Unit 6 Security Issues of Electronic Commerce

Study guide: this unit covers the Internet security issues of electronic commerce, the security of client computers in electronic commerce, and the security of computer network communication channels in electronic commerce.

6.1 The Internet Security of Electronic Commerce

6.1.1 Network and Electronic Commerce

In the early days of the Internet, one of its most popular uses was electronic mail. Despite e-mail's popularity, people have often worried that a business rival might intercept e-mail messages for competitive gain. Another fear was that employees' non-business correspondence might be read by their supervisors, with negative repercussions. These were significant and realistic concerns.

Today, the stakes are much higher. The consequences of a competitor having unauthorized access to messages and digital intelligence are now far more serious than in the past. Electronic commerce, in particular, makes security a concern for all users.

A typical worry of Web shoppers is that their credit card numbers might be exposed to millions of people as the information travels across the Internet. Recent surveys show that more than 80 percent of all Internet users have at least some concern about the security of their credit card numbers in electronic commerce transactions. This echoes the fear shoppers have expressed
for many years about credit card purchases over the phone.

6.1.2 Computer Security Classifications

Computer security is generally classified into three categories: secrecy, integrity, and necessity (also known as denial of service).

Secrecy refers to protecting against unauthorized data disclosure and ensuring the authenticity of the data source. Integrity refers to preventing unauthorized data modification. Necessity refers to preventing data delays or denials.

Secrecy is the best known of the computer security categories. Every month, newspapers report on break-ins to government computers or on the theft of credit card numbers that are then used to order goods and services.

Integrity threats are reported less frequently and, thus, may be less familiar to the public. For example, an integrity violation occurs when an Internet e-mail message is intercepted and its contents are changed before it is forwarded to its original destination. In this type of integrity violation, which is called a man-in-the-middle exploit, the contents of the e-mail are often changed in a way that negates the message's original meaning.

Necessity violations take several forms, and they occur relatively frequently. Delaying a message or completely destroying it can invite grave consequences. Suppose that a message sent at 10:00 a.m. to an online stockbroker includes an order to purchase 1000 shares of IBM at market price. If the stockbroker does not receive the message (because an attacker delays it) until 2:30 p.m. and IBM's stock price has increased by $3, the buyer loses $3000.

6.1.3 Security Management

Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. Any act or object that poses a danger to computer assets is known as a threat.

The risk management model applies to protecting Internet and electronic commerce assets from both physical and electronic threats. Examples of the latter include impostors, eavesdroppers, and thieves. An eavesdropper, in this context, is a person or device that can listen in on and copy Internet transmissions. People who write programs or manipulate technologies to obtain unauthorized access to computers and networks are called crackers or hackers.

To implement a good security scheme, organizations must identify risks, determine how to protect threatened assets, and calculate how much to spend on protecting those assets. In this chapter, the primary focus in risk management protection is on the central issues of identifying the threats and determining the ways to protect assets from those threats, rather than on the protection costs or the value of the assets.

6.2 Security for Client Computers

Client
computers, usually PCs, must be protected from threats that originate in software and data that are downloaded to the client computer from the Internet. In this section, you will learn that active content delivered over the Internet in dynamic Web pages can be harmful. Another threat to client computers can arise when a malevolent server site masquerades as a legitimate Web site. Users and their client computers can be duped into revealing information to those Web sites. This section explains these threats, describes how they work, and outlines some protection mechanisms that can prevent or reduce the threats they pose to client computers.

6.2.1 Cookies

Cookies are small text files that Web servers place on Web client computers to identify returning visitors. Cookies also allow Web servers to maintain continuing open sessions with Web clients. An open session is necessary to do a number of things that are important in online business activity. For example, shopping and payment processing software both need an open session to work properly. Early in the history of the Web, cookies were devised as a way to maintain an open session despite the stateless nature of Internet connections. Thus, cookies solve the stateless connection problem by saving information about a Web user from one set of server-client message exchanges to the next.

6.2.2 Active Content

Until the debut of executable Web content, Web pages could do little more than display content and provide links to related pages with additional information. The widespread use of active content has changed the situation. Active content refers to programs that are embedded transparently in Web pages and that cause actions to occur. For example, active content can display moving graphics, download and play audio, or implement Web-based spreadsheet programs. Active content is used in electronic commerce to place items into a shopping cart and compute a total invoice amount, including sales tax, handling, and shipping costs.

Developers use active content because it extends the functionality of HTML and moves some data processing chores from the busy server machine to the user's client computer. Unfortunately, because active content elements are programs that run on the client computer, active content can damage the client computer. Thus, active content can pose a threat to the security of client computers.

Active content is provided in several forms. The best-known active content forms are cookies, Java applets, JavaScript, VBScript, and ActiveX controls. Other ways to provide Web active content include graphics, Web browser plug-ins, and e-mail attachments.

6.2.3 Java Applets

Java is a programming language developed by Sun Microsystems that is used widely in Web pages to provide active content. The Web server sends the Java applets along with the Web pages requested by the Web client. In most cases, the Java applet's operation will be visible to the site visitor; however, it is possible for a Java applet to perform functions that would not be noticed by the site visitor. The client computer then runs the programs within its Web browser.

Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer. That relieves
an otherwise busy server-side program from handling thousands of transactions simultaneously. Once downloaded, embedded Java code can run on a client's computer, which means that security violations can occur. To counter this possibility, a security model called the Java sandbox has been developed. The Java sandbox confines Java applet actions to a set of rules defined by the security model. These rules apply to all untrusted Java applets.

6.2.4 ActiveX Controls

The security danger with ActiveX controls is that once they are downloaded, they execute like any other program on a client computer. They have full access to all system resources, including operating system code. An ill-intentioned ActiveX control could reformat a user's hard disk, rename or delete files, send e-mails to all the people listed in the user's address book, or simply shut down the computer. Because ActiveX controls have full access to client computers, they can cause secrecy, integrity, or necessity violations.

The actions of ActiveX controls cannot be halted once they begin execution. Most Web browsers can be configured to provide a notice when the user is about to download an ActiveX control. Figure 8-1 shows an example of the warning issued when Internet Explorer detects an ActiveX control.

Figure 8-1 Internet Explorer ActiveX control warning message

6.2.5 Graphics and Plug-Ins

Graphics, browser plug-ins, and e-mail attachments can harbor executable content. Some graphics file formats have been designed specifically to contain instructions on how to render a graphic. That means that any Web page containing such a graphic could be a threat, because the code embedded in the graphic could cause harm to a client computer. Plug-ins are normally beneficial and perform tasks for a browser, such as playing audio clips, displaying movies, or animating graphics. Apple's QuickTime, for example, is a plug-in that downloads and plays movies stored in a special format.

6.2.6 Viruses and Worms

A virus is a small program that attaches itself to another program and can cause damage when the host program is
activated. A worm is a type of virus that replicates itself on the computers that it infects. Worms can spread quickly through the Internet. A macro virus is a type of virus that is coded as a small program, called a macro, and is embedded in a file. You have probably read about or have personally experienced recent examples of e-mail attachment-borne virus attacks.

6.2.7 Digital Certificates

One way to control threats from active content is to use digital certificates. A digital certificate or digital ID is an attachment to an e-mail message or a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be. In addition, the digital certificate contains a means to send an encrypted message (encoded so others cannot read it) to the entity that sent the original Web page or e-mail message. In the case of a downloaded program containing a digital certificate, the encrypted message identifies the software publisher (ensuring that the identity of the software publisher matches the certificate) and indicates whether the certificate has expired or is still valid.

The digital certificate is a signed message or code. Signed code or messages serve the same function as a photo on a driver's license or passport: they provide proof that the holder is the person identified by the certificate. Just like a passport, a certificate does not imply anything about either the usefulness or quality of the downloaded program. The certificate only supplies a level
of assurance that the software is genuine. The idea behind a certificate is that if the user trusts the software developer, signed software can be trusted because, as proven by the certificate, it came from that trusted developer.

Digital certificates are used for many different types of online transactions, including electronic commerce, electronic mail, and electronic funds transfers. A digital ID verifies a Web site to a shopper and, optionally, identifies a shopper to a Web site. Web browsers or e-mail programs exchange digital certificates automatically and invisibly when requested to validate the identity of each party involved in a transaction.

6.3 Communication Channel Security

Today, the Internet remains largely unchanged from its original, insecure state. Message packets on the Internet travel an unplanned path from a source node to a destination node. A packet passes through a number of intermediate computers on the network before reaching its final destination. The path can vary each time a packet is sent between the same source and destination points. Because users cannot control the path and do not know where their packets have been, it is possible that an intermediary can read the packets, alter them, or even delete them. That is, any message traveling on the Internet is subject to secrecy, integrity, and necessity threats.

Vocabulary

rival /ˈraɪvl/ n. opponent, competitor; a. competing; vt. to rival, to be a match for
intercept /ˌɪntəˈsept/ n. interception, obstruction, intercept (geometry); v. to intercept, to block, to seize; (computing) to intercept, to trap
correspondence /ˌkɒrɪˈspɒndəns/ n. agreement, communication, letters
repercussion /ˌriːpəˈkʌʃn/ n. rebound, repercussion, reflection
stake /steɪk/ n. post, wager, prize, the issue at stake; v. to bet, to wager
integrity /ɪnˈtegrɪti/ n. honesty, uprightness, completeness, soundness
disclosure /dɪsˈkləʊʒə/ n. exposure, revelation
authenticity n. genuineness, reliability
destination /ˌdestɪˈneɪʃn/ n. destination, end point
negate /nɪˈgeɪt/ v. to negate, to deny, to cancel out
grave /greɪv/ a. solemn, serious, severe; n. grave, tomb
asset /ˈæset/ n. asset, something useful, advantage, strength
impostor /ɪmˈpɒstə/ n. impersonator, swindler
eavesdropper /ˈiːvzˌdrɒpə(r)/ n. a person who listens in secretly
malevolent /məˈlevələnt/ a. malicious, spiteful
masquerade /ˌmæskəˈreɪd, ˌmɑːs-/ n. masked ball; v. to disguise oneself
session /ˈseʃn/ n. meeting, court sitting, trading session, (computing) session
devise /dɪˈvaɪz/ v. to design, to devise
filter /ˈfɪltə/ n. sieve, filter (electronics), strainer, color filter; v. to filter, to seep through, to leak out; (computing) to filter
transparently /trænsˈpærəntli/ ad. transparently (letting a given radiation pass through; obviously)
applet n. a small Java application
attachment /əˈtætʃmənt/ n. attachment, attaching, accessory, affection
configure /kənˈfɪgə/ v. to configure
detect /dɪˈtekt/ v. to discover; (computing) to detect
harbor /ˈhɑːbə/ n. harbor, refuge; v. to shelter, to hide, to conceal, to store
render /ˈrendə/ vt. to provide, to repay, to color, to cause, to display; vi. to make compensation; n. payment, plastering, first coat
infect /ɪnˈfekt/ v. to infect
license /ˈlaɪsns/ n. license, permit, franchise; vt. to permit, to license
genuine /ˈdʒenjʊɪn/ a. real, authentic, sincere
node /nəʊd/ n. knot, nodule, lump; (computing) node
intermediate /ˌɪntəˈmiːdjət/ a. intermediate, middle; n. intermediate, medium
encryption /ɪnˈkrɪpʃn/ n. encryption

Phrases

man-in-the-middle exploit: fraud against both parties (man-in-the-middle attack)
risk management: risk management
JavaScript: the Java scripting language
VBScript: the VB scripting language
ActiveX controls: networked multimedia object controls
ill-intentioned: malicious
digital certificate: digital certificate
message packet: data packet, message packet
macro virus: macro virus

Abbreviations

ID: Identification (identity)

Notes to the Passage

1. The consequences of a competitor having unauthorized access to messages and digital intelligence are now far more serious than in the past. Meaning: the consequences of a competitor gaining unauthorized access to a company's messages and digital content are more serious than ever before. The core of the sentence is: The consequences are now far more serious than in the past.

2. An integrity violation occurs when an Internet e-mail message is intercepted and its contents are changed before it is forwarded to its original destination. Meaning: if an e-mail message is intercepted before being sent on to its original destination and its contents are modified, we say that an integrity violation has occurred. 1) The main clause is: an integrity violation occurs. 2) "when" introduces two coordinate adverbial clauses of time. A: an Internet e-mail message is intercepted before it is forwarded to its original destination. B: its contents are changed before it is forwarded to its original destination.
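A worked illustration, added here and not part of the original passage, of the integrity and necessity violations from 6.1.2: the stock order carries a keyed hash (HMAC-SHA256) over its fields and its send time, so the broker can detect both an order altered by a man-in-the-middle and an order held back until 2:30 p.m. The shared key, the field names, the sample date and the five-minute freshness window are constructed assumptions; secrecy (encryption) is not covered.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed values for this example: a key shared by client and broker
# (provisioned out of band) and how late an order may arrive and still count.
SHARED_KEY = b"constructed-example-key-do-not-reuse"
MAX_DELAY = timedelta(minutes=5)

# The order from 6.1.2: sent at 10:00 a.m., buy 1000 shares of IBM at market price.
ORDER = {"symbol": "IBM", "shares": 1000, "price": "market",
         "sent_at": "2024-05-06T10:00:00"}  # constructed sample date


def sign_order(order, key=SHARED_KEY):
    """Client side: attach an HMAC-SHA256 tag over the order's canonical JSON form."""
    body = json.dumps(order, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"order": order, "tag": tag}


def verify_order(envelope, received_at, key=SHARED_KEY):
    """Broker side: 'ok', 'integrity' (altered in transit) or 'necessity' (too late)."""
    body = json.dumps(envelope["order"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison, so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, envelope["tag"]):
        return "integrity"
    sent_at = datetime.fromisoformat(envelope["order"]["sent_at"])
    if received_at - sent_at > MAX_DELAY:
        return "necessity"
    return "ok"


def demo():
    """Run the three cases from the passage and return the broker's verdict for each."""
    signed = sign_order(ORDER)
    day = datetime(2024, 5, 6)
    on_time = verify_order(signed, day.replace(hour=10, minute=1))
    # An intermediary changes the quantity but cannot recompute the keyed tag.
    altered = copy.deepcopy(signed)
    altered["order"]["shares"] = 10000
    tampered = verify_order(altered, day.replace(hour=10, minute=1))
    # Unchanged, but held back until 2:30 p.m., past the freshness window.
    delayed = verify_order(signed, day.replace(hour=14, minute=30))
    return {"on_time": on_time, "tampered": tampered, "delayed": delayed}
```

Calling demo() returns {'on_time': 'ok', 'tampered': 'integrity', 'delayed': 'necessity'}; the tag alone cannot recover a message that the attacker destroys outright, which is why the broker also needs the timestamp and a policy for orders that never arrive.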