Learning Center
Plans & pricing Sign in
Sign Out

Social Implications of the Internet


  • pg 1
									Internet Client Services:
      LO3 – Part 1

            Pauline Belford
HTTPS Protocol

       Pauline Belford
HTTP and Secure Transactions
When connecting to a website, your
browser uses the HTTP protocol.
HTTP doesn’t encrypt the data that it
    This means if your data is intercepted by a
     third party they can read it and use it.
Many transactions online need to be
    Banking
    Credit card transactions
    etc
HTTPS is syntactically identical to the http:
scheme normally used for accessing
resources using HTTP.
Using an https: URL indicates that HTTP
is to be used, but with a different default
port and an additional
encryption/authentication layer between
   This system was invented by Netscape.
      SSL and TLS Protocols
HTTPS is not really a separate protocol.
   It is the combination of a normal HTTP
    interaction over an encrypted Secure Socket
    Layer (SSL) or Transport Layer Security
    (TLS) transport mechanism.
Secure Socket Layer (SSL) and it’s
successor, Transport Layer Security
(TLS), are cryptographic protocols.
   There are slight differences between SSL 3.0
    and TLS 1.0, but the protocol remains
    substantially the same.
Encryption and Authentication
Encryption means that the data is
translated into code using some algorithm.
Anyone intercepting encrypted data would
find it hard to decode without the
encryption key.
Authentication is the act of ensuring that
the person or computer sending the
information is who they claim to be.
            SSL Phases
SSL/ TSL run below HTTP (Application
Layer) and above TCP (Transport Layer).

SSL involves a number of basic phases:

