the world wide webcs.armstrong.edu/rasheed/itec2010/slides18.pdf · web • web site consists of...
TRANSCRIPT
The World Wide Web
Web• Web site consists of simply of pages of text and images
• A web pages are render by a web browser
Retrieving a webpage online:
– Client open a web browser on the local machine
– The web browser need to determine the ip address of the web server that is hosting the webpage (www.amazon.com)
– Web browser contacted the DNS to reslove name space to IP addresses
Uniform Resource Locators (URL)
• The URL used by the web browser to identify a webpage
– http://www.example.com/directory/file.html
• The protocol used in the above example is the Hypertext
transfer protocol
• The domain name is www.example.com
• The web browser is requesting the content of file.html which
is stored in the directory folder of a web server
• file.html is a file that describe text and images using the html
(Hypertext markup language)format
Connecting to Web Server• URL is used by the HTTP to access web information on a remote machine
(web server)
Resolving name space to IP address:– The web browser check it DNS cache to resolve name space to IP address
– If no address is found the web browser send a DNS request
Client-server TCP connection:– The client make a TCP request on port 80 for HTTP
HTTP requests:– HTTP requests are encapsulated in the TCP packets
– HTTP request usually begin with commands such as POST or GET
Hypertext Mark up Language (HTML)
• Each HTTP response include a header
Information in the HTTP response header includes:
– Information about the web server
– Software type and version number (Apache, Google GWS)
– The size of the payload
– The main body of the webpage in HTML source code
HTTP Request
HTML Coding
HTML use a structural description of a document using special tags:
• Text formatting <i> text </i> for italics and <b> text </b> for bold
• Itemized lists is presented as:<ul> <li> first-item </li>
<li> second-item </li>
</ul>
• Hyperlinks is presented as:<a href=“web-page-URL”>Description of the other page</a>
• Embedding images:<img src=“URL-of –the-image”>
• Scripting code is represented as:<script> computer code </script>
HTML forms
• HTML forms allow user of the web to submit inputs to variables provided by the web server
• Server-side code is used by the web server to process user inputs
• Two methods to submit user inputted data:
– GET
– POST
– GET variables are recommended for querying a database
– POST variables are recommended when inserting or sending an email.
– The browser will promote the user if he wish to submit the information
HTML GET method
HTML code with a form
Vulnerabilities in HTTP
• HTTP request and response packets are send in clear text
• The lack of encryption allow an attacker to eavesdrop on the communication and capture the payload
• Therefore sensitive data should transmitted using HTTPS
HTTPS
• HTTPS uses the secure socket layer (SSL) or transport layer security to secure data in transit
Establishing a secure connection:
1. The browser provide the web server with a list of security primitives that are supported on the client machine.
� Hash function
� Crypto algorithms
2. The web server chooses the strongest cipher and hash that are supported by the client machine.
3. The web server send a certificate
Supported hash and cipher
Choose the strongest hash and cipher
Send a certificate
HTTPS Client HTTPS web server
HTTPS
1. Client verify the certificate
2. Client and web server generate a shared key
3. Symmetric encryption is used to transfer data
over the secure channel
Client send a random number E(R, Ps)
Shared key and MAC is used to encrypt
and verify the integrity of the data
HTTPS Client HTTPS web server
Server and client set a shared key
Web Server Certificate
• Certificates are used to enable a client to verify the identity of web site
• Certificates are digitally signed by a certificates authority (CA)
• A website obtain a certificate by submitting a certificate signing request
• The certificate include the following information:– Name of the CA
– Serial number of the certificate
– Experiation date
– Domain name of the web site
– Identifier of the public key scheme
– Public key
– Identifier of the crypto and hash algorithm
– Digital signature over the certificate data
Extended Validation Certificate
• Extended validation certificate can only be signed by high-profile CAs
• Extended validation certificate are designated in the CA field
Certificate Hierarchy • Low-level certificates are signed by intermediary CA
• Top-level certificate is known as root certificate
• Root certificates for top-level domain are called anchor point
• Anchor points are usually stored in the OS.
Invalid certificate
Dynamic Content• Web content could be:
– Static
– Dynamic
– Scripting languages allowed a computer code executed by a module of the browser
– Client-side scripting executed by the browser
– Server-side scripting executed by the server hiding the code from the user and only providing the user with the output
Document Object Model (DOM)
• The content of the web page can presented as in an organized way
• HTML code is presented in an object-oriented way
• Tags and page elements are represented as parent-child relationship
Java script
• Interactive and dynamic web browsing
capacities are introduced through a scripting
languages called java script