with them is to keep up-to-date with what is happening and keep your site in line with the legislation. You might want to consider joining any appropriate lobby groups as issues arise.

System Capacity Limits

One thing to bear in mind when designing your system is growth. Your system will hopefully get busier and busier. It should be designed in such a way that it will scale to cope with demand.

For limited growth, you can increase capacity by simply buying faster hardware. There is a limit to how fast a computer you can buy. Is your software written so that after you reach this point, you can separate parts of it to share the load on multiple systems? Can your database handle multiple concurrent requests from different machines? Few systems cope with massive growth effortlessly, but if you design with scalability in mind, you should be able to identify and eliminate bottlenecks as your customer base grows.

Deciding on a Strategy

Some people believe that the Internet changes too fast to allow effective planning. We would argue that it is this very changeability that makes planning crucial. Without setting goals and deciding on a strategy, you will be left reacting to changes as they occur, rather than being able to act in anticipation of change.

Having examined some of the typical goals for a commercial Web site, and some of the main threats, you hopefully have some strategies for your own.
Your strategy will need to identify a business model. The model will usually be something that has been shown to work elsewhere, but is sometimes a new idea that you have faith in. Will you adapt your existing business model to the Web, mimic an existing competitor, or aggressively create a pioneering service?

Next

In the next chapter, we will look specifically at security for e-commerce, providing an overview of security terms, threats, and techniques.

13 E-commerce Security Issues

THIS CHAPTER DISCUSSES THE ROLE OF SECURITY in e-commerce. We will discuss who might be interested in your information and how they might try to obtain it, the principles involved in creating a policy to avoid these kinds of problems, and some of the technologies available for safeguarding the security of a Web site including encryption, authentication, and tracking.

Topics include
- How important is your information?
- Security threats
- Creating a security policy
- Balancing usability, performance, cost, and security
- Authentication principles
- Using authentication
- Encryption basics
- Private key encryption
- Public key encryption
- Digital signatures
- Digital certificates
- Secure Web servers
- Auditing and logging
- Firewalls
- Backing up data
- Physical security

How Important Is Your Information?

When considering security, the first thing you need to evaluate is the importance of what you are protecting. You need to consider its importance both to you and to potential crackers. It might be tempting to believe that the highest possible level of security is required for all sites at all times, but protection comes at a cost. Before deciding how much effort or expense your security warrants, you need to decide how much your information is worth.
The value of the information stored on the computer of a hobby user, a business, a bank, and a military organization obviously varies. The lengths to which an attacker would be likely to go in order to obtain access to that information vary similarly. How attractive would the contents of your machines be to a malicious visitor?

Hobby users will probably have limited time to learn about or work towards securing their systems. Given that information stored on their machines is likely to be of limited value to anyone other than its owner, attacks are likely to be infrequent and involve limited effort. However, all network computer users should take sensible precautions. Even the computer with the least interesting data still has significant appeal as an anonymous launching pad for attacks on other systems.

Military computers are an obvious target for both individuals and foreign governments. As attacking governments might have extensive resources, it would be wise to invest personnel and other resources to ensure that all practical precautions are taken in this domain.

If you are responsible for an e-commerce site, its attractiveness to crackers presumably falls somewhere between these two extremes.

Security Threats

What is at risk on your site? What threats are out there? We discussed some of the threats to an e-commerce business in Chapter 12, “Running an E-commerce Site.” Many of these relate to security. Depending on your Web site, security threats might include
- Exposure of confidential data
- Loss or destruction of data
- Modification of data
- Denial of service
- Errors in software
- Repudiation

Let’s run through each of these threats.

Exposure of Confidential Data

Data stored on your computers, or being transmitted to or from your computers, might be confidential. It might be information that only certain people are intended to see, such as wholesale price lists.
It might be confidential information provided by a customer, such as his password, contact details, and credit card number.

Hopefully you are not storing information on your Web server that you do not intend anyone to see. A Web server is the wrong place for secret information. If you were storing your payroll records or your plan for world domination on a computer, you would be wise to use a computer other than your Web server. The Web server is inherently a publicly accessible machine, and should only contain information that either needs to be provided to the public or has recently been collected from the public.

To reduce the risk of exposure, you need to limit the methods by which information can be accessed and limit the people who can access it. This involves designing with security in mind, configuring your server and software properly, programming carefully, testing thoroughly, removing unnecessary services from the Web server, and requiring authentication.

Design, configure, code, and test carefully to reduce the risk of a successful criminal attack and, equally important, to reduce the chance that an error will leave your information open to accidental exposure.

Remove unnecessary services from your Web server to decrease the number of potential weak points. Each service you are running might have vulnerabilities. Each one needs to be kept up-to-date to ensure that known vulnerabilities are not present. The services that you do not use might be more dangerous. If you never use the command rcp, why have the service installed?[1] If you tell the installer that your machine is a network host, the major Linux distributions and Windows NT install a large number of services that you do not need and should remove.
Authentication means asking people to prove their identity. When the system knows who is making a request, it can decide whether that person is allowed access. There are a number of possible methods of authentication, but only two commonly used forms: passwords and digital signatures. We will talk a little more about both later.

CD Universe offers a good example of the cost, both in dollars and reputation, of allowing confidential information to be exposed. In late 1999, a cracker calling himself Maxus reportedly contacted CD Universe, claiming to have 300,000 credit card numbers stolen from their site. He wanted a $100,000 (U.S.) ransom from the site to destroy the numbers. They refused and found themselves in embarrassing coverage on the front pages of major newspapers as Maxus doled out numbers for others to abuse.

Data is also at risk of exposure while it traverses a network. Although TCP/IP networks have many fine features that have made them the de facto standard for connecting diverse networks together as the Internet, security is not one of them. TCP/IP works by chopping your data into packets and then forwarding those packets from machine to machine until they reach their destination. This means that your data is passing through numerous machines on the way, as illustrated in Figure 13.1. Any one of those machines could view your data as it passes by.

[Figure 13.1: Source -> The Internet -> Destination]
Figure 13.1 Transmitting information via the Internet sends your information via a number of potentially untrustworthy hosts.

To see the path that data takes from you to a particular machine, you can use the command traceroute (on a Unix machine). This command will give you the addresses of the machines that your data passes through to reach that host.

[1] Even if you do currently use rcp, you should probably remove it and use scp (secure copy) instead.
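As an added example (not from the book), the following Python script reads traceroute output and counts the intermediary machines your data passes through, separating hops inside your own network (RFC 1918 addresses) from hops on the public Internet; the traceroute text is a constructed sample using documentation address ranges, not a real trace.

```python
import ipaddress
import re

# Constructed sample traceroute output (not a real trace). The 10.x and
# 192.168.x hops stand in for routers inside the organization's building;
# the RFC 5737 documentation addresses stand in for public Internet hops.
SAMPLE_TRACEROUTE = """\
traceroute to example.com (192.0.2.10), 30 hops max, 60 byte packets
 1  gw.office.example (10.1.1.1)  0.412 ms  0.388 ms  0.370 ms
 2  core.office.example (10.1.0.1)  0.901 ms  0.880 ms  0.865 ms
 3  192.168.100.1 (192.168.100.1)  1.2 ms  1.1 ms  1.1 ms
 4  isp-edge.example.net (198.51.100.1)  8.2 ms  8.0 ms  8.1 ms
 5  * * *
 6  transit.example.net (203.0.113.7)  15.3 ms  15.1 ms  15.2 ms
 7  example.com (192.0.2.10)  20.1 ms  20.0 ms  20.0 ms
"""

# One hop per line: "<n>  <name> (<ip>) ..." or "<n>  * * *" for a silent hop.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)|\*)")

# Private address space (RFC 1918); checked explicitly rather than via
# ipaddress.is_private, which also flags the documentation ranges above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hops(text):
    """Return [(hop_number, ip_or_None), ...]; the header line is skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def classify_path(text):
    """Count intermediaries by kind; the final hop (destination) is excluded."""
    summary = {"intermediaries": 0, "internal": 0, "external": 0, "unanswered": 0}
    for _, addr in parse_hops(text)[:-1]:
        summary["intermediaries"] += 1
        if addr is None:
            summary["unanswered"] += 1      # router dropped or rate-limited probes
        elif any(ipaddress.ip_address(addr) in net for net in RFC1918):
            summary["internal"] += 1        # still inside your own network
        else:
            summary["external"] += 1        # a machine you do not control
    return summary


if __name__ == "__main__":
    print(classify_path(SAMPLE_TRACEROUTE))
```

Every hop counted as external is a machine outside your control that can read unencrypted packets as they pass; a silent hop is still a machine on the path, just one that did not answer.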
For a host in your own country, data is likely to pass through 10 different machines. For an international machine, there can be more than 20 intermediaries. If your organization has a large and complex network, your data might pass through five machines before it even leaves the building.

To protect confidential information, you can encrypt it before it is sent across a network, and decrypt it at the other end. Web servers often use Secure Sockets Layer (SSL), developed by Netscape, to accomplish this as data travels between Web servers and browsers. This is a fairly low-cost, low-effort way of securing transmissions, but because your server needs to encrypt and decrypt data rather than simply sending and receiving it, the number of visitors-per-second that a machine can serve drops dramatically.

Loss or Destruction of Data

It can be more costly for you to lose data than to have it revealed. If you have spent months building up your site, gathering user data and orders, how much would it cost you, in time, reputation, and dollars, to lose all that information? If you had no backups of any of your data, you would need to rewrite the Web site in a hurry and start from scratch.