Web Security From Cookies to Packet Sniffers – What Is This Stuff Anyway and Why Should I Care

32 slides

Upload: howard-stokes

Post on 13-Jan-2016


TRANSCRIPT

Page 1: WEB Security From COOKIES to Packet Sniffers – What Is This Stuff Anyway and Why Should I Care

Page 2 (Chapter 6, Section A: Web Technology, p. 285)

Page 3 (Chapter 6, Section A: Web Technology, p. 285)

Cookies: What is a "cookie"?

Cookie – a small chunk of data generated by a Web server and stored by your browser on your computer. When this deck was written that meant a plain text file; current browsers keep cookies in a per-profile database, but anyone with access to the profile can still read them.

Example of one cookie as Internet Explorer stored it (the file name, then the record fields: cookie name, value, domain and path, flags, and the expiry and creation times, each time split into the low and high 32-bit halves of a Windows FILETIME):

Cookie:[email protected]/
SITESERVER ID=9022591d2390f3b8639aa3c7cf1ca8f5 sarasota.fl.us/ 0 642859008 31887777 2868194304 29411026
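To make the record above readable, here is a parser for that old per-site cookie file format. This is an added example, not code from the slides or the textbook; the field order it assumes (name, value, host/path, flags, expiry low/high, creation low/high, then a `*` terminator line) is the classic Internet Explorer cookie .txt layout, and the sample record is the SITESERVER cookie shown on the slide, split one field per line.

```python
"""Parse a record from the old Internet Explorer per-site cookie file.

Added example, not part of the original slides. The field order assumed
here (name, value, host/path, flags, expiry low/high, creation low/high,
"*" terminator) is the classic IE cookie .txt layout; the sample record is
the SITESERVER cookie shown on the slide.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_TICKS_PER_SECOND = 10_000_000
EPOCH_DELTA_SECONDS = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01

# The record from the slide, one field per line (constructed from the slide text).
SAMPLE_RECORD = """SITESERVER
ID=9022591d2390f3b8639aa3c7cf1ca8f5
sarasota.fl.us/
0
642859008
31887777
2868194304
29411026
*
"""


@dataclass
class IECookie:
    name: str
    value: str
    domain: str
    path: str
    flags: int
    expires: int   # Unix seconds
    created: int   # Unix seconds


def filetime_to_unix(low: int, high: int) -> int:
    """Join the two 32-bit halves and convert from the 1601 epoch."""
    ticks = (high << 32) | low
    return ticks // FILETIME_TICKS_PER_SECOND - EPOCH_DELTA_SECONDS


def parse_ie_cookie(record: str) -> IECookie:
    fields = [line.strip() for line in record.strip().splitlines()]
    if len(fields) < 8:
        raise ValueError("truncated cookie record")
    name, value, hostpath = fields[0], fields[1], fields[2]
    domain, _, path = hostpath.partition("/")
    flags = int(fields[3])
    expires = filetime_to_unix(int(fields[4]), int(fields[5]))
    created = filetime_to_unix(int(fields[6]), int(fields[7]))
    return IECookie(name, value, domain, "/" + path, flags, expires, created)


def parse_ie_cookie_file(text: str) -> list[IECookie]:
    """A cookie file holds several records separated by '*' lines."""
    records = [r for r in text.split("*\n") if r.strip()]
    return [parse_ie_cookie(r) for r in records]


def describe(cookie: IECookie) -> str:
    def fmt(t: int) -> str:
        return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return (f"{cookie.name} for {cookie.domain}{cookie.path}: value {cookie.value!r}, "
            f"created {fmt(cookie.created)}, expires {fmt(cookie.expires)}")


if __name__ == "__main__":
    for c in parse_ie_cookie_file(SAMPLE_RECORD):
        print(describe(c))
```

Run as a script it prints the slide's cookie with its creation time in April 2001 and an expiry of 1 January 2035, which is the kind of long-lived tracking identifier the next slides talk about. The value is an opaque ID, not the user's name, exactly as the textbook says; the point a practitioner adds is that the ID is all a site needs to recognise the user, so the file itself is worth protecting.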

Page 4 (Chapter 6, Section A: Web Technology, p. 285)

What is a "cookie"?

Web sites use cookies to:
- Track your path through a site
- Provide information that allows the Web site to present you with ad banners
- Retain any personal information that you type into a Web page form

Page 5 (Chapter 6, Section A: Web Technology, pp. 285-286)

Why do Web sites use cookies to keep track of my activity?

- Because HTTP is stateless: the Web server considers each request separate from every other
- Cookies let the server know which requests are yours, because the browser sends back an identifier the server issued earlier
- They provide temporary storage space
- They are a way to tell your requests apart from everyone else's

Page 6 (Chapter 6, Section A: Web Technology, p. 286)

Are cookies safe and private?

Cookies are a relatively safe technology:
- Data, not a computer program: a cookie cannot run on your machine
- Returned only to the site that created it (the browser scopes each cookie to a domain and path, so one site cannot read another's; third-party content embedded in a page can still set and read its own cookies)
- Contains only information you disclose while using the site
- Typically holds a randomly generated identifier instead of your name; the data it refers to stays on the server

The caveat the textbook leaves out: the identifier is as sensitive as whatever it unlocks. Anyone who copies it, whether from a sniffed plaintext connection or from the cookie file on a shared machine, can present it and be treated as you. So it must be unguessable, and for sites handling logins or payments it must be sent only over an encrypted connection.
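The three cookie slides above (what a cookie is for, why a stateless server needs one, and why it is "relatively safe") come together in one exchange. This is an added example, not code from the slides or the textbook: a stand-in server that only builds and parses HTTP header values, with no network involved. `SessionStore`, `handle_request` and `audit_cookie_attributes` are names invented for the example; the `Set-Cookie` attributes (`Secure`, `HttpOnly`, `SameSite`, `Max-Age`) are the real ones a browser honours.

```python
"""Why a stateless server needs a cookie, and what a safe session cookie looks like.

Added example, not from the original slides or textbook. The tiny "server"
below only parses and builds HTTP header values; nothing is sent over a
network. Names such as SessionStore and handle_request are hypothetical.
"""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 30 * 60  # the cookie "times out" after 30 minutes


class SessionStore:
    """Server-side state; the browser only ever holds the opaque ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str, now: float) -> str:
        # 32 random bytes from the OS CSPRNG: the ID must be unguessable,
        # because whoever presents it is treated as this user.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "cart": [],
                               "expires": now + SESSION_TTL_SECONDS}
        return sid

    def lookup(self, sid: str, now: float):
        s = self._sessions.get(sid)
        if s is None or now > s["expires"]:
            self._sessions.pop(sid, None)   # timed out: forget it server-side too
            return None
        return s


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value the server sends on login."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["path"] = "/"
    c["session"]["max-age"] = SESSION_TTL_SECONDS
    c["session"]["httponly"] = True   # not readable by page scripts
    c["session"]["secure"] = True     # never sent over plain http://
    c["session"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    return c.output(header="").strip()


def session_id_from_request(cookie_header: str):
    """Extract our session ID from the browser's Cookie request header."""
    c = SimpleCookie()
    c.load(cookie_header)
    return c["session"].value if "session" in c else None


def handle_request(store: SessionStore, cookie_header: str, now: float) -> str:
    """Two requests carrying the same cookie are the same shopper; without
    the cookie the server has no way to connect them."""
    sid = session_id_from_request(cookie_header) if cookie_header else None
    session = store.lookup(sid, now) if sid else None
    if session is None:
        return "anonymous"
    return session["user"]


def audit_cookie_attributes(set_cookie_value: str) -> list[str]:
    """Flags missing protections on a Set-Cookie line; a quick check to run
    against any site that logs you in."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie_value.split(";")[1:]}
    return [a for a in ("secure", "httponly", "samesite") if a not in attrs]


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    sid = store.create("alice", t0)
    header = set_cookie_header(sid)
    print("Set-Cookie:", header)
    print("request with cookie ->", handle_request(store, f"session={sid}", t0 + 60))
    print("request without    ->", handle_request(store, "", t0 + 60))
    print("after time-out     ->", handle_request(store, f"session={sid}",
                                                  t0 + SESSION_TTL_SECONDS + 1))
    print("weak cookie missing:", audit_cookie_attributes("session=abc; Path=/"))
```

The cart and the user name never leave the server; the cookie carries only the random ID, which is what "uses a randomly generated number instead of your name" means in practice. The audit function is the check to run on a real site's login response: a session cookie without `Secure` is exactly what a packet sniffer on a plain-HTTP hop would harvest.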

Page 7 (Chapter 6, Section A: Web Technology, p. 286)

Does my computer have to accept cookies?

- Most browsers will let you block cookies (all of them, or only third-party ones)
- Without cookies, you may not be able to do some things on the Web (stay logged in, keep a shopping cart)
- P3P (Platform for Privacy Preferences Project) – a W3C format in which a Web site states how it uses the data it collects; the site sent a "compact policy" in a P3P HTTP response header alongside its cookies, and the browser could compare it with the user's preferences before accepting them
- Compact Privacy Policy – describes how cookie data is used by a Web site

Note: P3P was only ever enforced by Internet Explorer, a site could satisfy it by sending a boilerplate policy token, and the W3C retired it in 2018; no current browser honours it. Browsers now limit cookies by blocking third-party cookies and through the SameSite attribute instead.

Page 8 (Chapter 6, Section A: Web Technology, p. 286): Does my computer have to accept cookies?

Page 9 (Chapter 6, Section A: Web Technology, p. 287)

How long do cookies stay on my computer?

- A Web programmer can set a cookie to "time out": an expiry date (or maximum age) is sent with the cookie, after which the browser discards it; a cookie without one is a session cookie, dropped when the browser closes
- You can delete cookies yourself
- Netscape kept them all in one file, cookies.txt (MagicCookie on the Macintosh); Internet Explorer stored each cookie in a separate file. Current browsers keep them in a per-profile database, but the point stands: whoever can read your profile can read your cookies

Page 10 (Chapter 6, Section A: Web Technology, p. 287): How long do cookies stay on my computer?

Page 11 (Chapter 6, Section D: E-Commerce, p. 309)

PARSONS/OJA

Web Pages, Web Sites, and E-Commerce

Page 12 (Chapter 6, Section D: E-Commerce, p. 309)

E-Commerce Basics: What is e-commerce?

E-commerce – describes financial transactions that are conducted electronically over a computer network
- Includes physical products, digital products, and services
- Digital products such as news, music, video, databases, software, and all types of knowledge-based items
- Services, such as arranging trips, online medical consultation, and remote education

Page 13 (Chapter 6, Section D: E-Commerce, pp. 310-311)

How does e-commerce work?

- The shopper connects to an online store
- Behind the scenes, the store is a Web site plus a group of supporting technologies
- The domain name acts as the entry to the online store
- Includes some mechanism for customers to select merchandise and then pay for it

Page 14 (Chapter 6, Section D: E-Commerce, p. 311)

Shopping Carts: What's an online shopping cart and how does it work?

- Shopping cart – cyberspace version of the good old metal cart that you wheel around a store and fill up with merchandise
- The shopper browses the Web site, then adds products using a "Buy" or "Add to Cart" button
- Uses cookies to store information about your activities on the Web site. In practice the cookie should hold only the session identifier, with the cart contents and prices kept on the server: anything stored in the cookie itself can be edited by the shopper before it is sent back

Page 15 (Chapter 6, Section D: E-Commerce, p. 311): How do shopping carts work?

Page 16 (Chapter 6, Section D: E-Commerce, p. 312): How do shopping carts work?

Page 17 (Chapter 6, Section D: E-Commerce, p. 312): What is an HTML form?

Page 18 (Chapter 6, Section D: E-Commerce, p. 313)

What happens to the data that's entered into a form?

- The data you type is held temporarily on your computer while you fill in the form; it is not left "hanging around" afterwards (unless you let the browser remember form entries, which on a shared machine you should not)
- When you click a Submit button, the information is gathered and submitted to a specially designated program on an HTTP server

Page 19

There Is More to WEB Security Than Cookies

What happens when you fill out a WEB form:
- You may input your name and address – not so bad
- You may input your phone number – hmmm
- You may input your credit card number and expiration date – could be BAD
- This information will temporarily stay on your hard drive – not so bad
- This information will travel across the Internet wires, and over plain HTTP it is readable as the Sunday comics by anyone on the path – BAD NEWS

Page 20 (Chapter 6, Section D: E-Commerce, p. 313)

Can the data in the HTTP message be intercepted in transit?

- Yes. A packet sniffer monitors data as it travels over networks, and plain HTTP carries form data in the clear
- Two technologies were offered to protect the data:
- SSL (Secure Sockets Layer) – encrypts the whole connection, so every HTTP message inside it is protected; its successor TLS is what https:// uses today
- S-HTTP (Secure HTTP) – an extension of HTTP (not HTML) that encrypts the text of an individual HTTP message before it is sent; it was published as RFC 2660 but never widely implemented, and SSL/TLS won out

Page 21

Packet Sniffers

- Software that will read network packets not meant for the machine it runs on
- Packets travel between network cards
- A network card normally passes up to the operating system only the packets addressed to its own hardware (MAC) address, plus broadcasts, and drops all others; the OS knows what to do with the packets it receives
- A packet sniffer puts the network card in promiscuous mode, so it also delivers packets not meant for it
- Caveat: on a switched network the switch forwards a unicast frame only to the port of its destination, so promiscuous mode alone sees little. A sniffer then needs a mirror port, a position on the path (a router, a proxy, a Wi-Fi link), or a trick such as ARP spoofing to pull traffic past itself. Shared media, old hubs and open Wi-Fi are the textbook case
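What a sniffer actually gets when the form from the previous slides goes out over plain HTTP, as an added example that is not code from the slides. Everything in it is constructed: the MAC and IP addresses, the shopper's details (the card is the well-known Visa test number 4111111111111111), and the single Ethernet/IPv4/TCP frame, which the script assembles itself so it runs offline with checksums left at zero. A real sniffer would read frames from a capture interface or a pcap file; the parsing and the "would a normal card even see this?" check are the same.

```python
"""What a packet sniffer sees on a plain-HTTP form submission.

Added example, not from the original slides. Everything here is constructed:
the MAC and IP addresses, the card number (the public Visa test number) and
the single Ethernet/IPv4/TCP frame are built in the script itself so that it
runs offline; checksums are left as zero. A real sniffer would get frames
from a capture interface or a pcap file instead.
"""
import struct


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Assemble Ethernet II + IPv4 + TCP (no options) around a payload."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                          5 << 4, 0x18, 65535, 0, 0)  # data offset 5 words, PSH|ACK
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth_hdr = dst_mac + src_mac + b"\x08\x00"   # EtherType 0x0800 = IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def nic_would_deliver(frame: bytes, my_mac: bytes, promiscuous: bool) -> bool:
    """A card in normal mode keeps only frames for its own MAC or broadcast;
    in promiscuous mode it hands everything up to the sniffer."""
    dst = frame[0:6]
    return promiscuous or dst == my_mac or dst == b"\xff" * 6


def parse_frame(frame: bytes) -> dict:
    """Peel the Ethernet, IPv4 and TCP headers and return what a sniffer
    would log, including the raw application payload."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src_ip = ".".join(str(b) for b in frame[14 + 12:14 + 16])
    dst_ip = ".".join(str(b) for b in frame[14 + 16:14 + 20])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:]
    return {"src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
            "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
            "payload": payload}


def extract_form_fields(payload: bytes) -> dict:
    """If the payload is a plain-HTTP POST, the form body is right there."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not head.startswith(b"POST ") or not sep:
        return {}
    fields = {}
    for pair in body.decode("ascii", "replace").split("&"):
        k, _, v = pair.partition("=")
        fields[k] = v
    return fields


# Constructed sample: the shopper's machine posts a checkout form to the store.
SHOPPER_MAC = bytes.fromhex("020000000001")
STORE_MAC = bytes.fromhex("020000000002")
SNIFFER_MAC = bytes.fromhex("020000000003")   # a third machine on the same segment
BODY = b"name=Pat+Shopper&card=4111111111111111&exp=12%2F27"
REQUEST = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
SAMPLE_FRAME = build_frame(SHOPPER_MAC, STORE_MAC, "192.0.2.10", "198.51.100.5",
                           51234, 80, REQUEST)

if __name__ == "__main__":
    print("normal mode sees it:     ", nic_would_deliver(SAMPLE_FRAME, SNIFFER_MAC, False))
    print("promiscuous mode sees it:", nic_would_deliver(SAMPLE_FRAME, SNIFFER_MAC, True))
    info = parse_frame(SAMPLE_FRAME)
    print(f"{info['src']} -> {info['dst']}: {extract_form_fields(info['payload'])}")
```

The third machine's card drops the frame in normal mode and delivers it in promiscuous mode, and once delivered the card number falls out of the payload with three lines of string handling. Over HTTPS the same frame's payload is a TLS record, and `extract_form_fields` returns nothing.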

Page 22

Encryption

How does it work? Encryption – hmmmm

There are different methods, but the main idea is that there is an encrypt function and a decrypt function that work in the following manner:

Encrypt ( key, plaintext ) => ciphertext
Decrypt ( key, ciphertext ) => plaintext

Ciphertext is not understandable by anyone who doesn't have the right KEY. The security must rest in the key alone: assume the attacker knows exactly which functions are in use.

Page 23

Types of Cryptography

Symmetric (one shared key does both jobs):
- Caesar cipher – shift cryptography
- Cryptogram – substitution crypto
- One-time pad
The first two are teaching examples that fall in minutes; the one-time pad is unbreakable only when the key is truly random, as long as the message, and never reused. Real systems today use a block cipher such as AES.

Asymmetric (a public key and a separate private key):
- Public/private key pairs
- PGP (email) – in fact a hybrid: a fresh symmetric key encrypts the message and the recipient's public key encrypts that symmetric key
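The symmetric ciphers from this slide and the Encrypt(key, plaintext) / Decrypt(key, ciphertext) shape from the previous one, as an added example that is not code from the slides. It shows the Caesar shift, a random-permutation cryptogram key and a one-time pad, plus the two failure modes a practitioner should see once: a shift cipher has only 25 usable keys, so "not having the key" is no obstacle, and a pad used twice leaks the XOR of the two messages.

```python
"""Symmetric ciphers from the slide, written as Encrypt(key, plaintext) and
Decrypt(key, ciphertext).

Added example, not from the original slides. Shows the Caesar shift cipher,
a general substitution cipher (the "cryptogram") and a one-time pad, then
the failure modes: a shift cipher has only 25 usable keys, and a one-time
pad key used twice leaks the XOR of the two messages.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(key: int, plaintext: str) -> str:
    """Shift every letter forward by key positions; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(key: int, ciphertext: str) -> str:
    return caesar_encrypt(-key, ciphertext)


def caesar_brute_force(ciphertext: str, known_word: str) -> list[int]:
    """Try all 25 shifts and return those whose output contains a word the
    attacker expects to see; with so few keys the key is no protection."""
    return [k for k in range(1, 26) if known_word.upper() in caesar_decrypt(k, ciphertext)]


def substitution_key() -> str:
    """A cryptogram key is a random permutation of the alphabet (26! choices,
    but letter frequencies still break it by hand)."""
    letters = list(ALPHABET)
    for i in range(len(letters) - 1, 0, -1):      # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        letters[i], letters[j] = letters[j], letters[i]
    return "".join(letters)


def substitution_encrypt(key: str, plaintext: str) -> str:
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def substitution_decrypt(key: str, ciphertext: str) -> str:
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def otp_key(length: int) -> bytes:
    """A one-time pad key: as long as the message and truly random."""
    return secrets.token_bytes(length)


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must match the message length")
    return bytes(k ^ p for k, p in zip(key, plaintext))


otp_decrypt = otp_encrypt   # XOR undoes itself


def otp_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under the same pad XOR to plaintext1 XOR plaintext2:
    the key cancels out, so an eavesdropper learns about both messages."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    ct = caesar_encrypt(3, "ATTACK AT DAWN")
    print(ct, "->", caesar_decrypt(3, ct),
          "; shifts that yield ATTACK:", caesar_brute_force(ct, "ATTACK"))
    k = substitution_key()
    print(substitution_decrypt(k, substitution_encrypt(k, "CRYPTOGRAM")))
    pad = otp_key(5)
    c1, c2 = otp_encrypt(pad, b"HELLO"), otp_encrypt(pad, b"WORLD")
    leak = otp_reuse_leak(c1, c2)
    print("reused pad leaks plaintext XOR:",
          leak == bytes(a ^ b for a, b in zip(b"HELLO", b"WORLD")))
```

The last line is the one to remember: the one-time pad is perfect exactly as long as the key-distribution problem on the next slide is solved, which is why the textbook lists it next to the Caesar cipher rather than next to SSL.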

Page 24

How do these work?

Symmetric
- Both parties need the same key to encrypt and decrypt
- Problem – how do we get the key to each other in a secure manner? Sending it over the network needs a secure channel, which is the very thing we are trying to build: a sort of chicken-and-egg problem

Asymmetric
- Solves this problem WITH REALLY BEAUTIFUL MATH: it involves a publicly available key that anyone can use to encrypt, but only the holder of the (shhh!) secret key can decrypt. In practice the public key is used to agree on a fresh symmetric key, and the bulk of the data is encrypted symmetrically, because public-key operations are slow
- Creates a new problem (no free lunch) – how do I know that the public key you are advertising is really yours? Anyone sitting between us could hand me their own key instead – hmmm

Page 25

Solution – Digital Certificates

- These are digitally signed statements that bind a NAME, or other important identification, to a public key; the signer is a certificate authority that the browser already trusts
- Your browser can then verify the signature chain, check that the name matches the site it is talking to and that the certificate has not expired, and refuse the connection if any of that fails. That is the "magic", and it is only as good as the list of authorities the browser trusts
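The asymmetric half of the story, from the public-key math on the previous slide to the certificate that fixes its key-substitution problem, as an added example that is not code from the slides. The RSA numbers (p = 61, q = 53, e = 17) are the classic textbook toy and are unsafe for any real use; real keys are 2048 bits and up, with padding. The certificate authority is just a second key pair generated in the script, and `issue_certificate` / `verify_certificate` are names invented here to show what a browser does with a certificate.

```python
"""Public-key encryption and a certificate, with numbers small enough to
follow by hand.

Added example, not from the original slides. The RSA parameters
(p=61, q=53, e=17) are the classic textbook toy, unsafe for any real use;
real keys are 2048 bits and up and use padding. issue_certificate and
verify_certificate are hypothetical names, and the "CA" is just a second
key pair generated here.
"""
import hashlib
from math import gcd


def rsa_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi")
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Anyone with the public key can do this..."""
    n, e = public
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """...but only the holder of d can undo it."""
    n, d = private
    return pow(c, d, n)


def sign(private, message: bytes) -> int:
    """Signing is the same math with the roles swapped: the private key
    transforms a hash of the message and the public key checks it."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """A certificate: the name-to-key binding plus the CA's signature over it."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return {"subject": subject, "public": subject_public, "sig": sign(ca_private, body)}


def verify_certificate(ca_public, cert: dict, expected_name: str) -> bool:
    """What the browser does: check the CA signature over the binding, then
    check that the certified name is the site it is actually talking to."""
    body = f"{cert['subject']}|{cert['public'][0]}|{cert['public'][1]}".encode()
    return verify(ca_public, body, cert["sig"]) and cert["subject"] == expected_name


if __name__ == "__main__":
    shop_pub, shop_priv = rsa_keypair(61, 53)
    ca_pub, ca_priv = rsa_keypair(89, 97)
    c = encrypt(shop_pub, 65)
    print("65 encrypts to", c, "and decrypts back to", decrypt(shop_priv, c))
    cert = issue_certificate(ca_priv, "shop.example", shop_pub)
    print("genuine cert verifies:", verify_certificate(ca_pub, cert, "shop.example"))
    # The attacker's move from the previous slide: advertise their own key
    # under the shop's name. Without the CA's signature over that binding
    # the browser rejects it.
    attacker_pub, _ = rsa_keypair(67, 71)
    fake = dict(cert, public=attacker_pub)
    print("key-swapped cert verifies:", verify_certificate(ca_pub, fake, "shop.example"))
```

Two things this makes concrete. First, the check is on the binding, not the key: the attacker's key is a perfectly good key, it just is not the one the CA vouched for under that name. Second, everything hinges on `ca_pub` being known in advance, which is what a browser's built-in list of trusted authorities is.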

Page 26 (Chapter 6, Section C: Web Page Extensions, Scripts, and Programs, p. 306)

What is a digital certificate?

- Digital certificate – an electronic attachment to a file (here, a downloadable program component) that lets the recipient verify the identity of its source and that the file has not changed since it was signed
- Certificate authority – a company that checks the applicant's identity and supplies digital certificates; the whole scheme depends on how carefully it does that checking

Page 27 (Chapter 6, Section C: Web Page Extensions, Scripts, and Programs, p. 307)

How does a digital certificate work?

- If your security is set to "medium", the browser displays a warning message to alert you that an ActiveX component is trying to install itself (ActiveX components were native code with full access to the machine, which is why the signature mattered and why current browsers no longer run them)
- Your browser reads the certificate, displays the name of the person or company that signed it, and verifies that the component was not altered since it was signed. Note what it does not verify: that the signer is honest, or that the code is safe. A valid signature from a publisher you have never heard of is still a reason to click Cancel

Page 28 (Chapter 6, Section C: Web Page Extensions, Scripts, and Programs, p. 307): How does a digital certificate work?

Page 29

SSL and S-HTTP

SSL:
- A networking technology that encrypts the packets going over Internet wires; public/private key cryptography authenticates the server and agrees on a session key, and a fast symmetric cipher then encrypts the traffic
- Can be used in situations other than Web sessions (mail, directory lookups, VPNs)
- SSL itself is obsolete, every version of it having been broken; its successor TLS is what is in use today, although the name SSL stuck

S-HTTP:
- Public/private key technology used to send individual Web pages and requests in encrypted form; never widely deployed

HTTPS:
- HTTP carried over SSL/TLS; the browser shows it as https:// and a padlock
- Only send information that you want to remain secret during an https:// session, and check the address before you type: an https:// page can still contain a form that submits to a plain http:// address
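A check for the last bullet, as an added example that is not code from the slides: an https:// page is only as good as where its forms submit to. The script parses a page's `<form>` elements, resolves each action against the page URL and flags any that would send data over plain http://, plus any that would put a sensitive field into a URL via GET. The HTML is constructed for the demonstration and the URLs are documentation-style examples.

```python
"""Check that a page's forms actually submit over HTTPS.

Added example, not from the original slides. The HTML below is constructed
for the demonstration and the URLs are documentation-style examples. A
secure page is only as good as where its forms post to, so the check
resolves each form's action against the page URL and flags plain http://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects (action, method, names of sensitive inputs) for each <form>."""
    SENSITIVE = ("card", "password", "passwd", "cvv", "ssn")

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "sensitive": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            if any(s in name for s in self.SENSITIVE):
                self._current["sensitive"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url: str, html: str) -> list[str]:
    """Return one finding per form that would expose data."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        target = urljoin(page_url, f["action"])   # empty action = same page
        scheme = urlsplit(target).scheme
        if scheme != "https":
            what = ", ".join(f["sensitive"]) or "form data"
            findings.append(f"{f['method'].upper()} to {target} sends {what} unencrypted")
        elif f["method"] == "get" and f["sensitive"]:
            findings.append(f"GET to {target} puts {', '.join(f['sensitive'])} "
                            "in the URL (logs, history)")
    return findings


# Constructed page: one form is fine, one posts to plain http, one searches
# over GET harmlessly, and one sends a password over GET.
SAMPLE_PAGE = """
<html><body>
<form action="/checkout" method="post"><input name="card"><input name="exp"></form>
<form action="http://legacy.shop.example/pay" method="post"><input name="card"></form>
<form action="https://shop.example/search" method="get"><input name="q"></form>
<form method="get"><input name="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for line in audit_forms("https://shop.example/cart", SAMPLE_PAGE):
        print(line)
```

Run against the sample page loaded from `https://shop.example/cart` it reports the legacy payment form and the password-over-GET form and stays quiet about the other two. The same function run on a page fetched over plain http:// flags every form, which is the slide's point: the padlock has to be on the page you type into and on the one the data goes to.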

Page 30 (Chapter 6, Section D: E-Commerce, p. 313)

Can the data in the HTTP message be intercepted in transit?

- Securing your credit card number in transit solves only half of the security problem: the merchant still has to be who they claim to be, and they have to protect the number once they have it
- SET (Secure Electronic Transaction) – a security method that relies on cryptography and digital certificates to ensure that transactions are legitimate as well as secure; the card number is encrypted for the bank, so the merchant never sees it
- Endorsed by major players in the e-commerce arena (Visa and MasterCard), but it required certificates and software on every shopper's machine and was never adopted; the industry settled on HTTPS plus rules for how merchants store card data (PCI DSS) instead

Page 31 (Chapter 6, Section D: E-Commerce, pp. 314-315)

Credit Card Security: How can online credit card transactions get hacked?

- Fake storefronts – a Trojan horse site that exists only to collect card numbers
- Intercepted packets – uses packet sniffers on an unencrypted connection
- Database break-ins – unauthorized access to customer databases; one break-in yields every customer's number at once, which is why encryption in transit alone is not enough
- Dishonest employees
- Always-on connections – a home machine that is permanently online is permanently reachable, and malware on it can capture what you type before any encryption happens

Page 32 (Chapter 6, Section D: E-Commerce, p. 315)

What steps can I take to safeguard my credit card number?

- The only foolproof method – don't use it
- To reduce the probability of online credit card fraud, make sure that you deal with legitimate merchants, and check that the checkout page is https:// with a certificate issued for the merchant's name
- One-time-use credit card numbers – allow customers to make purchases while keeping their actual card numbers hidden; a stolen number is worthless after its one transaction
- Provided by your credit card provider's Web site

Page 33

Last Thoughts

Security is a multifaceted computer issue:
- There is security pertaining to your computer – without the network
- The network adds a new layer of security issues
- The WEB adds a new layer

Security Protocols
- People in the computer field try to come up with procedures that ensure computer security at different levels – hard to get right

Security User Interfaces
- How to get the computer user to enforce security policies on her own machine – MY RESEARCH INTEREST