Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
2 December 2005
Web Technologies
Security, Privacy and Trust
Prof. Beat Signer
Department of Computer Science
Vrije Univer...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 2December 23, 2016
Security Aspects
 Authenticity
 know...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 3December 23, 2016
HTTP Authentication
 Native authentic...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 4December 23, 2016
Basic Access Authentication
Client Ser...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 5December 23, 2016
Base64 Encoding
 Base64 encoding can ...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 6December 23, 2016
Base64 Encoding Example
 Let us encod...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 7December 23, 2016
Web Server Configuration
 Example con...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 8December 23, 2016
Basic Access Authentication ...
 Basi...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 9December 23, 2016
Digest Access Authentication
 Passwor...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 10December 23, 2016
Digest Access Authentication ...
Clie...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 11December 23, 2016
Digest Access Authentication ...
 Th...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 12December 23, 2016
Transport Layer Security (TLS)
 Cryp...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 13December 23, 2016
Cryptography
 In cryptography a ciph...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 14December 23, 2016
Symmetric Key Cryptography
 A symmet...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 15December 23, 2016
Symmetric Key Cryptography ...
 One ...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 16December 23, 2016
Public Key (Asymmetric) Cryptography
...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 17December 23, 2016
Public Key (Asymmetric) Cryptography ...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 18December 23, 2016
RSA Cipher (Rivest, Shamir and Adlema...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 19December 23, 2016
Public Key (Asymmetric) Cryptography ...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 20December 23, 2016
Digital Signatures
 A digital signat...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 21December 23, 2016
Digital Certificates
 Information ab...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 22December 23, 2016
HTTP Secure (HTTPS)
 Secure version ...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 23December 23, 2016
Email Security
 Emails are generally...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 24December 23, 2016
Email SPAM
 Abuse of an electronic m...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 25December 23, 2016
Email SPAM ...
 Phishing attacks
 s...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 26December 23, 2016
Botnets
 Computers infected by malic...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 27December 23, 2016
Firewalls
 Software and hardware fir...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 28December 23, 2016
Privacy
 While users access informat...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 29December 23, 2016
Web Log
 Log entry created every tim...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 30December 23, 2016
Web Log
 Web logs can be combined wi...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 31December 23, 2016
Web Log File Analysis
 Site owner ca...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 32December 23, 2016
Cookies Revisited
 Persistent cookie...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 33December 23, 2016
Web Bugs
 User tracking based on the...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 34December 23, 2016
Other Services with Privacy Issues
 ...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 35December 23, 2016
Video: Google Analytics
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 36December 23, 2016
Google Analytics
 Very nice tool for...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 37December 23, 2016
Course Summary
1. Introduction
 hist...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 38December 23, 2016
Course Summary …
3. HTML5 and the Ope...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 39December 23, 2016
Course Summary …
5. CSS3 and Responsi...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 40December 23, 2016
Course Summary …
7. XML and Related T...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 41December 23, 2016
Course Summary …
9. Semantic Web
 se...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 42December 23, 2016
Course Summary …
11.Security, Privacy...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 43December 23, 2016
Exam
 Exams on January 26 and Februa...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 44December 23, 2016
Exam …
 You will have to register fo...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 45December 23, 2016
Exam …
 Remember to read the followi...
Beat Signer - Department of Computer Science - bsigner@vub.ac.be 46December 23, 2016
References
 David Gourley et al., HT...
2 December 2005
The End
Good Luck with the Exam!
Upcoming SlideShare
Loading in …5
×

Security, Privacy and Trust - Web Technologies (1019888BNR)

863 views

Published on

This lecture is part of a Web Technologies course given at the Vrije Universiteit Brussel.

