Lecture 21-Web Evaluation & Web Security-Compressed

The document discusses evaluating websites and web security. It provides criteria for evaluating websites such as domain extension, authorship, content, purpose, and design. It also covers client side security risks from active content and revealing personal information when browsing. It discusses server side security risks from bugs, misconfiguration, and open architecture. Finally, it explains how SSL encryption works to secure data transmission and authentication between a client and server.


INTERNET TECHNOLOGIES (457CSS-3)
LECTURE 21: WEB EVALUATION & WEB SECURITY
(Course Learning Outcome) CLO#6: Evaluate a web site.
Web Evaluation
Ø Doing Internet research requires judgment from the users
Ø Not all information on the Web is reliable
§ Some information is biased
§ Some information is incorrect
§ Some information is insufficient
§ Some information is outright fabrication
Choose your sources wisely
• No editorial process
• Anyone can publish
• Your project or paper is only as good as the research you use
Web Evaluation Criteria
• Domain extension
• Authorship
• Content
• Purpose
• Design – stability
Domain extension
• .com – commercial – anyone can obtain
• .net – originally intended for network providers; now commercial, anyone can obtain
• .org – organization – may have bias
• .gov – governmental – some are not updated
• .edu – educational – from colleges, schools – often the best sites for research
• The extension is only one signal: it tells you who could register the name, not whether the content is accurate.
Authorship
• Who is the author or responsible institution?
• Is there a bibliography?
• Is there a contact person?
• What are the credentials of the author or institution?
Content
• Is the information current?
• Is the information accurate?
• Is there enough information?
• Are spelling and grammar correct?
• Are links to additional information provided?
• Do all links work properly?
• Is there a search function or index?
Purpose
• Is the site’s purpose clearly stated?
• Does the site promote biases?
• Is the viewpoint of the author partisan to certain beliefs?
Design and stability
• Is the information easy to use?
• Is the design appealing?
• Are there distracting graphics and fonts?
• Does the page load quickly and easily?
Web Security: Client Side Security

v Risks:
– A web page can crash the browser, damage the user's system, breach the user's
privacy, or merely create an annoyance.
– Personal information that the end-user provides, knowingly or unknowingly, can be misused.
Web Security: Client Side Security (Cont.)

v Active content, such as ActiveX controls and Java applets:
§ Introduces the possibility that Web browsing will bring viruses or other
malicious software into the user's system,
Ø because the web browser provides a pathway that bypasses the firewall system
and enters the local area network.
§ Current browsers no longer run ActiveX controls or Java applets; the same risk
now applies to the code they do execute (JavaScript, WebAssembly, browser extensions).
Web Security: Client Side Security (Cont.)

v Even without active content:
§ Browsing still introduces the possibility of releasing personal information,
Ø because the very act of browsing leaves an electronic record of the user's
surfing history, from which unscrupulous individuals can reconstruct a very
accurate profile of the user's tastes and habits.
Web Security: Server Side Security

Ø Risk: Allow unauthorized remote users to:
§ Steal confidential documents.
§ Execute commands on the server host machine to modify the system.
§ Gain information about the Web server's host machine to break into the system.
§ Launch denial-of-service attacks, rendering the machine temporarily unusable.
Web Security: Server Side Security (Cont.)

Ø Bugs in the Web server
Maxims:
– Buggy software opens up security holes;
– Large, complex programs contain bugs;
And,
– Web servers are large, complex programs.
Web Security: Server Side Security (Cont.)
► Misconfiguration problems in the Web server
§ A poorly configured Web server can punch a hole in the most carefully
designed firewall system.
► Open architecture of Web servers
§ It allows arbitrary CGI scripts to be executed on the server's side of the
connection in response to remote requests.

v The Common Gateway Interface (CGI) is a standard protocol by which a web
server runs an external program for each matching request, much like a console
application: the request (query string, headers) is passed in environment
variables and on standard input, and whatever the program writes to standard
output is returned as the dynamically generated web page.
§ Any request parameter that such a program hands to a shell, a file path or a
database without validation becomes a way to execute commands on the server.
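The slide's "execute commands on the server" risk, shown as an added example (not code from the lecture): a CGI script that pings a host named in the query string. The vulnerable form splices the parameter into a shell command line; the hardened form allow-lists the value and passes it as a separate argv element. The request dictionary, the `host` parameter name and the `ping` command are assumptions for illustration; a real CGI script would read `os.environ`.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Hostname allow-list: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def query_param(environ, name):
    """CGI passes a GET request's parameters to the script in QUERY_STRING.
    `environ` is a plain dict so the example runs without a web server
    (a real script would pass os.environ)."""
    return parse_qs(environ.get("QUERY_STRING", "")).get(name, [""])[0]


def unsafe_command(environ):
    """Vulnerable form: the untrusted parameter is spliced into a shell command
    line, as in os.system("ping -c 1 " + host). Shell metacharacters in the
    request become extra commands run as the web server's user."""
    return "ping -c 1 " + query_param(environ, "host")


def safe_command(environ):
    """Hardened form: validate against an allow-list and build an argv list,
    so no shell ever parses the value."""
    host = query_param(environ, "host")
    if not HOSTNAME_RE.match(host):
        raise ValueError("host rejected: %r" % host)
    return ["ping", "-c", "1", host]


def handle_request(environ, run=subprocess.run):
    """Produce a CGI response (headers, blank line, body) using the safe form.
    `run` is a parameter only so a stub can replace subprocess in tests."""
    try:
        argv = safe_command(environ)
    except ValueError:
        return "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad host\r\n"
    result = run(argv, capture_output=True, text=True)
    return "Content-Type: text/plain\r\n\r\n" + result.stdout


if __name__ == "__main__":
    # Constructed attacker request, as a web server would hand it to the script.
    attack = {"QUERY_STRING": "host=example.com|cat+/etc/passwd"}
    print("unsafe form would run:", unsafe_command(attack))
    print(handle_request(attack))
```

The allow-list is the important part: escaping with `shlex.quote` would stop this particular injection but still lets the value reach a shell, whereas an argv list with a validated value removes the shell from the path entirely.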
Web Security:
Security of Data in Transmission
ü Risk: Interception of network data sent from browser to server or vice versa
via network eavesdropping.
Ø Eavesdroppers can operate from any point on the pathway between browser and server.
ü Reason: The TCP/IP protocol was not designed with security in mind: IP, TCP and
plain HTTP carry data in cleartext, so they are vulnerable to network eavesdropping.
Secure Sockets Layer (SSL)

Ø SSL is the most used security protocol for authentication on the Web.
Ø SSL secures data exchange between a client and a server by encrypting it.
Ø SSL itself is obsolete (its last version, SSL 3.0, is deprecated); its successor,
Transport Layer Security (TLS), plays the same role and is what "SSL" means in practice today.
SSL Protocol
Ø SSL runs above TCP/IP and below higher-level protocols such as HTTP or IMAP.
Ø It uses TCP/IP on behalf of the higher-level protocols and allows:
– an SSL-enabled server to authenticate itself to an SSL-enabled client,
– the client to authenticate itself to the server (optional, with a client certificate),
– both machines to establish an encrypted connection.
SSL protocol provides 3 main things:
Ø End Point Authentication
o The server is the actual party you wish to communicate with,
not someone faking its identity.
Ø Message Integrity
o The data exchanged with the server has not been modified
along the way; any modification is detected.
Ø Confidentiality
o Data is encrypted. An attacker cannot read your information
simply by looking at the packets on the network.
How SSL works
• Secure Web pages feature "https" in their URL instead of the usual "http"
• The browser sees the https in the URL and initiates a connection to the SSL
port on the Web server (443 by default, instead of 80 for plain HTTP)
• The browser and the server begin the handshake phase
Handshake Phase
1. The server sends its digital certificate to the client (browser).
2. The browser checks the server's certificate: that it was issued by one of the trusted
certificate issuers, called certification authorities, that come pre-loaded in popular
browsers, and that it is for the host actually being visited.
3. The server and the browser negotiate which algorithms to use for encryption. They
also decide on a Message Authentication Code (MAC) algorithm to use, which
provides data integrity protection.
4. The browser now generates two random numbers, one for encryption and the other for
use in the MAC. The browser then encrypts each of these random numbers with the
server's public key (obtained from the certificate), and sends the result to the server.
5. Since the server holds the private key corresponding to its public key, it decrypts the
random numbers successfully. Now both the client and the server have common keys.
The handshake is now complete: the server is authenticated and any
information exchanged between the browser and the server is protected.
This is the RSA key-transport form of the handshake. Modern TLS (1.2 with an ECDHE
suite, and all of TLS 1.3) instead derives the keys from an ephemeral Diffie-Hellman
exchange, so a recorded session cannot be decrypted later even if the server's private
key leaks.
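The five handshake steps and the three properties (authentication, integrity, confidentiality), as an added toy model that is not code from the lecture and not a real SSL/TLS implementation. Assumptions: textbook RSA over two small Mersenne primes stands in for the server's key pair, a dictionary stands in for the X.509 certificate and a set of issuer names for the browser's CA store, HMAC-SHA256 is the negotiated MAC, and a SHA-256 keystream XOR stands in for the negotiated cipher. The hostname `www.example.test` and issuer `Example Root CA` are made up.

```python
import hashlib
import hmac
import secrets

# Toy RSA modulus from two Mersenne primes (2^89-1 and 2^107-1): large enough
# to hold a 128-bit secret, far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
TRUSTED_CAS = {"Example Root CA"}   # stand-in for the browser's built-in CA list


def rsa_keygen(p=P, q=Q, e=65537):
    """Return ((n, e), (n, d)); d exists because gcd(e, phi) == 1 for these primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def toy_cipher(key, data):
    """XOR with a SHA-256 counter-mode keystream. Illustrative stand-in for the
    negotiated cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


def mac_tag(mac_key, data):
    """HMAC-SHA256 as the negotiated MAC algorithm (step 3)."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


class Server:
    def __init__(self, hostname="www.example.test"):
        self.pub, self.priv = rsa_keygen()
        # Step 1: the certificate. A dict stands in for X.509; a real certificate
        # carries the CA's signature, which the client verifies.
        self.certificate = {"subject": hostname, "issuer": "Example Root CA",
                            "public_key": self.pub}

    def finish_handshake(self, enc_key_ct, mac_key_ct):
        # Step 5: only the holder of the private key can recover the secrets.
        self.enc_key = rsa_decrypt(self.priv, enc_key_ct).to_bytes(16, "big")
        self.mac_key = rsa_decrypt(self.priv, mac_key_ct).to_bytes(16, "big")

    def receive(self, record):
        """Check integrity before decrypting; return None if the MAC fails."""
        ciphertext, tag = record
        if not hmac.compare_digest(mac_tag(self.mac_key, ciphertext), tag):
            return None
        return toy_cipher(self.enc_key, ciphertext)


class Client:
    def connect(self, hostname, certificate):
        # Step 2: accept the certificate only from a trusted issuer and for the
        # host being visited (real browsers also check signature and validity).
        if certificate["issuer"] not in TRUSTED_CAS or certificate["subject"] != hostname:
            raise ValueError("certificate not trusted for " + hostname)
        pub = certificate["public_key"]
        # Step 4: two fresh random numbers, one for encryption, one for the MAC,
        # each encrypted to the server's public key. secrets is a CSPRNG; the
        # session is only as strong as these values (see "Disadvantages").
        self.enc_key = secrets.token_bytes(16)
        self.mac_key = secrets.token_bytes(16)
        return (rsa_encrypt(pub, int.from_bytes(self.enc_key, "big")),
                rsa_encrypt(pub, int.from_bytes(self.mac_key, "big")))

    def send(self, plaintext):
        ciphertext = toy_cipher(self.enc_key, plaintext)
        return ciphertext, mac_tag(self.mac_key, ciphertext)


def demo(plaintext=b"GET /account HTTP/1.1"):
    """Run the handshake, send one record, then replay it with one bit flipped."""
    server, client = Server(), Client()
    server.finish_handshake(*client.connect("www.example.test", server.certificate))
    ciphertext, tag = client.send(plaintext)
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    return {"decrypted": server.receive((ciphertext, tag)),
            "tampered": server.receive((tampered, tag)),
            "on_the_wire": ciphertext}
```

`demo()` returns the plaintext the server recovered, `None` for the tampered record (integrity), and the bytes an eavesdropper would see (confidentiality); a certificate whose issuer is not in `TRUSTED_CAS` makes `Client.connect` raise before any secret is sent (authentication).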
SSL Uses
• SSL enables secure communication on an insecure network
such as the Internet
• Most web-based online purchases and monetary transactions are
now secured by SSL
– Online banking
– Credit card purchases
Advantages of SSL
Ø SSL is already built into browsers.
§ There is no need to install extra software.
Ø The server the user connects to suffers no significant reduction in speed.
§ SSL was developed with server performance in mind.
Ø SSL can be used as an alternative to a Virtual Private Network (VPN).
§ A VPN creates a virtual pipeline from a client directly to the server.
§ SSL secures the data transmitted through the web to the server without a separate tunnel.
Disadvantages of SSL
Ø The firewall cannot see the real content of the data, because it is encrypted.
• It is possible to hide a virus in the data transmitted; a network filter sees only ciphertext.
Ø SSL security depends almost entirely upon the client.
• If the random numbers created by the client are not random enough, the session is
subject to decryption because an attacker could "guess" the key. In the handshake above
the client's random numbers are the only secret protecting the session, so the client
must draw them from a cryptographically secure random number generator.
Tips for Your Web Security

Ø Risks can be minimized by always using the most recent browser version
and by only accepting transfers (downloads, plug-ins, certificates) from sites you trust.

Ø An always-on connection with a fixed IP address is a larger security risk than an
intermittent one, because the machine is reachable at a stable address for long periods.
ü Like cable, ADSL, fixed line
ü A modem with a dial-up connection exposes the machine less. This advice predates
home NAT routers and host firewalls; today, keeping the host firewall on and exposing
no services achieves the same effect on an always-on link.