Exploiting the User - PowerPoint PPT Presentation

Presentation Transcript

  1. Exploiting the User: Privacy and Security Concerns with HTTP Cookies. Presentation by: Robert Bobek

  2. Introduction
  • What are HTTP Cookies?
  • We need some understanding of HTTP first!
  • Hypertext Transfer Protocol (HTTP) is the communication protocol used to transfer data on the Internet.
  • HTTP is a request/reply protocol
  • Stateless protocol!
  • Breaks web applications!
  • So, what are HTTP cookies?
  • Cookies have become an attractive solution to this problem
  • Textual piece of information

  3. HTTP Cookies – First Party
  • HTTP cookies are either first party or third party
  • Web applications use first-party cookies for many purposes
  • User session tracking
  • Personalization of profiles
  • Auto-complete fields

  4. Security Concerns
  • Executing basic attacks on first-party cookies
  • Browser history fishing
  • Cookie theft and data extraction
  • Easily accomplished on
  • Public terminals
  • Single-user-account OS configurations

  5. Security Concerns
  • Executing advanced attacks on first-party cookies
  • Cookie theft (packet sniffing)
  • Cookie poisoning
  • Cross-site cooking
  • Used to hijack sessions

  6. HTTP Cookies – Third Party
  • Cookies sent by servers located outside the domain of the web site the user is visiting
  • Companies such as DoubleClick raise privacy concerns!
  • Use third-party cookies
  • Occurs without the user's attention
  [Diagram: Business A, Business B and Business C each load an ad from DoubleClick, which sets its own cookie from every site]
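As an added example that is not part of the slides: a small Python script that tells first-party from third-party cookies in the sense of slides 3 and 6, and checks the Set-Cookie attributes and value integrity that blunt the first-party attacks of slides 4 and 5 (theft by sniffing or by script, poisoning by editing the value). The domains, header values and server secret are constructed, and the two-label domain rule is an assumption standing in for a public-suffix list.

```python
# Added example, not from the slides. Constructed inputs throughout.
# Classifies cookies as first/third party relative to the visited page and
# flags the Set-Cookie weaknesses behind sniffing, script theft and poisoning.
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SERVER_SECRET = b"constructed-server-side-secret"  # assumption: never leaves the server

def registrable_domain(host):
    # Assumption: the last two labels identify the site (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def cookie_party(page_url, response_url):
    """'first' if the server setting the cookie shares the page's site, else 'third'."""
    page = registrable_domain(urlsplit(page_url).hostname)
    setter = registrable_domain(urlsplit(response_url).hostname)
    return "first" if page == setter else "third"

def cookie_findings(set_cookie_value):
    """List weaknesses in one Set-Cookie header value (the text after 'Set-Cookie:')."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:      # also sent over plain HTTP: theft by packet sniffing
            findings.append(f"{name}: missing Secure")
        if not morsel["httponly"]:    # readable by page scripts: theft and data extraction
            findings.append(f"{name}: missing HttpOnly")
        if morsel["domain"].startswith("."):  # shared with every subdomain of the site
            findings.append(f"{name}: Domain={morsel['domain']} widens scope")
    return findings

def sign_value(value):
    """Append an HMAC so a poisoned (client-edited) value is rejected server-side."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify_value(signed):
    """Return the original value if its MAC checks out, else None."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if mac and hmac.compare_digest(mac.encode(), expected.encode()) else None

if __name__ == "__main__":
    print(cookie_party("https://www.business-a.example/", "https://ads.doubleclick.example/"))
    print(cookie_findings("sid=abc123; Domain=.business-a.example"))
```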

  7. CookiesCard
  • "Mobile Cookies Management on a Smart Card", created by Alvin T.S. Chan
  • Motivation:
  • General security and privacy problems
  • Removing machine–cookie dependency
  • Cookies held on smart card technology
  • Secured by PIN authentication

  8. CookiesCard Architecture
  Graphic reference: Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43.

  9. CookiesCard
  • The CookiesCard is an effective solution, but it still suffers from minor drawbacks
  • Smart card reader technology not very popular
  • Proxy must reside with the browser
  • No cookies management interface

  10. CookiesCard 1.1
  • The CookiesCard can be improved using the following suggestions
  • Replace smart card technology with USB flash devices
  • Affordable
  • Popular
  • Ultra-portable
  • Running proxy server from USB flash device
  • Localhost left untouched
  • Control panel interface created as a 3rd module
  • Can be accessed through another listening port

  11. CookiesCard 1.1 Architecture
  Graphic reference: Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43. (modified by Rob Bobek)
  • Cryptainer Mobile provides on-the-fly encryption/decryption technology on mobile devices
  • Does not require installing device drivers on the host machine to decrypt
  • Uses Blowfish encryption algorithm
  • Free download!

  12. Conclusion
  • CookiesCard 1.1 is better, but not perfect!

  13. References
  • David M. Kristol. "HTTP Cookies: Standards, Privacy, and Politics". ACM Transactions on Internet Technology. November 2001/Vol. 1, No. 2. Pages 151-198.
  • Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43.
  • The Cookie Controversy – Cookies and Internet Privacy. http://www.cookiecentral.com/ccstory/cc3.htm
  • Wikipedia on HTTP Cookie. http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookies
  • CookieCentral. http://www.cookiecentral.com
  • Cryptainer Mobile can be downloaded at http://www.cypherix.com/cryptainerle/

  14. Questions?