1 Internet Privacy - At Home and At Work: A Tutorial Presented by Dr. Robert J. Boncella Professor...
-
date post
20-Dec-2015 -
Category
Documents
-
view
216 -
download
1
Transcript of 1 Internet Privacy - At Home and At Work: A Tutorial Presented by Dr. Robert J. Boncella Professor...
1
Internet Privacy - At Home and At Work: A Tutorial
Presented
by
Dr. Robert J. Boncella
Professor of CIS
CIS Department and School of Business
Washburn University
Topeka, Kansas
2
Internet Privacy - At Home
3
Client Server
This is a request
This is a response
Client/Server Computing
4
Web Basics• Uniform Resource Identifier (URI)• Uniform Resource Locator (URL)• Uniform Resource Name (URN)• URL/URN Syntax
– protocol://host[:port]/url-path– protocol://username:password@host/url-path
• Protocol Examples– http://host[:port]/path/resource_name[#section][?query_string]
– ftp://username:password@host[:port]/path
• Examples– http://www.webcrawler.com:80/cgi-bin/WebQuery?searchText=servlets
– ftp://[email protected]/
5
HTTP Protocol• Client sends a request to a server• Server sends a response to client• Connectionless
– Client: • Opens connection to server• Sends request
– Server• Responds to request• Closes connection
• Stateless– Client/Server have no memory of prior
connections– Server cannot distinguish one client request
from another client
6
Request Line
Blank Line
Body(Present in only some
messages)
Request headers
Entity headers
General headers
Request message
Status Line
Blank Line
Body(Present in only some
messages)
Response headers
Entity headers
General headers
Response message
HTTP Protocol
7
Request Type
(method)URL HTTP version
Space Space
Request Line Syntax
GET /login.html HTTP/1.0
POST /login.html HTTP/1.0
GET /login.html?username=zzbonc&password=demo1 HTTP/1.0
generated by the URL:http://www.washburn.edu/login.html?username=zzbonc&password=demo1
8
HTTP version Status Code Status phrase
Space Space
Status Line Format in Response Message
HTTP/1.0 200 OK
HTTP/1.0 401 Unauthorized
HTTP/1.0 404 Not Found
9
Header name:
Header Value
Space
Header Format
Several Types of Headers:General- provides general information about the message
Request - specifies client’s configuration and preferred document format
Response - specifies the server’s configuration and information about the response
Entity - information about the body of the document
10
Client Server
Request (Get Method)
GET /usr/bin/image1 HTTP/1.1Accept: image/gifAccept: image/jpeg
ResponseHTTP/1.1 200 OKDate: Mon, 08-Jan-01 13:15:14 GMTServer: ChallengerMIME-version: 1.0Content-length: 2048
(Body of document)
11
Client Server
Request (Head method)
HEAD usr/user/file1.html HTTP/1.1Accept: */*
ResponseHTTP/1.1 200 OKDate: Mon, 08-Jan-01 13:15:14 GMTServer: ChallengerMIME-version: 1.0Content-type: text/htmlContent-length: 1020
12
Client Server
Request (Post Method)
POST /cgi-bin/doc.pl HTTP/1.1Accept: *.*Accept: image/gifAccept: image/jpegContent-length: 50
(Input information)
ResponseHTTP/1.1 200 OKDate: Mon, 08-Jan-01 13:15:14 GMTServer: ChallengerMIME-version: 1.0Content-length: 2000
(Body of the document)
13
HTTP and Privacy
• Privacy Threats– Server Log Files– Proxy Log Files– Referer Header– Cookies– Web Bugs
• Privacy Assurance– Anonymizing Proxies– Cookie Cutters
14
Server Log Files
• The name & IP address of the client computer• The time of the request• The URL that was requested• The time it took to send the resource• If HTTP authentication used; the username of the
user of the client will recorded• Any errors that occurred• The referer link • The kind of web browser that was used
Each time a client requests a resource the server of that resource may record the following in its log files:
Same info may be recorded in a Proxy Server’s log file
15
Cookies• Used to solve the “Statelessness” of the HTTP
Protocol• Used to store and retrieve user-specific
information on the web• When an HTTP server responds to a request it
may send additional information that is stored by the client - “state information”
• When client makes a request to this server the client will return the “cookie” that contains its state information
• State information may be a client ID that can be used as an index to a client data record on the server
16
HTTP Header Syntax for a CookieSet-Cookie: <name>=<value>; expires=<Date>; domain=<Domain_Name>; Path=<Path>; secure
Response Example:
HTTP/1.0 200 OKServer: Netscape-Enterprise/2.01Content Type: text/htmlContent Length: 87Set-Cookie: userID=1234; domain=mysite.org path=/cookie_info
Request Example:
GET /login.html HTTP/1.0User-Agent: Mozilla/4.02 [en] (Win95; I)Accept: image/gif, image/jpeg, */*Cookie userID=1234;color=blue
17
Attributes of the Cookie Header
• <NAME>=<VALUE> The only required name/value pair is the cookie name and its value e.g. Set-Cookie: custID=12345
• expires=<DATE> Indicates when cookie is no longer valid. When a cookie expires it should be removed from storage. If no date is specified then cookie expires at end of user session.
