World Wide Web. Hypertext

Transcription

1 World Wide Web HTTP, HTTPS SSL, TLS URL, Hypertext WWW s and Browsers Proxy, Plugin, Cookie Hypertext The WWW implementation of documents which include hyperlinks referencing other documents on the system. Hyperlink: An element in an electronic document that links to another place in the same document or to an entirely different document, or to a different resource. Hyperlink source code format: <a href= target URL" title="link title">link label</a> Example: Source code: <a href= title= Department > Computer Science</a> Appearance in a browser, usually: Computer Science Effects: Mouse cursor over it Mouse click over it World Wide Web World Wide Web (WWW) Also called the Web A hypertext system that operates over the An -server hypertext distributed information retrieval system Originated from the High-Energy Physics laboratories in Geneva, Switzerland (CERN, an acronym for the lab name in French) Original idea started from CERN by Tim Berners-Lee WWW standards produced as recommendations by the World Wide We Consortium(W3C) A W3C standard goes through the stages Working Draft Last Call Proposed Recommendation Candidate Recommendation Recommendation A Recommendation may be updated Separately-published Errata A new edition of the Recommendation Reference: 1

2 HTTP HyperText Transfer Protocol (HTTP) The primary method for communication on the WWW A request/response protocol between s and servers An HTTP initiates a request typically connecting to TCP/IP port 80 of the server Sends a request string The server would then respond with the requested file (or error message) File preceded by an HTTP Header, with information on» the server» the document being sent The connection is then generally torn down This protocol is Stateless - treats each request as an independent transaction Simple pull-type transactions, in ASCII Not secure Returned information HTML page Successful return Error codes, Failure return Example error codes Code 403 Forbidden Code 404 File not found Code 408 Request timeout Code 414 Request URL too large Code 415 Unsupported media type Code 500 Internal server error Code 504 Gateway timeout Code 505 HTTP version not supported Web Market Shares Apache Microsoft SunONE NCSA Other 2

3 Apache Project An effort to develop and maintain an open-source HTTP server A project of the Apache Software Foundation The foundation: Foundation members, by invitation only: To provide a secure, efficient and extensible server In a collaborative, consensus based development process Most recent server version: Downloading an Apache server, documentation: HTTPS The secure version of HTTP Invented by Netscape Communications Corporation Encrypts the session data using either the SSL (Secure Socket Layer) protocol or the TLS (Transport Layer Security) protocol, with default TCP/IP port 443 Provides authentication and encrypted communication Authentication: to confirm the sender being the true claimed, e.g. using digital certificate by trusted third party (TTP) Encryption-decryption: using a cipher (encryptiondecryption algorithm) with symmetric or asymmetric (related public and private) keys In Web pages, the URL begins with Refrence: Encryption and decryption Symmetric cryptography Same key for encryption and decryption would be efficient As long as the key is pre-agreed and secure Not suitable for the Web Asymmetric-key cryptography (also called Public-key cryptography) Using a pair of related public and private keys. Encryption and decryption are asymmetric. From a public key, one cannot figure out the corresponding private key. Much more computationally expensive than symmetric-key cryptography. 3

4 Public-key cryptography to encrypted transmission Client Plain text document Public-key cryptography Client to server encrypted transmission Client Plain text document decryption encryption Cipher encryption Cipher Encrypted text Cipher site A Public Key Cipher site A Private Key decryption Encrypted text site A Public Key Plain text document site A site A Private Key site A Plain text document Another view of public-key cryptography Only the designated server can decrypt. Only the designated server could have sent it. Cannot decrypt received from non-designated server. Authentication Certificates issued by Certificate Authorities (CAs), sent together with message: Digital signature of the CA CA name Owner name Unique serial number Version number Expiration date Public key Owner digital signature: private key encrypted owner information Details on the certificate format: Receiver action Decrypt the sender signature with the provided public key Compare description on the certificate with the decrypted signature, authenticated if match The public key is used for later transmission too 4

