COMP2121 Internet Technology Richard Henson April 2011.

Week 11: Online Shopping Websites
- Objectives
  - Explain the processes that need to be present in any online trading website
  - Explain how information can be sent securely through the Internet
  - Apply principles of online shopping processes to the creation of a real-world shopping website

Components of a Business Transaction
- In a nutshell:
  1. Buyer selects goods or service
  2. Buyer and seller agree a price
  3. Buyer makes payment

Web Pages to Simulate the Business Transaction
- 1. Buyer selects goods or service
  - a. "Front end" web pages provide information about the products/service(s) for sale
  - b. Customer clicks to select the products/service(s) they want to buy

Web Pages to Simulate the Business Transaction
- 2. Buyer and seller agree a price
  - a. System presents the order to the customer, including prices and extras (e.g. VAT)
  - b. Customer either:
    - agrees with the order ("buy now")
    - goes back to the shopping pages, changes the selection, then agrees with the order
    - rejects the offer outright and closes the transaction

Web Pages to Simulate the Business Transaction
- 3. Buyer makes payment
  - a. Buyer provides details (or selects an existing ID if they have purchased from here before)
  - b. System presents an on-screen invoice (customer info, product info, order no.)
  - c. Buyer accepts/rejects the invoice
  - d. Buyer is taken to the payment system to make their online payment

After-Sales Service
- Essential if the vendor wants the customer to come back for more…
  - face-to-face?
  - online?

Security of Customer Data
- Two types of data to be secured:
  - financial data (let off that one… but in practice a secure connection does need to exist)
  - personal data (no let-out there: the customer will expect the online vendor to adhere to the law…)

What is the Law?
- Called the Data Protection Act
  - EU directive in 1981
  - UK law:
    - created in 1984
    - revised in 1998
    - tightened in 2008…
    - heavy financial penalties imposed in 2010!!!

Secure HTTP (HTTP-S)
- IETF set up WTS (Web Transaction Security) in 1995 to:
  - look at proposals for a secure version of HTTP
  - ensure secure embedding of any emerging protocol with HTML
- Proposals agreed in 1999
  - defined as:
    - RFC #2659 – secure HTML documents
    - RFC #2660 – the secure protocol itself

SSL (Secure Sockets Layer)
- Developed by Netscape in 1995
  - purpose: to allow browsers to participate in secure Internet transactions
  - soon became the most commonly used protocol for e-commerce transactions
  - still not defeated by hackers (so far…)

Features of SSL
- Excellent upper-layer security:
  - RSA (well-established standard) public-key encryption/decryption of HTTP packets at the session layer (OSI 5)
  - Application data is then already secure for sending/receiving between Internet hosts
  - PKI compatibility means that digital certificates are supported as well

Extending SSL
- From level 5, down to level 4…
  - called TLS (Transport Layer Security)
- SSL standard submitted by Netscape to the IETF (Internet Engineering Task Force) for further development
  - working party set up in 1996
  - worked with Netscape to standardise SSL v3.0
    - RFC draft the same year
  - agreed standard: RFC #2246

Secure HTTP, SSL and TLS
- Together, HTTPS/SSL/TLS can provide a secure interface between TCP (level 4) and HTML (level 7)
  - a very secure conduit for message transfer across the Internet…

Secure HTTP in Practice
- Enhancement of HTTP:
  - works with SSL/TLS and the PKI
  - ensures security of HTML data sent through the Internet
- Normally, when a browser requests a web page, it is just downloaded
- HOWEVER, if the page is held on an HTTP-S server
  - it can only be downloaded using the https protocol!!!

Secure Server Certificates
- Also, the https protocol will not allow downloading until the web server has been approved…
  - and this will only happen if the web server has been authenticated and certificated by a valid server certificate
- Certification and authentication handled by a PKI-affiliated body (e.g. Verisign)
  - therefore considered to be very secure

Implementation of Secure HTTP
- Like HTTP, a client-server protocol
  - Server end:
    - PKI-compliant web server configured to provide https access
    - valid server certificate to authenticate the server to the client
  - Client end:
    - browser needs to be able to identify and authenticate secure HTTP traffic:
      - URL header
      - "lock" sign at the bottom of the screen

The Server Certificate
- Encryption and identity checking both require the owner of the server to obtain and install one of these…
  - more expensive than a personal certificate
  - Verisign a suitable source…
- The SSL certificate has to be:
  - downloaded from the source website
  - installed onto the relevant web server
  - authenticated by a named individual (administrator?) at the server end

Installing a Server Certificate into IIS
- A "wizard" drives the whole process
  - need administrator access to IIS in "webserver" mode
  - access the "directory security" tab
  - click on "server certificate"…
    - and the process begins
- Once the certificate is installed, development of a secure website can begin in specific folders

The Client End and https
- IF the web server is properly configured for https…
  - (optionally) username/password protected
  - viewable server certificate installed…
- THEN, via username/password authentication
  - the client browser will allow https access via the web
  - a clickable "lock" symbol appears below the web page display
- Otherwise, a "not authorised" message will be displayed

Self-Signed and SSL Certificates
- Commercial SSL certificates will usually be recognised silently by browsers, with no pop-up or alert
- "Self-signed" certificates will almost always produce a "pop-up" on the browser
  - shows that identity has been asserted… but not proved… by the server owner
  - if the user can trust the owner, they are likely to be offered the option to recognise this certificate like a commercial certificate in future (effectively silencing the alert)

Organisation-Signed Server Certificates
- Also likely to result in an alert that names the organisation
  - the organisation has an existing relationship with most of the users of the site (e.g. they may be employees)
  - it can instruct them to configure their browsers to silently recognise certificates signed by their own organisation

Personal Data and https
- Without https… (or other means of protection)
  - personal data is fair game for anyone on the Internet who knows the seller's IP address!!!
  - customers really should be aware of this…

Thanks for listening…