RACC WEB 200
Web E-Commerce
Ch. 10 Lecture Notes

Objective #1: Explain various security measures for client computers.

  • Since HTTP is a stateless protocol, a web server does not have a dedicated, continuous connection with the client computer that's viewing its web pages. In other words, the session between the web server and the client computer is called an open session. When a store customer clicks a hyperlink, the new web page is downloaded. When the store customer clicks another hyperlink on that page, the web server has no "memory" that the customer is the same customer that downloaded the previous page.
  • Cookies are small text files that are stored on a client computer or web server. They are mainly used to improve a web surfer's experience using a web site. In a way, they are used as variables that store a value specific to a particular customer. A customer's username, encrypted password, address, or other information can be stored in a cookie.
  • A persistent cookie is one that is stored on the client's computer in a designated place of the web browser (IE, Firefox, etc.). JavaScript is typically used to write and read persistent cookies.
  • Some persistent cookies are also considered to be third-party cookies since they are placed by a web site other than the one that is being visited. Ad placement services use third-party cookies to track users across web sites and the user's views of specific banners.
  • Some people disable or block persistent cookies in their browser settings so they cannot be relied upon by a web designer. Some users only block third-party cookies.
  • A session cookie is one that is stored on the web server itself. Session cookies are typically written and read with PHP, ASP, or another server-side dynamic scripting language.
  • A session cookie cannot be blocked by a web surfer since the cookie is created and stored on the web server. But session cookies cannot be used for some tasks such as automatically filling in a form with an address that was previously typed.
  • A web bug (aka a clear GIF) is an unnoticeable, transparent 1-by-1-pixel graphic that is placed on a web site to track views of that page. Since the act of downloading a graphic (even a tiny one) makes an entry in the server's statistics log, this information is valuable to advertisers and ad placement services. Third-party sites such as ad placement services regularly make agreements with companies to plant web bugs for this purpose.
  • Active content is a program that is included as part of a web page and that performs some action. For example, games that are played on web pages are active content.
  • Active content can be created with Java applets, JavaScript, VBScript, Flash, and ActiveX controls.
    • JavaScript and VBScript are scripting languages that execute on the client computer. They typically cannot perform functions that are as sophisticated as programming languages like Java. But with low browser security settings, scripting languages have relatively open access to the client computer including files on the hard drive.
    • An applet is a Java computer program that's embedded into a web page. Java applets can perform very interactive processes. But Java applets execute in a "sandbox" that specifically keeps the applet from accessing parts of the client computer like the files on the hard drive.
    • ActiveX controls and components are executable programs similar to applets. There are lots of useful ActiveX controls that are easy to add to a web page even for those people with no computer programming skills. But ActiveX controls only work in the web browser Internet Explorer. There are no security restrictions on ActiveX controls like the sandbox with Java applets so they are particularly dangerous. If you simply visit a web page that contains an ActiveX control, it could do damage to your computer. For that reason, many people disable ActiveX or they set their IE preferences to be warned anytime an ActiveX control is to be downloaded as part of a web page.
    • Email attachments are very dangerous since they can be any executable program in disguise. An executable program can be more powerful and damaging than an applet or ActiveX control that's embedded in a web page. An executable program can be written in Visual Basic, C++, or other powerful programming languages, and its file extension can be manipulated to make it appear to be another kind of file. Even MS Word or MS Excel attachments can have Visual Basic macros embedded in them that damage a computer when the Word or Excel file is opened. All attachments should be scanned by an updated virus protection program before they are opened or viewed.
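The persistent-cookie bullets above describe JavaScript writing and reading cookies on the client. The following is an added example (not part of the lecture notes) that builds the string a page would assign to document.cookie and parses the string document.cookie hands back; it touches no browser object, so it also runs under Node.js, and the cookie name and value are constructed for the example.

```javascript
// Build the string a page would assign to document.cookie to create a
// persistent cookie that lives for `days` days. `now` is injectable so the
// output is deterministic. Without expires (or max-age) the browser would
// instead treat it as a browser-session cookie and discard it on exit.
function buildPersistentCookie(name, value, days, now = new Date()) {
  if (!/^[\w-]+$/.test(name)) throw new Error("invalid cookie name");
  const expires = new Date(now.getTime() + days * 86400 * 1000);
  return [
    `${name}=${encodeURIComponent(value)}`,
    `expires=${expires.toUTCString()}`,
    "path=/",
    "Secure",        // browser sends it only over https://
    "SameSite=Lax",  // not sent on cross-site POSTs, which limits CSRF
    // HttpOnly cannot be set from script: only a server Set-Cookie header
    // can keep a cookie out of reach of page JavaScript.
  ].join("; ");
}

// Parse the "name=value; name2=value2" form that document.cookie returns.
// Attributes such as expires and path are never visible here; the browser
// keeps them and only exposes the name/value pairs to scripts.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;               // skip fragments with no "="
    const key = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!key) continue;
    try {
      jar[key] = decodeURIComponent(raw);
    } catch {
      jar[key] = raw;                    // keep undecodable values verbatim
    }
  }
  return jar;
}

// Constructed sample: a customer id stored for 30 days, then read back.
const fixedNow = new Date(Date.UTC(2024, 0, 1));
console.log(buildPersistentCookie("cust_id", "A 42", 30, fixedNow));
console.log(parseCookies("cust_id=A%2042; theme=dark"));
```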

Objective #2: List and explain measures that can enhance security in an ecommerce application.

  • A digital certificate (aka digital ID) is a program that is embedded in a web page that verifies the web site to be the actual web site that it claims to be. Digital certificates can also be attached to email messages to verify the sender's authenticity.
  • A digital certificate is signed in a way that the person who receives the certificate knows it is coming from a genuine source. E-commerce websites use digital certificates so that their customers can trust that their data, such as credit card numbers, is being typed into the company's own web page. Illegitimate web sites sometimes spoof real store websites to solicit customer information, passwords, and credit card numbers. The presence of a digital certificate can assure the customer that the real site is not being spoofed.
  • Digital certificates are issued by certification authority companies. Two well-known certification authorities are Thawte and VeriSign.
  • Secure Sockets Layer (SSL) protocol encrypts information that flows between the client computer and the web server. The presence of a locked padlock icon in the browser window, as well as a web address that begins with https:// rather than http://, denotes an SSL connection.

Objective #3: Explain various threats to web sites.

  • Spoofing.
  • Hijacking a DNS entry.
  • Denial-of-service (DoS) attacks.
  • Wardriving wireless networks.

Objective #4: Explain how criminals use phishing attacks.

  • Phishing is a technique in which the criminal sends an email message. The message says that something is wrong with the customer's account and that the customer should either log in or email his password back.
  • The body of the email usually contains a link that is not the link it appears to be. The underlined link text does not always match the web address the link actually points to. When the customer clicks this link, he goes to the criminal's web site, which may be an HTML copy of the real website. If a customer follows this link and types in his username and password, then his information has been compromised.
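The mismatch described above, where the visible link text names one site while the href points somewhere else, is something a mail filter can check for. The following is an added example (not part of the lecture notes) that scans an email body for such links under Node.js; the sample email and its addresses are constructed for the example.

```javascript
// Matches <a ... href="..."> ... </a>, capturing the href and the visible label.
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Hostname of a URL-shaped word such as "www.examplebank.com/login" or
// "https://shop.example.com/x"; null for ordinary words like "login".
function hostOfWord(word) {
  const s = word.replace(/[.,;:!?)]+$/, "");       // drop trailing punctuation
  if (!s) return null;
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `http://${s}`;
  try {
    const host = new URL(withScheme).hostname.toLowerCase();
    return /^[a-z0-9.-]+\.[a-z]{2,}$/.test(host) ? host : null;
  } catch {
    return null;
  }
}

// The label may be a whole sentence; return the first web address it shows.
function shownHost(label) {
  for (const word of label.replace(/<[^>]+>/g, " ").split(/\s+/)) {
    const h = hostOfWord(word);
    if (h) return h;
  }
  return null;
}

// Real destination host; null for relative or unparsable hrefs.
function hrefHost(href) {
  try { return new URL(href).hostname.toLowerCase(); } catch { return null; }
}

const bare = (h) => h.replace(/^www\./, "");   // www.example.com == example.com

// One record per anchor whose label shows a web address that differs from
// the host the href really leads to.
function findDeceptiveLinks(html) {
  const hits = [];
  for (const [, href, label] of html.matchAll(ANCHOR_RE)) {
    const shown = shownHost(label);
    const actual = hrefHost(href);
    if (shown && actual && bare(shown) !== bare(actual)) {
      hits.push({ shown, actual, href });
    }
  }
  return hits;
}

// Constructed sample email: one deceptive link (an IP address dressed up as
// the bank's address) and one honest link.
const SAMPLE_EMAIL = `<p>Your account has a problem. Please
<a href="http://203.0.113.9/login">log in at www.examplebank.com</a> now, or
visit our <a href="https://www.examplebank.com/help">www.examplebank.com/help</a>.</p>`;
console.log(findDeceptiveLinks(SAMPLE_EMAIL));
```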