COEN 350: Network Security E-Commerce Issues


Page 1: COEN 350: Network Security

COEN 350: Network Security

E-Commerce Issues

Page 2: COEN 350: Network Security

E-Commerce Issues

Table of Contents

HTTP Authentication

Cookies

Page 3: COEN 350: Network Security

HTTP Authentication: HTTP

HTTP is basically very simple. GET: used to read a resource from a website. POST: sends data to a website.

Some header data has security implications. The FROM field contains the user's email address.

But not by default, only if the browser is configured that way.

It is used for spiders (crawlers) so that admins can complain about spider behavior.

Page 4: COEN 350: Network Security

HTTP Authentication

HTTP: some header data has security implications.

AUTHORIZATION field: contains authentication data.

COOKIE field: see below.

REFERRER (REFERER) field: contains the URL of the page from which the client came.

Page 5: COEN 350: Network Security

HTTP Authentication

Authentication: URLs allow username / password data to be embedded. HTTP 1.1 has two authentication mechanisms. Either can use SSL, integrated as HTTPS.

Page 6: COEN 350: Network Security

HTTP Authentication

URL Authentication

Page 7: COEN 350: Network Security

HTTP Authentication

URL authentication can be abused in phishing expeditions.

Page 8: COEN 350: Network Security

HTTP Authentication: native HTTP provides a challenge / response framework.

Page 9: COEN 350: Network Security

HTTP Authentication

HTTP authenticator: Basic authentication. A base 64 username / password encoding: the username and the password are sent in base 64 encoding. Completely insecure.

The data is not humanly readable, but it is easy to decode. It is even easier to replay the authorization, since the same header value is sent with every request.
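As an added illustration (not part of the lecture slides), the following Python builds and decodes a Basic authorization header. The username and password used are constructed sample values; the point is that base 64 is an encoding, not encryption, so anyone who sees the header (a proxy, or a sniffer on plain HTTP) recovers the credentials in one call, and the unchanging header value can be replayed as-is.

```python
import base64


def basic_authorization_header(username: str, password: str) -> str:
    """Build the header a browser sends for Basic authentication.

    RFC 2617 Basic: the credentials are "user:pass", base 64 encoded, and
    nothing else. No nonce, no timestamp, so the value is identical on
    every request and can be replayed verbatim.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_basic_header(header_line: str) -> tuple:
    """Recover (username, password) from a captured Basic header line.

    This is the "easy to decode" step from the slide: no key is involved.
    """
    _, _, credentials = header_line.partition(":")
    scheme, _, token = credentials.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


def credentials_exposed(url: str) -> bool:
    """True when the header would travel unprotected (no SSL/HTTPS).

    Basic authentication is only tolerable inside an HTTPS connection.
    """
    return not url.lower().startswith("https://")


if __name__ == "__main__":
    # Constructed sample credentials.
    line = basic_authorization_header("Alice", "s3cret")
    print(line)
    print(decode_basic_header(line))
    print("exposed over http://:", credentials_exposed("http://www.scu.edu/grades"))
```

Every function returns its result, so a test harness (or a reader experimenting) can check the round trip rather than only reading printed output.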

Page 10: COEN 350: Network Security

HTTP Authentication: HTTP authenticator: Digest Authentication. The challenge includes:

The WWW-Authenticate field reads "Digest".

The realm field gives the authentication realm.

The nonce field contains a value to be used as a nonce.

The opaque field contains a value that the server needs the client to pass back to it unchanged.

The stale field indicates whether the previous request was denied because the nonce was stale.

The algorithm field specifies the hash algorithm to be used, typically MD5.

The qop (quality of protection) field can contain the value "auth" for authentication only or the value "auth-int" for both authentication and integrity protection.

Page 11: COEN 350: Network Security

HTTP Authentication: HTTP authenticator: Digest Authentication. The response includes the challenge values and:

A client nonce.

The digest, calculated with the hash algorithm requested, from the challenge data, username, password and client nonce. (The client nonce prevents someone spoofing the server from controlling all data in the digest.)
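The two slides above describe the Digest exchange in words; the following Python, added here and not taken from the lecture, carries it through for qop="auth" with MD5 as RFC 2617 specifies. The class and function names (DigestServer, client_authorization), the realm and the user credentials are constructed for the example. The server side shows the checks the challenge fields exist for: the nonce must be one the server issued, the nonce count must increase (otherwise the response is a replay), and opaque must come back unchanged.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    """MD5 of a string, hex-encoded, as RFC 2617 Digest prescribes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_authorization(challenge: dict, username: str, password: str,
                         method: str, uri: str, nc: str, cnonce: str) -> dict:
    """Fields a client puts in its Authorization: Digest header.

    challenge: the fields from the server's WWW-Authenticate header.
    The client nonce (cnonce) enters the hash too, so a party spoofing the
    server does not control every input to the digest.
    """
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
        "response": response, "opaque": challenge.get("opaque", ""),
    }


class DigestServer:
    """Toy server side (constructed for this example): issues and checks challenges."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # The server only needs HA1 per user, never the plaintext password.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.opaque = secrets.token_hex(8)
        self.nonces = {}  # nonce -> highest nonce count accepted so far

    def challenge(self) -> dict:
        """Produce the WWW-Authenticate fields for a 401 answer."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "opaque": self.opaque,
                "qop": "auth", "algorithm": "MD5", "stale": "false"}

    def verify(self, method: str, auth: dict) -> bool:
        """Recompute the digest from stored HA1 and reject stale or replayed responses."""
        nonce = auth.get("nonce")
        if nonce not in self.nonces:
            return False  # unknown or stale nonce
        if auth.get("opaque") != self.opaque:
            return False  # opaque must be passed back unchanged
        try:
            nc = int(auth.get("nc", ""), 16)
        except ValueError:
            return False
        if nc <= self.nonces[nonce]:
            return False  # nonce count did not increase: a replay
        ha1 = self.ha1.get(auth.get("username"))
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{auth.get('uri', '')}")
        expected = md5_hex(
            f"{ha1}:{nonce}:{auth.get('nc', '')}:{auth.get('cnonce', '')}:{auth.get('qop', '')}:{ha2}")
        if not secrets.compare_digest(expected, auth.get("response", "")):
            return False
        self.nonces[nonce] = nc
        return True


if __name__ == "__main__":
    server = DigestServer("scu.edu", {"alice": "s3cret"})  # constructed credentials
    chal = server.challenge()
    auth = client_authorization(chal, "alice", "s3cret", "GET", "/grades", "00000001", "a1b2c3")
    print("first response accepted:", server.verify("GET", auth))
    print("same response replayed:", server.verify("GET", auth))
```

Because the method and URI are hashed into HA2, a captured response is also useless for a different request, which is the property Basic authentication lacks.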

Page 12: COEN 350: Network Security

Cookies

HTTP is stateless. Good for requesting resources. Bad if the server needs to update state based on the client's actions. Fat URLs change server state. Cookies maintain state at the client site. E-commerce integrates both.

Page 13: COEN 350: Network Security

Cookies

How cookies work: the client contacts the server. The server includes a cookie in its answer ("slapping a cookie"). The client stores the cookie in its cookie jar. When the client goes to the same website again, the browser passes the unexpired cookies along.

Page 14: COEN 350: Network Security

Cookies

Cookies: permanent cookies are valid for more than a single transaction. Session cookies are deleted when the browser is closed.

Page 15: COEN 350: Network Security

Cookies

Cookies contain a domain field. Example:

Alice visits www.scu.edu. scu.edu slams her with

Set-cookie: user="Alice"; domain="scu.edu"

Alice visits cse.scu.edu. The browser includes the cookie in the header of the request because it matches the domain.

Page 16: COEN 350: Network Security

Cookies

Domain field: specifies to whom cookies will be sent. Limited to specific sites; e.g. .com.ft or .edu is not allowed.

Path field: limits cookie sending to a given path, e.g.

path = "www.cse.scu.edu/~tschwarz/coen350_04"

Page 17: COEN 350: Network Security

Cookies

Cookie versions: Netscape cookies = Version 0 cookies; RFC 2965 cookies = Version 1 cookies.

RFC 2965: HTTP State Management Mechanism.

Page 18: COEN 350: Network Security

Cookies

Version 0 cookies: Set-Cookie: name=value [; expires=date] [; path=path] [; domain=domain] [; secure]

Secure: only include this cookie with HTTPS (i.e. with SSL) requests.

Page 19: COEN 350: Network Security

Cookies: Web Bugs

A web page can contain URL-addressed resources.

Web bug: typically a 1 by 1 image, hence invisible. An ad from an ad server. The browser goes to the URL specified, sends along the cookies belonging to that URL, and the Referrer field contains the referring URL.
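The cookie slides above (domain and path fields, the Version 0 Set-Cookie syntax with expires and secure, and the web-bug slide) all describe what a browser's cookie jar does. The following Python, added as an example and not part of the lecture, implements a toy Version 0 jar: it parses Set-Cookie headers, refuses domains that are too broad, and selects the cookies to send for a URL by domain, path, secure flag and expiry. The PUBLIC_SUFFIXES set is a constructed stand-in for the public-suffix rules a real browser applies (the slide's ".edu" and ".com.ft" cases); the URLs and cookie values are constructed, and request_headers shows the web-bug case where a page embeds a third-party image and the browser sends that third party its own cookies plus the referring URL.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for a public-suffix list: a cookie may not claim one of
# these as its domain. Real browsers consult the full Public Suffix List.
PUBLIC_SUFFIXES = {"edu", "com", "net", "org", "com.ft"}


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: Optional[datetime]  # None = session cookie, gone when browser closes
    secure: bool


def domain_matches(host: str, domain: str) -> bool:
    """Netscape-style match: the host equals the domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header_value: str, request_url: str) -> Cookie:
    """Parse a Version 0 Set-Cookie header received in the answer to request_url."""
    url = urlsplit(request_url)
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    # Defaults: the responding host, and the directory part of the request path.
    domain = url.hostname.lower()
    path = url.path.rsplit("/", 1)[0] or "/"
    expires, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "expires":
            expires = datetime.strptime(val, "%a, %d-%b-%Y %H:%M:%S GMT")
        elif key == "domain":
            domain = val.lower().lstrip(".")
        elif key == "path":
            path = val
        elif key == "secure":
            secure = True
    if domain in PUBLIC_SUFFIXES or "." not in domain:
        raise ValueError(f"cookie domain {domain!r} is too broad")
    if not domain_matches(url.hostname, domain):
        raise ValueError(f"{url.hostname} may not set a cookie for {domain}")
    return Cookie(name.strip(), value.strip().strip('"'), domain, path, expires, secure)


def cookies_for_request(jar: list, url: str, now: datetime) -> dict:
    """Select the unexpired cookies whose domain, path and secure flag fit the URL."""
    u = urlsplit(url)
    path = u.path or "/"
    sent = {}
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue  # expired
        if c.secure and u.scheme != "https":
            continue  # secure cookies travel only over SSL
        if not domain_matches(u.hostname, c.domain):
            continue
        if not path.startswith(c.path):
            continue
        sent[c.name] = c.value
    return sent


def request_headers(jar: list, url: str, referer: str, now: datetime) -> dict:
    """Headers sent when a page at `referer` embeds a resource at `url` (the web-bug
    case): the resource host's own cookies plus the referring page's URL."""
    headers = {"Referer": referer}
    cookies = cookies_for_request(jar, url, now)
    if cookies:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return headers


if __name__ == "__main__":
    now = datetime(2024, 1, 1)  # constructed "current time"
    jar = [parse_set_cookie('user="Alice"; domain="scu.edu"', "http://www.scu.edu/")]
    print(cookies_for_request(jar, "http://cse.scu.edu/page", now))   # sent: same domain
    print(cookies_for_request(jar, "http://www.ucla.edu/", now))      # not sent
    jar.append(parse_set_cookie("track=42", "http://ads.tracker.invalid/bug.gif"))
    print(request_headers(jar, "http://ads.tracker.invalid/bug.gif", "http://www.scu.edu/page", now))
```

The path attribute in the jar is a URL path such as "/~tschwarz/coen350_04"; the slide writes it with the host prefixed, but only the path part is compared against the request.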

Page 20: COEN 350: Network Security

Cookies

Spying Cookies

Page 21: COEN 350: Network Security

Cookies: Unprotected Cookies

Servers need to protect themselves against users altering cookies.

Plain text cookies are simple to forge: change state information such as the prices of items in a shopping cart, or gain unauthorized access by changing the user-id.

Encryption of cookies needs to be understood and strong.
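As an added example of the server-side protection this slide calls for (not code from the lecture), the following Python attaches an HMAC-SHA256 tag to the serialized cart state before it is handed out as a cookie value, and refuses any cookie whose tag does not match. The key and the cart contents are constructed; the function names sign_cookie and verify_cookie are the example's own. A user who edits the price or the user-id in the payload cannot produce a matching tag without the server's key, so the forgery the slide describes is detected rather than acted on.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64(data: bytes) -> str:
    """URL-safe base 64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(key: bytes, state: dict) -> str:
    """Serialize the state and append an HMAC tag: readable by the user, not forgeable."""
    payload = _b64(json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(key: bytes, cookie: str) -> Optional[dict]:
    """Return the state if the tag checks out, otherwise None (forged or damaged).

    The comparison is constant-time so an attacker cannot learn the tag byte by byte.
    """
    try:
        payload, tag = cookie.rsplit(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    key = b"constructed-server-secret"  # in practice: a random key kept only on the server
    cart = {"user": "alice", "cart": ["textbook"], "price": 49.95}
    cookie = sign_cookie(key, cart)
    print(cookie)
    print("verified:", verify_cookie(key, cookie))
    # The same payload with the tag of a different cookie is rejected.
    other = sign_cookie(key, {"user": "alice", "cart": [], "price": 0})
    print("mixed tag:", verify_cookie(key, cookie.rsplit(".", 1)[0] + "." + other.rsplit(".", 1)[1]))
```

A MAC gives integrity, not secrecy: the user can still read the state, which is why the slide's point about strong encryption applies whenever the cookie carries anything confidential. Keeping the authoritative price on the server and storing only a cart identifier in the cookie removes the incentive to tamper altogether.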