Published in: Education

Security, Privacy and Trust - Web Technologies (1019888BNR)

  1. 1. 2 December 2005 Web Technologies Security, Privacy and Trust Prof. Beat Signer Department of Computer Science Vrije Universiteit Brussel http://www.beatsigner.com
  2. 2. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 2December 23, 2016 Security Aspects  Authenticity  knowing the sender or receiver of data - who is trying to access data on a web server - who is offering a service - who sent an email - …  Privacy  keeping information private - protect credit card information that is sent to a server - protect information sent in emails - …  Integrity  ensuring that information is not changed when transferred
  3. 3. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 3December 23, 2016 HTTP Authentication  Native authentication functionality offered by HTTP  instead of directly sending a response for a given request, the server can always respond with an authentication challenge (401 status code)  HTTP is extensible to support different authentication protocols and offers the following two standard protocols  basic access authentication - simple Base64 encoding of the string <username>:<password>  digest access authentication  Protected resources can be grouped in security realms with different sets of authorised users or groups of users
  4. 4. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 4December 23, 2016 Basic Access Authentication Client Server GET /wise/exam.pdf HTTP/1.0 Client Server Client Server Client Server ask password try to access a protected resource HTTP/1.0 401 Authorization Required WWW-Authenticate: Basic realm="WISE" GET /wise/exam.pdf HTTP/1.0 Authorization: Basic YmVhdDpydWxleg== HTTP/1.0 200 OK Content-type: application/pdf Internet
  5. 5. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 5December 23, 2016 Base64 Encoding  Base64 encoding can be used to represent binary data in a portable format (alphabet)  used by MIME for content transfer encoding  used to embed binary data in XML files (e.g. in XML-RPC)  note that Base64 encoded data needs more space  Takes a sequence of bytes (8-bit) and breaks it into 6-bit chunks  padding with 0s to make it a multiple of 24 (LCM of 6 and 8)  complete 6-bit padding chunks are represented by the special character '='  Each 6-bit chunk is then represented by a character from a 64-character alphabet
  6. 6. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 6December 23, 2016 Base64 Encoding Example  Let us encode the string 'No' to Base64  padding to 24 bit  lookup of 6-bit chunks in index table  use '=' for completely padded 6-bit chunks val 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 char A B C D E F G H I J K L M N O P val 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 char Q R S T U V W X Y Z a b c d e f val 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 char g h i j k l m n o p q r s t u v val 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 char w x y z 0 1 2 3 4 5 6 7 8 9 + / 01001110 N o 01101111 00000000 19 38 60 T m 8 = Base64 index table Text Bit Pattern Index Base64 padding
  7. 7. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 7December 23, 2016 Web Server Configuration  Example configuration for an Apache HTTP Server  Create a new password file (using the –c parameter)  Put an .htaccess file with the configuration into the directory that has to be protected  alternatively add information to httpd.conf #htpasswd -c /usr/local/apache/admin/passwords nelson New password: nelson123 Re-type new password: nelson123 Adding password for user nelson AuthType Basic AuthName "WISE" AuthUserFile /usr/local/apache/admin/passwords Require user nelson
  8. 8. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 8December 23, 2016 Basic Access Authentication ...  Basic access authentication is not secure  username and password are sent almost in "cleartext" - Base64 value can be very easily decoded  easy to do replay attacks - simply reuse the Base64-encoded username and the password  Potential solutions  combine the basic access authentication with an encrypted data transfer (e.g. via TLS/SSL) - does not necessarily prevent replay attacks  use of alternative digest access authentication
  9. 9. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 9December 23, 2016 Digest Access Authentication  Password is no longer sent in cleartext  only a one-way digest that is computed out of the password (one-way hash function) is sent to the server  Message Digest #5 (MD5) is a popular digest function  What about digest replay attacks?  server sends a special token (nonce) that changes frequently  client adds the nonce to the password before computing the MD5 - any changes of the nonce result in changes of the digest which helps to prevent replay attacks h1 = MD5(username:realm:password) h2 = MD5(httpMethod:requestedURI) response = MD5(h1:nonce:h2) Computed response based on MD5
