To offer SSL secured access to his site rottenpotatoescom Bob generates a

To offer ssl secured access to his site

This preview shows page 474 - 476 out of 517 pages.

To offer SSL-secured access to his site rottenpotatoes.com , Bob generates a keypair consisting of a public part KU and a private part KP . He proves his identity using conventional means such as government-issued IDs to a certificate authority (CA) such as VeriSign. The CA then uses its own private key CP to sign an SSL certificate that states, in effect, “ rottenpotatoes.com has public key KU .” Bob installs the certificate on his server and enables his SaaS stack to accept SSL connections— usually trivial in a PaaS environment. Finally, he enables SSL in his Rails app by adding force_ssl to any controller to force all its actions to use SSL, or using the :only or :except filter options to limit which actions are affected. force_ssl is implemented as a before-filter that causes an immediate redirect from http:// site/action to https:// site/action . The CA’s public key CU is built into most Web browsers, so when Alice’s browser first connects to and requests the certificate, it can verify the CA’s signature and obtain Bob’s public key KU from the certificate. Alice’s browser then chooses a random string as the secret, encrypts it using KU , and sends it to rottenpotatoes.com , which alone can decrypt it using KP . This shared secret is then used to encrypt HTTP traffic using much faster symmetric-key cryptography for the duration of the session. At this point, any content sent via HTTPS is reasonably secure from eavesdroppers, and Alice’s browser believes the server it’s talking to is the genuine RottenPotatoes server, since only a server possessing KP could have completed the key exchange step. It’s important to recognize that this is the limit of what SSL can do. In particular, the server knows nothing about Alice’s identity, and no guarantees can be made about Alice’s data other than its privacy during transmission to RottenPotatoes. Cross-site request forgery. A CSRF attack (sometimes pronounced “sea-surf”) involves tricking the user’s browser into visiting a different web site for which the user has a valid cookie, and performing an illicit action on that site as the user. For example, suppose Alice has recently logged into her MyBank.com account, so her browser now has a valid cookie for MyBank.com showing that she is logged in. Now Alice visits a chat forum where malicious Mallory has posted a message with the following embedded “image”:
Image of page 474
1 <p>Here’s a risque picture of me: 2 <img src=""> 3 </p> When Alice views the blog post, or if she receives an email with this link embedded in it, her browser will try to “fetch” the image from this RESTful URI, which happens to transfer $5000 into Mallory’s account. Alice will see a “broken image” icon without realizing the damage. CSRF is often combined with Cross-site Scripting (see below) to perform more sophisticated attacks.
Image of page 475
Image of page 476

You've reached the end of your free preview.

Want to read all 517 pages?

  • Spring '19
  • Dr.Marcos

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern

Stuck? We have tutors online 24/7 who can help you get unstuck.
A+ icon
Ask Expert Tutors You can ask You can ask You can ask (will expire )
Answers in as fast as 15 minutes
A+ icon
Ask Expert Tutors