Exploiting the User - PowerPoint PPT Presentation

Slides: 15
Provided by: robb66
Transcript and Presenter's Notes

1
Exploiting the User
Privacy and Security Concerns with HTTP Cookies
Presentation by Robert Bobek
2
Introduction
  • What are HTTP Cookies?
  • We need some understanding of HTTP first!
  • Hypertext Transfer Protocol (HTTP) is the
    communication protocol used to transfer data on
    the Internet.
  • HTTP is a request/reply protocol
  • Stateless Protocol!
  • Breaks Web Applications!
  • So, what are HTTP Cookies?
  • Cookies have become an attractive solution to
    this problem
  • Textual piece of information

3
HTTP Cookies First Party
  • HTTP Cookies are either First Party or Third
    Party
  • Web Applications use First-Party Cookies for many
    purposes
  • User session tracking
  • Personalization of profiles
  • Auto-complete fields

4
Security Concerns
  • Executing basic attacks on First Party Cookies
  • Browser history fishing
  • Cookie theft and data extraction
  • Easily accomplished on
  • Public terminals
  • Single user-account OS configurations

5
Security Concerns
  • Executing Advanced attacks on First Party Cookies
  • Cookie Theft (packet sniffing)
  • Cookie Poisoning
  • Cross-Site Cooking
  • Used to hijack sessions
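Two of the attacks listed on slides 4 and 5 have cheap server-side and browser-side countermeasures that are worth seeing in code. The following is an added example, not part of the original slides or of any project they describe: a signed session cookie (an attacker who edits the value cannot recompute the MAC, so cookie poisoning is detected on the next request) and an audit of a Set-Cookie header for the Secure and HttpOnly attributes (without Secure the cookie crosses the wire in cleartext and is trivially read by a sniffer; without HttpOnly it is readable by script). SERVER_KEY is a hypothetical key generated on import; a real deployment would load it from a secrets store.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical server key, generated fresh here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)


def sign_cookie_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.mac' where mac is HMAC-SHA256 over the value.

    A poisoned cookie (edited value) fails verification because the
    attacker cannot recompute the MAC without the server key.
    """
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie_value(signed: str, key: bytes = SERVER_KEY):
    """Return the original value if the MAC checks out, else None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the mismatch position through timing.
    return value if hmac.compare_digest(mac, expected) else None


def audit_set_cookie(header: str) -> dict:
    """Flag the attributes whose absence enables the attacks on the slides.

    Missing 'Secure'   -> cookie travels in cleartext, readable by a sniffer.
    Missing 'HttpOnly' -> cookie readable by script, so an injected script
                          can exfiltrate it.
    Returns {cookie_name: [missing attributes]} for one Set-Cookie header.
    """
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings


if __name__ == "__main__":
    signed = sign_cookie_value("user=alice")
    print("valid:", verify_cookie_value(signed))
    print("poisoned:", verify_cookie_value(signed.replace("alice", "admin")))
    print(audit_set_cookie("sid=abc123; Path=/"))
    print(audit_set_cookie("sid=abc123; Path=/; Secure; HttpOnly"))
```

Signing only detects tampering; it does not hide the value, so anything sensitive still belongs server-side with only an opaque identifier in the cookie.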

6
HTTP Cookies Third Party
  • Cookies sent by servers that are located outside
    the domain of the Web Site that the User was
    visiting.
  • Companies such as DoubleClick raise privacy
    concerns!
  • Use third party cookies
  • Occurs without the user's attention

[Diagram: Business A, Business B and Business C each load an ad from DoubleClick ("Bus. A ad loaded", "Bus. B ad loaded", "Bus. C ad loaded"), so one third party sees visits to all three sites]
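The diagram above and the "Cross-Site Cooking" item on slide 5 both come down to one question: which registrable domain does a cookie belong to? The following is an added example, not code from the slides or from any project they cite. It classifies each request in a constructed browsing session as first- or third-party relative to the page being viewed (reproducing the diagram: three business sites, one ad server seeing all of them), and it implements the browser-side rule that blocks cross-site cooking through the Domain attribute, which is honoured only when it is the request host or a parent of it and is never a bare public suffix. The hostnames and the tiny MULTI_LABEL_SUFFIXES set are stand-ins; real browsers consult the full public suffix list.

```python
from urllib.parse import urlsplit

# Minimal stand-in for the public suffix list (assumption for this example);
# browsers use the full list so that e.g. "co.uk" is not a registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(page_url: str, request_url: str) -> str:
    """'first-party' if the subresource shares the page's registrable domain."""
    page = registrable_domain(urlsplit(page_url).hostname)
    req = registrable_domain(urlsplit(request_url).hostname)
    return "first-party" if page == req else "third-party"


# Constructed browsing session mirroring the slide's diagram: three business
# sites, each embedding an ad served by the same ad network.
SESSION = [
    ("http://www.business-a.example/", "http://www.business-a.example/home"),
    ("http://www.business-a.example/", "http://ad.doubleclick.example/ad?site=a"),
    ("http://www.business-b.example/", "http://ad.doubleclick.example/ad?site=b"),
    ("http://www.business-c.example/", "http://ad.doubleclick.example/ad?site=c"),
]


def third_party_trackers(session):
    """Map each third-party host to the set of first-party sites it saw.

    One host appearing across many unrelated sites is exactly the
    cross-site tracking position the slide attributes to DoubleClick.
    """
    seen = {}
    for page_url, request_url in session:
        if classify(page_url, request_url) == "third-party":
            host = urlsplit(request_url).hostname
            site = registrable_domain(urlsplit(page_url).hostname)
            seen.setdefault(host, set()).add(site)
    return seen


def cookie_domain_allowed(request_host: str, domain_attr: str) -> bool:
    """Browser-side rule that blocks cross-site cooking via Domain=.

    Accept the attribute only if it domain-matches the request host and is
    not a public suffix (which would let one site set cookies that every
    site under that suffix receives).
    """
    host = request_host.lower()
    domain = domain_attr.lower().lstrip(".")
    labels = domain.split(".")
    is_public_suffix = len(labels) == 1 or domain in MULTI_LABEL_SUFFIXES
    domain_matches = host == domain or host.endswith("." + domain)
    return domain_matches and not is_public_suffix


if __name__ == "__main__":
    for host, sites in third_party_trackers(SESSION).items():
        print(host, "seen on", sorted(sites))
    print(cookie_domain_allowed("www.business-a.example", "business-a.example"))
    print(cookie_domain_allowed("www.shop.co.uk", "co.uk"))
```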
7
CookiesCard
  • Mobile Cookies Management on a Smart Card
    created by Alvin T.S. Chan
  • Motivation
  • General Security and Privacy problems
  • Removing Machine-Cookie dependency
  • Cookies held on Smart Card Technology
  • Secured by PIN Authentication

8
CookiesCard Architecture
  • Graphic reference: Alvin T.S. Chan. "Mobile
    Cookies Management on a Smart Card".
    Communications of the ACM. November 2005/Vol.
    48, No. 11. Pages 38-43.

9
CookiesCard
  • The CookiesCard is an effective solution, but it
    still suffers from minor drawbacks
  • Smart card reader technology is not very popular
  • Proxy must reside with the browser
  • No Cookies Management Interface

10
CookiesCard 1.1
  • The CookiesCard can be improved using the
    following suggestions
  • Replace Smart Card Technology with USB Flash
    devices
  • Affordable
  • Popular
  • Ultra-portable
  • Running Proxy Server from USB Flash device
  • Localhost left untouched
  • Control Panel Interface created as a 3rd module
  • Can be accessed through another listening port
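Slides 7 and 10 describe the core of the design: cookies are held in a PIN-protected store that travels with the user, and a proxy running beside the browser mediates them so the host machine ("localhost") never stores anything. The following is an added example, not code from the CookiesCard paper or from CookiesCard 1.1; it is an in-memory model of that proxy-side store built on assumptions of my own. The store refuses to operate until unlocked with the PIN (checked against a PBKDF2 hash), it absorbs Set-Cookie headers from responses so they are never forwarded to the browser, and it builds the Cookie header for outgoing requests using host and path matching. Hostnames and the PIN are constructed sample values.

```python
import hashlib
import hmac
import os
from http.cookies import SimpleCookie


class CookiesCardStore:
    """In-memory model of a PIN-gated cookie store kept on removable media.

    Assumption (not from the paper): the proxy, not the browser, keeps the
    cookies. Set-Cookie headers are stripped before the browser sees them and
    the matching Cookie header is attached to requests on the way out.
    """

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin, self._salt)
        self._unlocked = False
        self._jar = {}  # (domain, path, name) -> (value, host_only)

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def unlock(self, pin: str) -> bool:
        """Compare the PIN in constant time; the store stays locked on failure."""
        self._unlocked = hmac.compare_digest(self._hash(pin, self._salt), self._pin_hash)
        return self._unlocked

    def _require_unlocked(self):
        if not self._unlocked:
            raise PermissionError("CookiesCard locked: PIN required")

    def absorb_response(self, request_host: str, headers):
        """Store cookies from a response; return the headers minus Set-Cookie.

        headers is a list of (name, value) pairs as the proxy would see them.
        """
        self._require_unlocked()
        passthrough = []
        for name, value in headers:
            if name.lower() != "set-cookie":
                passthrough.append((name, value))
                continue
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                # Without a Domain attribute the cookie is host-only.
                domain = morsel["domain"].lstrip(".").lower() or request_host.lower()
                host_only = not morsel["domain"]
                path = morsel["path"] or "/"
                self._jar[(domain, path, cname)] = (morsel.value, host_only)
        return passthrough

    def cookie_header(self, request_host: str, request_path: str = "/"):
        """Cookie header value for an outgoing request, or None if none match."""
        self._require_unlocked()
        host = request_host.lower()
        pairs = []
        for (domain, path, cname), (value, host_only) in self._jar.items():
            if host_only:
                domain_ok = host == domain
            else:
                domain_ok = host == domain or host.endswith("." + domain)
            path_ok = request_path == path or request_path.startswith(path.rstrip("/") + "/")
            if domain_ok and path_ok:
                pairs.append(f"{cname}={value}")
        return "; ".join(pairs) if pairs else None


if __name__ == "__main__":
    store = CookiesCardStore("1234")  # constructed sample PIN
    store.unlock("1234")
    forwarded = store.absorb_response("www.business-a.example", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "pref=dark; Domain=business-a.example; Path=/"),
    ])
    print("headers forwarded to browser:", forwarded)
    print("sent to www.business-a.example:", store.cookie_header("www.business-a.example", "/account"))
    print("sent to shop.business-a.example:", store.cookie_header("shop.business-a.example"))
    print("sent to www.business-b.example:", store.cookie_header("www.business-b.example"))
```

Because the browser never receives Set-Cookie, the machine's own cookie store stays empty, which is the property the slide calls "localhost left untouched"; the control panel on a second listening port would simply expose listing and deletion over the same _jar.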

11
CookiesCard 1.1 Architecture
  • Cryptainer Mobile provides on-the-fly
    encryption/decryption technology on mobile
    devices
  • Does not require installing device drivers on the
    host machine to decrypt
  • Uses Blowfish encryption algorithm
  • Free Download!
  • Graphic reference: Alvin T.S. Chan. "Mobile
    Cookies Management on a Smart Card".
    Communications of the ACM. November 2005/Vol.
    48, No. 11. Pages 38-43. (modified by Rob Bobek)

12
Conclusion
  • CookiesCard 1.1: better but not perfect!

13
References
  • David M. Kristol. "HTTP Cookies: Standards,
    Privacy, and Politics". ACM Transactions on
    Internet Technology. November 2001/Vol. 1, No. 2.
    Pages 151-198.
  • Alvin T.S. Chan. "Mobile Cookies Management on a
    Smart Card". Communications of the ACM. November
    2005/Vol. 48, No. 11. Pages 38-43.
  • The Cookie Controversy: Cookies and Internet
    Privacy. http://www.cookiecentral.com/ccstory/cc3.htm
  • Wikipedia on HTTP Cookie.
    http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookies
  • CookieCentral. http://www.cookiecentral.com
  • Cryptainer Mobile can be downloaded at
    http://www.cypherix.com/cryptainerle/

14
Questions?