Web & Password Security FAQ
This document contains frequently asked questions about web and password security and their solutions.
What does it mean to be "Authenticated"?
When you are authenticated, the server has verified that you are who you claim to be. Once the server confirms your identity, it grants you access to the files and directories that you are authorized to see or change.
Note: Your authentication expires after a certain amount of time. In order to continue accessing your data, you will need to re-authenticate with your user ID and password.
What are certificates? And why would I install one into my browser?
Certificates are electronic documents that bind a public key to a name, such as a web site's host name or the name of the authority that issued it. Your browser ships with a set of them, and a secure site presents its own when you connect. When you connect to a secure site, certificates allow two things to happen: encryption and authentication.
For encryption, secure sites use the SSL (Secure Sockets Layer) protocol, now standardized as TLS (Transport Layer Security).
This protocol uses public key cryptography to set up the encryption of the data sent back and forth. With public key cryptography there are two keys: a public key, which anyone may have, and a private key, which only its owner holds. The server's certificate carries the server's public key; the matching private key stays on the server and is never sent to you. Your browser uses that public key to agree on a session key with the server, and the session key encrypts the rest of the exchange, so only you and the server will be able to read the data. You do not need a copy of the site's certificate in advance; the site sends it when you connect.
Certificates also are used for authentication. If you are exchanging data with a secure site you will want to make sure the site is who it says it is. Certificates are issued by a trusted third party, called a Certification Authority (CA). Before a CA will grant a certificate to a site, the CA will verify that the site is who it claims to be. In this way, the CA does the verification for you: if you trust the CA, you can trust that you are talking to the site named in the certificate. Note that a valid certificate tells you who you are talking to, not that the site is honest.
Most browsers have the certificates of the larger CAs already installed. For most of the secure websites you encounter you will not need to install a certificate. If you do encounter a site whose certificate was not issued by one of those CAs, the browser will warn you that it cannot verify the site and ask whether you want to proceed or install the certificate. Read this warning carefully. Often such a site is a legitimate site using a certificate from its own organization, but a fraudulent site produces exactly the same warning, and the browser cannot tell the two apart for you. Do not install the certificate or proceed on the strength of the warning alone. Check with the organization running the site to be sure you have the correct URL, that the site is trustworthy, and, if the organization distributes its own certificate, that the one you are offered matches what it publishes (for example, its fingerprint).
Is it possible for someone to find out my password?
Yes. Contrary to what many people believe, the Andrew System does not make your password "sniff proof." Using any one of numerous products, someone on the same network as you could intercept and steal your unprotected password. However, there are ways you can protect yourself. The most effective way is to use products that have Kerberos authentication built in. This way your password will not be sent in clear text over the network, and it will be protected from theft.
How can I choose a secure password?
To select a secure password, refer to the Password Requirements web page.
I don't keep anything private online. Why should I worry if someone has my password?
Your user ID and password identify you to the server. If someone stole your password, that person could pretend to be you while doing unauthorized or illegal things online. For example, you may not care if someone reads all of your email, but you would care if someone used your account to send email organizing a crime. Also, someone with your password may be able to make your account unusable to you, for instance by changing the password or filling up your storage. To protect yourself from unnecessary investigation and frustration, it is a good idea to protect your password.
Some web sites on campus ask for my Andrew ID and password before I can enter their site. Is it safe for me to give it to them?
It depends on the site. There are a few things you need to be sure of before you enter your password:
- Make sure the site is a secure site. The URL to a secure site will begin with https (note the S for secure) rather than just http.
- Be sure that the page belongs to the organization that it is representing. Double check the URL with the organization.
- Legitimate sign-on services at Carnegie Mellon are Web Login and WebISO. When you try to access a secure web site, you are presented with the WebISO Secure Login page. The URL for WebLogin will always be https://login.cmu.edu. The URL for WebISO will always be https://webiso.andrew.cmu.edu/. If it is NOT, do not enter your password. Send mail to email@example.com to report the site.
I want to publish a web site, but I only want certain people to be able to see it. Can I do that?
It depends. If you are running your own server, you can configure your server to use SSL or Kweb to restrict pages. If you are publishing your pages on a server maintained by Computing Services, such as www.cmu.edu or www.andrew.cmu.edu, some types of pages can be restricted while others cannot.
If you are publishing Course pages or Department pages you may restrict access to your pages using .htaccess. For other types of pages, such as personal pages or organization/club pages on the user web, you may not restrict access to your pages.
I want to use the web to shop. Is it safe to send my credit card number over the web?
It can be. Before you send your credit card number over the web, make sure:
- The site is a secure site. If it is a secure site, the URL of the site will begin with https (note the S for secure) rather than simply http.
- The site is who it says it is. Some sites use names that look confusingly like those of well-known sites. Double check the URL before you do anything.
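The two checks above (and the same checks in the answer about campus sign-on pages: https, and a host name that is exactly the legitimate one) can be automated. The following is an added example, not code from the original FAQ or from Computing Services. It takes the two sign-on hosts given on this page as the trusted set; the lookalike URLs in the sample list are constructed for illustration and do not refer to real sites.

```python
"""Check whether a login URL is one of the known campus sign-on pages.

Added example, not part of the original FAQ. The trusted hosts are the two
given on this page; every other URL below is constructed for illustration.
"""
from urllib.parse import urlsplit

# Hosts of the legitimate sign-on services named in the FAQ.
TRUSTED_LOGIN_HOSTS = {"login.cmu.edu", "webiso.andrew.cmu.edu"}


def is_trusted_login_url(url: str) -> tuple:
    """Return (ok, reason).

    ok is True only when the URL uses https AND its host is exactly one of
    the trusted sign-on hosts. urlsplit().hostname strips any user@ prefix,
    port and IPv6 brackets and lowercases the name, so the tricks a phishing
    URL relies on (login.cmu.edu@evil.example, LOGIN.CMU.EDU:8443) are
    normalized away before the comparison.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https: the password would travel unencrypted"
    host = parts.hostname
    if host is None:
        return False, "no host name in URL"
    if host in TRUSTED_LOGIN_HOSTS:
        return True, f"{host} is a known sign-on service"
    # A host that merely contains a trusted name (login.cmu.edu.evil.example)
    # is the classic lookalike; flag it explicitly so the reason is clear.
    for trusted in TRUSTED_LOGIN_HOSTS:
        if trusted in host:
            return False, f"lookalike host {host!r} is not {trusted!r}"
    return False, f"unknown host {host!r}"


# Constructed sample URLs: the first two are the real sign-on pages, the rest
# are the kinds of addresses a fraudulent page might use.
SAMPLE_URLS = [
    "https://login.cmu.edu/login",
    "https://webiso.andrew.cmu.edu/",
    "http://login.cmu.edu/login",                 # no S: not secure
    "https://login.cmu.edu.evil.example/login",   # lookalike subdomain
    "https://login.cmu.edu@evil.example/",        # trusted name as userinfo
    "https://evil.example/login.cmu.edu",         # trusted name in the path
    "https://logincmu.edu/",                      # typo-squat
]


def check_all(urls):
    """Map each URL to its (ok, reason) verdict."""
    return {u: is_trusted_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in check_all(SAMPLE_URLS).items():
        print("OK  " if ok else "BAD ", url, "-", reason)
```

The important design point is comparing the parsed host name for exact equality rather than asking whether the URL string "contains" or "starts with" the trusted name; a string prefix check would accept every lookalike in the sample list.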
What is Kerberos?
Kerberos is an authentication system that uses secret key (symmetric) encryption. Developed at MIT, Kerberos allows you to prove (using your password) that you are who you say you are. With Kerberos, your password is never sent over the network at all, not even in encrypted form: your machine derives a secret key from the password and uses that key to encrypt a timestamp for the Kerberos server and to decrypt the ticket the server sends back, which only the correct password can do. Kerberos is the authentication system used on campus.
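To make the "password never leaves your machine" point concrete, here is an added example that simulates the Kerberos initial login exchange. It is not real Kerberos code and not part of the original FAQ: the encryption is a stand-in (an HMAC-SHA256 keystream with an HMAC tag) for the AES-based encryption Kerberos actually uses, and the realm, user name and password are made up. What it does preserve is the structure: the server stores only a key derived from the password, the client proves it has the same key by encrypting the current time (pre-authentication), and the reply is a session key that only the right password can decrypt.

```python
"""Simplified Kerberos-style login: the password never crosses the network.

Added example, not part of the original FAQ and not real Kerberos code. The
cipher is a stand-in for Kerberos' AES encryption; REALM, the user name and
the password are assumed values.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

REALM = "EXAMPLE.EDU"  # assumed realm name, not a real one


def string_to_key(password: str, salt: str) -> bytes:
    """Derive the user's long-term key from the password. Real Kerberos also
    uses PBKDF2, salted with the realm and principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode, used as a toy stream cipher keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """The Kerberos server. It stores each user's key, never the password."""

    def __init__(self):
        self.user_keys = {}

    def add_user(self, principal: str, password: str) -> None:
        self.user_keys[principal] = string_to_key(password, REALM + principal)

    def as_exchange(self, principal: str, preauth: bytes) -> Optional[bytes]:
        """Handle a login request: verify the encrypted timestamp
        (pre-authentication), then return a fresh session key encrypted
        under the user's key. Real Kerberos also returns a ticket-granting
        ticket here; it is omitted."""
        key = self.user_keys.get(principal)
        if key is None:
            return None
        ts = decrypt(key, preauth)
        if ts is None or abs(time.time() - int(ts)) > 300:
            return None  # wrong password, tampered request, or stale replay
        return encrypt(key, os.urandom(32))


def client_login(kdc: KDC, principal: str, password: str) -> Tuple[Optional[bytes], bytes]:
    """What the client does. Returns (session_key or None, bytes_sent_on_wire).

    The password is used only locally to derive the key; the only things a
    network sniffer could capture are the two ciphertexts returned in wire."""
    key = string_to_key(password, REALM + principal)
    preauth = encrypt(key, str(int(time.time())).encode())
    reply = kdc.as_exchange(principal, preauth)
    if reply is None:
        return None, preauth
    return decrypt(key, reply), preauth + reply


if __name__ == "__main__":
    kdc = KDC()
    kdc.add_user("alice", "correct horse battery staple")  # assumed user
    session_key, wire = client_login(kdc, "alice", "correct horse battery staple")
    print("login ok:", session_key is not None)
    print("password visible on the wire:", b"correct horse" in wire)
    print("wrong password accepted:", client_login(kdc, "alice", "guess")[0] is not None)
```

Compare this with a plain web form or an unencrypted telnet or FTP login, where the password itself is what crosses the network: with Kerberos, a sniffer on the same network sees two ciphertexts that are useless without the key derived from the password, which is why the FAQ recommends Kerberos-enabled applications.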
What are Kerberos for Windows and Macintosh software?
Kerberos for Windows and Kerberos for Macintosh are utilities that allow programs to use Kerberos authentication on Windows and Macintosh machines. They also let you view and manage your authentication status, that is, the Kerberos tickets your machine currently holds.
Last Updated: 9/19/12