Security concerns are typically broken down into the following areas:
Under this heading, basically, we are talking about non-disclosure of information except to those authorised (typically creator and anyone they wish to transmit it to, subject to proof of identity!). If I send something over a communications channel, it is liable to be eavesdropped, copied, intercepted in many different ways. The solution is to mangle (encrypt) what is sent so that someone who takes a copy can't recognise it. The easy way to do this is to have "one-time-codebooks" (e.g. each letter is sent as a number which is its next occurrence in some pre-agreed book). This is inefficient, and complex and error prone, and not a lot of use for WWW servers. A more useful technology is cryptography, and in particular, a mechanism called public key cryptography, of which more below. A less useful (but still effective) technique is private key cryptography, (such as the US NSA standard DES, Data Encryption Standard).
All cryptographic technology for privacy is export controlled from the US at the moment, which means that use every day in the Internet relies on externally produced implementations. Also, for International companies trading in the US, this is a political obstacle to using such technology for fear of offending the US government.
In fact, for many WWW servers, privacy may not really be an issue - especially if the function of the server is effectively to add value to other services (advertise). Even if not, it may simply be too difficult for someone to monitor all WWW traffic from a particular server and piece together all the data from there - but do not count on this one bit!
This is to do with proving ones identity. It is a very subtle business. Typically, it relies on some notion of trust. If I transmit something to someone by talking to them face to face, I am assured by their face, or voice, that they are who they say they are. However, I need to also understand their role - do they really work for who they say they do? Typically, they produce credentials (an expensive to fake ID-Card, for example).
If I send something over a communications channel, I must also exchange some forms of credentials to be assured the receiver is who they say they are (like listening to their voice or looking at their face, I may need a notarised signature etc etc). There are a number of techniques for digital signatures that are hard to forge. Luckily, this technology is also not subject to US export controls. Systems such as Kerberos and PGP (Pretty Good Privacy) provide authentication, as well as possibly non-exportable privacy.
Once you have authentication, then a server can be protected from dangerous access. It can then match authenticated credentials to Access Control Lists, and even carry out billing based on these (though it still better not accept credit card numbers or send bills over the same network until it also has privacy technology).
Non-repudiation is the facility of a secure system to permit proofs that a sender or receiver were indeed the sender and receiver. Non-repudiation of contents is to do with anonynimity.
This is to do with making sure that information is not tampered with in transit. It is usually achieved by signing the data with some function (checksum) of the data itself, wrapped up with some secret key that is not transmitted (perhaps has been exchanged previously through public key cryptography).
We might add another: legal recognition!
All the security in the world is not much use if it is not backed up
by some sort of legal position, if you want to charge people for
information, exchange contracts over networks etc etc
Berners-Lee lists the following specific checklist for existing WWW servers:
Finally, note that keeping logs is a very important part of security. Any secure system will attract more attempts to hack simply because it poses more of a challenge, but also because there is potentially more monetary gain hacking a system that someone has apparently spent money to protect. A system always has vulnerabilities (there is no such thing as 100 % security, just 100 % lack of detected hacks). If you keep audit trails, then it is possible to track a lot more problems. It may also be possible to track the cause of the loophole and fix it.
Finally, always keep backups of valuable data!.