COMP 210 2021 S2 Lab Schedule

Lab 1 (Semester Week 2): HTTP (Hypertext Transfer Protocol) Operation and Security

Will need some basics - not all students will have an ICT background:

- Introduction to the lab environment (esp. Linux, command-line tools)
  ...because the tools tend to be: cross-platform, extensible, transparent, and available gratis.
  Most of the labs will be hands-on computer-based practicals, but some may be more tutorial-style.
- Layered network architecture, top-down a la the old INFO 214?
  TCP/IP suite vs stack
  UDP vs TCP
  IP as an unreliable infrastructure, more like the postal system than the telephone system
  IP addressing and routing
  Service ports
  Data link and physical layer (brief intro)
  Dumb infrastructure, smarts at the outside edges
  Emphasis on client/server operating mode
- MIME message format
- HTTP/TCP
  Initial focus on HTTP because so much of the use of the Internet involves HTTP request/response messages
  MIME header format
- tcpflow, maybe Insomnia or a similar easy HTTP client
- SSL/TLS
- Introduce Web browser developer tools (Vivaldi and/or Chrome in labenv)
  F12, Ctrl+Shift+I, or Tools > Developer Tools in the browser's main menu
  also More Tools > Security tab
  Dev Tools: Network: Headers tab for a selected resource (may need to reload the page)
  Look at the mix of secure and insecure items on the Network tab (but also bear in mind that modern Web infrastructure is strongly leaning toward HTTPS for everything)
- webhook.site?
- Maybe also introduce SMTP and illustrate how e-mail sending is negotiated between client and server.

Sections (Tiddlywiki):
  Introduction
  Tiddlywiki
  Lab Environment
  Command-Line Environment

Required tools for labenv:
[Y] Vivaldi/Chromium
[Y] curl
[Y] tcpflow
[Y] mkcert

Issues:
[ ] how to deploy certs to Tomcat?!
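Worked example for the HTTP/MIME-header part of Lab 1 (added here for the notes; it is not course code and not taken from any of the linked pages). It parses a cleartext HTTP/1.1 request and response the way tcpflow prints the two directions of a TCP connection, and then lists what a passive eavesdropper learns: the form fields, the Cookie header, and whether the server's Set-Cookie carried the Secure and HttpOnly attributes. The request/response bytes, host name and cookie values are constructed sample data, not a real capture.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample exchange (not a real trace): a login form POST to a local
# Tomcat on port 8080 and its reply, as `tcpflow -c port 8080` would show them.
REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Vivaldi/4.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"Cookie: JSESSIONID=0123456789ABCDEF\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21"
)
RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: JSESSIONID=FEDCBA9876543210; Path=/; HttpOnly\r\n"
    b"Location: http://localhost:8080/welcome\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


@dataclass
class HttpMessage:
    start_line: str                      # request line or status line
    headers: list[tuple[str, str]]       # MIME-style "Name: value" pairs, in order
    body: bytes

    def get(self, name: str) -> list[str]:
        """Header names are case-insensitive (RFC 7230, as in MIME)."""
        return [v for k, v in self.headers if k.lower() == name.lower()]


def parse_http_message(raw: bytes) -> HttpMessage:
    """Split an HTTP/1.x message into start line, headers and body.

    The header block ends at the first empty line (CRLF CRLF). Headers are
    decoded as ISO-8859-1 so no byte is lost. Obsolete line folding is not
    handled; modern clients and servers do not emit it.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return HttpMessage(lines[0], headers, body)


def eavesdrop(request_raw: bytes, response_raw: bytes) -> dict:
    """Summarise what an observer of the cleartext TCP stream can read."""
    req = parse_http_message(request_raw)
    resp = parse_http_message(response_raw)
    # Content-Length tells the reader where the body ends (no chunking here).
    declared = req.get("Content-Length")
    body = req.body[: int(declared[0])] if declared else req.body
    findings: dict = {
        "request": req.start_line,
        "status": resp.start_line,
        "request_cookies": req.get("Cookie"),
        "set_cookie_flags": [],
    }
    ctype = req.get("Content-Type")
    if ctype and ctype[0].startswith("application/x-www-form-urlencoded"):
        # The form submission, password included, is plain text on the wire.
        findings["form_fields"] = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    for set_cookie in resp.get("Set-Cookie"):
        parts = set_cookie.split(";")
        attrs = {a.strip().lower() for a in parts[1:]}
        # Without Secure the browser will also send this cookie over plain HTTP;
        # without HttpOnly page scripts can read it.
        findings["set_cookie_flags"].append({
            "name": parts[0].split("=", 1)[0],
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return findings


if __name__ == "__main__":
    for key, value in eavesdrop(REQUEST, RESPONSE).items():
        print(f"{key}: {value}")
```

The same parser applies to the real two-direction files that tcpflow writes; the lesson for students is that every field above is readable until the Tomcat connector is moved to HTTPS (Lab 2).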
    https://stackoverflow.com/questions/59479181/what-are-the-steps-to-configure-ssl-for-tomcat
    https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
    or, better: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
    Note: Tomcat 8.5+ can read PEM files directly (certificateFile / certificateKeyFile on a <Certificate> inside the HTTPS connector's <SSLHostConfig>, per the ssl-howto above), so the two .pem files mkcert writes can be used as-is without converting them into a Java keystore.
  * What was the lab (in INFO 201?) where we had the students deploy a Tomcat instance? That would have had useful starting files and instructions. But the gist was something like:
        tomcat9-instance-create
        tcpflow port 8080   (needs root to capture; add -c to print flows to the console instead of writing one file per flow)

topic/mkcert
    There are root CA certs.
    aliases.d only exists under the student profile (not infoadmin), but the sources are at /usr/local/home/aliases.d so you can copy stuff manually from there if need be. (I assume that students will automatically get a ~/.aliases.d..??)
    tc
    Note that the NSS trust store is used by the standard system browsers (but not Java, which has its own cacerts keystore; that only matters for Java clients, since Tomcat as the server just needs the certificate and key).
    mkcert -install   (installs the mkcert root CA into the system and browser NSS trust stores; mkcert -CAROOT shows where the root CA files live)
    then mkcert localhost 127.0.0.1 and check that the cwd has two new files (.pem: the server certificate and its private key)
    https://isgb.otago.ac.nz/infosci/mark.george/Wiki/wiki/mkcert%20and%20CA%20certificates
    e.g. how to view installed certs: certutil -L -d /path/to/certs, e.g. certutil -L -d ~/.pki/nssdb
    PKI = Public Key Infrastructure
    vivaldi://settings/certificates or chrome://settings/certificates and look for org-mkcert development CA
    Note that NSS (https://en.wikipedia.org/wiki/Network_Security_Services) != NSS as in nsswitch.conf

[Y] https://whynohttps.com and further interesting data and analysis here https://scotthelme.co.uk/tag/crawl/
[ ] TODO: use tcpflow to examine insecure content. Will need instructions on setting up a Tomcat server instance. Might also want to provide a simple form submission application. At least some static HTML pages...
TODO: separate tiddler on security certificates, CAs, signing, chains, HTTPS.
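Worked example for the "mix of secure and insecure items" that students will see on the Network tab once the local Tomcat serves HTTPS but some resources still point at the HTTP connector (added here for the notes; not course code and not from whynohttps.com or the Scott Helme crawl). It collects the subresource references from a page and classifies each as secure, active mixed content (scripts, frames, stylesheets, which browsers block), passive mixed content (images and media, which browsers upgrade or block) or an insecure form submission. The HTML and host names are constructed sample input; the classification approximates the rules current Chromium- and Firefox-based browsers apply, it is not a browser's exact algorithm.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute carries the subresource URL for each tag we care about.
SUBRESOURCE_ATTR = {
    "script": "src", "iframe": "src", "link": "href", "object": "data",
    "embed": "src", "img": "src", "audio": "src", "video": "src",
    "form": "action",
}
PASSIVE_TAGS = {"img", "audio", "video"}   # cannot run code; browsers upgrade or block these

# Constructed sample page (not a real site): served over HTTPS from the local
# Tomcat, but some references still point at the plain-HTTP connector.
PAGE_URL = "https://localhost:8443/index.html"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="http://cdn.example.test/jquery.js"></script>
</head><body>
  <img src="//images.example.test/logo.png">
  <img src="http://localhost:8080/banner.png">
  <form action="http://localhost:8080/login" method="post">
    <input name="username"><input name="password" type="password">
  </form>
  <a href="http://localhost:8080/old">navigation link, not a subresource</a>
</body></html>
"""


class SubresourceCollector(HTMLParser):
    """Record (tag, raw URL) for every tag that loads or submits to a URL."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTR.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return                              # icons, preloads etc. are not treated here
        if a.get(attr):
            self.refs.append((tag, a[attr]))


def audit_mixed_content(page_url: str, html: str) -> list[dict]:
    page_scheme = urlsplit(page_url).scheme
    collector = SubresourceCollector()
    collector.feed(html)
    report = []
    for tag, ref in collector.refs:
        # urljoin resolves relative, protocol-relative ("//host/x") and absolute refs.
        absolute = urljoin(page_url, ref)
        scheme = urlsplit(absolute).scheme
        if page_scheme == "https" and scheme == "http":
            if tag == "form":
                kind = "insecure form submission"
            elif tag in PASSIVE_TAGS:
                kind = "passive mixed content"
            else:
                kind = "active mixed content"
        elif scheme == "https":
            kind = "secure"
        elif scheme == "http":
            kind = "insecure"                   # on an http page everything is cleartext anyway
        else:
            kind = "other"                      # data:, javascript:, mailto: ...
        report.append({"tag": tag, "url": absolute, "kind": kind})
    return report


if __name__ == "__main__":
    for item in audit_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{item['kind']:26} {item['tag']:6} {item['url']}")
```

Point for the lab: the protocol-relative logo reference is fine because it inherits the page's scheme, while the hard-coded http:// script, image and form action are exactly the items that show up as insecure (or silently blocked) in the browser's Network and Security tabs.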
[ ] Install the net-tools package to provide the `route` and `netstat` commands, although we can use `ss -plunt` for socket status (and `ip route` for the routing table).

Lab 2 (Semester Week 3):

- Tomcat (simple deployment of a static Web page, perhaps provide a trivial form + response)
- tcpflow (check the insecurity of a visit to the local Tomcat: form fields and session cookies are visible in cleartext)
- mkcert (enable HTTPS on the local Tomcat, verify that the visit is now secure)
- Motivation: spambots on forums, etc.
- Simple captcha demo
  Very simple arithmetic example a la Community Roadwatch?
  Maybe hook into Google's reCAPTCHA provider?
  Reading:
    https://www.theverge.com/2019/2/1/18205610/google-captcha-ai-robot-human-difficult-artificial-intelligence
    https://www.cloudflare.com/en-gb/learning/bots/how-captchas-work/
- Credential stuffing
    https://www.cloudflare.com/en-gb/learning/bots/what-is-credential-stuffing/
- Filter-based countermeasures: delays, checks on user agent, check for session cookies (should be present on all but the first transaction).
  Caveat to make in the lab: a bot can set any User-Agent and replay any cookie, so these are cheap filters that raise the attacker's cost and feed rate-limiting decisions, not authentication.
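Worked example for the "simple captcha demo" (added here for the notes; not course code, not Community Roadwatch's implementation and nothing to do with reCAPTCHA). The arithmetic question itself is trivial and a bot that can parse the text can solve it, so the part worth showing is the server side: the challenge is issued as a stateless token (nonce, expiry, HMAC over nonce|expiry|answer under a server-side key), the answer is verified with a constant-time comparison, expired tokens are refused and a nonce can be redeemed only once. The key, time-to-live and operand range are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment secret; generated at start-up for this example. In a real
# deployment it would be loaded from configuration, never sent to the client.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 120          # assumption: two minutes to answer
USED_NONCES: set[str] = set()   # single-process replay guard; a shared cache in production


def _mac(nonce: str, exp: int, answer: int) -> str:
    """Bind the correct answer to this nonce and expiry without revealing it."""
    msg = f"{nonce}|{exp}|{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_challenge(a: int | None = None, b: int | None = None,
                   now: float | None = None) -> tuple[str, str]:
    """Return (question, token). Operands default to random 1..9."""
    a = secrets.randbelow(9) + 1 if a is None else a
    b = secrets.randbelow(9) + 1 if b is None else b
    exp = int(time.time() if now is None else now) + TTL_SECONDS
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{exp}.{_mac(nonce, exp, a + b)}"
    return f"What is {a} + {b}?", token


def verify_answer(token: str, answer, now: float | None = None) -> bool:
    """Accept exactly once, before expiry, only if the MAC matches the answer."""
    try:
        nonce, exp_s, mac = token.split(".")
        exp = int(exp_s)
        answer = int(answer)
    except (ValueError, AttributeError):
        return False                        # malformed token or non-numeric answer
    current = time.time() if now is None else now
    if current > exp:
        return False                        # expired
    if nonce in USED_NONCES:
        return False                        # replay of an already-redeemed token
    if not hmac.compare_digest(mac, _mac(nonce, exp, answer)):
        return False                        # wrong answer or tampered token
    USED_NONCES.add(nonce)
    return True


if __name__ == "__main__":
    question, token = make_challenge()
    print(question)
    print("token for the form's hidden field:", token)
```

Because the token carries its own expiry and MAC, the server stores nothing per challenge except the redeemed nonces, which can be forgotten once their expiry has passed.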
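Worked example for the credential-stuffing and filter-based countermeasures items (added here for the notes; not course code). It runs the filters named above over a constructed request log: scripted User-Agent strings, missing session cookie on anything but a client's first request, a burst of requests inside a short window (where a delay would be imposed), and the credential-stuffing signature of many distinct usernames failing to log in from one address. The log lines, addresses, usernames and thresholds are all constructed assumptions for the example, not data from any real server.

```python
import re
from collections import defaultdict
from datetime import datetime

# User-Agent values that identify scripted clients (or no User-Agent at all).
SCRIPTED_UA = re.compile(r"python-requests|curl/|Go-http-client|^$", re.I)

# Constructed sample log, one request per line:
# time | client IP | request | status | session cookie present? | User-Agent | username (login POSTs only)
SAMPLE_LOG = """
2021-08-02T10:00:00 | 198.51.100.23 | GET / | 200 | no | Mozilla/5.0 (X11; Linux x86_64) Vivaldi/4.1 | -
2021-08-02T10:00:04 | 198.51.100.23 | GET /login | 200 | yes | Mozilla/5.0 (X11; Linux x86_64) Vivaldi/4.1 | -
2021-08-02T10:00:15 | 198.51.100.23 | POST /login | 302 | yes | Mozilla/5.0 (X11; Linux x86_64) Vivaldi/4.1 | bob
2021-08-02T10:01:00 | 203.0.113.7 | POST /login | 401 | no | python-requests/2.25.1 | alice
2021-08-02T10:01:01 | 203.0.113.7 | POST /login | 401 | no | python-requests/2.25.1 | bob
2021-08-02T10:01:02 | 203.0.113.7 | POST /login | 401 | no | python-requests/2.25.1 | carol
2021-08-02T10:01:03 | 203.0.113.7 | POST /login | 401 | no | python-requests/2.25.1 | dave
2021-08-02T10:01:04 | 203.0.113.7 | POST /login | 401 | no | python-requests/2.25.1 | erin
2021-08-02T10:01:05 | 203.0.113.7 | POST /login | 401 | no | python-requests/2.25.1 | frank
"""


def parse_log(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        ts, ip, request, status, cookie, ua, user = [f.strip() for f in line.split("|")]
        rows.append({
            "ts": datetime.fromisoformat(ts), "ip": ip, "request": request,
            "status": int(status), "cookie": cookie == "yes", "ua": ua,
            "user": None if user == "-" else user,
        })
    return rows


def assess(rows: list[dict], window_s: int = 10, burst: int = 5,
           stuffing_users: int = 4) -> dict[str, list[str]]:
    """Return the filter flags raised per client IP (empty list = nothing suspicious)."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r)
    verdicts = {}
    for ip, reqs in by_ip.items():
        flags = set()
        for i, r in enumerate(reqs):
            if SCRIPTED_UA.search(r["ua"]):
                flags.add("scripted user agent")
            # A browser that accepted the first response's Set-Cookie sends it back
            # on every later request; a fresh session per request is a bot tell.
            if i > 0 and not r["cookie"]:
                flags.add("no session cookie after first request")
            recent = [x for x in reqs[: i + 1]
                      if (r["ts"] - x["ts"]).total_seconds() <= window_s]
            if len(recent) > burst:
                flags.add("burst: add delay")
            failed_users = {x["user"] for x in recent
                            if x["request"] == "POST /login" and x["status"] == 401 and x["user"]}
            if len(failed_users) >= stuffing_users:
                flags.add("credential stuffing pattern")
        verdicts[ip] = sorted(flags)
    return verdicts


if __name__ == "__main__":
    for ip, flags in assess(parse_log(SAMPLE_LOG)).items():
        print(ip, flags or "ok")
```

The stuffing rule keys on distinct usernames rather than failure count alone: one user mistyping a password several times fails the same name repeatedly, whereas a stuffing run walks a breached list and rarely repeats a name. Each rule is cheap and each is individually evadable, which is why they are combined and used to trigger delays rather than outright blocks.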