Web Security and Privacy
from the user's point of view


  Abrar Ahmed Khan
The Internet is a collection of networks that communicate
  - with a common set of protocols (TCP/IP)
It is a collection of networks with
  - no central controlling authority
  - no common legal regulations, as it has no borders
  - no standard of acceptable usage
     Internet Security
There are two types of security issues.
Server side security
These are the security issues regarding web
hosting servers, database servers and institutional
servers. This is where most of the work is being done
(by security people as well as by attackers), because
a lot of information is stored in a single place.
The financial losses can amount to billions of
Client Side Security
These are the computers we use at home; they are
very much part of the Internet and are the customers
of these servers.
This is the side where little money is spent on
security, as users depend on off-the-shelf products
for their Internet use, such as the operating system's
security and the browser's security.
Why is client side security important?
Clients are millions of users, and they are the
customers of a lot of e-businesses.
When ordinary people are involved there is an issue of
privacy. As we do business with companies, they
should not learn more about us than they need to,
and should not try to gather information about what
we do and use it for their own purposes.
Different privacy and security
attacks on end users
  - Getting viruses through email attachments and
    downloads from unreliable servers
  - Making transactions with non-certified web sites
  - Denial of service by opening lots of applets and
    browser windows and bringing the system down
  - Java, JavaScript and ActiveX security holes which
    can be used to access systems
  - The ability to monitor your browsing habits
    and make changes to your system files
    through "cookies"
What is a cookie?
A cookie is a mechanism developed by Netscape
to make up for the stateless nature of the
HTTP protocol.
A cookie is set by the server through an HTTP response
header (Set-Cookie) and sent back by the browser in a
request header (Cookie). It is a text-only string that
the browser keeps in memory; it carries the domain,
path, lifetime and value of a variable that a
website sets. If the lifetime of this variable is
longer than the time the user spends at that site,
then this string is saved to a file for future reference.
Why do sites use cookies?
There are many good reasons a given site
would wish to use cookies. These range from
the ability to personalise information (like
Yahoo) to keeping track of the shopping cart
as you move around the site (like Amazon).
Cookies provide programmers with a
convenient way to provide better service.
The three wrong uses of cookies
1. Cookies can be used to collect information
   about us,
   like what parts of a site we visited and what
   products we searched for on the site;
   according to that, different banner ads and
   pop-up ads come up.
   Worse, the information is passed on or
   exchanged between web sites to target
   the advertisements more directly.
Wrong use of cookies
An Internet marketing company advertised
products on the Internet. It had a network of
websites for which it advertised, and it used to
collect information from the different websites by
placing its cookies, then analysing the
surfing habits and presenting suitable ads
for them. Its network of websites became so
large that it was nearly able to track every
click on the web. A civil suit was filed under
privacy legislation against the company, and about $2
million was paid to the plaintiffs.
Wrong uses of cookies
2. The information in a cookie can be lifted
   and used by a different party, who simply
   poses as the original user.
   An IE patch was released last year regarding
   spoofing of legitimate websites and stealing
   of the browser cookies set by them.
Wrong uses of cookies
3. The third wrong use is the latest: being able
   to access files on the user's computer
   using cookies.
   "On March 29, 2002, a patch for IE was released to
   stop malicious script embedded in a
   cookie from being run in an area of the user's PC known
   as the Local Computer zone, where it could alter
   or delete files. Scripts embedded in cookies
   are supposed to run in the Internet zone of
   the computer."
What does a cookie contain?
Cookies travel from server to client and back
as an HTTP header.
A cookie has 6 parameters that can be passed to it:
1. The name of the cookie,
2. The value of the cookie,
3. The expiration date of the cookie,
4. The path the cookie is valid for,
5. The domain the cookie is valid for,
6. The need for a secure connection to exist to use
   the cookie.
What does a cookie contain?
A very basic example, laid out in the column order of a line in
Netscape's cookies.txt file (domain, flag, path, secure, expiration,
name, value):

    TRUE / FALSE   343432423   xyzpop   45767656576565655

(The sample line carries only a flag, an expiration, a name and a
value; the domain, path and secure columns are not filled in.)

domain - The domain that created, and that can read, the variable.

flag - A TRUE/FALSE value indicating if all machines within a
  given domain can access the variable. This value is set
  automatically by the browser, depending on the value you
  set for domain.

path - The path within the domain that the variable is valid
  for. It sets the URL path the cookie is valid within. Pages
  outside of that path cannot read or use the cookie.

secure - The secure parameter is a flag indicating that a
  cookie should only be sent over a secure connection,
  such as SSL. Since most sites do not require secure
  connections, this defaults to FALSE.

expiration - The UNIX time that the variable will expire on.
  UNIX time is defined as the number of seconds since Jan 1,
  1970 00:00:00 GMT. If Expires is not set explicitly, then it
  defaults to end-of-session. The length of a session can vary
  depending on browsers and servers, but generally a session
  is the length of time that the browser is open for (even if
  the user is no longer at that site).

name - The name of the variable. It is also the name of the
  cookie itself.

value - The value of the variable. This is the piece of
  information collected by the website and stored on our
  systems. The browser stores it as plain text; it is only
  protected if the site itself encodes or encrypts it.
  Values can be long, and many such variables together can
  give away information about our systems.
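To make the six attributes and the seven-column cookies.txt layout concrete, here is an added example (JavaScript for Node, not code from the original slides): it parses a Set-Cookie header into name, value, expires, path, domain and secure, decides whether a browser would attach the cookie to a later request, and writes the cookie out in the domain/flag/path/secure/expiration/name/value order used above. The host names, paths and dates are constructed for the demonstration. The domain and path matching follow the classic rules (the request host equals or ends with the cookie domain, the request path starts with the cookie path); modern browsers layer further restrictions on top.

```javascript
// Added example, not from the original slides: the six Set-Cookie
// attributes, the browser's sending rules, and the cookies.txt column order.
// All hosts, paths and dates below are constructed for the demonstration.

// Parse one Set-Cookie header value into the six fields the slides list.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq < 1) throw new Error("cookie must start with name=value");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    expires: null,    // Date, or null for an end-of-session cookie
    path: "/",        // default when no Path attribute is given
    domain: null,     // null means: only the host that set it gets it back
    secure: false,    // true: send only over SSL/TLS
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "expires") cookie.expires = new Date(val);
    else if (key === "path") cookie.path = val || "/";
    else if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

// Would the browser attach `cookie` (set by settingHost) to a request
// for requestUrl made at time `now`? Checks expiry, secure, domain, path.
function shouldSend(cookie, settingHost, requestUrl, now = new Date()) {
  const url = new URL(requestUrl);
  if (cookie.expires && cookie.expires <= now) return false;      // expired
  if (cookie.secure && url.protocol !== "https:") return false;   // secure flag
  const host = url.hostname.toLowerCase();
  if (cookie.domain === null) {
    if (host !== settingHost.toLowerCase()) return false;         // host-only cookie
  } else if (host !== cookie.domain && !host.endsWith("." + cookie.domain)) {
    return false;                                                 // outside the domain
  }
  const dirPrefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  if (url.pathname !== cookie.path && !url.pathname.startsWith(dirPrefix)) {
    return false;                                                 // outside the path
  }
  return true;
}

// Serialize in the Netscape cookies.txt column order shown in the slides:
// domain, flag, path, secure, expiration (UNIX seconds, 0 = session), name, value.
function toCookiesTxt(cookie, settingHost) {
  const domainWide = cookie.domain !== null;
  return [
    domainWide ? "." + cookie.domain : settingHost,
    domainWide ? "TRUE" : "FALSE",   // flag: derived from the domain, as the slide says
    cookie.path,
    cookie.secure ? "TRUE" : "FALSE",
    cookie.expires ? Math.floor(cookie.expires.getTime() / 1000) : 0,
    cookie.name,
    cookie.value,
  ].join("\t");
}

// Constructed sample: a session id scoped to /account on every host under example.com.
const sample = parseSetCookie(
  "sid=abc123; Path=/account; Domain=.example.com; Expires=Tue, 19 Jan 2038 03:14:07 GMT; Secure"
);
console.log(toCookiesTxt(sample, "www.example.com"));
console.log(shouldSend(sample, "www.example.com", "https://shop.example.com/account/orders")); // true
console.log(shouldSend(sample, "www.example.com", "http://shop.example.com/account/orders"));  // false: not https
```

The two negative checks worth noticing are the ones a careless implementation gets wrong: "notexample.com" must not match a cookie for example.com (hence the leading dot in the suffix test), and "/accounts" must not match a cookie for path "/account" (hence the directory prefix).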
What information can a cookie
take without any breach?
Every time you visit a web site you give away a
lot of information. Most of it is sent by the request
itself (HTTP headers, your IP address, client-side
scripting); the cookie only labels you so that the
separate visits can be tied together:

  - Service provider.
  - Operating system.
  - Browser type.
  - Screen resolution and number of colours (via client-side scripting).
  - CPU type.
  - Your service provider's proxy server (if used).
  - Your IP address (though this may change).
  - What site you were on last (the Referer header).
Creating a Cookie
Creating a cookie generally involves reproducing the
HTTP cookie header in such a fashion that the
browser will store the name-value pair in memory.
Some languages expect an exact HTTP header to
be sent, while others have built-in functions to
speed the process along.
Cookies can be created from many scripting languages:
JavaScript, Perl, ASP, VBScript, LiveWire etc.
The scripting languages are powerful enough to access
files that the browser's security settings are meant to restrict.
One only needs to find a hole in the browser or
operating system to be able to access the system.
Example: how a cookie script
looks in JavaScript
JavaScript supplies a built-in property called document.cookie to
handle cookie interaction. It holds all the valid
cookies for the page the script is running on.
When you assign a string to document.cookie, a cookie is
created. The syntax is identical to that of the HTTP header:

// Build a Set-Cookie-style string and hand it to the browser.
// Optional attributes are appended only when the caller supplies them.
function setCookie(name, value, expires, path, domain, secure) {
  document.cookie = name + "=" + escape(value) +   // escape(): legacy; encodeURIComponent() today
    ((expires) ? "; expires=" + expires : "") +    // a GMT date string
    ((path) ? "; path=" + path : "") +
    ((domain) ? "; domain=" + domain : "") +
    ((secure) ? "; secure" : "");                  // flag only, no value
}
Retrieval of cookies
To retrieve cookies with JavaScript, use document.cookie again.

function getCookie(name) {
  // document.cookie reads "a=1; b=2"; the leading space makes every
  // name, including the first, findable as " name=".
  var cookie = " " + document.cookie;
  var search = " " + name + "=";
  var setStr = null; var offset = 0; var end = 0;
  if (cookie.length > 0) {
    offset = cookie.indexOf(search);
    if (offset != -1) {
      offset += search.length;
      end = cookie.indexOf(";", offset);
      if (end == -1) end = cookie.length;   // last cookie has no trailing ";"
      setStr = unescape(cookie.substring(offset, end));
    }
  }
  return setStr;
}
Do we need to stop cookies?
One good thing to hear is that most of the accesses to computers through cookies
  have been stopped by updated browsers and hundreds of patches.
With a patch released not even 15 days ago to stop hackers from deleting files,
  we can see how vulnerable our systems still are to cookies.
They are the only tracking device that we can take control of. It is easy to go
  into the browser options and just block cookies. But many websites
  don't want that to happen; it would mean a loss of revenue, as they would no
  longer be able to track the likes and dislikes of customers.
Many governments are planning a cookie-free Internet, especially European
  countries, where they have stricter privacy laws.

My name: Abrar Ahmed Khan
