DOCSLIB.ORG

Web Security: Sessions; CSRF; Start on Authentication

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Web Security: Sessions; CSRF; Start on Authentication Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca Ada Popa Nov 10, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Announcements Proj 3 due on Thur, Nov 17 Recall: Cookie scope GET … Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (when to send) ; scope path = (when to send) secure = (only send over SSL); expires = (when expires) ; HttpOnly • EXpires is expiration date • Delete cookie by setting “expires” to date in past • HttpOnly: cookie cannot be accessed by Javascript, but only sent by browser Recall: What scope a server may set for a cookie domain: any domain-suffiX of URL-hostname, except TLD [top-level domains, e.g. ‘.com’] example: host = “login.site.com” allowed domains disallowed domains login.site.com user.site.com .site.com othersite.com .com path: can be set to anything Recall: When browser sends cookie Server GET //URL-domain/URL-path Cookie: NAME = VALUE A cookie with domain = example.com, and path = /some/path/ will be included on a request to http://foo.example.com/some/path/subdirectory/hello.tXt Client side read/write: document.cookie Setting a cookie in Javascript: document.cookie = “name=value; expires=…; ” Reading a cookie: alert(document.cookie) prints string containing all cookies available for document (based on [protocol], domain, path) Deleting a cookie: document.cookie = “name=; expires= Thu, 01-Jan-00” document.cookie often used to customize page in Javascript Viewing/deleting cookies in Browser UI FirefoX: Tools -> page info -> security -> view cookies Sessions Sessions A sequence of requests and responses from one browser to one (or more) sites n Session can be long (Gmail - two weeks) or short (e.g., banking) n without session mgmt: users would have to constantly re-authenticate Session management: n Authorize user once; n All subsequent requests are tied to user Pre-history: HTTP auth HTTP request: GET /indeX.html HTTP response contains: WWW-Authenticate: Basic realm="Password Required“ https://cs161.berkeley.edu Browsers sends hashed password on all subsequent HTTP requests: Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ= What problems can you see with this moDel? HTTP auth problems Hardly used in commercial sites n User cannot log out other than by closing browser w What if user has multiple accounts? w What if multiple users on same computer? n Site cannot customize password dialog n Confusing dialog to users n Easily spoofed Session tokens Browser Web Site GET /indeX.html set anonymous session token GET /books.html anonymous session token POST /do-login check Username & password creDentials elevate to a logged-in session token POST /checkout logged-in session token ValiDate token Storing session tokens: Lots of options (but none are perfect) • Browser cookie: Set-Cookie: SessionToken=fduhye63sfdb • Embedd in all URL links: https://site.com/checkout ? SessionToken=kh7y3b • In a hidden form field: <input type=“hidden” name=“sessionid” value=“kh7y3b”> Can you see problems with these? Storing session tokens: problems • Browser cookie: browser sends cookie with every request, even when it should not (see CSRF attack) • Embed in all URL links: token leaks via HTTP Referer header (your browser tells a site which previous site it visited last in the Referer header, which may contain session tokens) • In a hidden form field: short sessions only Best answer: a combination of all of the above. Cross Site Request Forgery RN Release Notes RNRNRN ReleaseRelease Notes NotesNotes What Changed From 2010 to 2013? WhatWhat Changed From 2010 toto 2013?2013? WhatThe threat Changed landscape for From applications 2010 security to constantly2013? changes. Key factors in this evolution are advances made by attackers, ThetheTheThe releasethreat threatthreat landscape oflandscape new technologies for for applications applications with security new security weaknesses constantly constantlyconstantly as changes. changes.wellchanges. as Keymore Key Key factors factors builtfactors in in defenses,thisin this this evolution evolution evolution and arethe are are advances deployment advances advances made made madeof byincreasingly by attackeby attacke attackers, rs, rs, thecomplexthethe release releaserelease systems. of ofof new new Totechnologies technologies keep pace, with wewith periodicallynew newnew weaknesses weaknessesweaknesses update as as aswellthe wellwell OWASPas as asmore more more Top built built built 10. in in defenses,Inin defenses, thisdefenses, 2013 and and release,and the the the deployment deployment wedeployment made ofthe ofincreasingly of followingincreasingly increasingly changes: complex complexcomplex systems. systems. To To keep keep pace, pace, we we periodically periodically update updateupdate the thethe OWASP OWASPOWASP Top Top Top 10. 