COEN 350: Network Security

PowerPoint (PPT) presentation.

E-Commerce Issues

Table of Contents
  HTTP Authentication
  Cookies

HTTP Authentication

HTTP

HTTP is basically very simple.
  GET: used to read a website.
  POST: sends data to a website.
Some data has security implications:
  FROM field contains email.
    But not by default, only if the browser is configured that way.
    Used for spiders (crawlers) so that admins can complain about spider behavior.

HTTP Authentication

HTTP

Some data has security implications:
  AUTHORIZATION field: contains authentication data.
  COOKIE field: see below.
  REFERRER (REFERER) field: contains the URL of the page from which the client came.

HTTP Authentication

Authentication:
  URLs allow username / password data.
  HTTP 1.1 has two authentication mechanisms.
  Can use SSL, integrated as HTTPS.

HTTP Authentication

URL Authentication

URL authentication can be abused in phishing expeditions.

HTTP Authentication

Native HTTP provides a challenge / response framework.

HTTP Authentication

HTTP authenticator: a base 64 username / password encoding
  Encoding: the username and the password in base 64 encoding.
  Completely insecure.
    Data is not humanly readable, but it is easy to decode.
    Even easier to replay the authorization.

HTTP Authentication

HTTP authenticator: Digest Authentication

Challenge includes:
  The WWW-Authenticate field reads "Digest".
  The realm field gives the authentication realm.
  The nonce field contains a value to be used as a nonce.
  The opaque field contains a value that the server needs the client to pass back to it unchanged.
  The stale field indicates whether the previous request was denied because the nonce was stale.
  The algorithm field specifies the hash algorithm to be used, typically MD5.
  The qop or quality of protection field can contain the value "auth" for authentication only or the value "auth-int" for both authentication and integrity protection.

HTTP Authentication

HTTP authenticator: Digest Authentication

Response includes challenge values and:
  Client nonce
  Digest
    Calculated by the hash algorithm requested.
    From challenge data, username, password, client nonce.
    (This prevents someone spoofing the server to control all data in the digest.)
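Added worked example, not from the slides: the Digest response computation described above in Python for both qop values, using the sample credentials and challenge from RFC 2617, plus a server-side check that recomputes the digest and refuses a replayed nonce count (the DigestVerifier class and its nonce bookkeeping are my own construction, not part of the RFC). The basic_credentials helper shows the contrast from the earlier slide: the base 64 form decodes directly.

```python
import base64
import hashlib
import hmac


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_credentials(header_value):
    """Base 64 credentials are an encoding, not encryption: they decode straight back."""
    scheme, token = header_value.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(username, password, realm, nonce, method, uri,
                    cnonce, nc="00000001", qop="auth", body=b""):
    """Client side (RFC 2617, algorithm MD5): digest over challenge data,
    username, password and the client nonce."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    if qop == "auth-int":
        # auth-int also binds the entity body for integrity protection
        ha2 = md5_hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (constructed for this example): recompute the digest from the
    stored password and reject a (nonce, nc) pair that was already accepted."""

    def __init__(self, realm, users):
        self.realm, self.users, self.seen = realm, users, set()

    def verify(self, username, nonce, nc, cnonce, method, uri, response,
               qop="auth", body=b""):
        password = self.users.get(username)
        if password is None or (nonce, nc) in self.seen:
            return False  # unknown user, or a replayed nonce count
        expected = digest_response(username, password, self.realm, nonce,
                                   method, uri, cnonce, nc, qop, body)
        if not hmac.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True
```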

Cookies

HTTP is stateless.
  Good for requesting resources.
  Bad if the server needs to update state based on the client's actions.
Fat URLs change server state.
Cookies maintain state at the client site.
E-commerce integrates both.

Cookies

How cookies work:
  Client contacts server.
  Server includes cookie in answer ("slapping a cookie").
  Client stores cookie in cookie jar.
  Client goes to the same website: browser passes unexpired cookies along.

Cookies

Cookies:
  Permanent cookies: valid for more than a single transaction.
  Session cookies: deleted when the browser is closed.

Cookies

Cookies contain a domain field. Example:
  Alice visits www.scu.edu; scu.edu slams her with
    Set-cookie: user="Alice"; domain="scu.edu"
  Alice visits cse.scu.edu.
  Browser includes the cookie in the header of the request because it matches the domain.

Cookies

Domain field
  Specifies to whom cookies will be sent.
  Limited to specific sites. E.g. .com.ft or .edu is not allowed.
Path field
  Limits cookie sending to a given path.
  path = "www.cse.scu.edu/~tschwarz/coen350_04"

Cookies

Cookie Versions
  Netscape Cookies = Version 0 Cookies
  RFC 2965 Cookies = Version 1 Cookies
  RFC 2965: HTTP State Management Mechanism.

Cookies

Version 0 cookies
  Set-Cookie: name=value [; expires=date] [; path=path] [; domain=domain] [; secure]
  Secure: only include this cookie with HTTPS (i.e. with SSL) requests.

Cookies

Web Bugs
  Web page can contain URL-addressed resources.
  Web bug: typically a 1 by 1 image, hence invisible.
  Ad from ad server.
  Browser goes to the URL specified.
    Sends along cookies belonging to that URL.
    Referrer field contains the referring URL.

Cookies

Spying Cookies

Cookies

Unprotected Cookies
  Servers need to protect themselves against users altering cookies.
  Plain text cookies are simple to forge.
    Change state information such as prices of items in a shopping cart.
    Gain unauthorized access by changing the user-id.
  Encryption of cookies needs to be understood and strong.