  10. 10. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 10December 23, 2016 Digest Access Authentication ... Client Server GET /wise/exam.pdf HTTP/1.0 Client Server Client Server Client Server ask password HTTP/1.0 401 Unauthorized WWW-Authenticate: Digest realm="WISE", qop="auth,auth-int" nonce="6G543RED" GET /wise/exam.pdf HTTP/1.0 Authorization: Digest username="nelson", realm="WISE", nonce="6G543RED", qop="auth", response="HF779RW47R7HF", ... HTTP/1.0 200 OK Authorization-Info: nextnonce="7HZT7F6" ... Internet try to access a protected resource
  11. 11. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 11December 23, 2016 Digest Access Authentication ...  The Authorization-Info: nextnonce="..." is used to send the next nonce in advance  client can send the computed hash value already with the original request (preemptive authorization)  The quality of protection (qop) field is used to negotiate different protection mechanisms  auth - authentification  auth-int - authentification and message integrity protection - add an MD5 of the body
  12. 12. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 12December 23, 2016 Transport Layer Security (TLS)  Cryptographic protocol to ensure secure network communication  successor of the Secure Socket Layer (SSL) protocol  situated at the TCP/IP Application Layer or OSI Presentation Layer  Types of authentification  unilateral authentification - only server authentification  mutual authentification - client and server authentification TCP/IP stack Transport Application Link Internet TLS/SSL
  13. 13. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 13December 23, 2016 Cryptography  In cryptography a cipher (coding scheme) is used in combination with a key to create a ciphertext out of a plaintext  Cryptanalysis tries to get information out of the ciphertext without having access to the secret information (key) MEET ME AT NOON PHHW PH DW QLLQ MEET ME AT NOONcipher (encoder) cipher (decoder)ciphertext key key plaintext plaintext
  14. 14. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 14December 23, 2016 Symmetric Key Cryptography  A symmetric key cipher uses the same key for the encoding and decoding of a plaintext message  Many existing symmetric key ciphers  DES, Triple DES, Blowfish, Rijndael/AES, ...  The algorithms are often common knowledge and the key is the only secret thing  key has to be kept secret  Brute force attack (enumeration attack) tries all keys  The key length defines the number of potential keys  e.g. 128 bit key considered safe today - can change with more powerful machines
  15. 15. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 15December 23, 2016 Symmetric Key Cryptography ...  One problem of symmetric key cryptography is that we have to secretly share the common key before we can exchange any messages  this has to be repeated with different keys for any two partners willing to establish a secret communication  how should we establish the exchange over the Internet? - initially only an insecure channel is available  where should we secretly store all those keys?
  16. 16. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 16December 23, 2016 Public Key (Asymmetric) Cryptography  Instead of a single key, public key cryptography uses an asymmetric pair of keys  publicly available key for the encoding  secret key for the decoding  Each party has only a single public key which is used by everybody to encode messages to this party  only the receiver can decode message with their private key MEET ME AT NOON hJ7FHDu KJF Z8e fsdlgi MEET ME AT NOONcipher (encoder) cipher (decoder)ciphertext public key B private key B plaintext plaintext A B
  17. 17. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 17December 23, 2016 Public Key (Asymmetric) Cryptography ...  Public key cryptography can be used to establish secure Internet connections to any computer around the world without having to secretly share a key beforehand  An asymmetric public key cipher has to ensure that an attacker cannot compute the private key based on any information they can intercept  public key  ciphertext (with corresponding plaintext) - can easily be created by any party by using the public key  A well known public key algorithm is the RSA cipher
  18. 18. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 18December 23, 2016 RSA Cipher (Rivest, Shamir and Adleman)  Public-key cipher that can be used for encryption as well as signing  published in 1978 by Rivest, Shamir and Adleman while they were at MIT  The public and private keys are generated based on two large distinct prime numbers  the potential attacker will know about the product of the two prime numbers but nothing about the numbers themselves  use modular arithmetic for the encoding/decoding  as long as the attacker is not able to do a factorisation into the two prime numbers, RSA is assumed to be secure Adi Shamir, Ron Rivest and Len Adleman