10. 10. In In thisIn this this 2013 2013 2013 release, release, release, we we wemade made made the the the following following following changes: changes: changes: 1) Broken Authentication and Session Management moved up in prevalence based on our data set. We believe this is probably 1)1)1) BrokenbecauseBrokenBroken Authentication Authenticationthis area is being and and lookedSession Session at Management Managementharder,Management not becausemoved movedmoved up these upup in in prevalencein prevalence issuesprevalence are based actually based based on on onmoreour our our data prevalent.data data set. set. set. We We We Thisbelieve believe believe caused this this this isRisks probablyis is probably probablyA2 and becauseA3becausebecause to switch this this area places. area is isbeing being looked looked at at harder, harder,harder, not notnot because becausebecause these thesethese issues issues issues are are are actually actually actually more more more prevalent. prevalent. prevalent. This This This caused caused caused Risks Risks Risks A2 A2 andA2 and and A3 A3A3 to toto switch switch places. places. 2) Cross -Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe 2)2)2) CrossthisCrossCross is-Site -because-Site Request Request CSRF Forgery Forgery has been (CSRF) (CSRF) in the moved movedmoved OWASP down downdown Top in in inprevalence10 prevalenceprevalence for 6 years, based basedbased and on organizationson on our our our data data data set set set fromand from from framework 2010 2010 2010-A5-A5- A5to developersto 2013to 2013 2013-A8.-A8.- A8.We have We Webelieve believe focused believe thisonthisthis it is isenoughis because becausebecause to CSRF CSRFsignificantly has has been been reduce in in the thethe OWASPthe OWASPOWASP number Top TopTop 10 of 1010 forCSRF forfor 6 6years,6vulnerabilities years,years, and and and organizations organizations organizations in real world and and and applications.framework framework framework developers developers developers have have have focused focused focused on onon it it itenough enough to to significantly significantly reduce reduce the thethe number numbernumber of of ofCSRF CSRFCSRF vulnerabilities vulnerabilitiesvulnerabilities in inrealin real real world world world applications. applications. applications. 3) We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive: 3)3)3) We WeWe broadened broadened Failure Failure to to Restrict Restrict URL URL Access AccessAccess from fromfrom the thethe 2010 20102010 OWASP OWASPOWASP Top Top Top 10 10 10to to beto be bemore more more inclusive: inclusive: inclusive: + 2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control – to cover all of function +++ 2010level2010- A8:access-A8: Failure Failure control. to to Restrict RestrictThere URLare URL manyAccess AccessAccess ways is isnowis nownowto 2013specify 20132013-A7:- -A7:whichA7: Missing MissingMissing function Function Function Function is being Level Level Level accessed, Access Access Access Control Controlnot Control just – to –the – to cover to URL.cover cover all all of all offunction of function function levellevellevel access accessaccess control. control. There There are areare many manymany ways waysways to to tospecify specifyspecify which whichwhich function function function is isbeing is being being accessed, accessed, accessed, not not not just just just the the the URL. URL. URL. 4) We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure: 4) 4)4) WeWeWe merged merged and and broadened broadened 2010 2010-A7--A7 & &&2010 20102010-A9--A9A9 to to toCREATE: CREATE:CREATE: 2013 2013 2013-A6:--A6:A6: Sensitive Sensitive Sensitive Data Data Data Exposure Exposure Exposure: : : – This new category was created by merging 2010-A7 – Insecure Cryptographic Storage & 2010-A9 - Insufficient Transport ––– ThisThis new new category category was was created created by byby merging mergingmerging 2010 20102010-A7--A7A7 – Insecure–– InsecureInsecure Cryptographic Cryptographic Cryptographic Storage Storage Storage & &2010 & 2010 2010-A9-A9- A9- Insufficient - -Insufficient Insufficient Transport Transport Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data LayerLayer Protection, Protection, plus plus adding adding browser browserbrowser side sideside sensitive sensitivesensitive data datadata risks risks risks as as aswell. well. well. This This This new new new category category category covers covers covers sensitive sensitive sensitive data data data protection
Load more

Recommended publications
  • Browser Security Information
