Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP2121 Internet Technology Richard Henson April 2011.

Published byCory Griffin Modified over 8 years ago

Similar presentations

Presentation on theme: "COMP2121 Internet Technology Richard Henson April 2011."— Presentation transcript:

1 COMP2121 Internet Technology Richard Henson April 2011

2 Week 11: Online Shopping Websites n Objectives –Explain the processes that need to be present in any online trading website –Explain how information can be sent securely through the Internet –Apply principles of online shopping processes to the creation of a real-world shopping website

3 Components of a Business Transaction n In a nutshell: –1.Buyer selects goods or service –2.Buyer and seller agree a price –3.Buyer makes payment

4 Web Pages to simulate the Business transaction n 1. Buyer selects goods or service –a. “Front end” web pages provide information about products/service(s) for sale –b. Customer clicks to select products/service(s) they want to buy

5 Web Pages to simulate the Business transaction n 2. Buyer and seller agree a price –a. system presents order to customer, including prices and extras (e.g.. VAT) –b. customer either: »agrees with order (“buy now”) »goes back to shopping pages and changes selection then agrees with order »rejects offer outright and closes the transaction

6 Web Pages to simulate the Business transaction n 3. Buyer makes payment –a. buyer provides details (or selects existing ID if they have purchased from here before) –b. system presents on-screen invoice (customer info, product info, order no) –c. buyer accepts/rejects invoice –d. buyer taken to payment system to make their online payment

7 After-Sales Service n Essential if the vendor wants the customer to come back for more… –face-face? –on line?

8 Security of Customer Data n Two types of data to be secured: –financial data (let off that one… but in practice a secure connection does need to exist) –personal data (no let out there – the customer will expect the on-line vendor to adhere to the law…)

9 What is the Law? n Called the Data Protection Act –EU directive in 1981 –UK law: »created in 1984 »revised in 1998 »tightened in 2008… »heavy financial penalties imposed in 2010!!!

10 Secure http (http-s) n IETF set up WTS (Web Transaction Security) in 1995 to: –look at proposals for a secure version of http –ensure secure embedding of any emerging protocol with HTML n Proposals agreed in 1999 –defined as: »RFC #2659 – secure HTML documents »RFC #2660 – the secure protocol itself

11 SSL (Secure Sockets Layer) n Developed by Netscape in 1995 –purpose: to allow browsers to participate in secure Internet transactions –soon became most commonly used protocol for e-commerce transactions –still not been defeated by hackers (so far…)

12 Feature of SSL n Excellent upper layer security: –RSA (well established standard) public key en/decryption of http packets at the session layer (OSI 5) –Application data then already secure for sending/receiving between Internet hosts –PKI-compatibility means that digital certificates are supported as well

13 Extending SSL n From level 5, down to level 4… –called TLS (Transport Layer Secure) n SSL standard submitted by Netscape to IETF (internet Engineering Task Force) for further development –working party set up in 1996 –worked with Netscape to standardise SSL v3.0 »RFC draft same year –agreed standard RFC #2246

14 Secure HTTP, SSL and TLS n Together, HTTPS/SSL/TLS can provide a secure interface between TCP (level 4) and HTML (level 7) –very secure conduit for message transfer across the Internet…

15 Secure http in Practice n Enhancement of http: –works with SSL/TLS and the PKI –ensures security of HTML data sent through the Internet n Normally… when a browser requests a web page… –normally, just downloaded n HOWEVER, if the page is held on a HTTP-S server –it can only be downloaded using the https protocol!!!

16 Secure Server Certificates n Also, the https protocol will not allow downloading until the web server has been approved… »And this will only happen if the web server has been authenticated and certificated by a valid server certificate n Certification & Authentication handled by a PKI-affiliated body (e.g. Verisign) –therefore considered to be very secure

17 Implementation of Secure HTTP n Like http, a client-server protocol –Server end: »PKI-compliant Web Server configured to provide https access »valid server certificate to authenticate server to client –Client end »browser needs to be able to identify & authenticate secure http traffic: n URL header https:// n “lock” sign at bottom of screen

18 The Server Certificate n Encryption and identity checking both require the owner of the server to obtain and install one of these… –more expensive than a personal certificate –Verisign a suitable source… n The SSL Certificate has to be: –downloaded from source website –installed onto the relevant web server –authenticated by a named individual (administrator?) at the server end

19 Installing a Server Certificate into IIS n A “wizard” drives the whole process –need administrator access to IIS in “webserver” mode –access the “directory security” tab –click on “server certificate”… »and the process begins n Once the certificate is installed, developments of a secure website can begin in specific folders

20 The Client-end and https n IF the web server is properly configured for https… –(Optionally) username/password protected –Viewable Server Certificate installed… n THEN, via username/password authentication –the client browser will allow https access via the web –clickable “lock” symbol appears below the web page display n Otherwise, a “not authorised” message will be displayed

21 Self-signed and SSL Certificates n Commercial SSL certificates will usually be recognised silently by browsers, with no pop- up or alert n “Self-signed” certificates will almost always produce a “pop up” on the browser –shows that identity has been asserted… but not proved… by the server owner –If the user can trust the owner, they are likely to be offered the option to recognise this certificate like a commercial certificate in future (effectively silencing the alert)

22 Organisation Signed Server Certificates n Also likely to result in an alert that names the organisation –organisation has an existing relationship with most of the users of the site (e.g. they may be employees) –can instruct them to configure their browsers to silently recognise certificates signed by their own organisation

23 Personal Data and https n Without https… (or other means of protection) –personal data is fair game for anyone on the Internet that knows the seller’s IP address!!! –customers really should be aware of this…

24 Thanks for listening…

Download ppt "COMP2121 Internet Technology Richard Henson April 2011."

Similar presentations

Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
CP3397 ECommerce.

CP3397 ECommerce.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.

SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Lori Fitterling LI843 SSL Secured Sockets Layer. What is Secure Sockets Layer (SSL)? It is protection of data transferred over the Internet using encryption.

Lori Fitterling LI843 SSL Secured Sockets Layer. What is Secure Sockets Layer (SSL)? It is protection of data transferred over the Internet using encryption.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Chapter 8 Web Security.

Chapter 8 Web Security.
Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.

Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Alpha Five User Group, Bill Parker, SSL Security and WAS, July 2007 SSL Security with Alpha Five App Server Protecting sensitive or personal data.

Alpha Five User Group, Bill Parker, SSL Security and WAS, July 2007 SSL Security with Alpha Five App Server Protecting sensitive or personal data.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/1.1 200 OK.

How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.

Similar presentations

Ads by Google