User: Robdir (Roberto Di Russo)




Welcome

A programmer is someone who solves, in an incomprehensible way, a problem you didn’t know you had.

Contacts

My e-mail address–> robertodirusso[at]yahoo[dot]it

News

March, 18th 2009–> Finally, I joined ISISLab

March, 24th 2009–> Work in Progress: Intermediaries on the WWW

April, 1st 2009–> Starting a new specific work: Https Tunneling through SISI

May, 4th 2009–> Starting a new specific work: Authentication and Privacy Integration on Webmails

May, 27th 2009–> My First Seminar

September, 14th 2009–> My Second Seminar

September, 24th 2009–> My Graduation Day. Thesis Title: Servizi Avanzati per Intermediari: Integrazione di Autenticazione e Privacy in un Webmail (Advanced Services for Intermediaries: Integrating Authentication and Privacy into a Webmail)

Work 1: Https Tunneling through SISI

At the moment SISI, the framework developed by ISISLab members, doesn’t support Https (Http on top of SSL).

Well, I’m spending my time trying to understand how to intercept https requests from a client and forward them to a server.

Https (abstract from Wikipedia)

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol and a network security protocol.

HTTP operates at the highest layer of the TCP/IP Internet reference model, the Application layer; but the security protocol operates at a lower sublayer, encrypting an HTTP message prior to transmission and decrypting a message upon arrival.

HTTPS has also been known as "Hypertext Transfer Protocol over Secure Socket Layer", but now HTTPS may be secured by the Transport Layer Security (TLS) instead of Secure Sockets Layer (SSL) protocol. To invoke HTTPS, one replaces "http://" with "https://" in the URI, or Web address.

Before data exchange, HTTPS has a handshake phase performed by the client and the server.

HTTPS connections are often used for payment transactions on the Web and for sensitive transactions in corporate information systems.

Https tunneling

In simple terms, the proxy takes the data from the client and, without reading them, forwards them to the server (and vice versa).

This forwarding starts with the SSL handshake data and ends with the last application data.
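The tunnel just described, as an added Python example that is not SISI code or the author’s: the proxy parses only the browser’s CONNECT line, checks the requested port against an allow-list, answers "200 Connection Established", and from then on copies bytes in both directions without interpreting them, so the SSL/TLS handshake and the encrypted application data stay opaque to it. The host name, the port allow-list and the loopback demo with socket pairs are constructed assumptions, not part of the original page.

```python
import concurrent.futures, select, socket

SAMPLE_CONNECT = b"CONNECT mail.example.com:443 HTTP/1.1\r\n\r\n"  # constructed browser request

def parse_connect(request: bytes, allowed_ports=(443,)):
    """(host, port) for a valid CONNECT to an allowed port, else None (limits tunnel reach)."""
    parts = request.partition(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit() or int(port) not in allowed_ports:
        return None
    return host.decode("ascii"), int(port)

def relay(a: socket.socket, b: socket.socket) -> int:
    """Copy bytes blindly both ways until either side closes; return bytes relayed."""
    peer, total = {a: b, b: a}, 0
    while True:  # the handshake and the encrypted application data are opaque here
        readable, _, _ = select.select(list(peer), [], [])
        for src in readable:
            data = src.recv(4096)
            if not data:
                return total
            peer[src].sendall(data)
            total += len(data)

def handle_client(client: socket.socket) -> int:
    """Serve one proxy connection: answer the CONNECT, then become a dumb pipe."""
    target = parse_connect(client.recv(4096))
    if target is None:  # refuse anything that is not CONNECT to an allowed port
        client.close()
        return 0
    upstream = socket.create_connection(target)
    client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    with client, upstream:
        return relay(client, upstream)

def demo_relay() -> int:
    """Loopback check: socket pairs stand in for browser and server (constructed)."""
    browser, proxy_in = socket.socketpair()
    proxy_out, server = socket.socketpair()
    fut = concurrent.futures.ThreadPoolExecutor(1).submit(relay, proxy_in, proxy_out)
    browser.sendall(b"ClientHello")  # stand-in for the first handshake record
    assert server.recv(11) == b"ClientHello"
    server.sendall(b"ServerHello")
    assert browser.recv(11) == b"ServerHello"
    browser.close()  # the client hangs up, so relay returns
    total = fut.result()
    for s in (proxy_in, proxy_out, server): s.close()
    return total
```

Because the relay never decrypts, the only thing the intermediary can log or filter is the CONNECT target, which is why the port allow-list is the place to enforce policy.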

Work 2: Authentication and Privacy integration on Webmails

Webmail is an e-mail service intended to be primarily accessed via a web browser, as opposed to through an e-mail client.

The major advantage of a Webmail is that you can use it without installing and maintaining more applications than a normal web browser, so you can use it to access your mail account even when you are far from your desktop (for example, in an Internet Café).

But Webmails lack a useful feature: the possibility of keeping the e-mail content private.

So, my idea is to add to a Webmail interface the features needed to obtain privacy in the e-mail exchange process and to allow the user to verify the identity of a message sender.

In order to do this, I’m studying how to use the OpenPGP standard and in particular the "Pure-Perl OpenPGP implementation": the Crypt::OpenPGP API.

As a case study, I chose Microsoft Hotmail because it’s one of the most used webmails and it has user-friendly and programmer-friendly interfaces.

Well, my work is composed of some steps:
– studying and modifying the Hotmail web page;
– sending the modified page to the browser;
– intercepting the page submitted by the user;
– extracting the relevant data and applying the crypto features, using the Crypt::OpenPGP API.

Seminars

May, 27th 2009--> Authentication and Privacy Integration on Webmails

Abstract (translated from Italian)

The seminar will present how to integrate into a Webmail a set of functions aimed at guaranteeing the authenticity and confidentiality of e-mail messages. In particular, it will describe how to make the content of outgoing messages private, so that only the legitimate recipient can read them, and how to verify that the identity declared by the sender of an incoming message is authentic.

September, 14th 2009--> Authentication and Privacy Integration on Webmails - Part II

Abstract (translated from Italian)

After a brief introduction intended to re-frame the problem, so as to "hook" this seminar onto the previous one, the implementation of the service will be described, emphasising its innovative aspects but also its limitations. It will then continue with a reasoned account of the design choices adopted, and then move on to a description of the techniques used during development. The seminar will go on with a descriptive analysis of the fundamental parts of the code produced and will end by proposing possible future developments.

References: General

Perl programming language

Perl official Italian Website

CPAN: Comprehensive Perl Archive Network

Online Documentation

Socket Programming in Perl

SISI Framework

A scalable framework for the support of advanced edge services

Apache

Official Website

What To Do Once You’ve Downloaded A Module From The CPAN

Install New Modules

References: HTTPS Tunneling

Https and Https Tunneling

DRAFT: Tunneling TCP based protocols through Web proxy servers

HTTP over TLS (RFC)

Introduction to SSL

Wireshark: a useful packet sniffer

Official Website

References: Authentication and Privacy Integration on Webmails

Webmail

Webmail vs. Desktop Email, by Bob Rankin

OpenPGP

RFC 2440

RFC 4880

About OpenPGP

Crypt::OpenPGP

Crypt::OpenPGP – Pure-Perl OpenPGP implementation

WWW::Hotmail

WWW::Hotmail – Connect to Hotmail, download, delete and send messages [It doesn’t work!!!]

Definitions from Wikipedia

Webmail

Authentication

Proxy