5 SSL(Secure Socket Layer) and TLS (Transport Layer Security) These protocols implement security over the Run below application protocols and above TCP transport protocol Application protocols, e.g., HTTP, SMTP, etc. References: ckets_layer About the two popular and similar protocols SSL by Netscape TLS, successor of SSL an IETF (International Engineering Task Force) standard protocol Provide, over the Endpoint authentication typically, the server is authenticated, but not the Communications privacy asymmetric cryptography HTTPS servers Apache-SSL Separate from the Apache project, due to government export restrictions Available in the US, via: Commercial SSL servers, based on Apache Stronghold, by Red Hat: Raven, by Covlant: What careful users should do To be sure of secure communication For financial or other crucial applications, deal only with https servers, i.e. URL with https protocol When receiving a warning about wrong certificate It could bear a name similar to the intended server. Your request may have been intercepted by a fake server. Continued communication may cause you trouble. What you should do Cancel current request Resubmit request Continue only if no more warning is received 5

6 Remember that security may still be violated at the server site Sever site could be broken into Human problems at server site Universal Resource Locator Universal Resource Locator (URL) Identification of web resources Web address In general case sensitive, but some servers allow otherwise Basic URL format Protocol:// host name:port number / path/ CS312_Announcements.html URL with additional elements Targeting somewhere inside the page apage.html which is tagged with the name tag para5 Displaying that line at the top of the browser file name :port number is optional in a URL, default 80. No space is allowed inside an URL. File name in an URL is optional. Additional elements may be added. g1=ab&arg2=5 Calling a procedure named procedurex, with parameter named arg1 associated with value ab and parameter named arg2 associated with value 5 URL ends at a directory, not a file or procedure call It delivers a default page if that is available directly under it. Typically: Unix: index.html Windows: default.htm The string following? is called a query string. 6

7 If the default page is not available then If the directory has execute- and read-permission for nobody (the Web server included), then delivers the directory, which the user can further browse if allowed to. If the directory has no read permission for nobody then delivers error code 403 Forbidden. Some implementation variations regarding URL most modern browsers do not require and treat it as the default protocol most allow just using host name for homepage default to index.html, default.htm, etc. at root directory some allow the omission of using www for host machine name, if it is the host machine name most allow the omission of the slash at the end for a directory URL character encoding Only some characters are allowed in an URL Upper- and lowercase letters Numerals Characters: $_@>- Characters with special meanings: =;/#?:%&+. Reference: /html_ref_urlencode.asp All other characters are NOT allowed, except when expressed as % followed by two hexadecimal digits of its ASCII code, e.g. %2E for period %25 for the percent sign itself %20 for a space %7E for tilde %2F for slash Example: becomes: www%2ecs%2eodu %2Eedu%2F%7Eshen telnet to a web server telnet 80 After connection, can issue commands such as: GET /~shen/index.html The server will then deliver the file. The received file will be displayed as a plain text file, the html source code, since we are not using a browser. 7

8 An example session isis:/home/shen> telnet Trying telnet: Unable to connect to remote host: Connection refused isis:/home/shen> telnet 80 Trying Connected to xenon.cs.odu.edu Escape character is '^]'. get /~shen/interdb/framed/textbooks.html The previous telnet session amounts to using a Web browser and give URL: ml A Web browser knows the default port number, telnet does not. After connection, can issue other commands. We illustrated the get command. Most installations disallow telnet to a web browser from the outside. Must give the port number. telnet does not assume the default Port number. Part of the display of the file returned from the Web server: <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso "> <META NAME="Author" CONTENT="Stewart Shen"> <META NAME="GENERATOR" CONTENT="Mozilla/4.01 [en] (WinNT; I) [Netscape]"> <TITLE>Textbooks</TITLE> </HEAD> <BODY> <CENTER><I><FONT COLOR="#FF0000"><FONT SIZE=+2>CS495/595 Database</FONT></FONT></I></CENTER> <CENTER><I><FONT COLOR="#FF0000"><FONT SIZE=+2>Textbooks and Printed References</FONT></FONT></I></CENTER> <P>This course emphasizes active learning and places no limit for ambitious students with broad background as to how far to go. The textbooks listed below are not all required for every student. They are to be used to supplement the references listed above and should be used according to a student's Proxy Proxy server a server for s to make indirect network connections to other network services various purposes provides the resource, possibly by connecting to the specified server, or by serving it from a cache (server-side caching, web accelerator) a popular service, e.g. Google search engine, often uses many proxy servers network security firewalls use proxy servers to enforce security rules 8

