COMP2121COMP2121Internet TechnologyInternet Technology

Richard HensonRichard Henson

April 2011April 2011

Week 11: Online Shopping Week 11: Online Shopping WebsitesWebsites

ObjectivesObjectives– Explain the processes that need to be present in Explain the processes that need to be present in

any online trading websiteany online trading website– Explain how information can be sent securely Explain how information can be sent securely

through the Internetthrough the Internet– Apply principles of online shopping processes to Apply principles of online shopping processes to

the creation of a real-world shopping websitethe creation of a real-world shopping website

Components of Components of a a Business Transaction Business Transaction

In a nutshell:In a nutshell:– 1.1. Buyer selects goods or serviceBuyer selects goods or service– 2.2. Buyer and seller agree a priceBuyer and seller agree a price– 3.3. Buyer makes paymentBuyer makes payment

Web Pages to simulate the Web Pages to simulate the Business transactionBusiness transaction

1. 1. Buyer selects goods or serviceBuyer selects goods or service– a. “Front end” web pages provide a. “Front end” web pages provide

information about products/service(s) for information about products/service(s) for salesale

– b. Customer clicks to select b. Customer clicks to select products/service(s) they want to buyproducts/service(s) they want to buy

Web Pages to simulate the Web Pages to simulate the Business transactionBusiness transaction

2. 2. Buyer and seller agree a priceBuyer and seller agree a price – a. system presents order to customer, a. system presents order to customer,

including prices and extras (e.g.. VAT)including prices and extras (e.g.. VAT)– b. customer either:b. customer either:

» agrees with order (“buy now”)agrees with order (“buy now”)» goes back to shopping pages and changes goes back to shopping pages and changes

selection then agrees with orderselection then agrees with order» rejects offer outright and closes the transactionrejects offer outright and closes the transaction

Web Pages to simulate the Web Pages to simulate the Business transactionBusiness transaction

3. Buyer makes payment3. Buyer makes payment– a. buyer provides details (or selects a. buyer provides details (or selects

existing ID if they have purchased from existing ID if they have purchased from here before)here before)

– b. system presents on-screen invoice b. system presents on-screen invoice (customer info, product info, order no)(customer info, product info, order no)

– c. buyer accepts/rejects invoicec. buyer accepts/rejects invoice– d. buyer taken to payment system to make d. buyer taken to payment system to make

their online paymenttheir online payment

After-Sales ServiceAfter-Sales Service

Essential if the vendor wants the Essential if the vendor wants the customer to come back for more…customer to come back for more…

– face-face?face-face?

– on line?on line?

Security of Customer Data Security of Customer Data

Two types of data to be secured:Two types of data to be secured:– financial data (let off that one… but in financial data (let off that one… but in

practice a secure connection does need to practice a secure connection does need to exist)exist)

– personal data (no let out there – the personal data (no let out there – the customer will expect the on-line vendor to customer will expect the on-line vendor to adhere to the law…)adhere to the law…)

What is the Law?What is the Law?

Called the Called the Data Protection ActData Protection Act– EU directive in 1981EU directive in 1981– UK law:UK law:

» created in 1984created in 1984» revised in 1998revised in 1998» tightened in 2008…tightened in 2008…» heavy financial penalties imposed in 2010!!!heavy financial penalties imposed in 2010!!!

Secure http (http-s)Secure http (http-s)

IETF set up WTS (Web Transaction Security) IETF set up WTS (Web Transaction Security) in 1995 to:in 1995 to:– look at proposals for a secure version of httplook at proposals for a secure version of http– ensure secure embedding of any emerging ensure secure embedding of any emerging

protocol with HTMLprotocol with HTML

Proposals agreed in 1999Proposals agreed in 1999– defined as:defined as:

» RFC #2659 – secure HTML documentsRFC #2659 – secure HTML documents» RFC #2660 – the secure protocol itselfRFC #2660 – the secure protocol itself

SSL SSL ((Secure Sockets LayerSecure Sockets Layer))

Developed by Netscape in 1995Developed by Netscape in 1995– purpose: to allow browsers to participate in purpose: to allow browsers to participate in

secure Internet transactionssecure Internet transactions– soon became most commonly used soon became most commonly used

protocol for e-commerce transactionsprotocol for e-commerce transactions– still not been defeated by hackers (so still not been defeated by hackers (so

far…)far…)

Feature of SSLFeature of SSL

Excellent upper layer security:Excellent upper layer security:– RSA (well established standard) public key RSA (well established standard) public key

en/decryption of http packets en/decryption of http packets at the at the session layer (OSI 5)session layer (OSI 5)

– Application data then already secure for Application data then already secure for sending/receiving sending/receiving between Internet hostsbetween Internet hosts

– PKI-compatibility means that digital PKI-compatibility means that digital certificates are supported as wellcertificates are supported as well

Extending SSLExtending SSL From level 5, down to level 4…From level 5, down to level 4…

– called TLS (Transport Layer Secure)called TLS (Transport Layer Secure)

SSL standard submitted by Netscape to SSL standard submitted by Netscape to IETF (internet Engineering Task Force) for IETF (internet Engineering Task Force) for further developmentfurther development– working party set up in 1996working party set up in 1996– worked with Netscape to standardise SSL v3.0worked with Netscape to standardise SSL v3.0

