COMP 210 2021 S2 Lab Schedule

Lab 1 (Semester Week 2): HTTP (Hypertext Transfer Protocol) Operation and Security
	Will need some basics - not all students will have an ICT background:
	 - Introduction to the lab environment (esp. Linux, command-line tools)
		...because the tools tend to be: cross-platform, extensible, transparent, and available gratis
		Most of the labs will be hands-on computer-based practicals, but some may be more tutorial-style
	 - Layered network architecture, top-down a la the old INFO 214?
		suite vs stack
		UDP vs TCP
		IP as an unreliable infrastructure, more like the postal system than the telephone system
		IP addressing and routing
		Service ports
		data link and physical layer (brief intro)
		Dumb infrastructure, smarts at the outside edges
		Emphasis on client/server operating mode
	 - MIME message format
		Initial focus on HTTP because so much of the use of the Internet involves HTTP
		request/response messages
		MIME header format
	 - tcpflow, maybe insomnia or similar easy HTTP client
	 - Introduce Web browser developer tools (Vivaldi and/or Chrome in labenv)
		F12, Ctrl+Shift+I, Tools > Developer Tools in the browser's main menu
		also More Tools > Security tab
		Dev Tools: Network: Headers tab for a selected resource (may need to reload page)
		Look at mix of secure and insecure items on Network tab (but also bear in mind that modern Web infrastructure is strongly leaning toward HTTPS for everything)

	 - Maybe also introduce SMTP and illustrate how e-mail sending is negotiated between client and server.
	Sections (Tiddlywiki):
		Lab Environment
		Command-Line Environment
	Required tools for labenv:
		[Y] Vivaldi/Chromium
		[Y] curl
		[Y] tcpflow
		[Y] mkcert

		[ ] how to deploy certs to Tomcat?!
			or, better:
			* What was the lab (in INFO 201?) where we had the students deploy a Tomcat instance? That would have had useful starting files and instructions.
				but the gist was something like

tcpflow port 8080


there are root CA certs

aliases.d only exists under student profile (not infoadmin)

	but the sources are at /usr/local/home/aliases.d
	so you can copy stuff manually from there if need be.
	(I assume that students will automatically get a ~/.aliases.d..??)

Note that nss trust store is used by the standard system browsers (but not Java).

	mkcert -install


	mkcert localhost

and check that the cwd has two new files (pem)
	e.g. how to view installed certs
	certutil -L -d /path/to/certs
	certutil -L -d ~/.pki/nssdb
		PKI = Public Key Infrastructure

		and look for org-mkcert development CA
Note that NSS here (Network Security Services) != NSS as in nsswitch.conf (Name Service Switch)


and further interesting data and analysis here

[ ] 
TODO: use tcpflow to examine insecure content. Will need instructions on setting up a Tomcat server instance. Might also want to provide a simple form submission application. At least some static HTML pages...

TODO: separate tiddler on security certificates, CAs, signing, chains, HTTPS.

	[ ]  Install net-tools package to provide `route` and `netstat` commands
		although we can use `ss -plunt` for socket status

Lab 2 (Semester Week 3): 

	- Tomcat (simple deployment of a static Web page, perhaps provide a trivial form + response)
	- tcpflow (check insecurity of visit to the local Tomcat)
	- mkcert (enable HTTPS on local Tomcat, verify secure)

	 - Motivation: spambots on forums, etc.

	 - Simple captcha demo
		Very simple arithmetic example a la Community Roadwatch?
		Maybe hook into Google's reCAPTCHA provider?

	 - Credential-stuffing

	- Filter-based countermeasures: delays, checks on user agent, check for session cookies (should be present on all but the first transaction)
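
A sketch of the filter-based countermeasures listed above (delays, user-agent check, session-cookie check). This is an added example, not part of the original lab material. The class and function names, the thresholds, the per-IP keying and the sample traffic are assumptions made for illustration; JSESSIONID is Tomcat's default session cookie name.

```python
from dataclasses import dataclass, field

# Assumed values for illustration; tune per site.
SCRIPTED_AGENTS = ("curl/", "python-requests", "wget/", "go-http-client")
SESSION_COOKIE = "jsessionid="  # Tomcat's default session cookie, lowercased
BASE_DELAY, MAX_DELAY = 1.0, 30.0  # seconds

@dataclass
class ClientState:
    requests_seen: int = 0
    failed_logins: int = 0

@dataclass
class RequestFilter:
    clients: dict = field(default_factory=dict)  # keyed by client IP (assumption)

    def check(self, client_ip, headers, login_failed=False):
        """Return (action, delay_seconds, reasons); the caller applies the delay."""
        state = self.clients.setdefault(client_ip, ClientState())
        hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        reasons = []
        agent = hdrs.get("user-agent", "").lower()
        if not agent:
            reasons.append("missing User-Agent")
        elif any(agent.startswith(s) for s in SCRIPTED_AGENTS):
            reasons.append("scripted User-Agent")
        # The server sets the session cookie in its first response, so only
        # the second and later requests are expected to send it back.
        if state.requests_seen > 0 and SESSION_COOKIE not in hdrs.get("cookie", "").lower():
            reasons.append("no session cookie after first transaction")
        state.requests_seen += 1
        state.failed_logins += int(login_failed)
        # Delay doubles with each failed login (1, 2, 4, ...) up to MAX_DELAY.
        delay = 0.0
        if state.failed_logins:
            delay = min(BASE_DELAY * 2 ** (state.failed_logins - 1), MAX_DELAY)
        return ("challenge" if reasons else "allow"), delay, reasons

def demo():
    """Constructed traffic: a browser session, then a scripted client failing logins."""
    f = RequestFilter()
    browser = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
    out = [f.check("10.0.0.5", browser)]
    out.append(f.check("10.0.0.5", {**browser, "Cookie": "JSESSIONID=abc123"}))
    bot = {"user-agent": "curl/7.68.0"}
    out += [f.check("10.0.0.9", bot, login_failed=True) for _ in range(3)]
    return out
```

A "challenge" result is where the captcha from the same lab would be shown rather than blocking outright. User-Agent is supplied by the client, so it is a weak signal on its own and is combined here with the cookie and delay checks.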