    Browser Security Information Customer security is important to us. Our top priority is to protect the privacy of your personal account information and your financial transactions FirstLine Mortgages is leading the way in Internet banking services and uses several layers of robust security technology to help ensure the confidentiality of transactions across the Internet. The first security level begins with your Web browser. When you access FirstLine Mortgages Internet Site , your browser is checked to ensure that it meets our minimum requirements. Additionally, we only allow customers with browsers that use 128-bit encryption (one of the highest levels of browser security available today) to bank on our web site. But, even with this validation, there are other precautions you should follow to maximize your protection. You have a responsibility to ensure your own security. The browser validation will verify the browser type you are using, your browser encryption level, the version of Netscape or Microsoft browser, as well as Javascript and cookies being enabled. To access -FirstLine Mortgages Internet site , you need to use: • a Netscape browser version 4.06 or better with a minimum 128-bit encryption technology • a Microsoft browser version 4.01 SP2 or better with a minimum 128-bit encryption technology • Javascript (please see below for more information about how to check and enable Javascript support) • Cookies (see below) If your browser does not meet all of these requirements, you will need to upgrade your browser to access the FirstLine Internet Site . To upgrade your browser, select the Netscape or Microsoft button below and download the latest browser version.
    [Show full text]
  • Web Security
    CSE343/443 Lehigh University Fall 2015 Web Security Presenter: Yinzhi Cao Slides Inherited and Modified from Prof. John Mitchell Reported Web Vulnerabilities "In the Wild" 1200 1000 800 Input Validation 600 CSRF XSS SQLi 400 200 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 Web application vulnerabilities Goals of web security Safely browse the web n Users should be able to visit a variety of web sites, without incurring harm: w No stolen information (without user’s permission) w Site A cannot compromise session at Site B Secure web applications n Applications delivered over the web should have the same security properties we require for stand- alone applications Network security Network Attacker System Intercepts and controls network communication Alice Web security System Web Attacker Sets up malicious site visited by victim; no control of network Alice Web Threat Models Web attacker n Control attacker.com n Can obtain SSL/TLS certificate for attacker.com n User visits attacker.com w Or: runs attacker’s Facebook app Network attacker n Passive: Wireless eavesdropper n Active: Evil router, DNS poisoning Malware attacker n Attacker escapes browser isolation mechanisms and run separately under control of OS Malware attacker Browsers (like any software) contain exploitable bugs n Often enable remote code execution by web sites n Google study: [the ghost in the browser 2007] w Found Trojans on 300,000 web pages (URLs) w Found adware on 18,000 web pages (URLs) Even if browsers were bug-free, still lots of vulnerabilities
    [Show full text]
  • Web Application Security
    Web Application Security * Original slides were prepared by John Mitchell Goals of web security Safely browse the web n Users should be able to visit a variety of web sites, without incurring harm: w No stolen information w Site A cannot compromise session at Site B Support secure web applications n Applications delivered over the web should be able to achieve the same security properties as stand- alone applications Web security threat model System Web Attacker Sets up malicious site visited by victim; no control of network Alice Network security threat model Network Attacker System Intercepts and controls network communication Alice System Web Attacker Alice Network Attacker System Alice Web Threat Models Web attacker n Control attacker.com n Can obtain SSL/TLS certificate for attacker.com n User visits attacker.com w Or: runs attacker’s Facebook app, etc. Network attacker n Passive: Wireless eavesdropper n Active: Evil router, DNS poisoning Malware attacker n Attacker escapes browser isolation mechanisms and run separately under control of OS Malware attacker Browsers may contain exploitable bugs n Often enable remote code execution by web sites n Google study: [the ghost in the browser 2007] w Found Trojans on 300,000 web pages (URLs) w Found adware on 18,000 web pages (URLs) NOT OUR FOCUS Even if browsers were bug-free, still lots of vulnerabilities on the web n XSS, SQLi, CSRF, … WEB PROGRAMMING BASICS URLs Global identifiers of network-retrievable documents Example: http://columbia.edu:80/class?name=4995#homework Protocol Fragment
    [Show full text]
  • But Were Afraid to Ask!)
