COMP2121 Internet Technology
Richard Henson
April 2011
Week 11: Online Shopping Websites

Objectives
  – Explain the processes that need to be present in any online trading website
  – Explain how information can be sent securely through the Internet
  – Apply principles of online shopping processes to the creation of a real-world shopping website

Components of a Business Transaction
In a nutshell:
  – 1. Buyer selects goods or service
  – 2. Buyer and seller agree a price
  – 3. Buyer makes payment

Web Pages to simulate the Business transaction
1. Buyer selects goods or service
  – a. “Front end” web pages provide information about products/service(s) for sale
  – b. Customer clicks to select products/service(s) they want to buy

Web Pages to simulate the Business transaction
2. Buyer and seller agree a price
  – a. system presents order to customer, including prices and extras (e.g. VAT)
  – b. customer either:
      » agrees with order (“buy now”)
      » goes back to shopping pages and changes selection, then agrees with order
      » rejects offer outright and closes the transaction

Web Pages to simulate the Business transaction
3. Buyer makes payment
  – a. buyer provides details (or selects existing ID if they have purchased from here before)
  – b. system presents on-screen invoice (customer info, product info, order no)
  – c. buyer accepts/rejects invoice
  – d. buyer taken to payment system to make their online payment

After-Sales Service
Essential if the vendor wants the customer to come back for more…
  – face-to-face?
  – online?

Security of Customer Data
Two types of data to be secured:
  – financial data (let off that one… but in practice a secure connection does need to exist)
  – personal data (no let out there – the customer will expect the on-line vendor to adhere to the law…)

What is the Law?
Called the Data Protection Act
  – EU directive in 1981
  – UK law:
      » created in 1984
      » revised in 1998
      » tightened in 2008…
      » heavy financial penalties imposed in 2010!!!

Secure http (http-s)
IETF set up WTS (Web Transaction Security) in 1995 to:
  – look at proposals for a secure version of http
  – ensure secure embedding of any emerging protocol with HTML
Proposals agreed in 1999
  – defined as:
      » RFC #2659 – secure HTML documents
      » RFC #2660 – the secure protocol itself

SSL (Secure Sockets Layer)
Developed by Netscape in 1995
  – purpose: to allow browsers to participate in secure Internet transactions
  – soon became most commonly used protocol for e-commerce transactions
  – still not been defeated by hackers (so far…)

Feature of SSL
Excellent upper layer security:
  – RSA (well established standard) public key en/decryption of http packets at the session layer (OSI 5)
  – Application data then already secure for sending/receiving between Internet hosts
  – PKI-compatibility means that digital certificates are supported as well

Extending SSL
From level 5, down to level 4…
  – called TLS (Transport Layer Secure)
SSL standard submitted by Netscape to IETF (Internet Engineering Task Force) for further development
  – working party set up in 1996
  – worked with Netscape to standardise SSL v3.0
      » RFC draft same year
  – agreed standard RFC #2246

Secure HTTP, SSL and TLS
Together, HTTPS/SSL/TLS can provide a secure interface between TCP (level 4) and HTML (level 7)
  – very secure conduit for message transfer across the Internet…

Secure http in Practice
Enhancement of http:
  – works with SSL/TLS and the PKI
  – ensures security of HTML data sent through the Internet
Normally… when a browser requests a web page…
  – normally, just downloaded
HOWEVER, if the page is held on a HTTP-S server
  – it can only be downloaded using the https protocol!!!

Secure Server Certificates
Also, the https protocol will not allow downloading until the web server has been approved…
      » And this will only happen if the web server has been authenticated and certificated by a valid server certificate
Certification & Authentication handled by a PKI-affiliated body (e.g. Verisign)
  – therefore considered to be very secure

Implementation of Secure HTTP
Like http, a client-server protocol
  – Server end:
      » PKI-compliant Web Server configured to provide https access
      » valid server certificate to authenticate server to client
  – Client end:
      » browser needs to be able to identify & authenticate secure http traffic:
          • URL header https://
          • “lock” sign at bottom of screen

The Server Certificate
Encryption and identity checking both require the owner of the server to obtain and install one of these…
  – more expensive than a personal certificate
  – Verisign a suitable source…
The SSL Certificate has to be:
  – downloaded from source website
  – installed onto the relevant web server
  – authenticated by a named individual (administrator?) at the server end

Installing a Server Certificate into IIS
A “wizard” drives the whole process
  – need administrator access to IIS in “webserver” mode
  – access the “directory security” tab
  – click on “server certificate”…
      » and the process begins
Once the certificate is installed, development of a secure website can begin in specific folders

The Client-end and https
IF the web server is properly configured for https…
  – (Optionally) username/password protected
  – Viewable Server Certificate installed…
THEN, via username/password authentication
  – the client browser will allow https access via the web
  – clickable “lock” symbol appears below the web page display
Otherwise, a “not authorised” message will be displayed

Self-signed and SSL Certificates
Commercial SSL certificates will usually be recognised silently by browsers, with no pop-up or alert
“Self-signed” certificates will almost always produce a “pop up” on the browser
  – shows that identity has been asserted… but not proved… by the server owner
  – If the user can trust the owner, they are likely to be offered the option to recognise this certificate like a commercial certificate in future (effectively silencing the alert)

Organisation Signed Server Certificates
Also likely to result in an alert that names the organisation
  – organisation has an existing relationship with most of the users of the site (e.g. they may be employees)
  – can instruct them to configure their browsers to silently recognise certificates signed by their own organisation

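The trust decisions on the self-signed and organisation-signed slides can be reproduced with the `openssl` command-line tool. This is an added example, not part of the original slides; it assumes `openssl` is installed, and the names shop.example.test, intranet.example.test and "Example Org CA" are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: every certificate and name below is generated locally.

# make_certs DIR: create a self-signed server cert and an organisation-signed one.
make_certs() {
  d=$1
  # 1. Self-signed: the server owner vouches for its own identity.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=shop.example.test" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
  # 2. Organisation CA: a root that only this organisation's users will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Org/CN=Example Org CA" \
    -keyout "$d/orgca.key" -out "$d/orgca.pem" 2>/dev/null || return 1
  # 3. Server key and signing request, then the organisation CA signs it.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=intranet.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/srv.csr" -days 1 \
    -CA "$d/orgca.pem" -CAkey "$d/orgca.key" -CAcreateserial \
    -out "$d/srv.pem" 2>/dev/null
}

# trusted CERT [EXTRA_ROOT]: succeed if CERT chains to the system's default
# roots or, when given, to EXTRA_ROOT (the certificate the user chose to trust).
trusted() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

report() {  # print the outcome of one trust decision
  label=$1; shift
  if trusted "$@"; then echo "$label: accepted silently"
  else echo "$label: alert shown (issuer not trusted)"; fi
}

demo_dir=$(mktemp -d)
if make_certs "$demo_dir"; then
  report "self-signed, default roots" "$demo_dir/self.pem"
  report "self-signed, after user accepts it" "$demo_dir/self.pem" "$demo_dir/self.pem"
  report "org-signed, default roots" "$demo_dir/srv.pem"
  report "org-signed, org CA installed" "$demo_dir/srv.pem" "$demo_dir/orgca.pem"
fi
rm -rf "$demo_dir"
```

In both failing cases the signature itself is valid; what is missing is a trusted issuer, which is why the alert disappears once the certificate or the organisation's CA is added to the trust store.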
Personal Data and https
Without https… (or other means of protection)
  – personal data is fair game for anyone on the Internet that knows the seller’s IP address!!!
  – customers really should be aware of this…

Thanks for listening…