SCIA 120 · Week 08
cover · 01/30
Introduction to Secure Computing and Information Assurance

Internet Security

Author: Dr. Zhijiang Chen (Frostburg State University)

Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where internet security affects users, data, or operations.
Instructor: How would you recognize internet security in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The internet was not designed with security in mind.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
Dr. Zhijiang Chen · Frostburg State University
Week 08 deck
Overall Page

Overall roadmap

The week moves from core definitions to practical security decisions.

Introduction

Core reading concept for Week 08.

Internet Architecture and Security Implications

Core reading concept for Week 08.

HTTPS and TLS in Practice

Core reading concept for Week 08.

OWASP Top 10

Core reading concept for Week 08.

Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where overall roadmap affects users, data, or operations.
Instructor: How would you recognize overall roadmap in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Introduction
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
03 objectives

Learning objectives

Students should explain, apply, and evaluate the week’s main security ideas.

Explain Introduction.
Explain Internet Architecture and Security Implications.
Explain HTTPS and TLS in Practice.
Explain OWASP Top 10.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where learning objectives affects users, data, or operations.
Instructor: How would you recognize learning objectives in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Explain Introduction.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
04 application

Opening scenario

Use a realistic scenario to anchor Internet Security in operational decision-making.

The internet was not designed with security in mind.
Its foundational protocols — TCP/IP, HTTP, DNS, SMTP — were developed in an era when the network's user base was small, relatively trusted, and primarily academic.
Many of the topics here build directly on the cryptography covered in Chapter 6 and the network security concepts in Chapter 7.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where opening scenario affects users, data, or operations.
Instructor: If this issue appeared in a campus or business system, what evidence would you collect first?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The internet was not designed with security in mind.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
05 definition

Introduction

The internet was not designed with security in mind.
Its foundational protocols — TCP/IP, HTTP, DNS, SMTP — were developed in an era when the network's user base was small, relatively trusted, and primarily academic.
Many of the topics here build directly on the cryptography covered in Chapter 6 and the network security concepts in Chapter 7.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where introduction affects users, data, or operations.
Instructor: What problem does introduction help us understand?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The internet was not designed with security in mind.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
06 concept

Internet Architecture and Security Implications

The internet is a network of networks: thousands of autonomous systems (AS) — ISPs, universities, corporations — interconnected through BGP (Border Gateway Protocol), which…
This decentralized architecture provides resilience (no single point of failure) but creates security implications that are difficult to fully address.
BGP hijacking, for example, occurs when an AS maliciously or accidentally announces ownership of IP address blocks it doesn't control, attracting and potentially intercepting…
Notable incidents include Pakistan Telecom briefly hijacking YouTube's IP addresses in 2008 and, more seriously, nation-state-attributed BGP hijacking incidents targeting…
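As an added example (not from the deck), the kind of check a campus network team could run over a route-collector feed to notice the hijack described above. The prefixes, AS numbers and the feed are constructed from documentation ranges; the script flags an exact prefix of ours announced from an unexpected origin, and the more dangerous more-specific announcement that longest-prefix matching would prefer.

```python
import ipaddress

# Constructed expectation table (hypothetical prefixes and AS numbers from the
# documentation ranges): prefix -> the only AS that should originate it.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,   # campus public block, originated by the campus AS
    "198.51.100.0/24": 64501,  # a partner network's block
}


def check_announcement(prefix, origin_as, expected=EXPECTED_ORIGINS):
    """Classify one observed announcement (prefix, origin AS) against expectations.

    Returns:
      "ok"            prefix and origin match what we expect
      "hijack"        one of our exact prefixes announced from another AS
      "more-specific" a sub-prefix of ours announced from another AS; longest-prefix
                      match means routers prefer it, so this is the worse case
      "unknown"       prefix is not ours, nothing to say
    """
    announced = ipaddress.ip_network(prefix, strict=False)
    for known, owner in expected.items():
        known_net = ipaddress.ip_network(known)
        if announced.version != known_net.version:
            continue
        if announced == known_net:
            return "ok" if origin_as == owner else "hijack"
        if announced.subnet_of(known_net):
            return "ok" if origin_as == owner else "more-specific"
    return "unknown"


def audit_feed(announcements, expected=EXPECTED_ORIGINS):
    """Run every (prefix, origin_as) pair through check_announcement; keep only alerts."""
    alerts = []
    for prefix, origin_as in announcements:
        verdict = check_announcement(prefix, origin_as, expected)
        if verdict in ("hijack", "more-specific"):
            alerts.append((prefix, origin_as, verdict))
    return alerts


# Constructed sample feed, as a route-collector export might look after parsing.
SAMPLE_FEED = [
    ("203.0.113.0/24", 64500),    # legitimate
    ("203.0.113.0/24", 64666),    # our prefix from a foreign origin: hijack
    ("203.0.113.128/25", 64666),  # more-specific of our prefix from a foreign origin
    ("198.51.100.0/24", 64501),   # legitimate partner route
    ("192.0.2.0/24", 64777),      # not ours, ignored
]

if __name__ == "__main__":
    for alert in audit_feed(SAMPLE_FEED):
        print("ALERT", *alert)
```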
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where internet architecture and security implications affects users, data, or operations.
Instructor: How would you recognize internet architecture and security implications in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The internet is a network of networks: thousands of autonomous…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
07 application

HTTPS and TLS in Practice

HTTPS (HTTP Secure) is HTTP carried over a TLS connection.
The presence of a padlock icon in a browser's address bar indicates a valid TLS certificate, but it does not mean the site itself is trustworthy or not malicious — only that the…
Phishing sites routinely obtain valid TLS certificates for their fraudulent domains.
HSTS (HTTP Strict Transport Security) is a security header that instructs browsers to only connect to a domain over HTTPS, never falling back to plain HTTP, for a specified…
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where https and tls in practice affects users, data, or operations.
Instructor: If this issue appeared in a campus or business system, what evidence would you collect first?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: HTTPS (HTTP Secure) is HTTP carried over a TLS connection.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
08 evidence

OWASP Top 10

The Open Web Application Security Project (OWASP) publishes the OWASP Top 10, a periodically updated list of the most critical web application security risks.
It is the de facto standard reference for web application security.
Broken Access Control: Users acting outside of their intended permissions — accessing other users' data, elevating privileges, or bypassing authorization checks.
This is the most prevalent web security failure, found in 94% of tested applications.
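An added example (not from the deck) of the "accessing other users' data" case in code: a handler that only checks the record exists beside one that decides ownership server-side, plus the denial log a SOC would watch for id enumeration. The users, invoices and ids are constructed; the hypothetical `Forbidden` error stands in for whatever HTTP 404/403 response the framework would send.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller asks for a record it is not allowed to see."""


@dataclass
class User:
    name: str
    is_admin: bool = False


@dataclass
class Invoice:
    invoice_id: int
    owner: str
    total: float


# Constructed data store: two users' invoices with guessable sequential ids.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 75.50),
}

# Denied requests are recorded here so the SOC can spot enumeration attempts.
AUDIT_LOG = []


def get_invoice_vulnerable(invoice_id):
    """Broken access control: the handler assumes the caller was authenticated
    upstream but never checks WHOSE invoice this is, so any logged-in user can
    read any invoice simply by changing the id in the request."""
    return INVOICES[invoice_id]


def get_invoice_secure(user, invoice_id, audit_log=AUDIT_LOG):
    """Hardened handler: the ownership decision is made server-side, from the
    stored record, never from anything the client sent. A missing record and a
    record owned by someone else get the same response so ids cannot be probed."""
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (invoice.owner == user.name or user.is_admin)
    if not allowed:
        audit_log.append(f"DENY user={user.name} invoice={invoice_id}")
        raise Forbidden("invoice not found")
    return invoice


def enumerating_users(audit_log=AUDIT_LOG, threshold=3):
    """Detection: users with at least `threshold` denials are likely walking ids."""
    counts = {}
    for line in audit_log:
        user = line.split("user=", 1)[1].split()[0]
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```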
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where owasp top 10 affects users, data, or operations.
Instructor: How would you recognize owasp top 10 in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The Open Web Application Security Project (OWASP) publishes the OWASP…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
09 definition

The Same-Origin Policy

The Same-Origin Policy (SOP) is a fundamental browser security mechanism that restricts how scripts loaded from one origin (defined as the combination of scheme, hostname, and…
Without SOP, a malicious script could silently read your email, your bank balance, or any other data from any site you are logged into.
CORS (Cross-Origin Resource Sharing) is a controlled relaxation of SOP that allows servers to explicitly declare which origins may access their resources, using HTTP headers…
Misconfigured CORS policies (e.g., Access-Control-Allow-Origin: with Access-Control-Allow-Credentials: true) can re-open the vulnerabilities that SOP prevents.
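An added example (not from the deck) that makes the origin tuple concrete and then reviews a CORS response the way a defender auditing server configuration would. The allowlist `TRUSTED_ORIGINS` and the hostnames are constructed; the verdict names are this example's own labels.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Hypothetical allowlist a server should compare the Origin header against.
TRUSTED_ORIGINS = {"https://app.example.edu"}


def origin_of(url):
    """Return the (scheme, host, port) triple the browser treats as the origin.
    Path, query and fragment never take part; a missing port means the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """The SOP question: may script loaded from url_a read responses from url_b?"""
    return origin_of(url_a) == origin_of(url_b)


def cors_verdict(request_origin, response_headers, trusted=TRUSTED_ORIGINS):
    """Review one CORS response as a defender auditing the server's configuration.

    request_origin:   the Origin header the browser sent with the cross-origin request.
    response_headers: dict of header name -> value from the server's reply.
    """
    headers = {name.lower(): value.strip() for name, value in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    with_credentials = headers.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return "no-cors"  # SOP fully in effect: the browser withholds the response
    if acao == "*":
        # A wildcard is fine for public data. Browsers refuse to honour it together
        # with credentials, but seeing both is still a sign of a careless policy.
        return "wildcard-with-credentials" if with_credentials else "public-no-credentials"
    if acao != request_origin:
        return "denied"  # the browser will not expose the response to this origin
    if request_origin in trusted:
        return "allowed-trusted"
    # Echoing an arbitrary Origin back is the classic misconfiguration: combined
    # with credentials it lets any site read the logged-in user's data.
    return "reflected-origin-with-credentials" if with_credentials else "reflected-origin"
```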
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where the same-origin policy affects users, data, or operations.
Instructor: What problem does the same-origin policy help us understand?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The Same-Origin Policy (SOP) is a fundamental browser security…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
10 concept

Cookies and Session Management

HTTP cookies are small pieces of data stored by the browser and automatically sent with every request to the domain that set them.
They are the primary mechanism for maintaining session state in stateless HTTP.
Security-relevant cookie attributes:
- Secure: Cookie is only sent over HTTPS connections.
- HttpOnly: Cookie is inaccessible to JavaScript, preventing theft via XSS.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where cookies and session management affects users, data, or operations.
Instructor: How would you recognize cookies and session management in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: HTTP cookies are small pieces of data stored by the browser and…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
11 application

Content Security Policy (CSP)

Content Security Policy (CSP) is an HTTP response header that tells the browser which sources of content (scripts, styles, images, fonts, etc.) are legitimate for a given page.
By specifying a strict CSP (e.g., script-src 'self'), an application can prevent the execution of injected scripts even if an XSS vulnerability exists, providing a powerful…
CSP is not a substitute for fixing XSS vulnerabilities but significantly raises the bar for exploitation.
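The three HTTP-layer controls from the HTTPS/HSTS, cookie and CSP slides are all response headers, so one audit covers them. This is an added example, not the deck's code: it parses a raw response and reports a missing or short-lived HSTS header, cookies without Secure or HttpOnly, and script sources that undo a CSP. The two responses are constructed, and the one-year minimum for max-age is this example's assumption.

```python
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this audit


def parse_response(raw):
    """Split a raw HTTP response into (status_line, headers).
    headers maps lower-cased names to a list of values, because Set-Cookie repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_hsts(headers):
    """HSTS must be present with a max-age long enough that browsers keep refusing HTTP."""
    values = headers.get("strict-transport-security")
    if not values:
        return ["HSTS missing: browsers may still connect over plain HTTP"]
    directives = [d.strip().lower() for d in values[0].split(";")]
    max_age = next((d for d in directives if d.startswith("max-age=")), None)
    if max_age is None:
        return ["HSTS present but has no max-age directive"]
    try:
        seconds = int(max_age.split("=", 1)[1].strip('"'))
    except ValueError:
        return ["HSTS max-age is not a number"]
    return ["HSTS max-age shorter than one year"] if seconds < ONE_YEAR else []


def check_cookies(headers):
    """Every Set-Cookie should carry Secure (HTTPS only) and HttpOnly (no script access)."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: may be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return findings


def check_csp(headers):
    """Script sources should be an explicit list; these keywords undo the protection."""
    values = headers.get("content-security-policy")
    if not values:
        return ["CSP missing: injected scripts run without restriction"]
    policy = {}
    for directive in values[0].split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["CSP has neither script-src nor default-src"]
    return [f"CSP script sources allow {weak}"
            for weak in ("'unsafe-inline'", "*", "data:", "http:", "https:")
            if weak in sources]


def audit(raw_response):
    """Return the list of findings for one raw response; an empty list means clean."""
    _, headers = parse_response(raw_response)
    return check_hsts(headers) + check_cookies(headers) + check_csp(headers)


# Constructed responses: the weak one is what a default application server often emits.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit(WEAK_RESPONSE):
        print("FINDING", finding)
```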
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where content security policy (csp) affects users, data, or operations.
Instructor: If this issue appeared in a campus or business system, what evidence would you collect first?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Content Security Policy (CSP) is an HTTP response header that tells…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
12 evidence

Email Security Protocols

Email's foundational protocols (SMTP, POP3, IMAP) were designed without authentication, making email domain spoofing trivially easy — anyone can send an email claiming to be from…
Three complementary standards have been developed to address this: SPF, DKIM, and DMARC, covered on the next three slides.
Email security protocols connect to risk, controls, and evidence.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where email security protocols affects users, data, or operations.
Instructor: How would you recognize email security protocols in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Email's foundational protocols (SMTP, POP3, IMAP) were designed…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
13 definition

SPF (Sender Policy Framework)

SPF allows domain owners to publish, via DNS TXT records, a list of mail servers authorized to send email on behalf of their domain.
When a receiving mail server gets a message, it checks whether the sending server's IP is listed in the sender domain's SPF record.
This prevents unauthorized servers from sending mail as your domain.
However, SPF only validates the envelope sender (the SMTP MAIL FROM address), not the visible From: header.
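An added example (not from the deck) of the receiving server's SPF check: it reads the sender domain's TXT record, walks the ip4, ip6, include and all mechanisms, and returns the RFC 7208 result. The TXT records and domains are constructed and stand in for real DNS; the last function shows the caveat on this slide, that only the envelope MAIL FROM domain is ever consulted, never the From: header.

```python
import ipaddress

# Constructed TXT records standing in for real DNS lookups (hypothetical domains).
FAKE_DNS_TXT = {
    "example.edu": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "bulk-sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone=FAKE_DNS_TXT):
    """Fetch the domain's SPF record (the TXT record beginning with v=spf1), or None."""
    record = zone.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(sender_ip, mail_from_domain, zone=FAKE_DNS_TXT, depth=0):
    """Evaluate the ip4, ip6, include and all mechanisms of RFC 7208.

    Returns pass / fail / softfail / neutral / none / permerror. The depth guard is a
    crude stand-in for the RFC's limit of 10 DNS-querying mechanisms per check.
    """
    if depth > 10:
        return "permerror"
    record = lookup_spf(mail_from_domain, zone)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include: matches only when the other domain's own record says pass
            matched = check_spf(sender_ip, arg, zone, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, ptr and modifiers are not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def spf_for_message(sender_ip, envelope_mail_from, header_from, zone=FAKE_DNS_TXT):
    """SPF is evaluated against the envelope sender (SMTP MAIL FROM) only.

    The visible From: header is deliberately ignored, exactly as real SPF does: a
    message can pass SPF on a bulk-sender domain while its From: shows your domain.
    Returns (result, domain_checked, header_from_domain) so that gap stays visible.
    """
    envelope_domain = envelope_mail_from.rsplit("@", 1)[-1].lower()
    header_domain = header_from.rsplit("@", 1)[-1].lower()
    return check_spf(sender_ip, envelope_domain, zone), envelope_domain, header_domain
```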
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where spf (sender policy framework) affects users, data, or operations.
Instructor: What problem does spf (sender policy framework) help us understand?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: SPF allows domain owners to publish, via DNS TXT records, a list of…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
14 concept

DKIM (DomainKeys Identified Mail)

DKIM allows sending mail servers to attach a cryptographic signature to outgoing messages.
The signature covers specified headers and the message body.
The corresponding public key is published in the sending domain's DNS records.
Receiving servers verify the signature, confirming that the message was sent by an authorized server and has not been modified in transit.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where dkim (domainkeys identified mail) affects users, data, or operations.
Instructor: How would you recognize dkim (domainkeys identified mail) in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: DKIM allows sending mail servers to attach a cryptographic signature…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
15 application

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC builds on SPF and DKIM by allowing domain owners to specify what should happen to messages that fail authentication (nothing, quarantine to spam, or reject outright) and to…
A properly configured DMARC policy (especially with p=reject) dramatically reduces spoofed email successfully reaching recipients.
⚠️ Warning: Email without SPF, DKIM, and DMARC is easily spoofed.
Many phishing attacks succeed because recipient organizations do not validate the sender's domain.
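An added example (not from the deck) of the DMARC decision that ties the DKIM and DMARC slides together: the receiver takes the SPF result and the domain it was checked against, the d= domain of any DKIM signature that verified, and the From: header the user sees, then applies the published policy. The DMARC records and domains are constructed, and the organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List).

```python
# Constructed DMARC record for a hypothetical domain, as published at _dmarc.example.edu.
EXAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.edu; aspf=r; adkim=r"


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; aspf=r' into a dict, filling in the defaults.
    Returns None when the record is not a usable DMARC policy."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("aspf", "r")   # relaxed alignment is the default for both
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    """Simplification: the organizational domain is the last two labels.
    Real DMARC consults the Public Suffix List so suffixes like co.uk work."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(authenticated_domain, from_domain, mode):
    """Strict ('s'): domains must be identical. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return authenticated_domain.lower() == from_domain.lower()
    return org_domain(authenticated_domain) == org_domain(from_domain)


def evaluate_dmarc(header_from, spf_result, spf_domain, dkim_result, dkim_domain, dmarc_record):
    """Combine SPF and DKIM results with the From: header the user actually sees.

    spf_domain  is the MAIL FROM domain SPF was checked against.
    dkim_domain is the d= tag of a signature that verified (None if no valid signature).
    Returns (verdict, disposition), where disposition is what the receiver should do.
    """
    policy = parse_dmarc(dmarc_record) if dmarc_record else None
    if policy is None:
        return ("no-policy", "none")
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy["p"])
```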
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where dmarc (domain-based message authentication, reporting, and conformance) affects users, data, or operations.
Instructor: If this issue appeared in a campus or business system, what evidence would you collect first?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: DMARC builds on SPF and DKIM by allowing domain owners to specify…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
16 evidence

DNS Security and DNSSEC

The DNS infrastructure underpins nearly all internet communication — every web request, email, and API call typically begins with a DNS lookup.
Yet traditional DNS provides no authentication: resolvers cannot verify that the responses they receive are from the authoritative name server for a domain and haven't been…
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records.
Each zone has a key pair; resource records are signed with the private key, and resolvers can verify these signatures using the public key published in the zone.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where dns security and dnssec affects users, data, or operations.
Instructor: How would you recognize dns security and dnssec in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The DNS infrastructure underpins nearly all internet communication —…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
17 definition

VPN Use for Privacy

Beyond their role in securing remote access (covered in Chapter 7), VPNs are widely used for privacy: by routing all traffic through the VPN provider's servers, the user's ISP and…
However, this only shifts trust to the VPN provider, who can see all the user's traffic.
Users should choose VPN providers with strong no-logging policies and ideally those that have been independently audited.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where vpn use for privacy affects users, data, or operations.
Instructor: What problem does vpn use for privacy help us understand?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Beyond their role in securing remote access (covered in Chapter 7),…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
18 concept

Tor and Onion Routing

Tor (The Onion Router) provides anonymity through a technique called onion routing.
When a Tor user connects to a website, their traffic is encrypted in multiple layers and relayed through a circuit of three volunteer-operated Tor relays (the guard/entry node, a…
Each relay decrypts one layer, learning only the previous and next hop — no single relay knows both the origin and destination of the traffic.
Tor is used by journalists, activists, whistleblowers, and ordinary users who need strong anonymity.
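An added simulation (not from the deck, and not Tor's real protocol) of the layering described above: the client wraps the message once per relay, each relay peels exactly one layer with its own key and learns only the previous and next hop, and the final check confirms that no single relay links the client to the destination. The relay names and keys are constructed, and the XOR keystream cipher is a toy used only so the layering can be shown with the standard library.

```python
import base64
import hashlib
import json


def keystream_xor(key, data):
    """Toy symmetric cipher for illustration only: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts. Tor uses real AES keys agreed in a handshake."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key, next_hop, inner):
    """One onion layer: who to forward to, plus the still-encrypted inner blob."""
    layer = {"next": next_hop, "inner": base64.b64encode(inner).decode()}
    return keystream_xor(key, json.dumps(layer).encode())


def build_onion(circuit, payload):
    """circuit: list of (relay_name, key shared with that relay), guard first.
    Wrap from the exit inwards so the guard's layer ends up on the outside."""
    blob, next_hop = payload, "destination"
    for name, key in reversed(circuit):
        blob = wrap_layer(key, next_hop, blob)
        next_hop = name
    return blob


def peel_layer(key, blob):
    """What a relay can do with its own key: remove one layer and learn the next hop.
    With the wrong key the bytes are noise and decoding raises ValueError."""
    layer = json.loads(keystream_xor(key, blob).decode())
    return layer["next"], base64.b64decode(layer["inner"])


def run_circuit(circuit, payload):
    """Forward the onion hop by hop and record what each relay learned.
    Returns (payload as delivered to the destination, {relay: {"from", "to"}})."""
    blob = build_onion(circuit, payload)
    learned, previous = {}, "client"
    for name, key in circuit:
        next_hop, blob = peel_layer(key, blob)
        learned[name] = {"from": previous, "to": next_hop}
        previous = name
    return blob, learned


def relays_seeing_both_ends(learned):
    """The anonymity claim: no single relay should link the client to the destination."""
    return [name for name, seen in learned.items()
            if seen["from"] == "client" and seen["to"] == "destination"]


# Constructed three-hop circuit (guard, middle, exit) with constructed per-relay keys.
CIRCUIT = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

if __name__ == "__main__":
    delivered, learned = run_circuit(CIRCUIT, b"GET / HTTP/1.1")
    for relay, seen in learned.items():
        print(relay, "saw", seen)
    print("delivered:", delivered, "linking relays:", relays_seeing_both_ends(learned))
```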
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where tor and onion routing affects users, data, or operations.
Instructor: How would you recognize tor and onion routing in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Tor (The Onion Router) provides anonymity through a technique called…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
19 application

The Dark Web

The dark web refers to overlay networks (primarily Tor, but also I2P and Freenet) that require specific software to access and provide anonymity to both clients and servers.
It hosts a range of content: privacy-focused services (SecureDrop for whistleblowing), forums, and unfortunately, markets for illegal goods and cybercrime-as-a-service operations.
From a security perspective, the dark web is significant as a marketplace for stolen credentials, ransomware tools, zero-day exploits, and personal data from breaches.
Organizations monitor dark web forums and marketplaces for indications that their data or credentials have been compromised.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where the dark web affects users, data, or operations.
Instructor: If this issue appeared in a campus or business system, what evidence would you collect first?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The dark web refers to overlay networks (primarily Tor, but also I2P…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
20 evidence

IoT Security

The Internet of Things (IoT) encompasses the vast and growing ecosystem of network-connected devices beyond traditional computers: smart thermostats, IP cameras, smart TVs,…
By 2030, an estimated 25 billion IoT devices will be deployed.
IoT devices present severe security challenges:
- Insecure defaults: Many devices ship with default credentials (admin/admin, admin/password) that many users never change.
The Mirai botnet (2016), which launched record-breaking DDoS attacks, was built from hundreds of thousands of IoT devices compromised using default credentials.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where iot security affects users, data, or operations.
Instructor: How would you recognize iot security in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The Internet of Things (IoT) encompasses the vast and growing…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
21 definition

PCI-DSS

PCI-DSS includes requirements for network security (firewalls, encryption in transit), access control (least privilege, MFA), vulnerability management (patching, security…
PCI-DSS compliance is not a guarantee of security, but it establishes a meaningful baseline.
Merchants who achieve compliance through compliance-checking exercises alone without actually improving security ("checkbox compliance") continue to be breached.
This has shifted card fraud toward card-not-present (online) transactions, which require other mitigations such as 3D Secure (3DS) protocols.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where pci-dss affects users, data, or operations.
Instructor: What problem does pci-dss help us understand?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: PCI-DSS includes requirements for network security (firewalls,…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
22 concept

Cookies, Fingerprinting, and Trackers

While first-party cookies serve legitimate purposes (session state, preferences), third-party tracking cookies enable advertising networks and data brokers to track users'…
Modern browsers (Safari, Firefox, Brave) and privacy regulations (GDPR, CCPA) have increasingly restricted third-party cookies.
Users can test their fingerprint uniqueness at sites like coveryourtracks.eff.org.
Data brokers aggregate personal data from public records, social media, loyalty programs, and purchased datasets, building detailed profiles on individuals that are sold to…
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where cookies, fingerprinting, and trackers affects users, data, or operations.
Instructor: How would you recognize cookies, fingerprinting, and trackers in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: While first-party cookies serve legitimate purposes (session state,…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
23 application

Privacy Hygiene Best Practices

- Password managers (Bitwarden, 1Password, KeePass) enable the use of unique, strong passwords for every account, eliminating credential reuse.
- Multi-Factor Authentication (MFA): Enable MFA — preferably hardware security keys (FIDO2/WebAuthn) or TOTP apps — on all accounts, especially email, banking, and cloud storage. SMS-based MFA is better than nothing but vulnerable to SIM swapping.
- Browser privacy : Use a privacy-focused browser (Firefox with uBlock Origin, Brave) or configure your existing browser to block trackers.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where privacy hygiene best practices affects users, data, or operations.
Instructor: If this issue appeared in a campus or business system, what evidence would you collect first?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: - Password managers (Bitwarden, 1Password, KeePass) enable the use of…
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
evidence · 24/30

Introduction

The internet was not designed with security in mind.
Its foundational protocols — TCP/IP, HTTP, DNS, SMTP — were developed in an era when the network's user base was small, relatively trusted, and primarily academic.
Many of the topics here build directly on the cryptography covered in Chapter 6 and the network security concepts in Chapter 7.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where introduction affects users, data, or operations.
Instructor: How would you recognize introduction in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: The internet was not designed with security in mind.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
vocabulary · 25/30

Key terms to keep

Vocabulary becomes useful when students can connect terms to scenarios and evidence.

Introduction
Internet Architecture and Security Implications
HTTPS and TLS in Practice
OWASP Top 10
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where key terms to keep affect users, data, or operations.
Instructor: How would you recognize key terms to keep in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Introduction
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
comparison · 26/30

Compare: Introduction vs. Internet Architecture and Security Implications

Comparing related ideas helps students avoid shallow memorization.

Where Introduction applies.
Where Internet Architecture and Security Implications applies.
How the difference changes the security decision.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where compare: introduction vs. internet architecture and security implications affects users, data, or operations.
Instructor: How would you recognize compare: introduction vs. internet architecture and security implications in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Where Introduction applies.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
application · 27/30

Applied decision checkpoint

Students should translate concepts into a defensible security decision.

Identify the asset or process at risk.
Choose a preventive, detective, or corrective control.
Explain what evidence would prove the control is working.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where applied decision checkpoint affects users, data, or operations.
Instructor: If this issue appeared in a campus or business system, what evidence would you collect first?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Identify the asset or process at risk.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
review · 28/30

Review questions

Retrieval practice should ask students to define, compare, apply, and evaluate.

Define one core concept in plain language.
Compare two controls or threats from the week.
Apply one idea to a campus or business system.
Evaluate why a solution might fail in practice.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where review questions affect users, data, or operations.
Instructor: What is the one-sentence takeaway for review questions?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Define one core concept in plain language.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
bridge · 29/30

Bridge to lab and assessment

The reading should transfer into evidence-based lab work and written explanations.

Collect evidence, not just screenshots.
Explain what the artifact proves.
Connect the proof back to risk and control selection.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where bridge to lab and assessment affects users, data, or operations.
Instructor: How would you recognize bridge to lab and assessment in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Collect evidence, not just screenshots.
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.
closing · 30/30

Takeaway

The central takeaway from Week 8 is to reason from risk to evidence to action.

Internet Security
Security is a decision process, not just a tool list.
Use the reading to justify practical choices.
Classroom Dialog
Scenario: A campus technology team is reviewing a realistic Week 8 incident where takeaway affects users, data, or operations.
Instructor: How would you recognize takeaway in a real organization?
Student: This concept helps us decide what is at risk, what evidence to check, and which control would reduce harm. For this slide, the key clue is: Internet Security
Teaching point: Push the answer beyond a definition: name the asset, identify the risk, choose evidence, and justify a practical control.