Peer negotiation for algorithm support.
Public Key Encryption – based key exchange
and Certificate – Based Authentication
Symmetric Cipher – based traffic encryption.
           How SSL Works
During the first phase, the client and
server negotiate which cryptographic
algorithms will be used.
   For public-key cryptography the algorithms
    include RSA, Diffie-Hellman, DSA & Fortezza.
   For symmetric ciphers: RC2, RC4, IDEA,
    DES, Triple DES or AES;
   For one-way hash functions: MD5 or SHA.
        How SSL Works
The SSL protocol exchanges records.
Each record can be optionally
compressed, encrypted and packed with a
message authentication code (MAC).
Each record has a content_type field that
specifies which upper level protocol is
being used.
          How SSL Works
When the connection starts, the record level
encapsulates another protocol, the handshake
protocol, which has content_type 22.
The client sends and receives several
handshake structures.
It sends a ClientHello message specifying the
list of cipher suites, compression methods and
the highest protocol version it supports.
It also sends random bytes which will be used
         How SSL Works
Then it receives a ServerHello, in which
the server chooses the connection
parameters from the choices offered by
the client earlier.
When the connection parameters are
known, client and server exchange
certificates (depending on the selected
public key cipher).
            How SSL Works
The server can request a certificate from
the client, so that the connection can be
mutually authenticated.
   Typically only the server is authenticated.
Client and server negotiate a common
secret called the “master secret”
   For example by encrypting a secret with a
    public key that is decrypted with the peer’s
    private key.
        How SSL Works
All other key data is derived from this
"master secret" (and the client- and
server-generated random values), which is
passed through a carefully designed
"Pseudo Random Function".
TLS / SSL Security Measures
TLS/SSL have a variety of security
Numbering all the records and using the
sequence number in the MACs.
Using a message digest enhanced with a
key (so only with the key can you check
the MAC).
   This is specified in RFC 2104.
TLS / SSL Security Measures
Protection against several known attacks
(including man in the middle attacks), like
those involving a downgrade of the
protocol to previous (less secure)
versions, or weaker cipher suites.
The message that ends the handshake
("Finished") sends a hash of all the
exchanged data seen by both parties.
TLS / SSL Security Measures
The pseudo random function splits the
input data into 2 halves and processes
them with different hashing algorithms
(MD5 and SHA), then XORs them
This way it protects itself in the event that
one of these algorithms is found
Is HTTPS Completely Secure?
The level of protection depends on the
correctness of the implementation by the web
browser and the server software and the actual
cryptographic algorithms supported.
A common misconception among credit card
users on the Web is that https fully protects their
card number from thieves.
   In reality, an encrypted connection to the Web server
    only protects the credit card number in transit
    between the user's computer and the server itself.
   It doesn't guarantee that the server itself is secure, or
    even that it hasn't already been compromised by an
             Online Security
Attacks on Web-sites that store customer
data are both easier and more common
than attempts to intercept data in transit.
Merchant sites are supposed to
immediately forward incoming transactions
to a financial gateway and retain only a
transaction number, but they often save
card numbers in a database.
   It is that server and database that is usually
    attacked and compromised by unauthorized
Email Protocols & Email
     Email Protocols (Recap)
Simple Mail Transfer Protocol (SMTP) has a
limited ability to queue mail messages at the
receiving end
   And therefore has to be used in conjunction with
    another protocol – e.g. POP3 or IMAP.
Both Post Office Protocol 3 (POP3) and Internet
Message Access Protocol (IMAP) allow
messages to be saved in an email server
mailbox and downloaded on request.
Typically SMTP is used for sending email, and
POP3 or IMAP are used to download email.
     Email Protocols (Recap)
With POP3, the emails are downloaded to
your local machine, and deleted from the
server (unless you tell it not to).
   They are stuck on your local machine. Not
    helpful if you check your email from several PCs.
With IMAP, your email stays on the server.
   You can check it from several machines.
   You can’t access it when not online, but you can
    download emails to a local machine if you want
    to read them when not connected.
          Email Attachments
Email clients allow you to send additional
files as attachments.
   Which are sent as separate files.
Email clients send data as plain text.
Email only works on text.
   It doesn’t understand other formats such as
Files in other formats must be converted
before sending (and converted back at the
other end).
       Conversion Protocols
The two protocols that are used to do this
   Multipurpose Internet Mail Extensions (MIME)
   Uuencode
One of these protocols – probably MIME -
will be built into the email client so that
attachments are converted automatically.
          Email Format
The basic format of Internet e-mail is
defined in RFC 2822, which is an updated
version of RFC 822.
These standards specify the familiar
formats for text e-mail headers and body
and rules pertaining to commonly used
header fields such as "To:", "Subject:",
"From:", and "Date:".
MIME defines a collection of e-mail headers for
specifying additional attributes of a message
including content type, and defines a set of
transfer encodings which can be used to
represent 8-bit binary data using characters from
the 7-bit ASCII character set.
MIME also specifies rules for encoding non-
ASCII characters in e-mail message headers,
such as "Subject:", allowing these header fields
to contain non-English characters.
MIME is extensible. Its definition includes a
method to register new content types and other
MIME attribute values.
             MIME Headers
MIME – Version
   The presence of this header indicates the
    message is MIME-formatted.
      E.g. MIME-Version: 1.0
Content – Type
   This header indicates the type and subtype of
    the message content.
      E.g. Content-type: text/plain
Content - Transfer – Encoding
   More on this later.
The combination of type and subtype is
generally called a MIME type
    although in modern applications, Internet media type
    is the favoured term, indicating its applicability outside
    of MIME messages.
A large number of file formats have registered
MIME types. Any text type has an additional
charset parameter that can be included to
indicate the character encoding. A very large
number of character encodings have registered
MIME charset names.
Although originally defined for MIME e-mail, the
content-type header and MIME type registry is
reused in other Internet protocols such as HTTP
and Session Initiation Protocol (SIP).
The MIME type registry is managed by the
Internet Assigned Numbers Authority (IANA).
Through the use of the multipart type, MIME
allows messages to have parts arranged in a
tree structure where the leaf nodes are any non-
multipart content type and the non-leaf nodes
are any of a variety of multipart types.
     Multipart Content-Type
This multipart (type/ subtype) mechanism
Simple text messages using text/plain (the
default value for "Content-type:")
Text plus attachments (multipart/mixed with a
text/plain part and other non-text parts). A MIME
message including an attached file generally
indicates the file's original name with the
"Content-disposition:" header, so the type of file
is indicated both by the MIME content-type and
the (usually OS-specific) filename extension.
    Multipart Content-Type
Reply with original attached
(multipart/mixed with a text/plain part and
the original message as a message/rfc822
Alternative content, such as a message
sent in both plain text and another format
such as HTML (multipart/alternative with
the same content in text/plain and
text/html forms)
Many other kinds of message constructs.
MIME RFC 2045 defines a set of methods
for representing binary data in ASCII text
The content-transfer-encoding MIME
header indicates the method that has been
Methods suitable for use with normal
SMTP include:
   7bit, quoted-printable, and base64.
         Multipart Messages
MIME can send files with multiple content
   E.g. a Powerpoint presentation that contains
You need to define the content type as
“multipart/ mixed” and define the
   e.g. boundary=“frontier”
Content type is then specified after each
Multipart Encoding Example

To top