  19. 19. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 19December 23, 2016 Public Key (Asymmetric) Cryptography ...  A drawback of asymmetric public key cryptography is the fact that the algorithms are much slower than symmetric ciphers  Hybrid solutions combine public key with symmetric key cryptography  the public key encryption is only used in the setup phase to securely exchange a pair of symmetric keys  afterwards a secure channel is established based on the symmetric keys  Security of public key cryptography?  new developments (e.g. quantum computing) might break public key cryptography
  20. 20. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 20December 23, 2016 Digital Signatures  A digital signature can be used for two purposes  to prove the authenticity of a message  to guarantee that a message has not been changed during the transfer (integrity)  Sender creates a plaintext digest, encodes it with the private key and adds it as a signature to the message  the receiver creates the same digest and compares it with the decoded signature cipher cipher private key A public key A plaintext plaintextplaintext signature digest digest digest same? A B
  21. 21. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 21December 23, 2016 Digital Certificates  Information about a person/company that is digitally signed by a certificate authority (CA)  owner's name  validity time  signature of the CA  owner's public key
  22. 22. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 22December 23, 2016 HTTP Secure (HTTPS)  Secure version of HTTP  combines HTTP with asymmetric, symmetric and certificate- based cryptography  HTTP sent over TLS/SSL  HTTPS protocol is selected by the https:// URL prefix  Browser connects to the HTTPS default port (port 443)  Initial SSL handshake - negotiate protocol versions - negotiate common cipher - authentication - generate temporary symmetric session keys
  23. 23. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 23December 23, 2016 Email Security  Emails are generally sent as unencrypted plain text  An email is stored on multiple intermediary servers before reaching its target  relatively easy to intercept  would you also put anything you write in an email on a postcard?  Note that the sender of an email can easily be faked  If we want to fix these problems we have to use third- party tools such as Pretty Good Privacy (PGP)  privacy - strong encryption  authentication - digital signatures
  24. 24. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 24December 23, 2016 Email SPAM  Abuse of an electronic messaging system (email) to deliver unwanted messages  A major part of all SPAM is sent by only a few hundred spammers  It is estimated that SPAM costs businesses more than 100 billion dollars per year  SPAM is illegal in many countries and some spammers have already been sentenced to jail  "Solutions"  SPAM filters  micropayments for emails
  25. 25. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 25December 23, 2016 Email SPAM ...  Phishing attacks  send emails that look like coming from an official authority and contain a request for sensitive data (e.g. password)  send emails with links to websites that look like official companies (e.g. your homebank)  Spammers often use botnets to send their SPAM
  26. 26. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 26December 23, 2016 Botnets  Computers infected by malicious software become part of a large botnet that can be remotely controlled  the largest botnets contain more than 1 million machines  An attacker can buy part of such a botnet to perform various harmful tasks including  the distribution of SPAM  distributed denial of service attacks (DDOS)  Distributed denial of service attacks are a very powerful weapon as it has for example been shown when Estonia was attacked in May 2007  cannot easily be detected and filtered by firewalls since the traffic is created by many different machines
  27. 27. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 27December 23, 2016 Firewalls  Software and hardware firewalls introduce artifical "bottlenecks" that have to be passed by all the traffic  block specific ports  filter and block content  protect private intranets from incoming Internet traffic - often only a subnetwork (demilitarised zone) is connected to the Internet Internet Client Server Firewall
  28. 28. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 28December 23, 2016 Privacy  While users access information over the Internet, there is a continuous logging of their requests  Each server stores information about clients who accessed specific resources  Data mining techniques can be used to combine this logging information and create user profiles  can for example be used for user-targeted advertising  Users also "deliberately" publish personal information  e.g. on Facebook  Published information often cannot be easily deleted  e.g. still accessible via Internet Archive (http://www.archive.org)
  29. 29. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 29December 23, 2016 Web Log  Log entry created every time a web server is accessed  A log entry typically contains information about  IP address of the requesting machine  accessed URL  request time  refer link (previous page accessed by the client) - sent as part of the HTTP Request  browser type  errors that occured  ...
