
Security limitations

Although breaches of security on the Internet are infrequent, it is important to be aware of the inherent limitations of any Internet security system. The following information is not unique to Z and I Emulator for Web; it applies to most Internet applications that use http. None of this information applies if your Web server uses secure http (https).

For Z and I Emulator for Web, SSL security is still provided even when Server Authentication is disabled.

A common SSL connection between a client and a server works as follows:

Using a CA-signed certificate:

  1. The client contacts the server.
  2. The server sends its CA-signed certificate to the client.
  3. The client checks its list of trusted CAs to see if the CA that signed the server's certificate is in the list and therefore can be trusted. If so, the SSL negotiation continues; if not, it fails immediately.

Using a self-signed certificate:

  1. The client contacts the server.
  2. The server sends its self-signed certificate to the client.
  3. The client checks its list of self-signed certificates to see if the server's certificate is in the list and can therefore be trusted. If so, the SSL negotiation continues; if not, it fails immediately.

Why You Must Be Careful

The crucial step in the process is when the client checks its list of trusted CAs and self-signed certificates. For a locally-installed client, on which Z and I Emulator for Web is loaded directly from the client's hard disk, that list is kept on its local hard disk. This is considered adequately secure.

However, for a download client, on which the client is really just a browser that downloads all its code from the server using http, the only place the browser can look for the list of trusted CAs or self-signed certificates is on the server from which it has just downloaded the certificate. If that server is an intruder, it supplies both the certificate and the list that vouches for it, so the check succeeds and security is breached. One way to avoid this problem is to use https rather than http, because https ensures that the browser really is connected to the correct server.
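The difference between the two client types can be modelled for the self-signed case as follows. This is an added example, not product code: the certificates are constructed byte strings, and `Server`, `negotiate` and the two client functions are hypothetical names chosen for illustration.

```python
import hashlib

def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint used to identify a certificate in a trust list."""
    return hashlib.sha256(cert).hexdigest()

class Server:
    """Constructed stand-in for whatever endpoint the client actually reached."""
    def __init__(self, cert: bytes):
        self.cert = cert

    def send_certificate(self) -> bytes:
        # Step 2 of the negotiation: the server presents its certificate.
        return self.cert

    def serve_trust_list(self) -> set:
        # Over plain http nothing authenticates this response, so any
        # endpoint can list its own certificate as trusted.
        return {fingerprint(self.cert)}

def negotiate(server: Server, trust_list: set) -> bool:
    """Step 3: continue only if the presented certificate is in the list."""
    return fingerprint(server.send_certificate()) in trust_list

def locally_installed_client(server: Server, local_list: set) -> bool:
    # The trust list was stored on the client's disk before the connection.
    return negotiate(server, local_list)

def download_client(server: Server) -> bool:
    # The trust list arrives from the same endpoint that sent the certificate.
    return negotiate(server, server.serve_trust_list())

# Constructed sample data: the intended host and a different, unexpected host.
GENUINE = Server(b"constructed self-signed certificate: intended host")
INTRUDER = Server(b"constructed self-signed certificate: unexpected host")
LOCAL_LIST = {fingerprint(GENUINE.cert)}

def compare() -> dict:
    """Outcome of step 3 for each client type against each endpoint."""
    return {
        "local/genuine": locally_installed_client(GENUINE, LOCAL_LIST),
        "local/intruder": locally_installed_client(INTRUDER, LOCAL_LIST),
        "download/genuine": download_client(GENUINE),
        "download/intruder": download_client(INTRUDER),
    }

if __name__ == "__main__":
    for case, accepted in compare().items():
        print(f"{case}: {'continues' if accepted else 'fails immediately'}")
```

Only the locally installed client rejects the unexpected host; the download client's check cannot fail because the list and the certificate come from the same unauthenticated source.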
