Buyer beware: Online shopping hazards detailed by UMass Amherst computer scientist

20.02.2006


To present at AAAS meeting in St. Louis



Consumers who shop online may be risking their privacy with every purchase, contends University of Massachusetts Amherst computer scientist Kevin Fu. His research suggests that a confluence of factors, including the widespread use of cookies and demand for quick and easy transactions, results in Web sites that are often insecure.

"Much Web security rests on illusion and hope," says Fu, who will discuss how Web sites leak private information on Saturday, Feb. 18 at the American Association for the Advancement of Science meeting in St. Louis.


Most Web users have heard of cookies, the small chunks of information that a Web server sends to a browser to identify the user at a later date. Cookies are stored on the browser computer’s hard drive and each time a user revisits a site the cookie is sent back to the server, telling it, "Hi, it’s me again."

"Cookies are insecure, no matter what you do," says Fu. While they aren’t that dangerous when used for things like storing preferences on personalized Web pages (they are how Yahoo remembers that a user wants science headlines displayed, for example) they are also employed to authenticate users who are shopping online. It’s these so-called "authentication cookies" that are often exploitable, says Fu.

Cookies work by replaying the same information. While they may be associated with a password to start, the cookie is how a site remembers a user, and allows them to skip a log-in page. So someone who has accessed a series of cookies on a hard drive can look for a pattern and then backtrack to come up with the algorithm that generated them. "It’s the kind of thing a bored teenager could do in a few hours," says Fu.

Cookies aren’t the only problem, says Fu. Every Web site has its own method of authenticating users, and there is no set standard for Web site security--even that little padlock icon doesn’t mean much, he says. Many sites use what Fu calls "home-brew cryptography," a security system that’s set up by someone lacking the expertise to do so. In recent years some companies have begun selling off-the-shelf encryption toolkits. These can be more secure, says Fu, but many are "just smoke and mirrors."

Unless a security system has "open design," meaning how it works is public information, it probably isn’t worth much, says Fu. The best log-in methods don’t employ cookies, but use what are known as client certificates in SSL, or "Secure Sockets Layer." These are akin to a signet ring, says Fu. The user authenticates who they are by stamping the wax with their seal. They never actually send the ring itself to the site--which is what cookies do. These systems are often used at universities, allowing students to access grades online, for example.

Why aren’t client certificates used elsewhere? They are cumbersome, says Fu, and retailers want to offer quick, easy shopping. Cookies get the most sales in the shortest time, and if no one is attacking, they work just fine. Being able to order something quickly provides short-term fulfillment, and the long-term cost to privacy isn’t very tangible.

There are steps that companies can take to prevent attackers from breaking their authentication schemes, says Fu. These include prohibiting guessable passwords, for example, or using only temporary cookies that expire when the user exits the browser. A cryptographic system with a public protocol that can be reviewed for flaws will likely be more secure than a system with a private one.
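The cookie advice above, as an added example that is not taken from Fu's research or from the original article: a home-brew authenticator computed only from public data, next to one bound to a server-side secret and an expiry time and sent as a temporary cookie. The cookie name `auth`, the `username|expiry|tag` layout and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed key for this example; a real server loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

def weak_cookie(username: str) -> str:
    """Home-brew scheme: computed from public data only, so anyone who
    works out the pattern can produce a valid value for any user."""
    return hashlib.md5(username.encode()).hexdigest()

def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(username: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Value is username|expiry|HMAC-SHA256(key, username|expiry)."""
    issued = time.time() if now is None else now
    payload = f"{username}|{int(issued + ttl)}"
    return f"{payload}|{_tag(payload)}"

def verify_cookie(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username for a valid, unexpired cookie, else None."""
    try:
        username, expires, tag = value.rsplit("|", 2)
        expiry = int(expires)
    except ValueError:
        return None
    expected = _tag(f"{username}|{expires}")
    # Constant-time comparison so the check does not leak tag bytes.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    current = time.time() if now is None else now
    return username if current < expiry else None

def set_cookie_header(value: str) -> str:
    """No Expires/Max-Age: the browser drops the cookie when it exits."""
    return f"Set-Cookie: auth={value}; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    cookie = issue_cookie("alice")
    print(set_cookie_header(cookie))
    print(verify_cookie(cookie), verify_cookie(cookie.replace("alice", "admin")))
```

The server-side expiry matters even with a temporary cookie, because a copied value would otherwise stay valid after the browser that received it has closed.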

Fu does shop online. "There isn’t much of an alternative for consumers. Even if you shop by phone, the attendant often enters your data on the same Web page you are trying to avoid," he says. A CEO, a doctor or someone with access to the records of others should especially care about secure log-ins.

"There’s a lot of legacy to this, too," he adds. "The set-up is too entrenched at this point--too many hours and too much money would be required to change things. But the company that figures out how to do so will be very successful."

Kevin Fu | EurekAlert!
Further information:
http://www.cs.umass.edu