    05_576593 ch01.qxd 10/12/04 9:55 PM Page 9 Chapter 1 All You Ever Wanted to Know about JavaScript (But Were Afraid to Ask!) In This Chapter ᮣ Understanding a working definition of JavaScript ᮣ Dispelling common JavaScript misconceptions ᮣ Getting started with JavaScript tools ᮣ Finding information online aybe you’ve surfed to a Web site that incorporates really cool features, Msuch as ߜ Images that change when you move your mouse over them ߜ Slideshow animations ߜ Input forms with pop-up messages that help you fill in fields correctly ߜ Customized messages that welcome repeat visitors By using JavaScript and the book you’re reading right now you can create all these effects and many more! The Web page in Figure 1-1 shows you an example COPYRIGHTEDof the kinds of things that you canMATERIAL look forward to creating for your own site. A lot has changed since the previous edition of JavaScript For Dummies came out. Perhaps the biggest change is the evolution of DHTML, or dynamic HTML. DHTML refers to JavaScript combined with HTML and cascading style sheets, and it’s a powerful combination you can use to create even more breathtak- ingly cool Web sites than ever before. 05_576593 ch01.qxd 10/12/04 9:55 PM Page 10 10 Part I: Building Killer Web Pages for Fun and Profit Figure 1-1: JavaScript lets you add interactive features to your Web site quickly and easily. Along with this increased power comes increased complexity, unfortunately — but that’s where this new, improved, better-tasting edition of JavaScript For Dummies comes in! Even if you’re not a crackerjack programmer, you can use the techniques and sample scripts in this book to create interactive Web pages bursting with animated effects.
    [Show full text]
  • Web Security 1
    Web Security 1 Prof. Raluca Ada Popa Oct 16, 2017 Some content adapted from materials by David Wagner or Dan Boneh Today • We need to cover same-origin policy, cookie policy, CSRF and XSS, But do not need to cover weB injection • ScriBe: Dayeol • Presenter: Rohan, Michael HTTP (Hypertext Transfer Protocol) A common data communication protocol on the weB CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: Alice GET /account.html HTTP/1.1 Smith Host: www.safebank.com Accounts Bill Pay Mail Transfers HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . </HTML> URLs GloBal identifiers of network-retrievaBle resources Example: http://safeBank.com:81/account?id=10#statement Protocol Hostname Query Fragment Port Path HTTP CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: Alice GET /account.html HTTP/1.1 Smith Host: www.safebank.com Accounts Bill Pay Mail Transfers HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . </HTML> HTTP Request GET: no Method Path HTTP version Headers side effect GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, POST: image/jpeg, */* Accept-Language: en possiBle Connection: Keep-Alive User-Agent: Chrome/21.0.1180.75 (Macintosh; side effect Intel Mac OS X 10_7_4) Host: www.safebank.com Referer: http://www.google.com?q=dingbats Blank line Data – none for GET HTTP CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: Alice GET /account.html HTTP/1.1 Smith Host: www.safebank.com Accounts Bill Pay Mail Transfers HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . </HTML> HTTP Response HTTP version Status code
    [Show full text]
  • Php Server Http Referer
    Php Server Http Referer Dorian view partly if deprivable Gunter riled or dilacerates. Sometimes retired Randi wheedle her Klansman rather, but bright Aubrey sell unfriendly or remigrated iwis. Petrological and coldish Caleb announcing: which Ethelred is paraffinic enough? The new approach though has some view this request headers of injection in php people out on. Returns a typical usage of a newsletter, often responsible for? Restricting access that is file path info is possible thing about your visitor know where a video calls out there was? There view be some incompatibility going today with every particular setup. HTTPREFERER and parsestr in a Snippet MODX. Learn how Cloudflare handles HTTP request headers to appropriate origin web server and what headers Cloudflare adds to proxied requests. This do a tube while __DIR__ give the realpath. Specify an ssh session or more in a website out how would give you intend on his choice; servers using csrf token are you. In most reverse proxy setup the web server forwards the HTTP request it received from the. With Contact Form 7 you know capture this referer page and was it to. Static-only applications serve files through each WebFaction server's front-end. Is then any difference between sale a lead tracking? IfissetSERVER'HTTPREFERER' return false refererhost. The term Referer is used due only a spelling error its the original HTTP. Echo filegetcontents'httpmyotherdomaincom' I created an non Codeigniter script at myotherdomaincomindexphp and added this code. There it actually nine HTTP methods defined by the HTTP specification, but many love them affect not widely used or supported.