18
Attributes of the Cookie Header• domain=<DOMAIN> If the domain of a client
request matches the domain attribute of a cookie, then the request’s path is compared to the cookie’s path attribute. If there is a match, the cookie is transmitted to the server along with the request.
• path=<PATH> The path attribute indicates the URLs within a domain for which the cookie is valid. If no path attribute is set in the Set-Cookie header, the path is assumed to be the same as the resource that is being returned by the server.
• secure The secure attribute indicates that this cookie should be sent via a secure connection.
19
Web Bugs• Used to determine a client browsing profile based on their
“clickstream”• As a web page is rendered by a browser each URL on the
page causes a request to be sent by the client– <IMG SRC “http://ad.doubleclick.net/ … ” WIDTH=1 HEIGHT=1 BORDER=0>
• Suppose every page rendered by a client requests the same URL (located on the same server)
• Among other info, the GET method contains the cookie issued to the client by the server of that URL and the referer header.
• The referer info can be extracted by the server and associated with that cookie.
20
ClientBrowser
My_Brwsr
Server BServer C
WBS Server A
Cookie: My_BrwsrPg A - Server APg B - Server BPg C - Server C
1. Render page2. Click on URL
Page B cnts- URLs & Img Src- WebBug Img@ WBS. TRKSTRM.COM
Page A cnts- URLs & Img Src- WebBug Img @ WBS. TRKSTRM.COM
Page C cnts- URLs & Img Src- WebBug Img@ WBS. TRKSTRM.COM
Req: Page_B.html
Req: Page_A.html
Res: Page_A.html
Req:
WebBug IMG-Referer Header- Any cookie for TRKSTRM.COM
Res:
WebBug Img-Cookie to client Browser on 1st Req.
Res: Page_B.html
Res: Page_C.html
Req: Page_C.html
Web Bug Process
21
Are Cookies Anonymous?
• A click stream can be associated with a specific cookie on a server.
• Cookies may be associated with a paticular client, based on IP address but are assumed to not be associated with a particular user.
• E-mail readers can render web pages (e.g. MS Outlook, Netscape Messenger)
• Suppose a user receives a junk e-mail containing a web bug modified to contain user’s e-mail address
22
Are Cookies Anonymous?
This URL in the e-mail
<img src=“http://www.somedomain.com/[email protected]>
Generates this request to the server of the Web Bug
GET /[email protected] HTTP/1.1User-Agent: Mozilla/4.7 [en] (WIN98; I)…Cookie: userID=1234
23
Privacy Assurance• Anonymizing Proxies
– work like normal proxy servers– but they scrub any identification from the request (e.g.
cookies, referer header contents, IP address of host making the request)
– no log files are kept regarding a host’s use of the proxy server
• Advantages– effective and transparent
• Disadvantges– Slow web response time– cookies unavailable– may not support SSL– Need to trust anonymizer
24
Privacy Assurance• Cookie Cutters
– Browsers offer options for cookies• accept all
• reject all
• warn before accepting
• only accept cookies that are offered by the site of the rendered page i.e.do not accept web bugs
– If “accept all cookies” chosen user can remain somewhat private by doing a clean sweep - remove files containing cookies, history, and clear cache
25
Internet Privacy - At Work
26
Why Do Web Surveillance• Employee Productivity
• Wasted Bandwidth
• Computer Security– Viruses and Trojan Horses
• Legal Issues– Illegal Use of Commercial Software– Hostile Work Environment– Pornography in the Workplace– Sexually Explicit E-mail
27
Items For Web Surveillance
• Web Browsing & Cookies
• E-mail Use
• Active Content (e.g. Java Applets & Active X )
• Malicious Mobile Code – Trojan Horses, Viruses, Macros, Executable Scripts
• Failed Logon Attempts
• “Access Denied” Events
28
How To Do Web Surveillance
• Web Proxies– Offer Inspection & Restriction– Drawback is Slower Response Time
• E-mail Context & Content Scan– Used to Monitor and Filter E-mails– Filter Malicious Code (e.g. .vbs attachments)– Monitor Content for
• Racist or Sexually Harassing Content
29
How To Do Web Surveillance• Intrusion Detection Systems
– Host Based• track user keystrokes
– Networked Based• application keystrokes per user
– Internal Firewalls • monitor access & use of a organization’s intranet
• Remote Control Progams– allows control of remote host and redirect display– e.g. pcAnywhere or Citrix’s ICA Client
30
Employees and Web Surveillance• Web Surveillance Is Effective & Accepted If
Employee Is Aware of an Institution’s Policy For Web Surveillance
• Corporations Must Provide an Acceptable Use Policy (AUP) for Computing Resources That Contains An Internet Access Policy (IAP)
• IAP, As Well As AUP, Should Specified, in Plain Language What Is Acceptable and Not Acceptable
• IAP Should Provide Specific Examples of Do’s and Don’ts
31
Internet Privacy - Final Comment
• Even Though the WEB Feels Anonymous
• IT IS NOT!!
• Users Need To Be Aware of Restrictions on Their Privacy