  30. 30. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 30December 23, 2016 Web Log  Web logs can be combined with other information  e.g. login information can be used to reveal a user's identity  Refer link  enables access to potentially private information  e.g. if previous request was an HTML form request using the GET method then all the data will be available as part of the URL XXX.XXX.XXX.193 - - [02/Dec/2009:05:50:40 +0100] "GET /knives-shun-c-81_114-l-en.html?gclid=CLOFucf5tp4CFc5L5Qod8jQzpA HTTP/1.1" 200 65478 "http://guelph.kijiji.ca/f-Shun-Classifieds-W0QQKeywordZShunQQisSearchFormZtrue" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15" XXX.XXX.XXX.116 - - [02/Dec/2009:05:50:42 +0100] "GET /images/Jamie%20Oliver/flavourShakerSchwarz.jpg HTTP/1.1" 200 3594 "http://www.tenera.ch/kenwood-pasta-roller-at970a-for-lasagne-base-unit-p-1314-l-en.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; MS-RTC LM 8; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" XXX.XXX.XXX.139 - - [02/Dec/2009:05:52:19 +0100] "GET /stylesheet.css HTTP/1.1" 200 10185 "http://www.tenera.ch/kai-seki-magoroku-redwood- nakirimesser-165-cm-p-1433-l-de.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )" XXX.XXX.XXX.139 - - [02/Dec/2009:05:52:19 +0100] "GET /kai-seki-magoroku-redwood-nakirimesser-165-cm-p-1433-l-de.html HTTP/1.1" 200 60636 "http://www.google.ch/search?hl=de&source=hp&q=seki+magoroku&meta=&aq=0&oq=seki+ma" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )" XXX.XXX.XXX.139 - - [02/Dec/2009:05:52:21 +0100] "GET /images/pixel_trans.gif HTTP/1.1" 200 43 "http://www.tenera.ch/kai-seki-magoroku-redwood- nakirimesser-165-cm-p-1433-l-de.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )" ... web log with refer links
  31. 31. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 31December 23, 2016 Web Log File Analysis  Site owner can use various tools to analyse the log files  e.g. Webalizer  How much information do we give away when accessing a website?  What is happening with the logged data?  combined with other information to reveal IP addresses?  combined with log files from other sites? - user profiling  intended use of data should be mentioned in the privacy policy
  32. 32. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 32December 23, 2016 Cookies Revisited  Persistent cookies can be used to track a user over time  similar to IP address but more precise  Third-party cookies can be used to build an anonymous user profile  if a website contains elements that have to be accessed from another server (e.g. banner ads), then the server can set a cookie - the third-party server creates a unique resource URL for every page on which the resource has been embedded - the user can be tracked on any site that uses the same service (e.g. banner ads) and an anonymous user profile can be created  Cookies should not be used for authentication  can be modified by a user to forge identity (cookie poisoning)
  33. 33. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 33December 23, 2016 Web Bugs  User tracking based on the same idea as with third-party cookies  Embed a small object (e.g. 1 pixel image) in a webpage and get informed every time the webpage is accessed  request containing the IP address is sent to the server  The web bugs approach cannot only be used for webpages but also for other resources such as email, Word documents etc.  if the user reads an email containing an embedded HTML web bug, the server knows when the email has been read but also gets information about the IP address of the mail client
  34. 34. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 34December 23, 2016 Other Services with Privacy Issues  Google Earth shows a lot of sensitive information  e.g. military bases etc.  Google Street View shows not only streets and buildings but also citizens  privacy of individuals might be violated since they are shown at strange places or in weird situations  since the blurring of faces and number plates does not always work, some countries would like to stop the service  Many other free services from Google as well as other companies harvest personal information and use it, for example, for customer-targeted advertising
  35. 35. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 35December 23, 2016 Video: Google Analytics
  36. 36. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 36December 23, 2016 Google Analytics  Very nice tool for web administrators to analyse their web traffic  easy to "install" over the Web  website administrators have to add a piece of JavaScript code to their website - similar to web bug approach shown earlier  Google gets information about site visitors  While a user can normally choose to use a free service (e.g. Gmail) or not, the user has no choice when it comes to the tracking via Google Analytics  How save is the captured data?  what if somebody manages to steal the data?
  37. 37. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 37December 23, 2016 Course Summary 1. Introduction  history of the Web - Memex, Xanadu and various hypertext systems  ARPANET and TCP/IP  World Wide Web 2. Web Architectures  HTTP protocol and session management  client-server architectures, proxies, tunnels and gateways  caching  client-side processing - JavaScript, Java Applets, ...  server-side processing - CGI, Java Servlets, JavaServer Pages (JSP), ...
