web security from cookies to packet sniffers – what is this stuff anyway and why should i care
TRANSCRIPT
WEB security
From COOKIES to Packet Sniffers – What Is This Stuff Anyway and Why Should I Care
Page 285, Section A, Chapter 6: Web Technology
Cookies: What is a “cookie”?
- Cookie – small chunk of data generated by a Web server and stored in a text file on your computer
- Cookie: [email protected]/
  SITESERVER ID=9022591d2390f3b8639aa3c7cf1ca8f5 sarasota.fl.us/ 0 642859008 31887777 2868194304 29411026
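The record above is laid out the way Internet Explorer stored each cookie in its own text file (one field per line, a "*" line closing the record). Added example, not from the slides or the textbook: a parser that decodes that record and recovers the expiry the server set; the field layout and the FILETIME encoding of the two timestamps are assumptions about the IE format, and the record below is constructed from the fields on the slide.

```python
"""Added example (not from the slides): decode the Internet Explorer cookie
record shown above.  Assumed layout of IE's per-cookie text files: name,
value, host/path, flags, then expiry and creation as the low/high 32-bit
halves of a Windows FILETIME (100 ns ticks since 1601); '*' ends a record."""
from datetime import datetime, timedelta, timezone

# Record constructed from the fields on the slide, one field per line.
SLIDE_RECORD = """SITESERVER
ID=9022591d2390f3b8639aa3c7cf1ca8f5
sarasota.fl.us/
0
642859008
31887777
2868194304
29411026
*
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Join the two 32-bit halves and convert 100 ns ticks to a UTC datetime."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_file(text: str) -> list:
    """Split the file into '*'-terminated records and decode each one."""
    cookies = []
    lines = text.splitlines()
    while len(lines) >= 9 and lines[8] == "*":
        rec, lines = lines[:8], lines[9:]
        domain, _, path = rec[2].partition("/")
        cookies.append({
            "name": rec[0],
            "value": rec[1],
            "domain": domain,
            "path": "/" + path,
            "flags": int(rec[3]),
            "expires": filetime_to_datetime(int(rec[4]), int(rec[5])),
            "created": filetime_to_datetime(int(rec[6]), int(rec[7])),
        })
    return cookies


def lifetime_days(cookie: dict) -> int:
    """How long the server asked the browser to keep this cookie."""
    return (cookie["expires"] - cookie["created"]).days
```

Decoding the slide's record shows a cookie set in April 2001 that the server asked the browser to keep until 2035, which is the "time out" the later slide mentions, chosen by the programmer rather than by you.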
What is a “cookie”?
Web sites use cookies to:
- Track your path through a site
- Provide information that allows the Web site to present you with ad banners
- Retain any personal information that you type into a Web page form
Why do Web sites use cookies to keep track of my activity?
- Because each request is considered separate by the Web server
- Cookies allow the server to know which requests are yours
- Provide temporary storage space
- A way to identify your requests from others
Are cookies safe and private?
- Cookies are a relatively safe technology
- Data, not a computer program
- Can only be accessed by the site that created it
- Contain only information you disclose while using the site
- Uses a randomly generated number instead of your name
Does my computer have to accept cookies?
- Most browsers will let you block cookies
- Without cookies, you may not be able to do some things on the Web
- P3P (Platform for Privacy Preferences Project) – defines security tags for cookies in their HTTP header
- Compact Privacy Policy – describes how cookie data is used by a Web site
How long do cookies stay on my computer?
- A Web programmer can program a cookie to “time out”
- You can delete the cookies
- Netscape uses Cookies.txt or Magiccookie
- IE stores each in a separate file
Page 309, Section D, Chapter 6: E-Commerce (PARSONS/OJA)
Web Pages, Web Sites, and E-Commerce
E-Commerce Basics: What is e-commerce?
- E-commerce – describes financial transactions that are conducted electronically over a computer network
- Includes physical products, digital products, and services
- Digital products such as news, music, video, databases, software, and all types of knowledge-based items
- Peddles services, such as arranging trips, online medical consultation, and remote education
How does e-commerce work?
- Shopper connects to an online store
- Behind the scenes, based on a Web site and a group of technologies
- Based on a domain name which acts as the entry to the online store
- Includes some mechanism for customers to select merchandise and then pay for it
Shopping Carts: What’s an online shopping cart and how does it work?
- Shopping cart – cyberspace version of the good old metal cart that you wheel around a store and fill up with merchandise
- Shopper browses the Web site, and then adds products using a “Buy” or “Add to Cart” button
- Uses cookies to store information about your activities on the Web site
How do shopping carts work?
What is an HTML form?
What happens to the data that’s entered into a form?
- Your information is stored on your hard disk; it is not left “hanging around”
- When you click a Submit button, the information is gathered and submitted via a specially designated program on an HTTP server
There Is More to WEB There Is More to WEB Security Than CookiesSecurity Than Cookies
What happens when you fill out a WEB form:
- You may input your name and address – not so bad
- You may input your phone number – hmmm
- You may input your credit card number and expiration date – could be BAD
- This information will temporarily stay on your hard drive – not so bad
- This information will travel across the internet wires readable as the Sunday comics – BAD! BAD! NEWS
Can the data in the HTTP message be intercepted in transit?
- Packet sniffer – monitors data as it travels over networks
- 2 technologies protect the data:
- SSL (Secure Sockets Layer) – encrypts the data
- S-HTTP (secure HTTP) – extension of HTML that encrypts the text of an HTTP message before it is sent
Packet Sniffers
- Software that will read network packets not meant for the machine it runs on
- Packets travel between network cards
- Network cards pass packets that are addressed to their machine up to the operating system and drop all others – the OS knows what to do with the packets
- Packet sniffers put network cards in promiscuous mode – read packets not meant for them
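The flip side of the promiscuous mode just described is that a host can check its own network cards for it. Added example, not from the slides: a defender-side check that decodes the per-interface flag word Linux publishes under /sys/class/net and reports any non-loopback card that is in promiscuous mode; the IFF_* bit values are the kernel's, the sample flag words in the test are constructed.

```python
"""Added example (not from the slides): a defender-side check for the
promiscuous mode described above.  On Linux the kernel publishes each
interface's flag word at /sys/class/net/<iface>/flags as a hex string;
the bit values are the IFF_* constants from <linux/if.h>."""
from pathlib import Path

IFF_UP = 0x1
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100


def decode_flags(raw: str) -> dict:
    """Turn a flag word such as '0x1103' into named booleans."""
    flags = int(raw.strip(), 16)
    return {
        "up": bool(flags & IFF_UP),
        "loopback": bool(flags & IFF_LOOPBACK),
        "running": bool(flags & IFF_RUNNING),
        "promiscuous": bool(flags & IFF_PROMISC),
    }


def find_promiscuous(flag_words: dict) -> list:
    """Given {iface: raw flag word}, return the non-loopback interfaces
    whose card is accepting packets not addressed to this machine."""
    hits = []
    for iface, raw in sorted(flag_words.items()):
        try:
            state = decode_flags(raw)
        except ValueError:  # unreadable value: skip it rather than guess
            continue
        if state["promiscuous"] and not state["loopback"]:
            hits.append(iface)
    return hits


def read_sysfs_flags(sysfs_root: str = "/sys/class/net") -> dict:
    """Collect the flag words from a live Linux host (empty elsewhere)."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return {}
    words = {}
    for entry in root.iterdir():
        try:
            words[entry.name] = (entry / "flags").read_text()
        except OSError:
            continue
    return words


if __name__ == "__main__":
    print("promiscuous interfaces:", find_promiscuous(read_sysfs_flags()) or "none")
```

A card in promiscuous mode that none of your own monitoring tools put there is worth a closer look, since a sniffer on the same network segment needs exactly that setting.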
Encryption
How does it work? Encryption - hmmmm
There are different methods:
- Main idea is there is an encrypt and a decrypt function that work in the following manner:
  Encrypt ( key, plaintext ) => ciphertext
  Decrypt ( key, ciphertext ) => plaintext
- Ciphertext is not understandable by anyone who doesn’t have the right KEY
Types of Cryptography
Symmetric:
- Caesar cipher – shift cryptography
- Cryptogram - substitution crypto
- One time pad
Asymmetric:
- Public/Private
- PGP (email)
How do these work?
Symmetric
- Both parties need the same key to encrypt/decrypt
- Problem – how do we get keys to each other in a secure manner: turns into a sort of chicken and egg problem
Asymmetric
- Solves this problem – WITH REALLY BEAUTIFUL MATH: involves a publicly available key that anyone can use to encrypt but only the holder of the (shhh!) secret key can decrypt
- Creates a new problem (no free lunch) – how do I know that the public key that you are advertising is really yours - hmmm
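The Encrypt/Decrypt contract and the symmetric-key requirement above, carried through in code. Added example, not from the slides: two of the symmetric ciphers the slides list (the Caesar shift and the one-time pad) implemented behind the same Encrypt(key, plaintext) / Decrypt(key, ciphertext) interface, with the one-time pad enforcing its key-length rule and a helper that shows why the pad is "one time"; the sample messages are made up.

```python
"""Added example (not from the slides): the Encrypt(key, plaintext) =>
ciphertext / Decrypt(key, ciphertext) => plaintext contract, instantiated
with two of the symmetric ciphers the slides list: the Caesar shift and
the one-time pad.  Cipher code and sample messages are made up here."""
import secrets
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(key: int, plaintext: str) -> str:
    """Shift cipher: each letter moves `key` places; other characters pass through."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + key) % 26] if c in ALPHABET else c
        for c in plaintext.upper()
    )


def caesar_decrypt(key: int, ciphertext: str) -> str:
    """Decrypting is encrypting with the opposite shift."""
    return caesar_encrypt(-key, ciphertext)


def otp_keygen(length: int) -> bytes:
    """One-time pad key: random, as long as the message, used exactly once."""
    return secrets.token_bytes(length)


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR every byte with the pad; a short pad would leave bytes unprotected."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(k ^ p for k, p in zip(key, plaintext))


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(key, ciphertext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Why the pad is 'one time': if the same pad encrypts two messages,
    c1 ^ c2 == m1 ^ m2, so the key cancels out and the messages leak."""
    return bytes(x ^ y for x, y in zip(a, b))
```

Both ciphers need the same key on both ends, which is exactly the key-distribution problem the slide calls chicken-and-egg; the one-time pad also needs a fresh key of full message length every time, which is why it is rarely practical on its own.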
Solution – Digital Certificates
- These are digital verifications that bind a NAME, or other important identification, with a Public Key
- Your browser can then do some magic to verify these to some standard
Page 306, Section C, Chapter 6: Web Page Extensions, Scripts, and Programs
What is a digital certificate?
- Digital certificate – electronic attachment to a file that verifies the identity of its source
- Certificate authority – company that supplies digital certificates
How does a digital certificate work?
- If your security is set to “medium”, the browser displays a warning message to alert you that an ActiveX component is trying to install itself
- Your browser reads the certificate, displays the name of the person or company that signed it, and verifies that the component was not altered since it was signed
SSL and SHTTP
SSL:
- A networking technology which uses public/private key to encrypt packets going over internet wires
- Can be used in situations other than web sessions
SHTTP:
- Public/private key technology used to send web pages in encrypted form
HTTPS:
- Only send information that you want to remain secret during a https:// session.
Can the data in the HTTP message be intercepted in transit?
- Securing your credit card number solves only half of the security problem
- SET (Secure Electronic Transaction) – security method that relies on cryptography and digital certificates to ensure that transactions are legitimate as well as secure
- Endorsed by major players in the e-commerce arena
Credit Card Security: How can online credit card transactions get hacked?
- Fake Storefronts – Trojan horse site
- Intercepted packets – uses packet sniffers
- Database break-ins – unauthorized access of customer databases
- Dishonest employees
- Always-on connections
What steps can I take to safeguard my credit card number?
- Only foolproof method – don’t use it
- To reduce the probability of online credit card fraud, make sure that you deal with legitimate merchants
- One-time-use credit card numbers – allow customers to make purchases while keeping their actual card numbers hidden
- Provided by your credit card provider’s Web site
Last Thoughts
- Security is a multifaceted computer issue
- There is security pertaining to your computer – without the network
- The network adds a new layer of security issues
- The WEB adds a new layer
Security Protocols
- People in the computer field try to come up with procedures that ensure computer security at different levels – hard to get right
Security User Interfaces
- How to get the computer user to enforce security policies on her own machine - MY RESEARCH INTEREST