Welcome

A programmer is who solve in an incomprehensible way a problem that you didn't know to have.

Contacts

My e-mail address--> robertodirusso[at]yahoo[dot]it

News

March, 18th 2009--> Finally, I joined ISISLab

March, 24th 2009-->Work in Progress: Intermediaries on the WWW

April, 1st 2009--> Starting a new specifical work: Https Tunneling through SISI

May, 4th 2009--> Starting a new specifical work: Authentication and Privacy Integration on Webmails

May, 27th 2009--> My First Seminar

September, 14th 2009--> My Second Seminar

September, 24th 2009--> My Graduation Day. Thesis Title: Servizi Avanzati per Intermediari: Integrazione di Autenticazione e Privacy in un Webmail

Work 1: Https Tunneling through SISI

At the moment SISI, the framework developed by ISISLab members, doesn't support the Https (Http on top of SSL).

Well, I'm spending my time on trying to understand how to intercept https requests from a client and forward them to a server.

Https (abstract from Wikipedia)

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol and a network security protocol.

HTTP operates at the highest layer of the TCP/IP Internet reference model, the Application layer; but the security protocol operates at a lower sublayer, encrypting an HTTP message prior to transmission and decrypting a message upon arrival.

HTTPS has also been known as "Hypertext Transfer Protocol over Secure Socket Layer", but now HTTPS may be secured by the Transport Layer Security (TLS) instead of Secure Sockets Layer (SSL) protocol. To invoke HTTPS, one replaces "http://" with "https://" in the URI, or Web address.

Before data exchange, HTTPS has a handshake phase performed by the client and the server.

HTTPS connections are often used for payment transactions on the Web and for sensitive transactions in corporate information systems.

Https tunneling

In simple terms, the proxy take the data from the client and, without read them, forward them to the server (and viceversa).

This forward start with the SSL handshaking data and end with the last application data.

Work 2: Authentication and Privacy integration on Webmails

Webmail is an e-mail service intended to be primarily accessed via a web browser, as opposed to through an e-mail client.

The major advantage of a Webmail is that you can use it without installing and mantaining more applications than a normal web browser, so, you can use it to access your mail account even if you are far from your desktop (for example, in an Internet Cafè).

But Webmails don't have an useful feature: the possibility of let the e-mail content private.

So, my idea is to add to a Webmail interface the features needed to obtain privacy in the e-mail exchanging process and to allow the user to verify the identity of a message-sender.

In order to do this, I'm studing how to use the standard OpenPGP and particularly the "Pure-Perl OpenPGP implementation": the API Crypt::OpenPGP.

As case study, I chosen Microsoft Hotmail because it's one of the most used webmails and it has an user-frienldy and programmer-frienldy interfaces.

Well, my work is composed by some steps: - studying and modyfing the Hotmail web page; - sending the modified page to the browser; - intercepting the page submitted from the user; - extracting relevant data and applying the crypto features, using the Crypt::OpenPGP API.

Seminars

May, 27th 2009--> Authentication and Privacy Integration on Webmails

Abstract (in Italian)

Il seminario presenterà come integrare all'interno di un Webmail una serie di funzioni che mirano a garantire l'autenticità e la confidenzialità dei messaggi di posta elettronica. In particolare, verrà descritto come rendere privato il contenuto dei messaggi in uscita, in modo che solo il legittimo destinatario possa leggerli, e come verificare che l'identità dichiarata dal mittente di un messaggio in entrata sia autentica.

September, 14th 2009--> Authentication and Privacy Integration on Webmails - Part II

Abstract (in Italian)

Dopo un breve introduzione mirata a reinquadrare il problema, in modo da "agganciare" il seminario a quello precedente, verrà descritta la realizzazione del servizio, enfatizzandone gli aspetti innovativi, ma anche le limitazioni. Si proseguirà, poi, con un'esposizione motivata delle scelte progettuali adottate per poi passare ad una descrizione delle tecniche utilizzate in fase di sviluppo. Il seminario proseguirà con un'analisi descrittiva delle parti fondamentali del codice prodotto per poi terminare proponendo eventuali sviluppi futuri.