  38. 38. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 38December 23, 2016 Course Summary … 3. HTML5 and the Open Web Platform  history of HTML  HTML5 principles and markup  HTML5 APIs - e.g. WebSockets, Geolocation, Drag and Drop, …  JavaScript Object Notation (JSON) 4. Web Application Frameworks  Model-View-Controller (MVC)  Apache Struts 2  Apache Flex, CakePHP, Ruby on Rails, ...  web content management systems
  39. 39. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 39December 23, 2016 Course Summary … 5. CSS3 and Responsive Web Design  CSS syntax and selectors  CSS inclusion and cascading  box model and layouting  responsive web design - media queries, breakpoints, … 6. JavaScript and jQuery  basic JavaScript concepts  JavaScript best practises  jQuery syntax and event handling
  40. 40. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 40December 23, 2016 Course Summary … 7. XML and Related Technologies  SAX (Simple API for XML) and DOM (Document Object Model)  XSL (XSLT)  XPath, XPointer and XLink  Document Type Definition (DTD) and XML Schema  XML-RPC, VoiceXML etc. 8. Web 2.0 Patterns and Technologies  main concepts and interactions  various Web 2.0 applications and social implications  asynchronous partial updates and RIAs - AJAX and JSON-RPC  service-oriented architectures (SOAs) - Big Web Services and RESTful Web Services
  41. 41. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 41December 23, 2016 Course Summary … 9. Semantic Web  semantic web stack - RDF and RDFS, OWL, SPARQL, ...  semantic web applications  (X)HTML extensions and HTML5 Microdata - Microformats, RDFa 10.Web Search and SEO  information retrieval concepts  web search engine architectures  Google PageRank algorithm  search engine optimisations (SEO) - e.g. white and black hat optimisations
  42. 42. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 42December 23, 2016 Course Summary … 11.Security, Privacy and Trust  HTTP Authentication - basic authentication, digest authentication and base64 encoding  symmetric key and public key cryptography - RSA cipher  digital signatures and digital certificates  TLS/SSL and HTTP Secure (HTTPS)  privacy issues
  43. 43. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 43December 23, 2016 Exam  Exams on January 26 and February 1, 2017  Each student will be assigned an examination slot of 20 minutes  5 minutes for questions about the assignment (6 ECTS)  15 minutes oral exam about different topics that have been covered in the course - note that there will be no specific preparation time  Overall grade = oral exam (60%) + assigment (40%)  students have some flexibility in distributing the grades for the assignment (±2 points)  Students following the 3 ECTS programme will only have an oral exam (100%) and no assigment
  44. 44. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 44December 23, 2016 Exam …  You will have to register for a specific examination via PointCarré (deadline December 23, 2016)  Submission of the assignment via PointCarré (dropbox)  deadline: December 23, 24:00 (UTC)  You can bring the copies of your solutions for the exercises with you as they might be used as a basis for discussion during the oral exam  The exam will cover all the content presented in the lectures as well as any additional information from the exercise sessions  includes the videos shown in some of the lectures
  45. 45. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 45December 23, 2016 Exam …  Remember to read the following paper as it forms part of the course material  Vannevar Bush, As We May Think, Atlanic Monthly, July 1945  Make sure that you can sketch basic architectures of web information systems  possible roles of different technologies  know how the things presented in different lectures fit together - e.g. security applied to varying architectures - e.g. web search for RIAs - …  Make sure that you understand the basic concepts  however, we might ask questions at any level of detail to evaluate your knowledge
  46. 46. Beat Signer - Department of Computer Science - bsigner@vub.ac.be 46December 23, 2016 References  David Gourley et al., HTTP: The Definitive Guide, O'Reilly Media, September 2002  Google Analytics Video  http://www.youtube.com/watch?v=rHeKRvo6OhI  R.L. Rivest, A. Shamir and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems Authentication, Communications of the ACM, February 1978
  47. 47. 2 December 2005 The End Good Luck with the Exam!

×