1 / 31

Internet Privacy - At Home and At Work: A Tutorial

Internet Privacy - At Home and At Work: A Tutorial. Presented by Dr. Robert J. Boncella Professor of CIS CIS Department and School of Business Washburn University Topeka, Kansas. Internet Privacy - At Home. Server. Client. This is a request. This is a response.

nellis
Download Presentation

Internet Privacy - At Home and At Work: A Tutorial

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet Privacy - At Home and At Work: A Tutorial Presented by Dr. Robert J. Boncella Professor of CIS CIS Department and School of Business Washburn University Topeka, Kansas

  2. Internet Privacy - At Home

  3. Server Client This is a request This is a response Client/Server Computing

  4. Web Basics • Uniform Resource Identifier (URI) • Uniform Resource Locator (URL) • Uniform Resource Name (URN) • URL/URN Syntax • protocol://host[:port]/url-path • protocol://username:password@host/url-path • Protocol Examples • http://host[:port]/path/resource_name[#section][?query_string] • ftp://username:password@host[:port]/path • Examples • http://www.webcrawler.com:80/cgi-bin/WebQuery?searchText=servlets • ftp://anonymous@ftp.netscape.com/

  5. Client sends a request to a server Server sends a response to client Connectionless Client: Opens connection to server Sends request Server Responds to request Closes connection Stateless Client/Server have no memory of prior connections Server cannot distinguish one client request from another client HTTP Protocol

  6. Status Line Request Line General headers General headers Request headers Response headers Entity headers Entity headers BlankLine BlankLine Body (Present in only some messages) Body (Present in only some messages) Request message Response message HTTP Protocol

  7. Space Space HTTP version Request Type (method) URL Request Line Syntax GET /login.html HTTP/1.0 POST /login.html HTTP/1.0 GET /login.html?username=zzbonc&password=demo1 HTTP/1.0 generated by the URL: http://www.washburn.edu/login.html?username=zzbonc&password=demo1

  8. Space Space Status phrase HTTP version Status Code Status Line Format in Response Message HTTP/1.0 200 OK HTTP/1.0 401 Unauthorized HTTP/1.0 404 Not Found

  9. Space Header name Header Value : Header Format Several Types of Headers: General- provides general information about the message Request - specifies client’s configuration and preferred document format Response - specifies the server’s configuration and information about the response Entity - information about the body of the document

  10. Server Client Request (Get Method) GET /usr/bin/image1 HTTP/1.1 Accept: image/gif Accept: image/jpeg Response HTTP/1.1 200 OK Date: Mon, 08-Jan-01 13:15:14 GMT Server: Challenger MIME-version: 1.0 Content-length: 2048 (Body of document)

  11. Server Client Request (Head method) HEAD usr/user/file1.html HTTP/1.1 Accept: */* Response HTTP/1.1 200 OK Date: Mon, 08-Jan-01 13:15:14 GMT Server: Challenger MIME-version: 1.0 Content-type: text/html Content-length: 1020

  12. Server Client Request (Post Method) POST /cgi-bin/doc.pl HTTP/1.1 Accept: *.* Accept: image/gif Accept: image/jpeg Content-length: 50 (Input information) Response HTTP/1.1 200 OK Date: Mon, 08-Jan-01 13:15:14 GMT Server: Challenger MIME-version: 1.0 Content-length: 2000 (Body of the document)

  13. HTTP and Privacy • Privacy Threats • Server Log Files • Proxy Log Files • Referer Header • Cookies • Web Bugs • Privacy Assurance • Anonymizing Proxies • Cookie Cutters

  14. Server Log Files Each time a client requests a resource the server of that resource may record the following in its log files: • The name & IP address of the client computer • The time of the request • The URL that was requested • The time it took to send the resource • If HTTP authentication used; the username of the user of the client will recorded • Any errors that occurred • The referer link • The kind of web browser that was used Same info may be recorded in a Proxy Server’s logfile

  15. Cookies • Used to solve the “Statelessness” of the HTTP Protocol • Used to store and retrieve user-specific information on the web • When an HTTP server responds to a request it may send additional information that is stored by the client - “state information” • When client makes a request to this server the client will return the “cookie” that contains its state information • State information may be a client ID that can be used as an index to a client data record on the server

  16. HTTP Header Syntax for a Cookie Set-Cookie: <name>=<value>; expires=<Date>; domain=<Domain_Name>; Path=<Path>; secure Response Example: HTTP/1.0 200 OK Server: Netscape-Enterprise/2.01 Content Type: text/html Content Length: 87 Set-Cookie: userID=1234; domain=mysite.org path=/cookie_info Request Example: GET /login.html HTTP/1.0 User-Agent: Mozilla/4.02 [en] (Win95; I) Accept: image/gif, image/jpeg, */* Cookie userID=1234;color=blue

  17. Attributes of the Cookie Header • <NAME>=<VALUE> The only required name/value pair is the cookie name and its value e.g. Set-Cookie: custID=12345 • expires=<DATE> Indicates when cookie is no longer valid. When a cookie expires it should be removed from storage. If no date is specified then cookie expires at end of user session.