    [Show full text]
  • Javascript Security
    Color profile: Generic CMYK printer profile Composite Default screen Complete Reference / JavaScript: TCR / Powell & Schneider / 225357-6 / Chapter 22 Blind Folio 679 22 JavaScript Security ownloading and running programs written by unknown parties is a dangerous proposition. A program available on the Web could work as advertised, but then Dagain it could also install spyware, a backdoor into your system, or a virus, or exhibit even worse behavior such as stealing or deleting your data. The decision to take the risk of running executable programs is typically explicit; you have to download the program and assert your desire to run it by confirming a dialog box or double-clicking the program’s icon. But most people don’t think about the fact that nearly every time they load a Web page, they’re doing something very similar: inviting code—in this case, JavaScript—written by an unknown party to execute on their computer. Since it would be phenomenally annoying to have to confirm your wish to run JavaScript each time you loaded a new Web page, the browser implements a security policy designed to reduce the risk such code poses to you. A security policy is simply a set of rules governing what scripts can do, and under what circumstances. For example, it seems reasonable to expect browsers’ security policies to prohibit JavaScript included on Web pages downloaded from the Internet from having access to the files on your computer. If they didn’t, any Web page you visited could steal or destroy all of your files! In this chapter we examine the security policies browsers enforce on JavaScript embedded in Web pages.
    [Show full text]
  • Guideline for Securing Your Web Browser P a G E | 2
    CMSGu2011-02 CERT-MU SECURITY GUIDELINE 2011 - 02 Mauritian Computer Emergency Response Team Enhancing Cyber Security in Mauritius Guideline For Securing Your Web Browser National Computer Board Mauritius JuJunene 2011 2011 Version 1.7 IssueIssue No. No. 4 2 National Computer Board © Table of Contents 1.0 Introduction .......................................................................................................................... 7 1.1 Purpose and Scope ........................................................................................................... 7 1.2 Audience........................................................................................................................... 7 1.3 Document Structure.......................................................................................................... 7 2.0 Background .......................................................................................................................... 8 3.0 Types of Web Browsers ....................................................................................................... 9 3.1 Microsoft Internet Explorer .............................................................................................. 9 3.2 Mozilla Firefox ................................................................................................................. 9 3.3 Safari ................................................................................................................................ 9 3.4 Chrome ..........................................................................................................................
    [Show full text]
  • Browser Security
    Transcript of Episode #38 Browser Security Description: Steve and Leo discuss the broad topic of web browser security. They examine the implications of running "client-side" code in the form of interpreted scripting languages such as Java, JavaScript, and VBScript, and also the native object code contained within browser "plug- ins" including Microsoft’s ActiveX. Steve outlines the "zone-based" security model used by IE and explains how he surfs with high security under IE, only "lowering his shields" to a website after he’s had the chance to look around and decide that the site is trustworthy. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-038.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-038-lq.mp3 Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting. This is Security Now! with Steve Gibson, Episode 38 for May 4, 2006: Browser Security. Security Now! is brought to you by Astaro, makers of the Astaro Security Gateway, on the web at www.astaro.com. So finally the sun is shining in beautiful California. We have summer, or at least spring finally arrived. And, look, Steve Gibson’s wearing a tank top and shorts. No, he’s not. Steve Gibson: Well, it’s dry in Toronto, Leo. You were all chapped; I was all, like, chapped just after one day. Leo: I am. And, you know, they complain in Toronto that it’s too humid because they have the lake effect. But I guess it gets humid some other time because I – chapped is the word, exactly.
