272 Chapter 5 • Communication Security: Web Based Services
Because cookies can be used to store any kind of textual data, it is important
that they’re secure. As a developer, the best way to protect people from having the
information stored in cookies viewed by others is not to store any personal or
sensitive information in a cookie. This isn’t always an option, but it’s always wise to
never store any more information than is needed in a cookie.
If sensitive data must be stored, then the information should be encrypted and
transmitted using the Transport Layer Security (TLS) or SSL protocols, which we
discuss later in this chapter. By using SSL, the cookie can be sent encrypted,
meaning that the data in the cookie won’t be plain to see if anyone intercepts it.
Without TLS or SSL, someone using a packet sniffer or other tools to view data
transmitted across the network will be able to read the contents of the cookie.
Web Spoofing
Web spoofing is a means of tricking users into connecting to a different Web server than
they intended. Web spoofing may be done in a number of ways. It can be done by
simply providing a link to a fraudulent Web site that looks legitimate, or involve
more complex attacks in which the user’s request or Web pages requested by the
user are intercepted and altered.
One of the more complex methods of Web spoofing involves an attacker who is
able to see and make changes to Web pages that are transmitted to or from another
computer (the target machine). These pages can include confidential information
such as credit card numbers entered into online commerce forms and passwords
that are used to access restricted Web sites. The changes are not made to the actual
Web pages on their original servers, but to the copies of those pages that the
spoofer returns to the Web client who made the request.
The term spoofing refers to impersonation, or pretending to be someone or
something you are not. Web spoofing involves creating a “shadow copy” of a Web
site or even the entire Web of servers at a specific site. JavaScript can be used to
route Web pages and information through the attacker’s computer, which
impersonates the destination Web server. The attacker can initiate the spoof by sending
e-mail to the victim that contains a link to the forged page or putting a link into a
popular search engine.
SSL does not necessarily prevent this sort of “man-in-the-middle” (MITM)
attack; the connection appears to the victim user to be secure because it is secure.
The problem is that the secure connection is to a different site than the one to
which the victim thinks they are connecting. Although many modern browsers will
indicate a problem with the SSL certificate not matching, hyperlink spoofing exploits