unit 2 web security


Web Security

Unit-2
Browser Security
E-Commerce Security
Browser Security
• Web browsers are the most commonly used Internet application.
• A web browser allows an information resource such as a web page, image, video, or virtually any other type of content to be displayed on a computer from a remote server in a seamless way.
• Many applications used today use web browsers as their interface, providing a consistent and familiar user interface.
• The enormous popularity of the web browser also makes it an ideal target for malicious individuals who wish to steal our data or interfere with our everyday activities.
• Since everyone is a potential user of a web browser, it is important that everyone learns about the risks associated with browsing unknown content on the web.

Dr. Dimple Chawla, Assistant Professor, VSIT-VIPS


Aspects of Browser Security

• There are two aspects to browser security.
• One is to ensure that employees are using the internet responsibly; the other is to ensure that, no matter their device or location, their browsers are secure against threats like malware, malicious redirects, and phishing.
• Some security weaknesses of a web browser include weak antivirus and other defenses on the user's device, unblocked pop-ups, malicious redirects, malicious browser extensions and unsafe plugins, DNS attacks, and unsafe use of saved passwords and form data.



General Recommendations

• Keep your browser software up to date.
• Review your browser's security settings and preferences.
• Install a Chrome extension to protect yourself from some types of malicious websites when browsing the web with Chrome.
• If you do not need pop-ups, disable them or install software that will prevent pop-up windows. Pop-ups can be used to run malicious software on your computer.
• Install browser add-ons, plug-ins, toolbars, and extensions sparingly and with care. Browser add-ons function by allowing code to run on your computer. Add-ons from disreputable sources can pose risks to privacy and data security.



How to Prevent These Threats?

• There are two primary avenues for preventing these threats: adopting technical solutions that can limit their impact, such as browser security solutions and web filtering, and educating users to adopt safe browsing practices.
• Weak Antivirus Software and Other Protections
• Redirects and Pop-up Ads
• Browser Extensions and Plugins
• Communication with DNS Servers
• Saved Passwords and Form Info
• Malicious File Downloads
• Phishing Attacks
• Browser Hijacking
• Cross-Site Scripting (XSS)
• Cookie Theft



How Does Browser Security Work?

• Browser security works by employing a variety of strategies and tools to protect your internet browsing from potential threats.
• Visibility and Monitoring
• Risk Detection
• Policy and Access Enforcement
• Use HTTPS
• Keep Browsers Up-to-Date
• Use Unique Passwords
• Disable Auto-Complete for Forms
• Block Pop-ups and Ads
• Limit the Use of Cookies



Types of Attacks Against Computer Systems (Cybercrime)


The E-commerce Security Environment

Figure 5.2

What Is Good E-commerce Security?

• To achieve the highest degree of security:
 • New technologies
 • Organizational policies and procedures
 • Industry standards and government laws
• Other factors:
 • Time value of money
 • Cost of security vs. potential loss
 • Security often breaks at the weakest link



Table 5.3

Security Threats in the E-commerce Environment

• Three key points of vulnerability in the e-commerce environment:
 1. Client
 2. Server
 3. Communications pipeline (Internet communications channels)



A Typical E-commerce Transaction



Vulnerable Points in an E-commerce Transaction



Most Common Security Threats in the E-commerce Environment

• Malicious code
 • Viruses
 • Worms
 • Trojan horses
 • Bots, botnets
• Unwanted programs
 • Browser parasites
 • Adware
 • Spyware
• Social engineering
• Credit card fraud/theft
 • Hackers target merchant servers; use data to establish credit under false identity
• Phishing
 • Deceptive online attempt to obtain confidential information
 • E-mail scams
 • Spoofing legitimate Web sites
 • Use of information to commit fraudulent acts (access checking accounts), steal identity
• Denial of service (DoS) attack
 • Hackers flood site with useless traffic to overwhelm network
• Distributed denial of service (DDoS) attack



Most Common Security Threats in the E-commerce Environment (cont.)

• Sniffing
 • Eavesdropping program that monitors information traveling over a network
• Insider jobs
• Poorly designed server and client software
• Social network security
• Mobile platform threats
 • Same risks as any Internet device
 • Malware, botnets, vishing/smishing
• Cybervandalism
 • Intentionally disrupting, defacing, destroying Web site
• Data breach
 • When organizations lose control over corporate information to outsiders
• Spam/junk Web sites
• Hacking
 • Hackers vs. crackers
 • Types of hackers: white, black, grey hats
• Spoofing



Technology Solutions

• Protecting Internet communications
 • Encryption
• Securing channels of communication
 • SSL, VPNs
• Protecting networks
 • Firewalls
• Protecting servers and clients



Tools Available to Achieve Site Security



Encryption

• Encryption:
 • Transforms data into cipher text readable only by sender and receiver
 • Secures stored information and information transmission
 • Provides 4 of 6 key dimensions of e-commerce security:
  • Message integrity
  • Nonrepudiation
  • Authentication
  • Confidentiality



Symmetric Key Encryption

• Sender and receiver use same digital key to encrypt and decrypt message
• Requires different set of keys for each transaction
• Strength of encryption
 • Length of binary key used to encrypt data
• Advanced Encryption Standard (AES)
 • Most widely used symmetric key encryption
 • Uses 128-, 192-, and 256-bit encryption keys
• Other standards use keys with up to 2,048 bits



Public Key Encryption

• Uses two mathematically related digital keys
 • Public key (widely disseminated)
 • Private key (kept secret by owner)
• Both keys used to encrypt and decrypt message
• Once key used to encrypt message, same key cannot be used to decrypt message
• Sender uses recipient's public key to encrypt message; recipient uses private key to decrypt it



Public Key Cryptography: A Simple Case



Public Key Encryption using Digital Signatures
and Hash Digests

• Hash function:
 • Mathematical algorithm that produces a fixed-length number called a message or hash digest
• Hash digest of message sent to recipient along with message to verify integrity
• Hash digest and message encrypted with recipient's public key
• Entire cipher text then encrypted with recipient's private key, creating a digital signature, for authenticity and nonrepudiation



Public Key Cryptography with Digital Signatures

• Figure 5.9


Digital Envelopes

• Address weaknesses of:
 • Public key encryption
  • Computationally slow, decreased transmission speed, increased processing time
 • Symmetric key encryption
  • Insecure transmission lines
• Uses symmetric key encryption to encrypt document
• Uses public key encryption to encrypt and send symmetric key
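The two slides above (hash digest plus digital signature, then the digital envelope) as one runnable round trip: an added example written for this page in Go with only its standard library, not code from the slides or from any product they mention. It assumes the signature is made with the sender's own private key (Ed25519) and checked with the sender's public key, that the recipient's RSA public key wraps a one-time AES-256-GCM session key using RSA-OAEP, and that the Envelope type and its field names are a constructed wire format for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is the constructed bundle sent to the recipient: document sealed under a one-time AES-256-GCM key, that key wrapped with the recipient's RSA public key, sender's signature over the SHA-256 digest.
type Envelope struct{ Nonce, Body, WrappedKey, Signature []byte }

// Seal hashes the document and signs the digest with the sender's private key, encrypts the
// document under a fresh symmetric key, and wraps that key with the recipient's public key (RSA-OAEP).
func Seal(doc []byte, sender ed25519.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(doc)
	sig := ed25519.Sign(sender, digest[:])
	buf := make([]byte, 32+12) // 256-bit session key, then 96-bit GCM nonce; both used for this envelope only
	rand.Read(buf)             // crypto/rand never returns an error in current Go
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return &Envelope{buf[32:], gcm.Seal(nil, buf[32:], doc, nil), wrapped, sig}, nil
}

// Open unwraps the session key with the recipient's private key, decrypts the document (GCM rejects
// any tampering), then recomputes the digest and checks the sender's signature: integrity plus nonrepudiation.
func Open(e *Envelope, recipient *rsa.PrivateKey, sender ed25519.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	doc, err := gcm.Open(nil, e.Nonce, e.Body, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(doc)
	if !ed25519.Verify(sender, digest[:], e.Signature) {
		return nil, errors.New("signature does not match document")
	}
	return doc, nil
}
```

A caller generates an Ed25519 key pair for the sender and a 2048-bit RSA key pair for the recipient, seals a document, and opens it; flipping one ciphertext byte or verifying against a different sender's public key makes Open return an error.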
Creating a Digital Envelope



Digital Certificates and Public Key Infrastructure (PKI)

• Digital certificate includes:
 • Name of subject/company
 • Subject's public key
 • Digital certificate serial number
 • Expiration date, issuance date
 • Digital signature of CA
• Public Key Infrastructure (PKI):
 • CAs and digital certificate procedures
• PGP



Digital Certificates and Certification
Authorities



Limits to Encryption Solutions

• Doesn't protect storage of private key
• PKI not effective against insiders, employees
• Protection of private keys by individuals may be haphazard
• No guarantee that verifying computer of merchant is secure
• CAs are unregulated, self-selecting organizations



Securing Channels of Communication

• Secure Sockets Layer (SSL):
 • Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encrypted
• Virtual Private Network (VPN):
 • Allows remote users to securely access internal network via the Internet



Secure Negotiated Sessions Using SSL

• Figure 5.12



Protecting Networks

• Firewall
• Hardware or software
• Uses security policy to filter packets
• Two main methods:
• Packet filters
• Application gateways
• Proxy servers (proxies)
• Software servers that handle all communications originating from or being
sent to the Internet



Firewalls and Proxy Servers

• Figure 5.13



Protecting Servers and Clients

• Operating system security enhancements
 • Upgrades, patches
• Anti-virus software:
 • Easiest and least expensive way to prevent threats to system integrity
 • Requires daily updates



A Security Plan: Management Policies

■Risk assessment
■Security policy
■Implementation plan
❖Security organization
❖Access controls
❖Authentication procedures, including biometrics
❖Authorization policies, authorization management systems
■Security audit



Developing an E-commerce Security Plan



The Role of Laws and Public Policy

• Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
 • National Information Infrastructure Protection Act of 1996
 • USA Patriot Act
 • Homeland Security Act
• Private and private-public cooperation
 • CERT Coordination Center
 • US-CERT
• Government policies and controls on encryption software
• OECD guidelines

Types of Payment Systems

• Cash
 • Most common form of payment
 • Instantly convertible into other forms of value
• Checking transfer
 • Second most common payment form in United States
• Credit/Debit Card
 • Credit card associations
 • Issuing banks
 • Processing centers
• Stored value
 • Funds deposited into account, from which funds are paid out or withdrawn as needed, e.g., debit cards, gift certificates
 • Peer-to-peer payment systems
• Accumulating balance
 • Accounts that accumulate expenditures and to which consumers make periodic payments, e.g., utility, phone, American Express accounts



How an Online Credit Transaction Works



E-commerce Payment Systems

• Digital wallets
 • Emulates functionality of wallet by authenticating consumer, storing and transferring value, and securing payment process from consumer to merchant
 • Early efforts to popularize failed
 • Latest effort: Google Checkout
• Digital cash
 • Value storage and exchange using tokens
 • Most early examples have disappeared; protocols and practices too complex
• Digital checking
 • Extends functionality of existing checking accounts for use online
 • PayByCheck, EBillMe
• Online stored value systems
 • Based on value stored in a consumer's bank, checking, or credit card account
 • PayPal
 • Smart cards
  • Contact: use card reader
  • Contactless, e.g., EZPass, Octopus card (Hong Kong)
  • Radio Frequency ID (RFID)
  • Near Field Communications (NFC)
• Digital accumulated balance payment
 • Users accumulate a debit balance for which they are billed at the end of the month
 • PaymentsPlus, BillMeLater

