 |  | Education -> Information security center -> Web page access control |  |
 | |
| |
WEB PAGE ACCESS CONTROL
What is web page access control?
Web page access control is the mechanism by which access to web pages is limited to specific users.
Web page access control may be achieved in a number of ways. Of course there is the simple identity and password type of access control, the problems of which have been dealt with at enough length in the articles on web page login and web login.
There is another level of sophistication to web page access control, and that is to encrypt the information that makes up the web page (the underlying html, javascript or Active-X, pictures and so on) so that whilst the user is able to see the results on the screen, the underlying information is not accessible to them.
There are also two levels of sophistication when applying encryption in order to provide web page access control.
At the simplest level the encryption key is either a password that the user enters, or it is a password that is carried in the page itself, and is used dynamically to decrypt the underlying information and pass it into the web browser.
This has two obvious problems. The first is that if a user actually enters the password, then the page may be attacked easily by a hacker using a dictionary attack. Since passwords tend to be short and memorable this is not a realistic control approach, although surprisingly popular. The second is that if the key is actually somewhere on the page, then it is not going to take someone long to build a tool to automatically find the key and apply it in order to decrypt the page information. (Do a web search for html decrypter and you should get around 1 million results.)
At the more complex level you need an application to handle the access to the decryption key(s) and a special viewer to ensure that neither the content nor the underlying information can be accessed by the user although they are able to see the information they require on the screen. It also ensures that locating and using the relevant decryption key is not simple for an attacker and makes the use of an exhaustive key attack (start with the value of 1, add 1 and keep going until you find it) impractical.
A different approach might be to use the system proposed in the OASIS SAML specification, but we have pointed out in the article on web login that implementation of such an approach is so challenging there are no useful examples to point to. Only the unkind might say that it seems to be a technology solution for technologists who have so far found nothing that it really maps to.
So web page access control is best achieved by using an encryption technology, but you require something better than the trivial encryption methods if you are going to achieve any realistic security.
Download web page access control softwareDownload web page access control software where there are no passwords for your users to enter, manage or forget.
Digital rights management controls and US Government approved AES 256 bit encryption prevent unauthorized use and misuse of your web page content. Control who can view your web pages, what they can do with them (copy, print, etc.) and when they can no longer be viewed (expire).
Web page access control guide covering secure web page access control, web page access control security, and web page access control software. Learn why you should not use passwords for web page access control. LockLizard Protector software provides secure web page access control and protects your web pages from unauthorized use and misuse without using password protection. Secure web page access control with AES 256 bit encryption and digital rights management controls. | |
| |
