COEN 350: Network Security E-Commerce Issues

Table of Content HTTP Authentication Cookies

HTTP Authentication HTTP Basically very simple. GET:Used to read a website. POST: Sends data to a website. Some data has security implications FROM field contains . But not by default, only if browser is configured that way. Used for spiders (crawlers) so that admins can complain about spider behavior.

HTTP Authentication HTTP Some data has security implications AUTHORIZATION field: Contains authentication data. COOKIE field: See below REFERRER (REFERER) field: Contains the URL of the page from which the client came.

HTTP Authentication Authentication URL allow username / password data. HTTP1.1 has two authentication mechanisms. Can use SSL, integrated as HTTPS.

HTTP Authentication URL Authentication

HTTP Authentication URL authentication Can be abused in phishing expeditions.

HTTP Authentication Native HTTP provides a challenge / response framework.

HTTP Authentication HTTP authenticator: A base 64 username / password encoding: The username and the password in the base 64 encoding Completely insecure. Data is not humanly readable It is easy to decode. Even easier to replay authorization

HTTP Authentication HTTP authenticator: Digest Authentication Challenge includes The WWW-Authenticate field reads "Digest". The realm field gives the authentication realm. The nonce field contains a value to be used as a nonce. The opaque field contains a value that the server needs the client to pass back to it unchanged. The stale field indicates whether the previous request was denied because the nonce was stale. The algorithm field specifies the hash algorithm to be used, typically MD5. The qop or quality of protection field can contain the value "auth" for authentication only or the value "auth- int" for both authentication and integrity protection.

HTTP Authentication HTTP authenticator: Digest Authentication Response includes challenge values and Client nonce Digest Calculated by hash algorithm requested. From challenge data, username, password, client nonce. (This prevents someone spoofing the server to control all data in the digest.)

Cookies HTTP is stateless. Good for requesting resources. Bad if server needs to update state based on clients actions. Fat URLs change server state. Cookies maintain state at client site. E-commerce integrates both.

Cookies How cookies work: Client contacts server. Server includes cookie in answer. “Slapping a cookie”. Client stores cookie in cookie jar. Client goes to the same website: Browser passes unexpired cookies along.

Cookies Cookies: Permanent cookies Valid for more than a single transaction. Session cookies Deleted when browser is closed.

Cookies Contain domain field. Example: Alice visits scu.edu slams her with Set-cookie: user="Alice"; domain="scu.edu“ Alice visits cse.scu.edu Browser includes the cookie in header of request because it matches the domain.

Cookies Domain field Specifies to whom cookies will be sent. Limited to specific sites. E.g..com.ft or.edu is not allowed. Path field Limits cookie sending to a given path. path = “

Cookies Cookie Versions Netscape Cookies= Version 0 Cookies RFC 2965 Cookies = Version 1 Cookies RFC 2965 : HTTP State Management Mechanism.

Cookies Version 0 cookies Set-Cookie: name=value [; expires=date] [;path=path] [;domain=domain] [;secure]. Secure: only include this cookie with HTTPS (i.e. with SSL) requests.

Cookies Web Bugs Web page can contain URL addressed resources. Web bug: Typically 1 by 1 image. Hence invisible. Ad from Ad server. Browser goes to the URL specified. Sends along cookies belonging to that URL Referrer field contains the referring URL.

Cookies Spying Cookies

Cookies Unprotected Cookies Servers need to protect themselves against users altering cookies. Plain text cookies are simple to forge. Change state information such as prices of items in a shopping cart. Gain unauthorized access by changing the user-id. Encryption of cookies needs to be understood and strong.