  18. Attributes of the Cookie Header • domain=<DOMAIN> If the domain of a client request matches the domain attribute of a cookie, then the request’s path is compared to the cookie’s path attribute. If there is a match, the cookie is transmitted to the server along with the request. • path=<PATH> The path attribute indicates the URLs within a domain for which the cookie is valid. If no path attribute is set in the Set-Cookie header, the path is assumed to be the same as the resource that is being returned by the server. • secure The secure attribute indicates that this cookie should be sent via a secure connection.

  19. Web Bugs • Used to determine a client browsing profile based on their “clickstream” • As a web page is rendered by a browser each URL on the page causes a request to be sent by the client • <IMG SRC “http://ad.doubleclick.net/ … ” WIDTH=1 HEIGHT=1 BORDER=0> • Suppose every page rendered by a client requests the same URL (located on the same server) • Among other info, the GET method contains the cookie issued to the client by the server of that URL and the referer header. • The referer info can be extracted by the server and associated with that cookie.

  20. Server C Server B Req: Page_B.html Res: Page_C.html Res: Page_B.html Req: Page_C.html Req: WebBug IMG -Referer Header - Any cookie for TRKSTRM.COM Client Browser My_Brwsr Req: Page_A.html Server A WBS Res: Page_A.html Res: WebBug Img -Cookie to client Browser on 1st Req. Web Bug Process Page C cnts - URLs & Img Src - WebBug Img@ WBS. TRKSTRM.COM Page B cnts - URLs & Img Src - WebBug Img@ WBS. TRKSTRM.COM 1. Render page 2. Click on URL Cookie: My_Brwsr Pg A - Server A Pg B - Server B Pg C - Server C Page A cnts - URLs & Img Src - WebBug Img @ WBS. TRKSTRM.COM

  21. Are Cookies Anonymous? • A click stream can be associated with a specific cookie on a server. • Cookies may be associated with a paticular client, based on IP address but are assumed to not be associated with a particular user. • E-mail readers can render web pages (e.g. MS Outlook, Netscape Messenger) • Suppose a user receives a junk e-mail containing a web bug modified to contain user’s e-mail address

  22. Are Cookies Anonymous? This URL in the e-mail <img src=“http://www.somedomain.com/webbug.gif?e-mail=thisuser@theirdomain.com> Generates this request to the server of the Web Bug GET /webbug.gif?e-mail=thisuser@theirdomain.com HTTP/1.1 User-Agent: Mozilla/4.7 [en] (WIN98; I) … Cookie: userID=1234

  23. Privacy Assurance • Anonymizing Proxies • work like normal proxy servers • but they scrub any identification from the request (e.g. cookies, referer header contents, IP address of host making the request) • no log files are kept regarding a host’s use of the proxy server • Advantages • effective and transparent • Disadvantges • Slow web response time • cookies unavailable • may not support SSL • Need to trust anonymizer

  24. Privacy Assurance • Cookie Cutters • Browsers offer options for cookies • accept all • reject all • warn before accepting • only accept cookies that are offered by the site of the rendered page i.e.do not accept web bugs • If “accept all cookies” chosen user can remain somewhat private by doing a clean sweep - remove files containing cookies, history, and clear cache

  25. Internet Privacy - At Work

  26. Why Do Web Surveillance • Employee Productivity • Wasted Bandwidth • Computer Security • Viruses and Trojan Horses • Legal Issues • Illegal Use of Commercial Software • Hostile Work Environment • Pornography in the Workplace • Sexually Explicit E-mail

  27. Items For Web Surveillance • Web Browsing & Cookies • E-mail Use • Active Content (e.g. Java Applets & Active X ) • Malicious Mobile Code • Trojan Horses, Viruses, Macros, Executable Scripts • Failed Logon Attempts • “Access Denied” Events

  28. How To Do Web Surveillance • Web Proxies • Offer Inspection & Restriction • Drawback is Slower Response Time • E-mail Context & Content Scan • Used to Monitor and Filter E-mails • Filter Malicious Code (e.g. .vbs attachments) • Monitor Content for • Racist or Sexually Harassing Content

  29. How To Do Web Surveillance • Intrusion Detection Systems • Host Based • track user keystrokes • Networked Based • application keystrokes per user • Internal Firewalls • monitor access & use of a organization’s intranet • Remote Control Progams • allows control of remote host and redirect display • e.g. pcAnywhere or Citrix’s ICA Client

  30. Employees and Web Surveillance • Web Surveillance Is Effective & Accepted If Employee Is Aware of an Institution’s Policy ForWeb Surveillance • Corporations Must Provide an Acceptable Use Policy (AUP) for Computing Resources That Contains An Internet Access Policy (IAP) • IAP, As Well As AUP, Should Specified, in Plain Language What Is Acceptable and Not Acceptable • IAP Should Provide Specific Examples of Do’s and Don’ts

  31. Internet Privacy - Final Comment • Even Though the WEB Feels Anonymous • IT IS NOT!! • Users Need To Be Aware of Restrictions on Their Privacy

More Related