» RFC draft same yearRFC draft same year

– agreed standard RFC #2246agreed standard RFC #2246

Secure HTTP, SSL and TLSSecure HTTP, SSL and TLS Together, HTTPS/SSL/TLS can provide Together, HTTPS/SSL/TLS can provide

a secure interface between TCP (level a secure interface between TCP (level 4) and HTML (level 7)4) and HTML (level 7)– very secure conduit for message transfer very secure conduit for message transfer

across the Internet…across the Internet…

Secure http in PracticeSecure http in Practice Enhancement of http:Enhancement of http:

– works with SSL/TLS and the PKIworks with SSL/TLS and the PKI– ensures security of HTML data sent through the ensures security of HTML data sent through the

InternetInternet Normally… when a browser requests a web Normally… when a browser requests a web

page…page…– normally, just downloadednormally, just downloaded

HOWEVER, if the page is held on a HTTP-S HOWEVER, if the page is held on a HTTP-S serverserver– it can only be downloaded using the https it can only be downloaded using the https

protocol!!!protocol!!!

Secure Server CertificatesSecure Server Certificates

Also, the https protocol will not allow Also, the https protocol will not allow downloading until the web server has downloading until the web server has been approved…been approved…

» And this will only happen if the web server has And this will only happen if the web server has been authenticated and certificated by a valid been authenticated and certificated by a valid server certificate server certificate

Certification & Authentication handled Certification & Authentication handled by a PKI-affiliated body (e.g. Verisign)by a PKI-affiliated body (e.g. Verisign)– therefore considered to be very securetherefore considered to be very secure

Implementation of Implementation of Secure HTTPSecure HTTP

Like http, a client-server protocolLike http, a client-server protocol– Server end:Server end:

» PKI-compliant Web Server configured to provide PKI-compliant Web Server configured to provide https accesshttps access

» valid server certificate to authenticate server to valid server certificate to authenticate server to clientclient

– Client endClient end» browser needs to be able to identify & browser needs to be able to identify &

authenticate secure http traffic:authenticate secure http traffic: URL header https://URL header https:// ““lock” sign at bottom of screenlock” sign at bottom of screen

The Server CertificateThe Server Certificate Encryption and identity checking both require Encryption and identity checking both require

the owner of the server to obtain and install the owner of the server to obtain and install one of these…one of these…– more expensive than a personal certificatemore expensive than a personal certificate– Verisign a suitable source…Verisign a suitable source…

The SSL Certificate has to be:The SSL Certificate has to be:– downloaded from source websitedownloaded from source website– installed onto the relevant web serverinstalled onto the relevant web server– authenticated by a named individual authenticated by a named individual

(administrator?) at the server end(administrator?) at the server end

Installing a Server Certificate Installing a Server Certificate into IISinto IIS

A “wizard” drives the whole processA “wizard” drives the whole process– need administrator access to IIS in “webserver” need administrator access to IIS in “webserver”

modemode– access the “directory security” tabaccess the “directory security” tab– click on “server certificate”…click on “server certificate”…

» and the process beginsand the process begins

Once the certificate is installed, Once the certificate is installed, developments of a secure website can begin developments of a secure website can begin in specific foldersin specific folders

The Client-end and httpsThe Client-end and https IF the web server is properly configured for IF the web server is properly configured for

https…https…– (Optionally) username/password protected(Optionally) username/password protected– Viewable Server Certificate installed…Viewable Server Certificate installed…

THEN, via username/password authenticationTHEN, via username/password authentication– the client browser will allow https access via the the client browser will allow https access via the

webweb– clickable “lock” symbol appears below the web clickable “lock” symbol appears below the web

page displaypage display Otherwise, a “not authorised” message will be Otherwise, a “not authorised” message will be

displayeddisplayed

Self-signed and SSL CertificatesSelf-signed and SSL Certificates

Commercial SSL certificates will usually be Commercial SSL certificates will usually be recognised silently by browsers, with no pop-recognised silently by browsers, with no pop-up or alertup or alert

““Self-signed” certificatesSelf-signed” certificates will almost always will almost always produce a “pop up” on the browser produce a “pop up” on the browser – shows that identity has been asserted… shows that identity has been asserted… but not but not

proved…proved… by the server owner by the server owner– If the user can trust the owner, they are likely to be If the user can trust the owner, they are likely to be

offered the option to recognise this certificate like offered the option to recognise this certificate like a commercial certificate in future (effectively a commercial certificate in future (effectively silencing the alert)silencing the alert)

Organisation Signed Organisation Signed Server CertificatesServer Certificates

Also likely to result in an alert that Also likely to result in an alert that names the organisationnames the organisation– organisation has an existing relationship organisation has an existing relationship

with most of the users of the site (e.g. they with most of the users of the site (e.g. they may be employees)may be employees)

– can instruct them to configure their can instruct them to configure their browsers to silently recognise certificates browsers to silently recognise certificates signed by their own organisationsigned by their own organisation

Personal Data and httpsPersonal Data and https

Without https… (or other means of Without https… (or other means of protection)protection)– personal data is fair game for anyone on personal data is fair game for anyone on

the Internet that knows the seller’s IP the Internet that knows the seller’s IP address!!!address!!!

– customers really should be aware of this…customers really should be aware of this…

Thanks for listening…