COMP 210 2021 S2 Lab Schedule
Lab 1 (Semester Week 2): HTTP (Hypertext Transfer Protocol) Operation and Security
Will need some basics - not all students will have an ICT background:
- Introduction to the lab environment (esp. Linux, command-line tools)
...because the tools tend to be: cross-platform, extensible, transparent, and available gratis
Most of the labs will be hands-on computer-based practicals, but some may be more tutorial-style
- Layered network architecture, top-down a la the old INFO 214?
suite vs stack
UDP vs TCP
IP as an unreliable infrastructure, more like the postal system than the telephone system
IP addressing and routing
data link and physical layer (brief intro)
Dumb infrastructure, smarts at the outside edges
Emphasis on client/server operating mode
- MIME message format
Initial focus on HTTP because so much of the use of the Internet involves HTTP
MIME header format
- tcpflow, maybe insomnia or similar easy HTTP client
- Introduce Web browser developer tools (Vivaldi and/or Chrome in labenv)
F12, Ctrl+Shift+I, Tools > Developer Tools in the browser's main menu
also More Tools > Security tab
Dev Tools: Network: Headers tab for a selected resource (may need to reload page)
Look at mix of secure and insecure items on Network tab (but also bear in mind that modern Web infrastructure is strongly leaning toward HTTPS for everything)
- Maybe also introduce SMTP and illustrate how e-mail sending is negotiated between client and server.
Required tools for labenv:
[ ] how to deploy certs to Tomcat?!
* What was the lab (in INFO 201?) where we had the students deploy a Tomcat instance? That would have had useful starting files and instructions.
but the gist was something like
`tcpflow port 8080`
there are root CA certs
aliases.d only exists under student profile (not infoadmin)
but the sources are at /usr/local/home/aliases.d
so you can copy stuff manually from there if need be.
(I assume that students will automatically get a ~/.aliases.d..??)
Note that the NSS trust store is used by the standard system browsers (but not Java).
`mkcert localhost 127.0.0.1`
and check that the current working directory has two new files (.pem)
e.g. how to view installed certs
`certutil -L -d /path/to/certs`
`certutil -L -d ~/.pki/nssdb`
PKI = Public Key Infrastructure
and look for org-mkcert development CA
Note that NSS (https://en.wikipedia.org/wiki/Network_Security_Services) != NSS as in nsswitch.conf
and further interesting data and analysis here
TODO: use tcpflow to examine insecure content. Will need instructions on setting up a Tomcat server instance. Might also want to provide a simple form submission application. At least some static HTML pages...
TODO: separate tiddler on security certificates, CAs, signing, chains, HTTPS.
[ ] Install net-tools package to provide `route` and `netstat` commands
although we can use `ss -plunt` for socket status
Lab 2 (Semester Week 3):
- Tomcat (simple deployment of a static Web page, perhaps provide a trivial form + response)
- tcpflow (check insecurity of visit to the local Tomcat)
- mkcert (enable HTTPS on local Tomcat, verify secure)
- Motivation: spambots on forums, etc.
- Simple captcha demo
Very simple arithmetic example a la Community Roadwatch?
Maybe hook into Google's reCAPTCHA provider?
- Filter-based countermeasures: delays, checks on user agent, check for session cookies (should be present on all but the first transaction)
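
The three filter checks listed above, sketched as an added example (not part of the original lab notes), in Python rather than as a Tomcat filter. `FormFilter`, the `SESSIONID` cookie name, the 3-second threshold and the user-agent pattern are assumptions, and "delays" is interpreted here as a minimum time between serving the form and accepting its submission.

```python
import re
import secrets
from http.cookies import SimpleCookie

MIN_FILL_SECONDS = 3.0  # assumed threshold, tune per form
# Illustrative pattern only: empty UA or common scripting clients.
BAD_UA = re.compile(r"^$|curl|wget|python-requests|libwww", re.I)


class FormFilter:
    """Screens requests to one form URL (hypothetical helper for this example)."""

    def __init__(self):
        self.sessions = {}  # session id -> time the form was last served

    @staticmethod
    def _session_id(headers):
        morsel = SimpleCookie(headers.get("Cookie", "")).get("SESSIONID")
        return morsel.value if morsel else None

    def handle(self, method, headers, now):
        """Return (verdict, set_cookie_value_or_None) for one request."""
        # Check 1: user agent. Client-controlled, so this only stops lazy bots.
        if BAD_UA.search(headers.get("User-Agent", "")):
            return "reject: user agent", None
        sid = self._session_id(headers)
        if method == "GET":
            # First transaction: no cookie is expected, so issue one.
            if sid not in self.sessions:
                sid = secrets.token_hex(16)
            self.sessions[sid] = now
            return "allow", f"SESSIONID={sid}"
        # Check 2: every later transaction must carry a session we issued.
        if sid not in self.sessions:
            return "reject: no session cookie", None
        # Check 3: delay. A form posted back almost instantly was not typed.
        if now - self.sessions[sid] < MIN_FILL_SECONDS:
            return "reject: submitted too fast", None
        return "allow", None
```

All three signals are supplied or controlled by the client, so they raise the cost for simple spambots and work best combined with the captcha.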