1 Application Security: E-mail (April 10, 2013) © Abdou Illia – Spring 2013
2 Learning Objectives
- Discuss E-mail security
3 E-mail operation (SMTP to send, POP to download)
Diagram: Sending Client -> Sender's SMTP Server (port 25) -> Receiver's SMTP Server (port 25) -> Local POP Server (port 110) -> Receiving Client. (The sender's domain also runs a Local POP Server on port 110 for its own users.)
1) Sender sends the E-mail using a stand-alone E-mail client.
2) The client connects to the SMTP server at mail.source.com (port 25) to pass the message.
3) The SMTP server breaks the address into two parts (receiver and destination.com). If destination.com is the same as source.com, the SMTP server uses a delivery agent to pass the message to the local POP server. If not, the message is sent to the receiver's SMTP server.
4) The receiver's SMTP server uses a delivery agent to pass the message to its local POP server.
5) When the receiver connects, they download the message to the local computer.
- Simple Mail Transfer Protocol (SMTP): used to transmit mail in real time to a user's mail server or between mail servers.
- Post Office Protocol (POP): used to download mail to the receiver, when the receiver is capable of downloading mail.
- If the SMTP server at source.com can't connect to the server at destination.com, the message goes into a waiting queue at source.com. The server periodically retries sending (e.g., every 15 minutes). After 4 hours, the server sends an E-mail to the sender with a notice.
4 E-mail operation (SMTP to send, IMAP to read, search, etc.)
Diagram: Sending Client -> Sender's SMTP Server (port 25) -> Receiver's SMTP Server (port 25) -> Local IMAP Server (port 143) -> Receiving Client. (The sender's domain still runs a Local POP Server on port 110 for its own users.)
- Internet Mail Access Protocol (IMAP) is the more advanced mail protocol: the E-mail remains on the server and is not downloaded to the receiver's computer.
- Mails can be organized in folders on the server.
- Mails can be read from any computer.
- The user can download copies of E-mails to work off-line without erasing them from the server.
- The user can reply off-line; the next time the user connects, the replies are sent.
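Steps 1 to 5 of slide 3, together with the queue-and-retry rule at the bottom of that slide, are simulated below. This is an added example, not material from the lecture: the server and message classes, the simulated clock (in minutes) and the "peer reachable" lookup are constructed for the demo; the domain names source.com and destination.com, the 15-minute retry interval and the 4-hour give-up point come from the slides.

```python
"""Simulation of the SMTP relay / local POP delivery flow described on slide 3.
Added example (not from the original lecture). Classes, the minute-based clock and
the 'peers' reachability table are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RETRY_INTERVAL_MIN = 15      # slide: the server retries about every 15 minutes
GIVE_UP_AFTER_MIN = 4 * 60   # slide: after 4 hours the sender gets a notice


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class QueuedMessage:
    msg: Message
    queued_at: int      # simulated minutes when the message entered the queue
    next_attempt: int   # simulated minutes of the next relay attempt
    attempts: int = 0   # relay attempts made from the queue


class PopServer:
    """The 'Local POP server': per-user mailboxes the receiving client downloads from."""
    def __init__(self) -> None:
        self.mailboxes: Dict[str, List[Message]] = {}

    def deliver(self, msg: Message) -> None:          # delivery agent hands the message over
        self.mailboxes.setdefault(msg.recipient, []).append(msg)

    def download(self, user: str) -> List[Message]:   # POP: client connects and downloads
        return self.mailboxes.pop(user, [])


class SmtpServer:
    def __init__(self, domain: str, pop: PopServer, peers: Dict[str, "SmtpServer"]) -> None:
        self.domain = domain
        self.pop = pop
        self.peers = peers                    # domain -> reachable SMTP server; absent = can't connect
        self.queue: List[QueuedMessage] = []
        self.bounce_log: List[Tuple[str, int]] = []   # (recipient, retries) for each notice sent

    def accept(self, msg: Message, now: int) -> str:
        """Step 3: split the address into user and domain; local -> POP, remote -> relay."""
        _user, _, domain = msg.recipient.rpartition("@")
        if domain == self.domain:
            self.pop.deliver(msg)             # same domain: delivery agent -> local POP server
            return "local"
        if self._relay(msg, domain, now):
            return "relayed"
        self.queue.append(QueuedMessage(msg, now, now + RETRY_INTERVAL_MIN))
        return "queued"                       # destination unreachable: wait and retry

    def _relay(self, msg: Message, domain: str, now: int) -> bool:
        peer = self.peers.get(domain)
        if peer is None:
            return False
        peer.accept(msg, now)                 # step 4 happens on the receiver's SMTP server
        return True

    def tick(self, now: int) -> None:
        """Periodic queue run: retry due messages; notify the sender after 4 hours."""
        remaining: List[QueuedMessage] = []
        for q in self.queue:
            _, _, domain = q.msg.recipient.rpartition("@")
            if now >= q.next_attempt:
                q.attempts += 1
                if self._relay(q.msg, domain, now):
                    continue                  # finally delivered, drop from queue
                q.next_attempt = now + RETRY_INTERVAL_MIN
            if now - q.queued_at >= GIVE_UP_AFTER_MIN:
                notice = Message(sender=f"mailer-daemon@{self.domain}", recipient=q.msg.sender,
                                 body=f"Could not deliver to {q.msg.recipient} after 4 hours")
                self.bounce_log.append((q.msg.recipient, q.attempts))
                self.accept(notice, now)      # notice lands in the local sender's mailbox
                continue
            remaining.append(q)
        self.queue = remaining


def run_scenario() -> Dict[str, object]:
    """Local delivery, successful relay, and a relay that never comes up (constructed data)."""
    src_pop, dst_pop = PopServer(), PopServer()
    dst = SmtpServer("destination.com", dst_pop, peers={})
    src = SmtpServer("source.com", src_pop, peers={"destination.com": dst})
    r: Dict[str, object] = {}
    r["local"] = src.accept(Message("alice@source.com", "bob@source.com", "hi bob"), now=0)
    r["relayed"] = src.accept(Message("alice@source.com", "carol@destination.com", "hi carol"), now=0)
    r["bob_inbox"] = len(src_pop.download("bob@source.com"))
    r["carol_inbox"] = len(dst_pop.download("carol@destination.com"))
    src.peers = {}                            # destination.com becomes unreachable
    r["queued"] = src.accept(Message("alice@source.com", "dave@destination.com", "hi dave"), now=0)
    for now in range(0, GIVE_UP_AFTER_MIN + 1, RETRY_INTERVAL_MIN):
        src.tick(now)                         # queue runner fires every 15 minutes
    r["queue_left"] = len(src.queue)
    r["retries"] = src.bounce_log[0][1]
    r["notice_to_alice"] = len(src_pop.download("alice@source.com"))
    return r


if __name__ == "__main__":
    print(run_scenario())
```

The queue runner is the part worth noting for defenders: a relay that stays down produces a delayed bounce to the original sender, so bounce floods can be an early sign of forged sender addresses (backscatter) rather than of a local outage.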
5 E-mail Security issues
Given what you know about E-mail operation and E-mails in general, what are the main security and privacy issues associated with E-mail service?
6 E-mail Security issues
Given what you know about spam and the sending of inappropriate content (abusive E-mail, harassment, etc.), what can be done to control these issues?
7 E-mail Security: Filtering
- E-mail filtering can be done at all three levels.
- Extrusion filtering: filtering for the sending of intellectual property out of the corporation.
8 E-mail Security: Encryption
- E-mail encryption is not widely used because of a lack of clear standards.
- The IETF has not been able to settle upon a single standard because of in-fighting.
- Three standards are used: SSL/TLS, S/MIME, PGP.
9 E-mail Security: Encryption
- SSL/TLS only requires a digital certificate for servers. End-to-end encryption is obtained only if all parties involved use SSL/TLS.
- Secure/Multipurpose Internet Mail Extensions (S/MIME) uses digital signatures, which require the receiver to know the sender's public key.
- PGP uses trust among circles of friends: if A trusts B, and B trusts C, A may trust C's list of public keys.
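The PGP "circles of friends" rule on slide 9 (A trusts B, B trusts C, so A may accept the keys C vouches for) is worked through below with a small trust graph. This is an added example, not part of the lecture: the people, the trust edges, the key identifiers and the hop limit are all constructed; the hop limit is included because accepting every key reachable through an unbounded chain of introducers is the failure mode a practitioner has to guard against.

```python
"""Transitive key trust in the style of PGP's web of trust (added example, not from
the lecture). TRUST says whom each person accepts as an introducer; CERTIFIED says
which keys each person has signed. All names and key ids are constructed."""
from collections import deque
from typing import Dict, Set, Tuple

TRUST: Dict[str, Set[str]] = {          # person -> introducers that person trusts
    "alice": {"bob"},
    "bob": {"carol"},
    "carol": {"dave"},
    "dave": set(),
}
CERTIFIED: Dict[str, Dict[str, str]] = {   # person -> {key owner: key id} they signed
    "alice": {"bob": "KEY-BOB"},
    "bob": {"carol": "KEY-CAROL", "erin": "KEY-ERIN"},
    "carol": {"dave": "KEY-DAVE"},
    "dave": {"frank": "KEY-FRANK"},
}


def trusted_introducers(start: str, max_depth: int) -> Dict[str, int]:
    """Breadth-first walk over the 'trusts' relation; returns {person: hops from start}.
    max_depth caps how long a chain of 'friend of a friend' may become."""
    hops = {start: 0}
    pending = deque([start])
    while pending:
        cur = pending.popleft()
        if hops[cur] >= max_depth:
            continue
        for nxt in sorted(TRUST.get(cur, ())):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                pending.append(nxt)
    return hops


def accepted_keys(start: str, max_depth: int = 2) -> Dict[str, Tuple[str, str, int]]:
    """Keys 'start' accepts: every key certified by an introducer within max_depth hops.
    Value is (key id, certifying introducer, hops to that introducer); BFS order means
    the shortest chain wins when several introducers signed the same owner."""
    keys: Dict[str, Tuple[str, str, int]] = {}
    for person, h in trusted_introducers(start, max_depth).items():
        for owner, keyid in CERTIFIED.get(person, {}).items():
            keys.setdefault(owner, (keyid, person, h))
    return keys


def can_verify(receiver: str, sender: str, max_depth: int = 2) -> bool:
    """Does 'receiver' hold an accepted public key for 'sender'? (the S/MIME slide's
    requirement that the receiver know the sender's public key, met here via introducers)"""
    return sender in accepted_keys(receiver, max_depth)


if __name__ == "__main__":
    for depth in (1, 2, 3):
        print(depth, sorted(accepted_keys("alice", depth)))
```

With one hop Alice accepts only what she and Bob signed; with two hops Dave's key arrives through Carol; Frank's key needs a third hop. Raising the depth widens the set of keys accepted on nobody's direct word, which is why real PGP implementations cap the path length and weight introducers rather than trusting every chain equally.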