internet privacy at home and at work a tutorial
Download
Skip this Video
Download Presentation
Internet Privacy - At Home and At Work: A Tutorial

Loading in 2 Seconds...

play fullscreen
1 / 31

Internet Privacy - At Home and At Work: A Tutorial - PowerPoint PPT Presentation


  • 85 Views
  • Uploaded on

Internet Privacy - At Home and At Work: A Tutorial. Presented by Dr. Robert J. Boncella Professor of CIS CIS Department and School of Business Washburn University Topeka, Kansas. Internet Privacy - At Home. Server. Client. This is a request. This is a response.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Internet Privacy - At Home and At Work: A Tutorial' - nellis


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
internet privacy at home and at work a tutorial

Internet Privacy - At Home and At Work: A Tutorial

Presented

by

Dr. Robert J. Boncella

Professor of CIS

CIS Department and School of Business

Washburn University

Topeka, Kansas

client server computing

Server

Client

This is a request

This is a response

Client/Server Computing
web basics
Web Basics
  • Uniform Resource Identifier (URI)
  • Uniform Resource Locator (URL)
  • Uniform Resource Name (URN)
  • URL/URN Syntax
  • Protocol Examples
    • http://host[:port]/path/resource_name[#section][?query_string]
    • ftp://username:[email protected][:port]/path
  • Examples
    • http://www.webcrawler.com:80/cgi-bin/WebQuery?searchText=servlets
    • ftp://[email protected]/
http protocol
Client sends a request to a server

Server sends a response to client

Connectionless

Client:

Opens connection to server

Sends request

Server

Responds to request

Closes connection

Stateless

Client/Server have no memory of prior connections

Server cannot distinguish one client request from another client

HTTP Protocol
http protocol6

Status Line

Request Line

General headers

General headers

Request headers

Response headers

Entity headers

Entity headers

BlankLine

BlankLine

Body

(Present in only some messages)

Body

(Present in only some messages)

Request message

Response message

HTTP Protocol
request line syntax

Space

Space

HTTP version

Request Type

(method)

URL

Request Line Syntax

GET /login.html HTTP/1.0

POST /login.html HTTP/1.0

GET /login.html?username=zzbonc&password=demo1 HTTP/1.0

generated by the URL:

http://www.washburn.edu/login.html?username=zzbonc&password=demo1

status line format in response message

Space

Space

Status phrase

HTTP version

Status Code

Status Line Format in Response Message

HTTP/1.0 200 OK

HTTP/1.0 401 Unauthorized

HTTP/1.0 404 Not Found

header format

Space

Header name

Header Value

:

Header Format

Several Types of Headers:

General- provides general information about the message

Request - specifies client’s configuration and preferred document format

Response - specifies the server’s configuration and information about the response

Entity - information about the body of the document

slide10

Server

Client

Request (Get Method)

GET /usr/bin/image1 HTTP/1.1

Accept: image/gif

Accept: image/jpeg

Response

HTTP/1.1 200 OK

Date: Mon, 08-Jan-01 13:15:14 GMT

Server: Challenger

MIME-version: 1.0

Content-length: 2048

(Body of document)

slide11

Server

Client

Request (Head method)

HEAD usr/user/file1.html HTTP/1.1

Accept: */*

Response

HTTP/1.1 200 OK

Date: Mon, 08-Jan-01 13:15:14 GMT

Server: Challenger

MIME-version: 1.0

Content-type: text/html

Content-length: 1020

slide12

Server

Client

Request (Post Method)

POST /cgi-bin/doc.pl HTTP/1.1

Accept: *.*

Accept: image/gif

Accept: image/jpeg

Content-length: 50

(Input information)

Response

HTTP/1.1 200 OK

Date: Mon, 08-Jan-01 13:15:14 GMT

Server: Challenger

MIME-version: 1.0

Content-length: 2000

(Body of the document)

http and privacy
HTTP and Privacy
  • Privacy Threats
    • Server Log Files
    • Proxy Log Files
    • Referer Header
    • Cookies
    • Web Bugs
  • Privacy Assurance
    • Anonymizing Proxies
    • Cookie Cutters
server log files
Server Log Files

Each time a client requests a resource the server of that resource may record the following in its log files:

  • The name & IP address of the client computer
  • The time of the request
  • The URL that was requested
  • The time it took to send the resource
  • If HTTP authentication used; the username of the user of the client will recorded
  • Any errors that occurred
  • The referer link
  • The kind of web browser that was used

Same info may be recorded in a Proxy Server’s logfile

cookies
Cookies
  • Used to solve the “Statelessness” of the HTTP Protocol
  • Used to store and retrieve user-specific information on the web
  • When an HTTP server responds to a request it may send additional information that is stored by the client - “state information”
  • When client makes a request to this server the client will return the “cookie” that contains its state information
  • State information may be a client ID that can be used as an index to a client data record on the server
http header syntax for a cookie
HTTP Header Syntax for a Cookie

Set-Cookie: <name>=<value>; expires=<Date>; domain=<Domain_Name>; Path=<Path>; secure

Response Example:

HTTP/1.0 200 OK

Server: Netscape-Enterprise/2.01

Content Type: text/html

Content Length: 87

Set-Cookie: userID=1234; domain=mysite.org path=/cookie_info

Request Example:

GET /login.html HTTP/1.0

User-Agent: Mozilla/4.02 [en] (Win95; I)