9 Local Proxy Cache Remote Proxy Fire wall WWW browser Proxy Proxy Search engine A graphic user interface (GUI) for the Web A Web Typically free Most popular browsers MS Explorer Netscape Navigator Proxy Mozilla From Netscape, now by Mozilla Foundation Cross platform Browser and plus: HTML composer, Open source, fast, safer, some claim to be the best Free download: Some icons, menu items of a typical browser Home default page that can be changed URL field / protocol field Open Local vs. Web location 9

10 Displays the obtained document in formatted view scrollable searching in page May choose to view, instead: the document source text code the page information in different sizes Some other typical browser features Browsing hyperlink browsing path: forward and back, breaking a path history Many menus and icons - depending on the browser Stop and Reload icons Bookmarks or Favorites structured, manageable searchable personal tool bar or links Tools for managing many features and characteristics Web caching The stores copies of resources requested for improved efficiency may be managed Plugin or plug-in, a computer program that interacts with another program to provide a specific function Web browsers use plugins to display or play retrieved multimedia objects that they cannot handle by themselves typically for free download and installation Examples of plugins Adobe reader - for pdf files html RealPlayer many multimedia formats, streaming, i.e. playing while downloading e=cj&src=cj Macromedia Flash Player graphics animation, streaming /download.cgi?p1_prod_version=shockwaveflas h 10

11 Cookie (Persistent/Permanent) Cookie information regarding a browser, created by web servers visited differentiate between users only if they use different user accounts when revisiting a web server, corresponding information is extracted, then updated Example cookie files On my office computer, stored under C:\Documents and Settings\shen\Cookies shen@advertising[7].txt ACIDee !advertising.com/ *BASEGPSZTNM/1psaODntT RohFpH!advertising.com/ *C1UofPf2f_cs%3D1%2C1advertising.com/ * shen@ Apache www.redhat.com/ * Purposes of using cookies primarily for collecting information to identify users and to customize web pages may be used to monitor users' visits to different types of web sites for marketing purposes Session/Transient Cookie To maintain state between otherwise stateless HTTP transactions. to avoid repeated user-login to maintain information such as shopping cart The information is erased and not retained when the Web browser is closed Are Cookies safe? Generally safe just text files Cookie theft gathering of the user's cookie, sent to the attacker's website Cookie poisoning attacker can inject code resulting in a modification of the cookie, particularly session cookie, content Reference: 11

12 Dealing with cookies IE6.0: Tools -> Options -> Privacy: set desired level import cookies override automatic handling Netscape7.1: Edit -> Preferences -> Privacy & Security -> cookies set different options and levels Tools -> Cookie Manager: select option to remove specific cookies disallow resetting of deleted cookies Website Website (Web site) a collection of web pages the web pages are accessed from a homepage (a root URL) usually reside on the same server the pages are usually organized into a hierarchy, controlled by the hyperlinks at some websites, parts of it may be accessed only via a registration often organized by a person, an organization, or on a topic, or have a particular purpose Examples of website types education site government site download site game site business or commercial site database or information site community site weblog: for user postings wiki site: for people to contribute materials search engine 12

13 Summary remarks TCP/IP is the basis of the HTTP, HTTPS, SMTP, telnet, ftp, etc. are all application protocols above TCP/IP HTTPS uses SSL/TSL, between the above two layers, to achieve security SSL/TSL uses Digital Certificate for authentication, asymmetric encryption for secure transmission over the WWW uses many servers of different types Cookies are useful, generally safe, but may be abused 13