    [Show full text]
  • New Standards and Upcoming Technologies in Browser Security
    OWASP The OWASP Foundation AppSec Europe 2011 http://www.owasp.org New Standards and upcoming Technologies in Browser Security Tobias Gondrom Board member of OWASP London Chair of IETF Web Security WG [email protected] Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Tobias Gondrom • 12 years information security experience • 10 years application development experience • Information Security & Risk Management, Research and Advisory, Director • Author of Standards on Digital Signatures and Secure Archiving • Chair of IETF Web Security Working Group http://datatracker.ietf.org/wg/websec/charter/ Member of the IETF Security Directorate • London OWASP chapter board member (former OWASP Germany chapter lead) www.owasp.org Browser Security • History • What’s the problem • Who & Why • What’s been done • When 3 Browser Security • History • What’s the problem • Who & Why • What’s been done • When 4 History • Internet/Arpanet Protocols were designed for robustness and exchanging information and cross reference of content… …. but not with security and active content in mind • We try to fix Application Security on the Application end ever since 5 Browser Security • History • What’s the problem • Who & Why • What’s been done • When 6 What’s the problem - OWASP Top 10 What’s the problem - OWASP Top 10 What’s the problem - No Clear separation between content and executed code - Relies on trust relationships (trust on first use / trusted source) - Weak channel protection - Authentication & leakage of credentials => Today, Web Applications try to fix this on the Application level with little support of the underlying infrastructure 9 What’s the problem Client Server Inform & Influence Security Posture 10 Think Big - What if we can….
    [Show full text]
  • Add Request Header Ie
    Add Request Header Ie Witted Roderigo sometimes advertizes his gelatiniser stutteringly and colludes so immaculately! Berk bedights her Ludwigshafen sprightly, she vitalize it incoherently. Coseismic and grammatical Ruben charts almost betweentimes, though Israel comport his micrurgy shaking. This allows older versions of Internet Explorer and Chrome to perform. Content-Security-Policy Header CSP Reference & Examples. Servlet Tutorial Specifying HTTP Response Headers. The developer tools in some form of events of giving hint of microsoft wants for example, javascript to add request has higher precedence than being annotated by adding searchbar and add a character may support. How can Add HTTP Security Headers in WordPress Tripwire. Authoritative guide to CORS Cross-Origin Resource Sharing. Security HTTP Headers Prevent XSS Attack Clickjacking. IE Tab Documentation IE Tab Run Internet Explorer inside. Fix on a unique identifiers that lets us a fresh from accessing information about this saves you to gateway caches will need to add request shortly and low bandwidth utilization. It's a shortcut for setting the header via the usual header notation http url. How a View HTTP Headers Cookies In Google Chrome. This wrong be truth with Chrome Firefox Safari and IE. It means of the error logs, if this request header by pointing one! Internet Explorer Open their Network tool using Ctrl4 You must manually start data collection using F5 Once and have some may simply warn-click on same name of any insulate to gleam the HTTP headers as well upon Request Method Response Status Code and HTTP version in relevant panels related to it. IIS allows you to break custom HTTP headers You groom have.
    [Show full text]
  • A Web Server Called Liso
    15-441/641: Computer Networks Project 1: A Web Server Called Liso TAs: Mingran Yang ([email protected]) Alex Bainbridge ([email protected]) September 29, 2019 1 Introduction In this class you wil learn about Computer Networks, from bits on a wire or radio (`the bottom') all the way up to the design of applications that run over networks (`the top)'. In this project, you will start from the top with an application we are all familiar with: a web server. You will use the Berkeley Sockets API to write a web server using a subset of the HyperText Transport Protocol (HTTP) 1:1 |RFC 2616 [2]. Your web server will also implement HyperText Transport Protocol Secure (HTTPS) via Transport Layer Security (TLS) as described in RFC 2818 [3]. Students enrolled under the 15-641 course number will implement the Common Gateway Interface (CGI) as described in RFC 3875 [4]. Reading an RFC is quite different from reading a news article, mystery novel, or even technical paper. Appendix B.2 has some tips read and use and RFC efficiently. RFCs are one of many ways the Internet declares `standards:' agreed upon algorithms, wire formats, and protocols for interoperability between different implementations of systems on a network. Without standards, software from one company would not be able to talk to software from another company and we would not have things like e-mail, the Web, or even the ability to route traffic between different companies or countries. Because your web server is compatible with these standards, you will, by the end of this project, be able to browse the content on your web server using standard browser like Chrome or Firefox.
    [Show full text]