COMP3371 Practical Session 4 – “off the shelf” E-commerce

Nowadays, the Internet is taken for granted so much that it is assumed to be the perfect platform for doing business. However, a number of important additional components also need to be taken into account for it to be considered safe to use.

The first thing a business has to do is set up a website. They may wish to do this for marketing reasons even if they do not trade on the Internet.

Exercise 4(a): Investigating Web-site Providers

In this exercise, you will investigate some options for a start-up business to set up a website.

1.  Open your favourite browser and search for the keyword “web site providers”.

2.  Choose one UK-based option (the business needs to comply with UK and EU privacy laws), and investigate the packages that are available for a small business website… assume no e-commerce yet, just a web site and hosting. Note the costs. What other criteria besides cost would you use in making a choice of website?

3.  Now go back to your favourite browser and search for “online business website”.

4.  As before, choose one UK-based option, and investigate the packages available for a small business… wishing to trade online. An even larger range of options will probably be available. As before, note the costs. As before, what other criteria would you use in making a choice?

5.  Finally, try “online secure business website”. Compare the options available, costs involved, and the name of an associated merchant provider. You may find the costings, and comparisons, useful for assignment 1.

Any online trading website immediately invokes two important matters from the point of view of security: security of personal data, and security of financial data. Financial data needs to be dealt with through a merchant provider.

As previously explained, legislative authorities may need to become involved if the data is not protected; each of these types of data requires PKI to protect it.

In the next section, we’ll investigate invoking PKI through the use of https and SSL.

Exercise 4(b): Use of SSL in a website

Public Key Infrastructure (PKI) has progressively become more and more prevalent on the World Wide Web.

PKI was developed originally to add a little security to the perceived anarchic nature of TCP/IP packet switching. It received backing from the likes of Microsoft, the US government, and the top universities whose staff and students contributed to creating the secure protocols.

However, by the time PKI came fully on stream in 1999, the World Wide Web, which used anonymous (i.e. unauthenticated) http by default, was already enormously popular, and PKI added a layer of complication to web activity that many users felt they could do without.

The most important components of the PKI were SSL (Secure Sockets Layer) and https, the secure equivalent of http, which uses encryption to send data securely through the Internet. At the same time, a secure version of the level four TCP protocol that supports application layer services was produced… known as TLS.

The secure upper layers of PKI within the OSI model are: https (level 6/7), SSL (level 5), TLS (level 4). A way for a site to inform the browser that https (and therefore SSL) was in use was devised and rolled out some time ago.

However, there is still some confusion among members of the public, who will be the e-commerce customers. Google Chrome now uses colour coding to help users identify https. Another aspect is the Digital Certificate, details of which can be obtained from the browser URL header area; one way is by clicking on the lock symbol. This will be discussed in more detail in a future lecture.

1.  Go to the amazon.co.uk website using Google Chrome. Is it https? How do you know? Does this surprise you?

2.  Use the browser to find out who issued amazon.co.uk its digital certificate. When will it expire?

3.  What level of encryption is being used for client-server communications in this example? What is the certificate path? Is it top level, first level or second level?

4.  Now go to the BBC website bbc.co.uk. Any difference? Why?

5.  Click on “register” to go to a sign up page. Any difference now?

6.  Take a look at the digital certificate. Who is the provider? What level of encryption is being used this time? Level in certificate path? Keep a note of this and all subsequent certificate paths.

7.  Now go to tesco.com. Open or Secure?

8.  Now navigate to Tesco Direct. Open or secure? Then Toys… open or secure?

9.  Now click on a black Vertigo… and click to buy… open or secure?

10. Finally, click on the shopping cart. Open or secure? Who is the certificate provider? When will the certificate expire? Level in certificate path?

11. What about www.gov.uk? Open or secure? If the latter, who is the certificate provider? Level in certificate path?

12. Choose home pages for another three big name UK websites. http or https?
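The questions above are answered by hand from the browser's lock icon. The script below is an added example, not part of the worksheet, that does the same checks from code using only Python's standard-library ssl and socket modules: who issued the certificate, to whom, whether it is currently valid, how many days remain, and (for a live connection) the negotiated TLS version and cipher, which is what the worksheet calls the "level of encryption". The SAMPLE_CERT dictionary is constructed in the shape that getpeercert() returns so that the parsing runs offline; its names and dates are invented and describe no real site. The function names are the example's own.

```python
"""Added example: answer the worksheet's certificate questions from a script
rather than from the browser's lock icon. Standard library only."""
import socket
import ssl
import time

# A certificate in the shape ssl.SSLSocket.getpeercert() returns.
# CONSTRUCTED sample for offline use: the names and dates are made up and do
# not describe any real site's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.co.uk"),),),
    "issuer": (
        (("countryName", "GB"),),
        (("organizationName", "Example CA Ltd"),),
        (("commonName", "Example Intermediate CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.example.co.uk"), ("DNS", "example.co.uk")),
}
# A fixed "current time" so the constructed sample gives repeatable answers.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")


def _name_to_dict(rdns):
    """Flatten getpeercert()'s tuple-of-tuples name into {attribute: value}."""
    return {key: value for rdn in rdns for key, value in rdn}


def summarise_cert(cert, now=None, warn_days=30):
    """Who issued the certificate, to whom, is it valid now, how long is left."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = _name_to_dict(cert["issuer"])
    subject = _name_to_dict(cert["subject"])
    days_left = int((not_after - now) // 86400)
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        # A root ("top level") certificate is signed by itself; the leaf
        # certificate a public site serves normally is not.
        "self_signed": issuer == subject,
        "valid_now": not_before <= now <= not_after,
        "days_remaining": days_left,
        # Expired certificates are reported by valid_now, not as "soon".
        "expiring_soon": 0 <= days_left < warn_days,
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


def fetch_tls_details(host, port=443, timeout=5.0):
    """Connect to a live site and report its certificate together with the
    negotiated TLS version and cipher. create_default_context() verifies the
    chain against the OS trust store and checks the hostname, so an untrusted
    or mismatched certificate raises ssl.SSLCertVerificationError instead of
    being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _protocol, key_bits = tls.cipher()
            details = summarise_cert(tls.getpeercert())
            details.update({"tls_version": tls.version(),
                            "cipher": cipher_name,
                            "cipher_bits": key_bits})
            return details


if __name__ == "__main__":
    import sys
    # Usage: python tls_check.py amazon.co.uk bbc.co.uk tesco.com www.gov.uk
    for host in sys.argv[1:] or ["amazon.co.uk"]:
        try:
            for key, value in fetch_tls_details(host).items():
                print(f"{host}: {key} = {value}")
        except (ssl.SSLError, OSError) as exc:
            print(f"{host}: connection failed: {exc}")
```

getpeercert() returns only the site's own (leaf) certificate, so the worksheet's "level in certificate path" question cannot be answered from this dictionary alone; `openssl s_client -connect host:443 -showcerts` prints every certificate the server sends, and counting them shows how many levels sit between the site and the root.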

Exercise 4(c): Development of new software for the Internet

This all happens through RFCs (Requests for Comments). These are initially project proposals… which go through a long process of consideration by Internet-based contributors and finally get implemented (or not…)

1.  Go to www.ietf.org

2.  Find the link to the RFC pages, then open the RFC index text file. It is a very long file, with an entry for every successful RFC; the first entry dates from 1969. How many entries are there altogether? When was the most recent?

3.  Search for RFC 6520.

This was the first RFC that actually failed on security grounds (and needed to be patched two years later!)

Exercise 4(d): Data Protection and the Small Business

The Information Commissioner has recently released a tool to make life easier for a small business wishing to comply with the current Data Protection Act. Doubtless another will be released in good time before the GDPR becomes law in spring 2018:

1.  Access the questionnaire:

https://ico.org.uk//for-organisations/improve-your-practices/data-protection-toolkit/index.html

Now go through the questions…

Anything here surprise you? If you had a business would you be able to respond positively to all these questions? What of the business in assignment 1?

RCH17