Server structure project implementing security standards and protocols according to the Open Standards Everywhere project

  • Raphaela Silva Goulart CEFET-MG
  • Silvia Calmon de Albuquerque CEFET-MG

Abstract

The Open Standards Everywhere project was created to help web servers achieve high availability and be as secure as possible by using the standards and protocols defined by the Internet Engineering Task Force. The objective of this work was to analyze whether a set of web servers respects these standards and to indicate improvements that can be made. In addition, it proposes a structure project for a web server that implements these standards and protocols using free resources and services. The analysis showed a low adoption rate of these protocols among popular sites from different sectors, further demonstrating the importance of the server structure project as a way to make the creation of more secure web servers easier.

Keywords: web security, application security

Published: 2021-10-04

GOULART, Raphaela Silva; ALBUQUERQUE, Silvia Calmon de. Server structure project implementing security standards and protocols according to the Open Standards Everywhere project. In: WORKSHOP ON SCIENTIFIC INITIATION AND UNDERGRADUATE WORKS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 21., 2021, Online Event. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 110-123. DOI: https://doi.org/10.5753/sbseg_estendido.2021.17346.