
COEN 350: Network Security


Presentation Transcript


  1. COEN 350: Network Security E-Commerce Issues

  2. E-Commerce Issues • Table of Contents • HTTP Authentication • Cookies

  3. HTTP Authentication
  • HTTP
    • Basically very simple.
    • GET: Used to read a website.
    • POST: Sends data to a website.
  • Some data has security implications
    • FROM field contains email.
      • But not by default, only if the browser is configured that way.
      • Used for spiders (crawlers) so that admins can complain about spider behavior.

  4. HTTP Authentication
  • HTTP
  • Some data has security implications
    • AUTHORIZATION field: Contains authentication data.
    • COOKIE field: See below.
    • REFERRER (REFERER) field: Contains the URL of the page from which the client came.

  5. HTTP Authentication
  • Authentication
    • URLs allow username / password data.
    • HTTP/1.1 has two authentication mechanisms.
    • Can use SSL, integrated as HTTPS.

  6. HTTP Authentication • URL Authentication

  7. HTTP Authentication • URL authentication • Can be abused in phishing expeditions.

  8. HTTP Authentication • Native HTTP provides a challenge / response framework.

  9. HTTP Authentication
  • HTTP authenticator:
    • A base 64 username / password encoding (Basic authentication):
      • The username and the password in base 64 encoding.
      • Completely insecure.
      • Data is not humanly readable.
      • It is easy to decode.
      • Even easier to replay the authorization.

  10. HTTP Authentication
  • HTTP authenticator:
    • Digest Authentication
      • Challenge includes
        • The WWW-Authenticate field reads "Digest".
        • The realm field gives the authentication realm.
        • The nonce field contains a value to be used as a nonce.
        • The opaque field contains a value that the server needs the client to pass back to it unchanged.
        • The stale field indicates whether the previous request was denied because the nonce was stale.
        • The algorithm field specifies the hash algorithm to be used, typically MD5.
        • The qop (quality of protection) field can contain the value "auth" for authentication only or the value "auth-int" for both authentication and integrity protection.

  11. HTTP Authentication
  • HTTP authenticator:
    • Digest Authentication
      • Response includes the challenge values and
        • Client nonce
        • Digest
          • Calculated by the hash algorithm requested.
          • From challenge data, username, password, client nonce.
          • (The client nonce prevents someone spoofing the server from controlling all data in the digest.)
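An added example (not from the slides) that puts slides 9 to 11 side by side: decoding a Basic header to show why base 64 is not protection, computing the RFC 2617 Digest response with qop=auth, and the server-side check that recomputes the digest from a stored HA1 and rejects a response built on a nonce it did not issue. The worked values are the ones in RFC 2617 section 3.5; the function names are this example's own.

```python
import base64
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def decode_basic(header_value: str):
    """Recover the credentials from 'Authorization: Basic <base64>'.
    Base64 is an encoding, not encryption: whoever sees the header has the
    password and can resend the header unchanged (replay)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


def digest_response(username, password, realm, nonce, method, uri, cnonce,
                    nc="00000001", qop="auth", body=""):
    """RFC 2617 Digest 'response' with algorithm=MD5. The password only enters
    the hash, and the server nonce plus client nonce bind the result to this
    exchange, so a captured response is worthless against a fresh nonce."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    if qop == "auth-int":  # integrity protection also covers the body
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}")
    else:
        ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, issued_nonce, f):
    """Server side: keep HA1 = MD5(user:realm:password) rather than the
    password, recompute over the nonce this server issued, and report a
    response built on an old nonce as 'stale' (the stale challenge field)."""
    if f["nonce"] != issued_nonce:
        return "stale"
    ha2 = md5_hex(f"{f['method']}:{f['uri']}")  # qop=auth only, for brevity
    expected = md5_hex(
        f"{stored_ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")
    return "ok" if hmac.compare_digest(expected, f["response"]) else "bad"


# Worked values taken from the example in RFC 2617, section 3.5.
RFC2617_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC2617_REALM = "testrealm@host.com"
```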

  12. Cookies
  • HTTP is stateless.
    • Good for requesting resources.
    • Bad if the server needs to update state based on the client's actions.
  • Fat URLs change server state.
  • Cookies maintain state at the client site.
  • E-commerce integrates both.

  13. Cookies
  • How cookies work:
    • Client contacts server.
    • Server includes cookie in answer.
      • "Slapping a cookie".
    • Client stores cookie in cookie jar.
    • Client goes to the same website:
      • Browser passes unexpired cookies along.

  14. Cookies
  • Cookies:
    • Permanent cookies
      • Valid for more than a single transaction.
    • Session cookies
      • Deleted when the browser is closed.

  15. Cookies
  • Cookies
    • Contain domain field.
    • Example:
      • Alice visits www.scu.edu
      • scu.edu slams her with
        Set-cookie: user="Alice"; domain="scu.edu"
      • Alice visits cse.scu.edu
      • Browser includes the cookie in the header of the request because it matches the domain.

  16. Cookies
  • Domain field
    • Specifies to whom cookies will be sent.
    • Limited to specific sites.
      • E.g. .com.ft or .edu is not allowed.
  • Path field
    • Limits cookie sending to a given path.
    • path = "www.cse.scu.edu/~tschwarz/coen350_04"

  17. Cookies
  • Cookie Versions
    • Netscape Cookies = Version 0 Cookies
    • RFC 2965 Cookies = Version 1 Cookies
      • RFC 2965: HTTP State Management Mechanism.

  18. Cookies
  • Version 0 cookies
    • Set-Cookie: name=value [; expires=date] [; path=path] [; domain=domain] [; secure]
    • Secure: only include this cookie with HTTPS (i.e. with SSL) requests.
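An added example (not part of the slides) that parses a Version 0 Set-Cookie header as on slide 18 and applies the domain, path and secure rules of slides 15 and 16 to decide whether a browser would attach the cookie to a request. PUBLIC_SUFFIXES is a constructed stand-in for the public-suffix list a real browser consults, and the Path attribute carries only the path portion of the URL shown on slide 16.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption): a cookie may
# not be scoped to one of these, or every site under the suffix would get it.
PUBLIC_SUFFIXES = {"edu", "com", "org", "net", "com.ft"}


def parse_set_cookie(header: str, setting_host: str) -> dict:
    """Parse: name=value [; expires=date] [; path=path] [; domain=domain] [; secure].
    A cookie without a domain attribute belongs to the host that set it."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value.strip('"'), "path": "/",
              "domain": setting_host, "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key in ("expires", "path", "domain"):
            cookie[key] = val.strip().strip('"')
    return cookie


def domain_allowed(cookie_domain: str) -> bool:
    """Reject bare TLDs and other public suffixes such as .edu or .com.ft."""
    d = cookie_domain.lower().lstrip(".")
    return "." in d and d not in PUBLIC_SUFFIXES


def domain_matches(host: str, cookie_domain: str) -> bool:
    """cse.scu.edu matches scu.edu; scu.edu.example.com does not."""
    host, d = host.lower(), cookie_domain.lower().lstrip(".")
    return host == d or host.endswith("." + d)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Prefix match on whole path segments: /a/b matches /a/b/c, not /a/bc."""
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return rest == "" or cookie_path.endswith("/") or rest.startswith("/")


def should_send(cookie: dict, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    u = urlsplit(url)
    if cookie["secure"] and u.scheme != "https":
        return False
    return (domain_allowed(cookie["domain"])
            and domain_matches(u.hostname or "", cookie["domain"])
            and path_matches(u.path or "/", cookie["path"]))
```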

  19. Cookies
  • Web Bugs
    • Web page can contain URL addressed resources.
    • Web bug:
      • Typically 1 by 1 image.
        • Hence invisible.
      • Ad from Ad server.
    • Browser goes to the URL specified.
      • Sends along cookies belonging to that URL.
      • Referrer field contains the referring URL.

  20. Cookies • Spying Cookies

  21. Cookies
  • Unprotected Cookies
    • Servers need to protect themselves against users altering cookies.
    • Plain text cookies are simple to forge.
      • Change state information such as prices of items in a shopping cart.
      • Gain unauthorized access by changing the user-id.
    • Encryption of cookies needs to be understood and strong.
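An added example, not from the slides, of the integrity protection slide 21 calls for: the server appends an HMAC over the cookie value so that a modified price or user-id fails verification on the way back. Encryption hides the contents, but on its own does not detect modification; a MAC does. SECRET_KEY is a constructed placeholder for a key held only on the server.

```python
import base64
import hashlib
import hmac

# Constructed placeholder: in a real deployment the key lives in server-side
# configuration or a secret store and is never sent to the client.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def _tag(value: str, key: bytes) -> str:
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    # base64url without padding: no '.' can appear, so the last '.' is the separator
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return '<value>.<HMAC-SHA256 tag>' for use in a Set-Cookie header."""
    return f"{value}.{_tag(value, key)}"


def verify_cookie(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag checks out, otherwise None.
    The comparison is constant-time so the check leaks no tag information."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    if hmac.compare_digest(_tag(value, key), tag):
        return value
    return None
```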
