Transcript of "Internet Privacy - At Home and At Work: A Tutorial", presented by Dr. Robert J. Boncella, Professor of CIS, CIS Department and School of Business, Washburn University, Topeka, Kansas (31 pages; posted 20-Dec-2015).

Page 1

Internet Privacy - At Home and At Work: A Tutorial

Presented by

Dr. Robert J. Boncella
Professor of CIS
CIS Department and School of Business
Washburn University
Topeka, Kansas

Page 2

Internet Privacy - At Home

Page 3

Client/Server Computing

[Figure: a Client sends "This is a request" to a Server; the Server returns "This is a response".]

Page 4

Web Basics

• Uniform Resource Identifier (URI)
• Uniform Resource Locator (URL)
• Uniform Resource Name (URN)
• URL/URN Syntax
  – protocol://host[:port]/url-path
  – protocol://username:password@host/url-path
• Protocol Examples
  – http://host[:port]/path/resource_name[#section][?query_string]
  – ftp://username:password@host[:port]/path
• Examples
  – http://www.webcrawler.com:80/cgi-bin/WebQuery?searchText=servlets
  – ftp://[email protected]/

Page 5

HTTP Protocol

• Client sends a request to a server
• Server sends a response to client
• Connectionless
  – Client:
    • Opens connection to server
    • Sends request
  – Server:
    • Responds to request
    • Closes connection
• Stateless
  – Client/Server have no memory of prior connections
  – Server cannot distinguish one client request from another client

Page 6

HTTP Protocol

[Figure: layout of the two message types]

Request message:
  Request Line
  General headers, Request headers, Entity headers
  Blank Line
  Body (present in only some messages)

Response message:
  Status Line
  General headers, Response headers, Entity headers
  Blank Line
  Body (present in only some messages)

Page 7

Request Line Syntax

Request Type (method) <Space> URL <Space> HTTP version

Examples:

GET /login.html HTTP/1.0

POST /login.html HTTP/1.0

GET /login.html?username=zzbonc&password=demo1 HTTP/1.0

generated by the URL: http://www.washburn.edu/login.html?username=zzbonc&password=demo1

Page 8

Status Line Format in Response Message

HTTP version <Space> Status Code <Space> Status phrase

Examples:

HTTP/1.0 200 OK

HTTP/1.0 401 Unauthorized

HTTP/1.0 404 Not Found

Page 9

Header Format

Header name: <Space> Header Value

Several Types of Headers:

General - provides general information about the message

Request - specifies the client's configuration and preferred document format

Response - specifies the server's configuration and information about the response

Entity - information about the body of the document

Page 10

Request (Get Method), Client to Server:

GET /usr/bin/image1 HTTP/1.1
Accept: image/gif
Accept: image/jpeg

Response, Server to Client:

HTTP/1.1 200 OK
Date: Mon, 08-Jan-01 13:15:14 GMT
Server: Challenger
MIME-version: 1.0
Content-length: 2048

(Body of document)

Page 11

Request (Head Method), Client to Server:

HEAD /usr/user/file1.html HTTP/1.1
Accept: */*

Response, Server to Client (headers only, no body):

HTTP/1.1 200 OK
Date: Mon, 08-Jan-01 13:15:14 GMT
Server: Challenger
MIME-version: 1.0
Content-type: text/html
Content-length: 1020

Page 12

Request (Post Method), Client to Server:

POST /cgi-bin/doc.pl HTTP/1.1
Accept: */*
Accept: image/gif
Accept: image/jpeg
Content-length: 50

(Input information)

Response, Server to Client:

HTTP/1.1 200 OK
Date: Mon, 08-Jan-01 13:15:14 GMT
Server: Challenger
MIME-version: 1.0
Content-length: 2000

(Body of the document)
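The message layout of pages 6 to 12 (start line, header fields, blank line, body) as a small parser. This is an added example, not code from the tutorial; it assumes CRLF or bare LF line endings and folds a repeated header such as the two Accept lines on page 10 into one comma-separated value.

```python
# Added example (not from the tutorial): parse the request and response messages
# of pages 6-12 into start line, header fields and body.  Assumes CRLF or bare
# LF line endings and that a blank line separates the headers from the body.
from dataclasses import dataclass, field

@dataclass
class HttpMessage:
    start_line: str                     # request line or status line
    headers: dict = field(default_factory=dict)
    body: str = ""

    def is_request(self) -> bool:
        # A status line begins with the HTTP version; a request line ends with it.
        return not self.start_line.startswith("HTTP/")

    def start_fields(self) -> tuple:
        # Request line: (method, URL, version).  Status line: (version, code, phrase).
        parts = self.start_line.split(" ", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed start line: {self.start_line!r}")
        return tuple(parts)

def parse_message(raw: str) -> HttpMessage:
    """Split one HTTP/1.x message (page 6 layout) into its three parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    msg = HttpMessage(start_line=lines[0].strip(), body=body)
    for line in lines[1:]:
        if not line.strip():
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        # Names are case-insensitive; a repeated header (the two Accept lines
        # on page 10) is folded into one comma-separated value, as HTTP allows.
        key, value = name.strip().lower(), value.strip()
        msg.headers[key] = f"{msg.headers[key]}, {value}" if key in msg.headers else value
    return msg

# Constructed sample: the GET exchange shown on page 10.
REQUEST = "GET /usr/bin/image1 HTTP/1.1\r\nAccept: image/gif\r\nAccept: image/jpeg\r\n\r\n"
RESPONSE = ("HTTP/1.1 200 OK\r\nDate: Mon, 08-Jan-01 13:15:14 GMT\r\nServer: Challenger\r\n"
            "MIME-version: 1.0\r\nContent-length: 2048\r\n\r\n(Body of document)")

if __name__ == "__main__":
    for raw in (REQUEST, RESPONSE):
        m = parse_message(raw)
        print(m.start_fields(), m.headers, repr(m.body))
```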

Page 13

HTTP and Privacy

• Privacy Threats
  – Server Log Files
  – Proxy Log Files
  – Referer Header
  – Cookies
  – Web Bugs
• Privacy Assurance
  – Anonymizing Proxies
  – Cookie Cutters

Page 14

Server Log Files

Each time a client requests a resource, the server of that resource may record the following in its log files:

• The name & IP address of the client computer
• The time of the request
• The URL that was requested
• The time it took to send the resource
• If HTTP authentication was used, the username of the user of the client will be recorded
• Any errors that occurred
• The referer link
• The kind of web browser that was used

The same info may be recorded in a Proxy Server's log file.
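Pages 7 and 14 together make the privacy point concrete: the request line generated from the page-7 URL, password included, is exactly what a server writes to its log. The following added example (not code from the tutorial) builds that log entry and then redacts credential-bearing query parameters before it is written; the "combined" log layout and the list of sensitive parameter names are assumptions.

```python
# Added example (not from the tutorial): the request line a browser derives from
# the page-7 URL, the log entry a server of the kind described on page 14 writes
# for it, and a redaction step that keeps credentials out of that entry.  The
# "combined" log layout and the list of sensitive parameter names are assumptions.
from urllib.parse import urlsplit, parse_qsl, urlencode

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session"}

def request_line_for(url: str, method: str = "GET", version: str = "HTTP/1.0") -> str:
    """Request line for a URL: only path and query travel in it, not the host."""
    u = urlsplit(url)
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")
    return f"{method} {target} {version}"

def redact_request_line(request_line: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Replace the values of sensitive query parameters with [REDACTED]."""
    method, target, version = request_line.split(" ", 2)
    path, sep, query = target.partition("?")
    if not sep:
        return request_line                       # no query string, nothing to hide
    pairs = [(k, "[REDACTED]" if k.lower() in sensitive else v)
             for k, v in parse_qsl(query, keep_blank_values=True)]
    return f"{method} {path}?{urlencode(pairs, safe='[]')} {version}"

def log_entry(client, user, when, request_line, status, size, referer, agent) -> str:
    """One log line holding the items page 14 lists: client, user, time, URL, referer, browser."""
    return (f'{client} - {user or "-"} [{when}] "{request_line}" {status} {size} '
            f'"{referer or "-"}" "{agent}"')

# Constructed sample values; the URL is the one shown on page 7.
URL = "http://www.washburn.edu/login.html?username=zzbonc&password=demo1"
WHEN, REFERER = "08/Jan/2001:13:15:14 +0000", "http://www.washburn.edu/index.html"
AGENT = "Mozilla/4.7 [en] (WIN98; I)"
ENTRY = log_entry("192.0.2.10", None, WHEN, request_line_for(URL), 200, 512, REFERER, AGENT)
SAFE_ENTRY = log_entry("192.0.2.10", None, WHEN, redact_request_line(request_line_for(URL)),
                       200, 512, REFERER, AGENT)

if __name__ == "__main__":
    print(ENTRY)
    print(SAFE_ENTRY)
```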

Page 15

Cookies

• Used to solve the "statelessness" of the HTTP Protocol
• Used to store and retrieve user-specific information on the web
• When an HTTP server responds to a request it may send additional information that is stored by the client - "state information"
• When the client makes a request to this server, the client will return the "cookie" that contains its state information
• State information may be a client ID that can be used as an index to a client data record on the server

Page 16

HTTP Header Syntax for a Cookie

Set-Cookie: <name>=<value>; expires=<Date>; domain=<Domain_Name>; Path=<Path>; secure

Response Example:

HTTP/1.0 200 OK
Server: Netscape-Enterprise/2.01
Content-Type: text/html
Content-Length: 87
Set-Cookie: userID=1234; domain=mysite.org; path=/cookie_info

Request Example:

GET /login.html HTTP/1.0
User-Agent: Mozilla/4.02 [en] (Win95; I)
Accept: image/gif, image/jpeg, */*
Cookie: userID=1234; color=blue

Page 17

Attributes of the Cookie Header

• <NAME>=<VALUE> The only required name/value pair is the cookie name and its value, e.g. Set-Cookie: custID=12345

• expires=<DATE> Indicates when the cookie is no longer valid. When a cookie expires it should be removed from storage. If no date is specified then the cookie expires at the end of the user session.

Page 18

Attributes of the Cookie Header

• domain=<DOMAIN> If the domain of a client request matches the domain attribute of a cookie, then the request's path is compared to the cookie's path attribute. If there is a match, the cookie is transmitted to the server along with the request.

• path=<PATH> The path attribute indicates the URLs within a domain for which the cookie is valid. If no path attribute is set in the Set-Cookie header, the path is assumed to be the same as the resource that is being returned by the server.

• secure The secure attribute indicates that this cookie should be sent via a secure connection.
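The attributes of pages 16 to 18 and the matching rules of page 18 as a minimal cookie jar: parse a Set-Cookie value, then decide which stored cookies accompany a given request. This is an added example, not code from the tutorial; it assumes the expires date format "Wdy, DD-Mon-YYYY HH:MM:SS GMT" and that a leading dot on the domain attribute is ignored.

```python
# Added example (not from the tutorial): a minimal cookie jar built from the
# Set-Cookie attributes of pages 16-18 and the page-18 rules that decide which
# cookies accompany a request.  The expires date format is assumed to be
# "Wdy, DD-Mon-YYYY HH:MM:SS GMT".
from datetime import datetime
from urllib.parse import urlsplit

DATE_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"

def parse_set_cookie(header: str, default_domain: str, default_path: str) -> dict:
    """One Set-Cookie value -> cookie record; defaults come from the response's host/path."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")          # the only required pair
    cookie = {"name": name, "value": value, "domain": default_domain,
              "path": default_path, "secure": False, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "expires":
            cookie["expires"] = datetime.strptime(val, DATE_FMT)
        elif key in ("domain", "path"):
            cookie[key] = val.lstrip(".") if key == "domain" else val
    return cookie

def cookies_for_request(jar: list, url: str, now: datetime) -> str:
    """Cookie header value for a request, applying the domain/path/secure/expiry rules."""
    u = urlsplit(url)
    host, path = (u.hostname or ""), (u.path or "/")
    sent = []
    for c in jar:
        if c["expires"] is not None and c["expires"] <= now:
            continue                                   # expired: removed from storage
        if host != c["domain"] and not host.endswith("." + c["domain"]):
            continue                                   # domain attribute does not match
        if not path.startswith(c["path"]):
            continue                                   # path attribute does not match
        if c["secure"] and u.scheme != "https":
            continue                                   # secure cookie, plain-HTTP request
        sent.append(f'{c["name"]}={c["value"]}')
    return "; ".join(sent)

# Constructed sample: the page-16 cookie plus a secure cookie with an expiry date.
NOW, LATER = datetime(2001, 1, 8, 13, 15, 14), datetime(2001, 1, 10)
JAR = [parse_set_cookie("userID=1234; domain=mysite.org; path=/cookie_info", "www.mysite.org", "/"),
       parse_set_cookie("sid=abc; expires=Tue, 09-Jan-2001 00:00:00 GMT; secure", "www.mysite.org", "/")]
```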

Page 19

Web Bugs

• Used to determine a client's browsing profile based on their "clickstream"
• As a web page is rendered by a browser, each URL on the page causes a request to be sent by the client
  – <IMG SRC="http://ad.doubleclick.net/…" WIDTH=1 HEIGHT=1 BORDER=0>
• Suppose every page rendered by a client requests the same URL (located on the same server)
• Among other info, the GET method contains the cookie issued to the client by the server of that URL and the referer header.
• The referer info can be extracted by the server and associated with that cookie.

Page 20

Web Bug Process

[Figure: a client browser (My_Brwsr), Server A, Server B, Server C and the web bug server WBS at WBS.TRKSTRM.COM. Page A, Page B and Page C each contain URLs & Img Src tags and a WebBug Img at WBS.TRKSTRM.COM.]

1. Render page
2. Click on URL

Req: Page_A.html (to Server A); Res: Page_A.html
Req: WebBug IMG (to WBS) - Referer Header - any cookie for TRKSTRM.COM; Res: WebBug Img - cookie sent to the client browser on the 1st request
Req: Page_B.html (to Server B); Res: Page_B.html
Req: Page_C.html (to Server C); Res: Page_C.html

WBS record for Cookie My_Brwsr: Pg A - Server A, Pg B - Server B, Pg C - Server C

Page 21

Are Cookies Anonymous?

• A click stream can be associated with a specific cookie on a server.
• Cookies may be associated with a particular client, based on IP address, but are assumed to not be associated with a particular user.
• E-mail readers can render web pages (e.g. MS Outlook, Netscape Messenger)
• Suppose a user receives a junk e-mail containing a web bug modified to contain the user's e-mail address

Page 22

Are Cookies Anonymous?

This URL in the e-mail

<img src="http://www.somedomain.com/[email protected]">

Generates this request to the server of the Web Bug

GET /[email protected] HTTP/1.1
User-Agent: Mozilla/4.7 [en] (WIN98; I)
…
Cookie: userID=1234

Page 23

Privacy Assurance

• Anonymizing Proxies
  – work like normal proxy servers
  – but they scrub any identification from the request (e.g. cookies, referer header contents, IP address of the host making the request)
  – no log files are kept regarding a host's use of the proxy server
• Advantages
  – effective and transparent
• Disadvantages
  – Slow web response time
  – cookies unavailable
  – may not support SSL
  – Need to trust the anonymizer

Page 24

Privacy Assurance

• Cookie Cutters
  – Browsers offer options for cookies
    • accept all
    • reject all
    • warn before accepting
    • only accept cookies that are offered by the site of the rendered page, i.e. do not accept web bugs
  – If "accept all cookies" is chosen, the user can remain somewhat private by doing a clean sweep - remove files containing cookies, history, and clear cache

Page 25

Internet Privacy - At Work

Page 26

Why Do Web Surveillance

• Employee Productivity
• Wasted Bandwidth
• Computer Security
  – Viruses and Trojan Horses
• Legal Issues
  – Illegal Use of Commercial Software
  – Hostile Work Environment
  – Pornography in the Workplace
  – Sexually Explicit E-mail

Page 27

Items For Web Surveillance

• Web Browsing & Cookies
• E-mail Use
• Active Content (e.g. Java Applets & ActiveX)
• Malicious Mobile Code - Trojan Horses, Viruses, Macros, Executable Scripts
• Failed Logon Attempts
• "Access Denied" Events

Page 28

How To Do Web Surveillance

• Web Proxies
  – Offer Inspection & Restriction
  – Drawback is Slower Response Time
• E-mail Context & Content Scan
  – Used to Monitor and Filter E-mails
  – Filter Malicious Code (e.g. .vbs attachments)
  – Monitor Content for
    • Racist or Sexually Harassing Content

Page 29

How To Do Web Surveillance

• Intrusion Detection Systems
  – Host Based
    • track user keystrokes
  – Network Based
    • application keystrokes per user
  – Internal Firewalls
    • monitor access & use of an organization's intranet
• Remote Control Programs
  – allow control of a remote host and redirection of its display
  – e.g. pcAnywhere or Citrix's ICA Client

Page 30

Employees and Web Surveillance

• Web Surveillance Is Effective & Accepted If the Employee Is Aware of the Institution's Policy For Web Surveillance
• Corporations Must Provide an Acceptable Use Policy (AUP) for Computing Resources That Contains an Internet Access Policy (IAP)
• The IAP, As Well As the AUP, Should Specify, in Plain Language, What Is Acceptable and Not Acceptable
• The IAP Should Provide Specific Examples of Do's and Don'ts

Page 31

Internet Privacy - Final Comment

• Even Though the WEB Feels Anonymous
• IT IS NOT!!
• Users Need To Be Aware of Restrictions on Their Privacy