Accept: image/gif, image/jpeg, */*

Cookie userID=1234;color=blue

attributes of the cookie header
Attributes of the Cookie Header
  • <NAME>=<VALUE> The only required name/value pair is the cookie name and its value e.g. Set-Cookie: custID=12345
  • expires=<DATE> Indicates when cookie is no longer valid. When a cookie expires it should be removed from storage. If no date is specified then cookie expires at end of user session.
attributes of the cookie header18
Attributes of the Cookie Header
  • domain=<DOMAIN> If the domain of a client request matches the domain attribute of a cookie, then the request’s path is compared to the cookie’s path attribute. If there is a match, the cookie is transmitted to the server along with the request.
  • path=<PATH> The path attribute indicates the URLs within a domain for which the cookie is valid. If no path attribute is set in the Set-Cookie header, the path is assumed to be the same as the resource that is being returned by the server.
  • secure The secure attribute indicates that this cookie should be sent via a secure connection.
web bugs
Web Bugs
  • Used to determine a client browsing profile based on their “clickstream”
  • As a web page is rendered by a browser each URL on the page causes a request to be sent by the client
    • <IMG SRC “http://ad.doubleclick.net/ … ” WIDTH=1 HEIGHT=1 BORDER=0>
  • Suppose every page rendered by a client requests the same URL (located on the same server)
  • Among other info, the GET method contains the cookie issued to the client by the server of that URL and the referer header.
  • The referer info can be extracted by the server and associated with that cookie.
web bug process

Server C

Server B

Req:

Page_B.html

Res: Page_C.html

Res: Page_B.html

Req:

Page_C.html

Req:

WebBug IMG

-Referer Header

- Any cookie for

TRKSTRM.COM

Client

Browser

My_Brwsr

Req: Page_A.html

Server A

WBS

Res: Page_A.html

Res:

WebBug Img

-Cookie to client

Browser on 1st Req.

Web Bug Process

Page C cnts

- URLs & Img Src

- WebBug [email protected]

WBS. TRKSTRM.COM

Page B cnts

- URLs & Img Src

- WebBug [email protected]

WBS. TRKSTRM.COM

1. Render page

2. Click on URL

Cookie: My_Brwsr

Pg A - Server A

Pg B - Server B

Pg C - Server C

Page A cnts

- URLs & Img Src

- WebBug Img @

WBS. TRKSTRM.COM

are cookies anonymous
Are Cookies Anonymous?
  • A click stream can be associated with a specific cookie on a server.
  • Cookies may be associated with a paticular client, based on IP address but are assumed to not be associated with a particular user.
  • E-mail readers can render web pages (e.g. MS Outlook, Netscape Messenger)
  • Suppose a user receives a junk e-mail containing a web bug modified to contain user’s e-mail address
are cookies anonymous22
Are Cookies Anonymous?

This URL in the e-mail

<img src=“http://www.somedomain.com/[email protected]>

Generates this request to the server of the Web Bug

GET /[email protected] HTTP/1.1

User-Agent: Mozilla/4.7 [en] (WIN98; I)

Cookie: userID=1234

privacy assurance
Privacy Assurance
  • Anonymizing Proxies
    • work like normal proxy servers
    • but they scrub any identification from the request (e.g. cookies, referer header contents, IP address of host making the request)
    • no log files are kept regarding a host’s use of the proxy server
  • Advantages
    • effective and transparent
  • Disadvantges
    • Slow web response time
    • cookies unavailable
    • may not support SSL
    • Need to trust anonymizer
privacy assurance24
Privacy Assurance
  • Cookie Cutters
    • Browsers offer options for cookies
      • accept all
      • reject all
      • warn before accepting
      • only accept cookies that are offered by the site of the rendered page i.e.do not accept web bugs
    • If “accept all cookies” chosen user can remain somewhat private by doing a clean sweep - remove files containing cookies, history, and clear cache
why do web surveillance
Why Do Web Surveillance
  • Employee Productivity
  • Wasted Bandwidth
  • Computer Security
    • Viruses and Trojan Horses
  • Legal Issues
    • Illegal Use of Commercial Software
    • Hostile Work Environment
    • Pornography in the Workplace
    • Sexually Explicit E-mail
items for web surveillance
Items For Web Surveillance
  • Web Browsing & Cookies
  • E-mail Use
  • Active Content (e.g. Java Applets & Active X )
  • Malicious Mobile Code
    • Trojan Horses, Viruses, Macros, Executable Scripts
  • Failed Logon Attempts
  • “Access Denied” Events
how to do web surveillance
How To Do Web Surveillance
  • Web Proxies
    • Offer Inspection & Restriction
    • Drawback is Slower Response Time
  • E-mail Context & Content Scan
    • Used to Monitor and Filter E-mails
    • Filter Malicious Code (e.g. .vbs attachments)
    • Monitor Content for
      • Racist or Sexually Harassing Content
how to do web surveillance29
How To Do Web Surveillance
  • Intrusion Detection Systems
    • Host Based
      • track user keystrokes
    • Networked Based
      • application keystrokes per user
    • Internal Firewalls
      • monitor access & use of a organization’s intranet
  • Remote Control Progams
    • allows control of remote host and redirect display
    • e.g. pcAnywhere or Citrix’s ICA Client
employees and web surveillance
Employees and Web Surveillance
  • Web Surveillance Is Effective & Accepted If Employee Is Aware of an Institution’s Policy ForWeb Surveillance
  • Corporations Must Provide an Acceptable Use Policy (AUP) for Computing Resources That Contains An Internet Access Policy (IAP)
  • IAP, As Well As AUP, Should Specified, in Plain Language What Is Acceptable and Not Acceptable
  • IAP Should Provide Specific Examples of Do’s and Don’ts
internet privacy final comment
Internet Privacy - Final Comment
  • Even Though the WEB Feels Anonymous
  • IT IS NOT!!
  • Users Need To Be Aware of Restrictions on Their Privacy
ad