Topics to be Covered
- Introduction to electronic commerce
- The Internet and the Web: infrastructure for electronic commerce
- Web-based tools for electronic commerce
- Electronic commerce software
- Security threats to electronic commerce; implementing security for electronic commerce
- Electronic payment systems
- Strategies for marketing, sales and promotion
- Strategies for purchasing and support activities
- Strategies for web auctions, virtual communities and web portals
- The environment of electronic commerce: international, legal, ethical and tax issues
- Business plans for implementing electronic commerce
- Practical implementation of an electronic commerce site, e.g. 3 VBS
A Quick Survey
Which of the following have you done?
- Used e-mail
- Browsed the Web
- Bought a product on the Web (what?)
- Created a web page using an authoring tool
- Written some HTML
This course will NOT teach you HTML, ASP, JavaScript or Java Servlets.
Electronic Commerce
To many people the term electronic commerce, often shortened to e-commerce, is equivalent to shopping on the web. The term electronic business is sometimes used to capture the broader notion of e-commerce. In this course, we will use e-commerce in its broadest sense. It encompasses both web shopping and other business conducted electronically.
Origins of Commerce
The origins of traditional commerce predate recorded history. Commerce is a basic economic activity involving trading or the buying and selling of goods. Commerce is based on the specialization of skills: instead of performing all services and producing all goods independently, people rely on each other for the goods and services they need. Example: a customer enters a bookshop.
Diagram (kinds of commerce):
- Commerce
- E-Commerce
- Traditional Commerce
- Internet Commerce
- Mobile Commerce
Traditional Commerce
Although money has replaced bartering, the basic mechanics of commerce remain the same: one member of society creates something of value that another member of society desires. Commerce is a negotiated exchange of valuable objects or services between at least two parties and includes all activities that each of the parties undertakes to complete the transaction.
Views of Commerce
Commerce can be viewed from at least two different perspectives:
1. The buyer's viewpoint
2. The seller's viewpoint
Both perspectives will illustrate that commerce involves a number of distinct activities, called business processes.
Business Processes
Business processes are the activities involved in conducting commerce. Examples include:
- Transferring funds
- Placing orders
- Sending invoices
- Shipping goods to customers
E-Commerce
We will define e-commerce as the use of electronic data transmission to implement or enhance any business activity. Example: a buyer sends an electronic purchase order to a seller. The seller then sends an electronic invoice back to the buyer. When used appropriately, electronic transmission can save both time and money.
E-Commerce
Electronic commerce "refers generally to all forms of transactions relating to commercial activities, including both organizations and individuals, that are based upon the processing and transmission of digitized data, including text, sound and visual images." Or: e-commerce is about the sale and purchase of goods or services by electronic means over the Internet.
Impact of E-Commerce
E-commerce is changing the way traditional commerce is conducted: Technology can help throughout the process including promotion, searching, selecting, negotiating, delivery, and support.
Questionable cases
Would e-commerce or traditional commerce work best for the following activities?
- Sale/purchase of rare books
- Browsing through new books
- Sale/purchase of shoes
- Sale/purchase of collectibles (trading cards, plates, etc.)
Combinations of both
Some business processes can be handled well using a combination of electronic and traditional methods:
- Sale/purchase of automobiles
- Online banking
- Roommate-matching services
- Sale/purchase of investment/insurance products
In this course we will discuss the issue of evaluating the advantages and disadvantages of e-commerce. Let's consider a few examples now.
Advantages of E-Commerce
For the seller:
- Increases sales/decreases cost
- Makes promotion easier for smaller firms
- Can be used to reach narrow market segments
For the buyer:
- Makes it easier to obtain competitive bids
- Provides a wider range of choices
- Provides an easy way to customize the level of detail in the information obtained
Advantages of E-Commerce II
In general:
- Increases the speed and accuracy with which businesses can exchange information
- Electronic payments (tax refunds, paychecks, etc.) cost less to issue and are more secure
- Can make products and services available in remote areas
- Enables people to work from home, providing scheduling flexibility
Disadvantages of E-Commerce
- Some business processes are not suited to e-commerce, even with improvements in technology
- Many products and services require a critical mass of potential buyers (e.g. online grocers)
- Costs and returns on e-commerce can be difficult to quantify and estimate
- Cultural impediments: people are reluctant to change in order to integrate new technology
- The legal environment is uncertain: courts and legislators are trying to catch up
1. Client side: the customer interface.
2. Service system: handles the business logic.
3. Backend system: provides the necessary information to complete a transaction.
Questions
Identify the businesses that are not suitable for e-commerce. Check out the differences between the different types of e-commerce sites on the Internet.
Day 2
Usenet
In 1979 a group of students and programmers at Duke and the University of North Carolina started Usenet, short for User News Network. Usenet allows anyone who connects to the network to read and post articles on a variety of subjects. Usenet survives today in what are called newsgroups.
Newsgroups
There are several thousand newsgroups covering a highly varied range of subjects. Examples:
- alt.cats
- comp.databases
- rec.climbing
- soc.penpals
The first part of the name of each group tells you what type of group it is and the remaining parts indicate the subject matter.
Accessing newsgroups
Newsgroups can be accessed in two ways:
1. Using special software (trn, rn, etc.)
2. Using a browser on the Web. As an example, DejaNews is a web site that allows access to a variety of newsgroups as well as providing an archive of old postings to the group. See http://www.deja.com/usenet/
Privatization
The privatization of the Internet was substantially completed in 1995. At that point the NSF decommissioned its backbone. The new structure of the Internet was based on four network access points (NAPs), each operated by a separate company. The network access providers sell Internet access rights directly to larger customers and indirectly to smaller customers through other companies called Internet service providers (ISPs).
A growing Internet
Researchers had long considered the Internet a valuable tool. As the 1990s began, a larger variety of people thought of the Internet as a useful resource. The Internet grew significantly in 20 years:

Year   Number of computers
1969   4
1990   313,000

The largest growth in the Internet was yet to come.
Terminology
A hypertext server is a computer that stores files written in hypertext markup language (HTML) and lets other computers connect to it and read those files. It is now called a Web server. A hyperlink is a special tag that contains a pointer to another location in the same or in a different HTML document. HTML is based on Standard Generalized Markup Language (SGML), which organizations have used for many years to manage large document filing systems.
Internet 2
A project to develop another Internet, Internet2, is being led by over 170 U.S. universities working in partnership with industry and government. This new network is designed to allow development and deployment of advanced network applications and technologies. For more information see: http://www.internet2.edu/
Circuit switching
Telephone company switching equipment (both mechanical and computerized) selected the phone lines, or circuits, to connect in order to create the path between caller and receiver. This centrally controlled, single-connection model is known as circuit switching. Circuit switching does not work well for sending data across a large network: point-to-point connections for each sender/receiver pair are expensive and hard to manage.
A different approach
The Internet uses a less expensive and more easily managed technique than circuit switching. Files and messages are broken down into packets that are labeled with codes that indicate their origin and destination. Packets travel from computer to computer along the network until they reach their destination. The destination computer reassembles the data from the packets it receives. This is called a packet switching network.
Packet switching
In a packet-switched network, (some of) the computers that an individual packet encounters determine the best way to move the packet to its destination. Computers performing this determination are called routers. The programs that the computers use to determine the path are called routing algorithms.
Open architecture
When it was being developed, the people working on ARPANet adhered to the following principles:
1. Independent networks should not require any internal changes in order to be connected.
2. The router computers do not retain information about the packets that they handle.
3. Packets that do not arrive at their destinations must be retransmitted from their source network.
4. No global control exists over the network.
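The packet-switching slides above and the ARPANet principles can be seen working together in a small simulation. This is an added example, not code from the lecture: a message is split into packets labelled with origin, destination and sequence number; routers forward each packet from a fixed next-hop table and keep no memory of the packets they handle; packets lost on the way are detected by the destination and retransmitted from the source; and the destination reassembles the message whatever order the packets arrive in. The topology (hostA, R1, R2, R3, hostB), the loss pattern and the message are constructed for the demonstration.

```python
# Added example (not from the slides): packet switching with stateless routers,
# loss detection at the destination and retransmission from the source.
import random

# Constructed topology: hostA -> R1 -> R2 -> R3 -> hostB.
# Each router holds only a next-hop table, never any per-packet state.
ROUTES = {
    "R1": {"hostB": "R2"},
    "R2": {"hostB": "R3"},
    "R3": {"hostB": "hostB"},
}


def packetize(message, src, dst, size):
    """Split a message into packets; each carries the labels routers and the receiver need."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)]
    return [{"src": src, "dst": dst, "seq": i, "total": len(chunks), "data": chunk}
            for i, chunk in enumerate(chunks)]


def forward(packet, first_hop, drop):
    """Move one packet hop by hop. Returns (packet, path) or (None, path) if it was lost.

    drop(packet, router) models a lossy link out of that router.
    """
    hop, path = first_hop, [first_hop]
    while hop in ROUTES:                          # still inside the network
        if drop(packet, hop):
            return None, path                     # gone; the router remembers nothing about it
        hop = ROUTES[hop][packet["dst"]]          # stateless next-hop decision
        path.append(hop)
    return packet, path                           # reached a host


def reassemble(received, total):
    """Rebuild the message from packets keyed by seq; report which seqs are still missing."""
    missing = [i for i in range(total) if i not in received]
    if missing:
        return None, missing
    return b"".join(received[i]["data"] for i in range(total)), []


def transfer(message, size, drop, max_rounds=10, seed=0):
    """Send message hostA -> hostB; the source retransmits only what hostB reports missing.

    Returns (message as reassembled by hostB, or None, number of rounds used).
    """
    packets = packetize(message, "hostA", "hostB", size)
    received, pending, rounds = {}, list(packets), 0
    rng = random.Random(seed)
    while pending and rounds < max_rounds:
        rounds += 1
        rng.shuffle(pending)                      # packets need not travel in order
        for p in pending:
            delivered, _ = forward(p, "R1", drop)
            if delivered is not None:
                received[delivered["seq"]] = delivered
        data, missing = reassemble(received, len(packets))
        pending = [packets[i] for i in missing]   # retransmission comes from the source
    return data, rounds


def no_loss(packet, router):
    return False


def lose_first_attempt(seqs, at="R2"):
    """Constructed failure: packets with these seqs are dropped at router `at`, but only once."""
    dropped = set()

    def drop(packet, router):
        if router == at and packet["seq"] in seqs and packet["seq"] not in dropped:
            dropped.add(packet["seq"])
            return True
        return False
    return drop


MESSAGE = b"Hello, packet-switched world!"       # constructed sample payload

if __name__ == "__main__":
    print(transfer(MESSAGE, 5, no_loss))
    print(transfer(MESSAGE, 5, lose_first_attempt({1, 3})))
    print(forward(packetize(MESSAGE, "hostA", "hostB", 5)[0], "R1", no_loss)[1])
```

With no loss the transfer completes in one round; with packets 1 and 3 dropped once at R2 it takes two rounds, and only those two packets cross the network again. A link that always drops a packet exhausts `max_rounds` and the receiver never gets a complete message, which is the failure case principle 3 is there to bound.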
TCP/IP
The protocols that underlie the basic operation of the Internet are TCP (transmission control protocol) and IP (Internet protocol). Developed by Internet pioneers Vinton Cerf and Robert Kahn, these protocols establish rules about how data are moved across networks and how network connections are established and broken. Diagram: four-layer architecture.
Network layers
The work done by communications software is broken into multiple layers, each of which handles a different set of tasks. Each layer is responsible for a specific set of tasks and works as one unit with the other layers when delivering information over the Internet. Each layer provides services for the layer above it.
TCP/IP architecture
There are five layers in the Internet model:
1. Application
2. Transport
3. Internet
4. Network interface
5. Hardware
The lowest layer is the hardware layer that handles the individual pieces of equipment attached to the network. The highest layer is the application layer where various network applications run.
Diagram: Web clients, Internet, database.
HTTP
HTTP (hypertext transfer protocol) is the protocol responsible for transferring and displaying Web pages. It has continued to evolve since being introduced; versions include HTTP/1.0 and HTTP/1.1. Like other Internet protocols, HTTP uses the client/server model of computing. Thus, to understand how HTTP works, we need to first discuss the client/server model.
HTTP
Request methods in HTTP: GET, HEAD, POST.
Client/server model
In the client/server model there are two roles: the client and the server. The client process makes requests of the server. The client is only capable of sending a request to the server and then waiting for the reply. The server satisfies the requests of the client. It usually has access to a resource, such as data, that the client wants. When the resource that the client wants becomes available, it sends a message to the client. This model simplifies communication.
Internet addresses
Internet addresses are represented in several ways, but all the formats are translated to a 32-bit number called an IP address. The increased demand for IP addresses will soon make 32-bit addresses too small, and they will be replaced with 128-bit addresses in the near future. See the links page for more information. How does increasing the number of bits in the address help with increasing demand?
Dotted quads
IP numbers appear as a series of up to 4 separate numbers delineated by a period. Examples:
- students.depaul.edu: 140.192.1.100
- condor.depaul.edu: 140.192.1.6
- facweb.cs.depaul.edu: 140.192.33.6
Each of the four numbers can range from 0 to 255, so the possible IP addresses range from 0.0.0.0 to 255.255.255.255.
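The dotted-quad notation above is just a way of writing a 32-bit number one byte at a time, which also answers the question on the previous slide about why widening the address helps. The following is an added example, not code from the lecture: it converts a dotted quad to the 32-bit integer it encodes and back, rejects malformed input (wrong number of parts, non-numeric parts, values over 255), and compares the sizes of the 32-bit and 128-bit address spaces. The host-to-address pairs are the ones printed on the slide, used here as sample data rather than looked up live.

```python
# Added example (not from the slides): parse and validate a dotted quad, convert it
# to and from its 32-bit integer form, and compare address-space sizes.

def parse_dotted_quad(text):
    """Convert 'a.b.c.d' into the 32-bit integer it encodes.

    Raises ValueError for anything that is not exactly four decimal numbers in
    the range 0-255, e.g. '140.192.1', '1.2.3.256' or '1.2.3.4.5'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets, got {len(parts)}: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"octet {part!r} is not a decimal number")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet {octet} is outside 0-255")
        value = (value << 8) | octet        # each octet becomes one byte of the 32-bit number
    return value


def format_dotted_quad(value):
    """Inverse of parse_dotted_quad: a 32-bit integer back to 'a.b.c.d'."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_space(bits):
    """How many distinct addresses an address field of the given width can name."""
    return 2 ** bits


# Host names and addresses as given on the slide (sample data, not a live DNS lookup).
SLIDE_ADDRESSES = {
    "students.depaul.edu": "140.192.1.100",
    "condor.depaul.edu": "140.192.1.6",
    "facweb.cs.depaul.edu": "140.192.33.6",
}

if __name__ == "__main__":
    for host, quad in SLIDE_ADDRESSES.items():
        n = parse_dotted_quad(quad)
        print(f"{host:22} {quad:15} = {n:#010x} -> {format_dotted_quad(n)}")
    print("32-bit addresses :", address_space(32))
    print("128-bit addresses:", address_space(128))
    print("128-bit space is 2**96 times larger:", address_space(128) // address_space(32) == 2 ** 96)
```

Every extra bit doubles the number of addresses, so going from 32 to 128 bits multiplies the space by 2**96 rather than by four, which is why the larger field removes the shortage the slide describes.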
Domain names
Since IP numbers can be difficult for humans to remember, domain names are associated with each IP address. Examples:
- students.depaul.edu: 140.192.1.100
- facweb.cs.depaul.edu: 140.192.33.6
A domain name server is responsible for the mapping between domain names and IP addresses.
A URL deconstructed
http://facweb.cs.depaul.edu/asettle/ect250/section602/hw/assign2.htm
- domain: facweb.cs.depaul.edu
- path that indicates the location of the document in the host's file system: /asettle/ect250/section602/hw/
- document name: assign2.htm
Diagram (labels only): handle, domain.
Domain types
- edu: educational
- com: commercial
- net: originally for telecommunications
- org: organizations (non-profit)
- gov: U.S. government
- ja, uk, de, ...: nations other than the U.S.
New additions: info, biz, name, pro, museum, coop, aero, tv. See the links page for a related news story.
Finger
Finger is a program that allows a user to obtain limited information about other network users. The information that can be obtained includes:
- Which users are currently logged on
- Where each user logged onto the network from
- How long the user has been on the network
- When the user last logged onto the system
Finger is sometimes disabled for security reasons.
Ping
Ping (Packet InterNet Groper) tests the connectivity between two Internet hosts and determines if a host is active on the network. It works by sending a packet to the specified address and waiting for a reply. Ping is typically used to troubleshoot connections. To run ping, you simply type ping followed by the IP address or domain name of the machine you are interested in. Example: ping students.depaul.edu
COOKIES
HTTP is a stateless protocol, i.e. the web server does not keep the user's state or information. But in e-commerce applications knowing the user's state is very important: in a shopping cart application, it is very important for the server to keep track of the contents of each user's cart. Solution: cookies were proposed so that a web server can save state data at the web client.
COOKIES
A maximum of 20 cookies are allowed for each domain. Each cookie is limited to 4 KB to prevent overloading the memory of the client computer. The server sets a cookie with the header Set-Cookie: name=value, where name and value are the name and value of the cookie. Whenever required, the client includes the cookie in the HTTP request header as Cookie: name=value. In this way the user's information is passed back to the server.
COOKIES
Set-Cookie: Item1=1111
Set-Cookie: Item2=2222
Set-Cookie: Item3=3333
COOKIES
Cookie attributes: Comment, Domain, Expires, Max-age, Path, Secure.
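The three cookie slides above describe the client's side of the exchange: accept Set-Cookie headers within the stated limits and send the right cookies back in the Cookie header. The block below is an added example, not code from the lecture: a minimal cookie jar that parses the attributes just listed (Comment, Domain, Expires, Max-age, Path, Secure), enforces the 20-per-domain and 4 KB limits from the slide, refuses cookies a host tries to set for an unrelated domain, and builds the Cookie request header from the request's scheme, host and path. The Item1..Item3 headers are the slide's; the host names, the clock and the other headers are constructed.

```python
# Added example (not from the slides): a small client-side cookie jar honouring
# Domain, Path, Secure, Expires and Max-Age when deciding what to send back.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_COOKIES_PER_DOMAIN = 20      # limit quoted on the slide
MAX_COOKIE_BYTES = 4096          # limit quoted on the slide


def domain_matches(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return cookie_path.endswith("/") or rest == "" or rest.startswith("/")


def parse_set_cookie(header, request_host, now):
    """Parse one Set-Cookie value into a dict; None if it is malformed or over 4 KB."""
    if len(header.encode()) > MAX_COOKIE_BYTES or "=" not in header.split(";", 1)[0]:
        return None
    parts = [p.strip() for p in header.split(";")]
    name, value = (s.strip() for s in parts[0].split("=", 1))
    cookie = {"name": name, "value": value, "domain": request_host.lower(), "path": "/",
              "secure": False, "expires": None, "comment": None}
    max_age_seen = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "secure":
            cookie["secure"] = True                 # only ever sent over https
        elif key == "comment":
            cookie["comment"] = val
        elif key == "max-age":                      # Max-Age takes precedence over Expires
            cookie["expires"] = now + timedelta(seconds=int(val))
            max_age_seen = True
        elif key == "expires" and not max_age_seen:
            cookie["expires"] = parsedate_to_datetime(val)
    return cookie


class CookieJar:
    def __init__(self):
        self.cookies = {}                           # (domain, path, name) -> cookie dict

    def store(self, set_cookie_headers, request_host, now):
        """Accept Set-Cookie headers from a response; returns the names actually stored."""
        stored = []
        for header in set_cookie_headers:
            c = parse_set_cookie(header, request_host, now)
            if c is None or not domain_matches(request_host, c["domain"]):
                continue                            # a host may not set cookies for another domain
            key = (c["domain"], c["path"], c["name"])
            in_domain = sum(1 for k in self.cookies if k[0] == c["domain"])
            if key not in self.cookies and in_domain >= MAX_COOKIES_PER_DOMAIN:
                continue
            self.cookies[key] = c
            stored.append(c["name"])
        return stored

    def cookie_header(self, scheme, host, path, now):
        """Build the Cookie request header for a request, or None when no cookie applies."""
        pairs = []
        for c in self.cookies.values():
            if c["expires"] is not None and c["expires"] <= now:
                continue
            if c["secure"] and scheme != "https":
                continue
            if domain_matches(host, c["domain"]) and path_matches(path, c["path"]):
                pairs.append(f'{c["name"]}={c["value"]}')
        return "; ".join(pairs) if pairs else None


NOW = datetime(2001, 3, 1, 12, 0, tzinfo=timezone.utc)            # constructed clock
SLIDE_HEADERS = ["Item1=1111", "Item2=2222", "Item3=3333"]          # from the slide
EXTRA_HEADERS = [                                                   # constructed
    "sessionid=abc123; Path=/; Secure; Max-Age=600",
    "promo=spring; Domain=shop.example; Path=/sale; Expires=Thu, 01 Mar 2001 11:00:00 GMT",
    "evil=1; Domain=other.example",                                 # must be rejected
]


def demo():
    jar = CookieJar()
    jar.store(SLIDE_HEADERS + EXTRA_HEADERS, "www.shop.example", NOW)
    return {
        "http /cart": jar.cookie_header("http", "www.shop.example", "/cart", NOW),
        "https /cart": jar.cookie_header("https", "www.shop.example", "/cart", NOW),
        "https /sale/shoes two hours earlier": jar.cookie_header(
            "https", "www.shop.example", "/sale/shoes", NOW - timedelta(hours=2)),
    }

if __name__ == "__main__":
    for request, header in demo().items():
        print(f"{request:36} Cookie: {header}")
```

Run it and the difference between the two `/cart` requests shows what the Secure attribute buys: `sessionid` never appears on the plain-http request, so a session cookie marked Secure cannot be read off the wire by someone watching unencrypted traffic. The `promo` cookie is present only in the earlier request because its Expires date has passed by `NOW`.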
JavaScript
JavaScript is a scripting language proposed by Netscape to enhance the functions of HTML (e.g. form validation). It can be used to make a web page more interactive and dynamic. JavaScript code is embedded between <script> and </script>. There are three main objects:
- Document object: provides information on the document.
- Form object: provides information on the form.
- Location object: provides location-related information for the current web page, such as the URL, host name, etc.
Day 3
CGI
ASP
SERVLET
To run servlets, there are basically two techniques:
1. A servlet-enabled web server
2. A non-servlet-enabled web server
SERVLET
There are two main packages in the servlet API: javax.servlet and javax.servlet.http.
Web servers
The components of a web server are:
- Hardware
- Software
When determining what sort of server hardware and software to use you have to consider:
- Size of the site
- Purpose of the site
- Traffic on the site
A small, noncommercial Web site will require fewer resources than a large, commercial site.
Hosting considerations
Will the site be hosted in-house or by a provider? Factors to consider:
- The bandwidth and availability needed for the expected size, traffic, and sales of the site
- Scalability: if the Web site needs to grow or has a sudden increase in traffic, can the provider still handle it?
- Personnel requirements or restraints
- Budget and cost effectiveness of the solution
- Target audience: business-to-customer (B2C) or business-to-business (B2B)
Commerce sites
Commerce sites must be available 24 hours a day, 7 days a week. Requirements include:
- Reliable servers
- Backup servers for high availability
- Efficient and easily upgraded software
- Security software
- Database connectivity
B2B sites also require certificate servers to issue and analyze electronic authentication information.
Benefits
- Cost effective for small companies or those without in-house technical staff.
- May require less investment in hardware/software.
- Can eliminate the need to hire and oversee technical personnel.
- Make sure that the site is scalable.
Services provided
- Access to hardware, software, personnel
- Domain name, IP address
- Disk storage
- Template pages to use for designing the site
- E-mail service
- Use of FTP to upload and download information
- Shopping cart software
- Multimedia extensions (sound, animation, movies)
- Secure credit card processing
Summary
ISPs have Web hosting expertise that small or medium-sized companies may not. Creating and maintaining a Web site using an existing network can be difficult. With the exception of large companies with large Web sites and in-house computer experts, it is almost always cheaper to use outside Web hosting services.
Examples
- EZ Webhost
- Interland
- HostPro
- HostIndex
- Managed hosting
- Other hosting options
- TopHosts.com
B2C e-commerce
Requirements:
- A catalog display
- Shopping cart capabilities
- Transaction processing
- Tools to populate the store catalog and to facilitate storefront display choices
Any e-commerce software must be integrated with existing systems:
- Database
- Transaction processing software
Catalog display
Small storefront (fewer than 35 items):
- Simple listing of products
- No particular organization
- Example: Quebec maple syrup
Larger catalog:
- Store product information in a database
- More sophisticated navigation aids
- Better product organization
- Search engine
- Example: LL Bean
Shopping carts
Early e-commerce shopping used forms-based checkout methods, which required writing down product codes, unit prices, etc. A shopping cart:
- Keeps track of items selected
- Allows you to view the items in a cart
- Allows you to change quantities of items
Because the Web is stateless, information must be stored for retrieval. One way to do this is to use cookies, bits of information stored on the client's computer.
Transaction processing
Usually performed with a secure connection. May require the calculation of:
- Sales tax
- Shipping costs
- Volume discounts
- Tax-free sales
- Special promotions
- Time-sensitive offers
Details about transactions must be tracked for accounting and sales reports.
B2B e-commerce
Business-to-business e-commerce requires tools and capabilities different from those required for business-to-customer systems:
- Encryption
- Authentication
- Digital signatures
- Signed receipt notices
- The ability to connect to existing legacy systems, including Enterprise Resource Planning (ERP) software. ERP integrates all facets of a business including planning, sales, and marketing.
Levels of packages
Three levels of e-commerce packages:
- Basic: requires a few hundred dollars in fees and less than an hour to set up. Typically hosted by an ISP.
- Middle-tier: ranges in price from $1K to $5K+, and can take from one day to several days to set up. Can connect with a database server. Requires hardware purchase and some skills.
- Enterprise-class: for large companies with high traffic and transaction volumes. Hardware and in-house specialists needed.
Basic packages
Basic packages are free or low-cost e-commerce software supplied by a Web host for building sites to be placed on the Web host's system:
- Fundamental services
- Banner advertising exchanges
- Full-service mall-style hosting
Fundamental services
Available for businesses selling less than 50 items with a low rate of transactions. These services offer:
- Space for the store
- Forms-based shopping
The Web host makes money from advertising banners placed on the site. Each business has some control over which banners are placed on its site. Examples: Bizland.com, HyperMart. Drawbacks: e-mail transaction processing, banners.
Midrange packages
Distinction from basic e-commerce packages: the merchant has explicit control over
- Merchandising choices
- Site layout
- Internal architecture
- Remote and local management options
Other differences include price, capability, database connectivity, software portability, software customization tools, and the computer expertise required of the merchant.
Features
- Prices range from $2000 to $9000.
- Hosted on the merchant's server.
- Typically has connectivity with complex database systems and stores catalog information.
- Several provide connections (hooks) into existing inventory and ERP systems.
- Highly customizable.
- Requires part-time or full-time programming talent.
Examples: INTERSHOP efinity, WebSphere Commerce Suite
Enterprise solutions
Distinguishing features:
- Price ($25,000 - $1 million)
- Extensive support for B2B e-commerce
- Interacts with a variety of back office systems, such as database, accounting, and ERP.
- Requires one or more dedicated computers, a Web front-end, firewall(s), a DNS server, an SMTP system, an HTTP server, an FTP server, and a database server.
Features
- Good tools for linking supply and purchasing.
- Can interact with the inventory system to make the proper adjustments to stock, issue purchase orders, and generate accounting entries.
- Example: Wal-Mart allows several suppliers to make decisions about resupplying, which results in cost savings in inventory.
Examples: WebSphere Commerce Suite, Netscape CommerceXpert
Factors in performance
- Hardware and operating system choice
- Speed of connection to the Internet
- User capacity
- Throughput: the number of HTTP requests that can be processed in a given time period.
- Response time: the amount of time a server requires to process one request.
- The mix and type of Web pages: static pages; dynamic pages, shaped in response to users.
Benchmarking
Benchmarking is testing used to compare the performance of hardware and software. Results measure the performance of aspects such as the OS, software, network speed, CPU speed. There are several Web benchmarking programs. For examples see Figure 3-4 on page 87. Anyone considering buying a server for a heavy traffic situation or wanting to make changes to an existing system should consider benchmarks.
Core capabilities
- Process and respond to Web client requests: static pages, dynamic pages, domain name translation.
- Security: names/passwords, processing certificates and public/private key pairs.
- FTP, Gopher
- Searching, indexing
- Data analysis: who, what, when, how long? May involve the use of Web log analysis software.
Site management
Features found in site management tools:
- Link checking
- Script checking
- HTML validation
- Web server log file analysis
- Remote server administration
Application construction
Uses Web editors and extensions to produce Web pages, both static and dynamic. Like HTML editors, application editors allow the creation of dynamic features without knowledge of CGI (Common Gateway Interface) or API (Application Program Interface) programming. They also detect HTML code that differs from the standard or is browser specific.
Dynamic content
Non-static information constructed in response to a Web client's request. Assembled from backend databases and internal data on the Web site, a successful dynamic page is tailored to the query that generated it. Active Server Pages (ASP) is a server-side scripting mechanism to build dynamic sites and Web applications. It uses a variety of languages such as VBScript, JScript, and Perl. More information? Take ECT 353!
Electronic commerce
A Web server handles Web pages whereas an e-commerce server deals with the buying and selling of goods and services. A Web server should handle e-commerce software since this simplifies adding e-commerce features to existing sites. Features: creation of graphics, product information, addition of new products, shopping carts, credit card processing, sales report generation, Web ad rotation and weighting.
Apache Server
Developed by Rob McCool while at UI in the NCSA in 1994. The software is available free of charge and is quite efficient. Can be used for intranets and public Web sites. Originally written for Unix, it is now available for many operating systems. For a discussion of its features see the Apache Software Foundation page.
Microsoft IIS
Microsoft's Internet Information Server comes bundled with Microsoft's Windows NT/2000. It can be used for intranets and public Web sites and is suitable for everything from small sites to large enterprise-class sites with high volumes. It currently only runs on Windows NT/2000. See Microsoft's Web Services page.
Further information
- What Web software is running on a site?
- Web server side-by-side comparisons
Web portals
- Provides a cyber door on the Web
- Serves as a customizable home base
Successful portals include: Excite, Yahoo!, My Netscape, Microsoft Passport
Push technologies
An automated delivery of specific and current information from a Web server to the user's hard drive. May be used to provide information on:
- Health benefit updates
- Employee awards
- Changes in corporate policies
Intelligent agents
A program that performs functions such as information gathering, information filtering, or mediation on behalf of a person or entity. Examples: AuctionBot, BargainFinder, MySimon, Kasbah
Example uses
Example uses for intelligent agents:
- Search for the best price and characteristics of various products
- Procurement: deciding what, when, and how much to purchase
- Stock alert: monitors stock and notifies when certain conditions are met, e.g. purchase 100 shares if the price is below $60 a share.
We Learned
1. Have an idea about HTML and JavaScript.
2. Server-side components: Servlets, CGI, ASP, etc. Design some simple programs using servlets.
3. Database connectivity: JDBC/ODBC connectivity; how to communicate with a backend database system.
4. Hardware and software required.
Day 4
Session Tracking
Four Methods
1. Hidden form field: we define a hidden field element called username in an HTML form. This can be used to keep track of the user and the shopping cart.
2. URL rewriting
3. HTTP user authentication
4. Cookies
2. URL rewriting: the basic concept is to modify, more precisely rewrite, the URL into a specific URL for each user, i.e. each user is given a specific URL for talking to the web server. There are two ways:
A) Add an extra directory to the original URL
B) Add additional parameters at the end of the URL
E.g. http://www.xyz.com/servelts/welcome/hello becomes http://www.xyz.com/servelts/welcome/007/hello or http://www.xyz.com/servlets/welcome/hello?session_no007
3. HTTP user authentication: this can be done by asking the user to provide his username and password.
4. Cookies: a small piece of information stored in the client browser.
Each method has its own advantages and disadvantages. Cannot be used in an e-commerce scenario.
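The session tracking methods above can be made concrete with a small server-side implementation. This is an added example, not code from the lecture: it keeps each shopping cart on the server under an opaque session id, rewrites outgoing links in both forms the slide gives (an extra path segment after "welcome", or a session_no query parameter), recovers the id from an incoming request URL, and also renders the hidden-form-field variant. The host names, the "welcome" marker and the cart contents are constructed; the id comes from Python's secrets module so that it cannot be guessed or counted up from one user to the next, which is what makes the rewritten URL safe to rely on.

```python
# Added example (not from the slides): session tracking by URL rewriting and by
# a hidden form field, with the session state held on the server.
import html
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "session_no"   # query-parameter name, after the slide's example
PATH_MARKER = "welcome"        # the id is inserted right after this path segment (constructed)


class SessionStore:
    """Server-side sessions: the client only ever holds an unguessable id."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(16)   # 128 random bits; not predictable like '007'
        self.sessions[sid] = {"cart": []}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def rewrite_url(url, sid, style):
    """Return url with the session id added as a path segment or as a query parameter."""
    parts = urlsplit(url)
    if style == "query":
        query = dict(parse_qsl(parts.query))
        query[SESSION_PARAM] = sid
        return urlunsplit(parts._replace(query=urlencode(query)))
    if style == "path":
        segments = parts.path.split("/")
        if PATH_MARKER in segments:
            segments.insert(segments.index(PATH_MARKER) + 1, sid)
        return urlunsplit(parts._replace(path="/".join(segments)))
    raise ValueError("style must be 'query' or 'path'")


def extract_session_id(url):
    """Recover the id from a rewritten URL (query form first, then path form); None if absent.

    In the path form the segment after the marker is taken as the id; on an
    un-rewritten URL that is just the next directory, which the store then rejects.
    """
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    if SESSION_PARAM in query:
        return query[SESSION_PARAM]
    segments = parts.path.split("/")
    if PATH_MARKER in segments:
        i = segments.index(PATH_MARKER)
        if i + 1 < len(segments):
            return segments[i + 1]
    return None


def hidden_field(sid):
    """Method 1 on the slide: carry the id in a hidden field, escaped so it cannot break the HTML."""
    return f'<input type="hidden" name="username" value="{html.escape(sid, quote=True)}">'


def handle_request(store, url):
    """Resolve the session for an incoming URL; an unknown or missing id starts a fresh session."""
    sid = extract_session_id(url)
    session = store.get(sid) if sid else None
    if session is None:
        sid = store.create()
        session = store.get(sid)
    return sid, session


if __name__ == "__main__":
    store = SessionStore()
    sid, session = handle_request(store, "http://www.xyz.com/servlets/welcome/hello")
    session["cart"].append("book")
    link = rewrite_url("http://www.xyz.com/servlets/welcome/catalog", sid, "query")
    print(link)
    print(handle_request(store, link))
    print(hidden_field(sid))
```

Because the id is the only thing the client holds, anything that exposes the URL (browser history, proxy and server logs, a link pasted to someone else) exposes the session; that is the disadvantage of URL rewriting the slide alludes to, and it is why such ids should be random and short-lived rather than a counter like 007.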
Security
Terminology
Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. There are two types of security:
- Physical security, including such devices as alarms, fireproof doors, security fences and vaults.
- Logical security, which is non-physical protection.
A threat is an act or object that poses a danger to computer assets. A countermeasure is a procedure, either physical or logical, that recognizes, reduces, or eliminates a threat.
Risk analysis
The countermeasure will depend both on the cost associated with the threat and on the likelihood that the threat will occur:
- High probability, low impact: contain and control
- High probability, high impact: prevent
- Low probability, low impact: ignore
- Low probability, high impact: insurance or backup
Example: CTI computer systems under threat from (1) virus, (2) fire, (3) earthquake, (4) theft.
Types of threats
Physical threats:
- Natural phenomena: earthquake, storm, tornado
- Arson, electrical shutdown, power surge
- Theft, sabotage
Logical threats:
- Impostors
- Eavesdroppers
- Thieves
Security terminology
- Secrecy: protecting against unauthorized data disclosure, and ensuring the authenticity of the data source. Example: use of stolen credit card numbers.
- Integrity: preventing unauthorized data modification. Example: changing of an e-mail message.
- Necessity: preventing data delays or denials. Example: delaying a purchase order for stock.
Security policy
Any organization concerned about protecting its e-commerce assets should have a security policy. A security policy is a written statement describing what assets are to be protected, why they are to be protected, who is responsible for that protection, and which behaviors are acceptable and not. The policy should address physical security, network security, access authorizations, virus protection, and disaster recovery.
History
Early computer security measures:
- Computers were kept in locked central rooms
- Access was granted only to select individuals
- No one could remotely access the machine
Modern systems are more complex:
- Remote processing
- Electronic transmission of information
- Widespread use of the Internet
E-commerce threats
E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three-part structure:
1. Client security
2. Communication channel security
3. Server security
First, however, we will consider issues surrounding copyright and intellectual property.
Copyright and IP
Copyright is the protection of expression and it typically covers items such as books, essays, music, pictures, graphics, sculptures, motion pictures, recordings, architectural works. Intellectual property is the ownership of ideas and control over the representation of those ideas. The U.S. Copyright Act of 1976 protects items for a fixed period of time. Each work is protected when it is created. A copyright notice is not necessary.
Threats
The widespread use of the Internet has resulted in an increase in intellectual property threats. It is very easy to reproduce an exact copy of anything found on the Internet. Many people are unaware of copyright restrictions protecting intellectual property. See Intellectual Property Resources on the Internet. A related issue is cybersquatting which is the practice of registering a trademark of another company as a domain name.
Digital watermarks
Steganography is the practice of hiding information within other information. Example: "See everyone? Lucky Larry!" What does it mean? A digital watermark is a digital code or stream embedded into a file. Watermarks do not affect the quality of the file and may be undetectable. The presence of a watermark can indicate that the file was stolen.
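One concrete way to embed the kind of digital code the slide describes is least-significant-bit (LSB) watermarking, shown here as an added example that is not from the lecture: the mark, prefixed by its length, is written one bit at a time into the lowest bit of successive sample values, so no sample changes by more than one unit and the file looks the same; a rights holder who knows the code can later test a copy for it. The carrier is a constructed array of 8-bit values standing in for image pixels, and the mark text is constructed too.

```python
# Added example (not from the slides): an LSB digital watermark, embedded and
# checked on a constructed 8-bit sample array.

def _to_bits(data):
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def _from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def embed_watermark(carrier, mark):
    """Write a 16-bit length and then the mark into the lowest bit of successive samples."""
    payload = len(mark).to_bytes(2, "big") + mark
    bits = _to_bits(payload)
    if len(bits) > len(carrier):
        raise ValueError(f"carrier has {len(carrier)} samples, mark needs {len(bits)}")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # replace only the lowest bit: change of at most 1
    return bytes(out)


def extract_watermark(carrier):
    """Read back whatever the low bits contain; meaningless if the file was never marked."""
    lsbs = [sample & 1 for sample in carrier]
    length = int.from_bytes(_from_bits(lsbs[:16]), "big")
    return _from_bits(lsbs[16:16 + 8 * length])


def has_watermark(carrier, mark):
    """True if the file carries exactly this code: the check an owner runs on a suspect copy."""
    return extract_watermark(carrier) == mark


def max_sample_change(original, marked):
    return max(abs(a - b) for a, b in zip(original, marked))


CARRIER = bytes(range(256)) * 4            # constructed "image": 1024 grey-level samples
MARK = b"ECT250 lecture notes (c) 2001"    # constructed owner code

if __name__ == "__main__":
    marked = embed_watermark(CARRIER, MARK)
    print("recovered:", extract_watermark(marked))
    print("largest change to any sample:", max_sample_change(CARRIER, marked))
    print("unmarked copy passes the check?", has_watermark(CARRIER, MARK))
```

A mark of this kind is invisible but fragile: any lossy recompression or resampling rewrites the low bits and destroys it, so commercial watermarking spreads the code across the file in ways that survive such processing. The example is enough to show the principle on the slide, that the hidden code neither alters the perceived file nor can be seen without knowing where to look.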
Outline
E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three-part structure:
- Client security
- Communication channel security
- Server security
Cookies
Cookies are files that store identifying information about clients for the purposes of personalization. See The Cookie FAQ for more information. Malicious programs can read cookies to gain private information. Many sites do not store sensitive data in cookies. Cookies are not inherently bad, but it is wise to learn about them. Software exists that enables you to identify, manage, display, and eliminate cookies. See Cookie Crusher and Cookie Pal.
Anonymous browsing
Since many Web sites gather information about visitors to their sites, you are constantly giving away information such as your IP address. There are portals that allow you to surf the Web anonymously by visiting their portal first. Their site acts as a firewall, preventing any leaks in information. Example: Anonymizer.com
Client threats
Malicious code is a program that causes damage to a system. Malicious code can affect both the server and the client. Typically servers engage in much more thorough detection and disinfection. Examples:
- Virus or worm
- Trojan horses
- Malicious mobile code in active content
Viruses
- Macro virus (Anna Kournikova): 75-80% of all viruses; application specific; spread through e-mail attachments
- File-infecting virus: infects executable files (.com, .exe, .drv, .dll); spread through e-mail and file transfer
- Script viruses (ILOVEYOU): written in scripting languages (VBScript, JavaScript); activated by clicking a .vbs or .js file
Worms
Viruses are often combined with a worm. A worm is designed to spread from computer to computer rather than from file to file. A worm does not necessarily need to be activated by a user or program for it to replicate. Example: The ILOVEYOU virus was both a script virus and a worm that propagated by sending itself to the first 50 people in a user's Microsoft Outlook address book.
Active content
Active content, programs embedded in Web pages, can be a threat to clients. Active content displays moving graphics, downloads and plays audio, places items into shopping carts, computes the total invoice amount, etc. Active content can be implemented in a variety of ways:
- Java
- JavaScript
- ActiveX
Java
Java is a high-level, object-oriented programming language developed by Sun Microsystems. It was created for embedded systems, but its most popular use has been in Web pages where applets implement client-side applications. Java is platform independent. It reduces the load on servers by downloading work onto the client's machine.
Java sandbox
To counter security problems, a special security model called the Java sandbox was created. The Java sandbox confines Java applet actions to a set of rules defined by a security model. These rules apply to all untrusted Java applets, those that have not been proven to be secure. The sandbox prevents applets from performing file input or output and from deleting files. All applets from a local file system are trusted and have full access to system resources.
JavaScript
JavaScript is a scripting language developed by Netscape to enable Web page designers to build active content. When you download embedded JavaScript code it executes on your machine. It does not operate under the sandbox model. For this reason it can invoke privacy and integrity attacks by destroying your disk, copying credit card numbers, recording the URLs of pages you visit, etc. Secure connections do not help. JavaScript programs must be explicitly run.
ActiveX controls
ActiveX is an object that contains programs and properties that Web designers place on pages to perform certain tasks. ActiveX controls only run on Windows machines. When embedded ActiveX controls are downloaded, they are run on the client machine. Examples: Flash, Shockwave. Once downloaded, ActiveX controls have access to system resources, including the operating system.
Digital certificates
A digital certificate, or digital ID, is an attachment to a Web page or e-mail message verifying the identity of the creator of the page/message. It identifies the author and has an expiration date. A page or message with a certificate is signed. The certificate is only a guarantee of the identity of the author, not of the validity of the page/code. Certificates are obtained from a Certificate Authority (CA) that issues them to an individual or an organization. Example: VeriSign. Identification requirements vary.
Authenticode
When a page with a certificate is downloaded:
1. The certificate is detached
2. The identity of the CA is verified
3. The integrity of the program is checked
A list of trusted CAs is built into the browser along with their public keys. Both the certificate and the key must match.
Security zones
You can specify different security settings based on the origin of the information being downloaded. There are four zones:
- Internet: Anything not classified in another way
- Local intranet: The internal network
- Trusted sites
- Restricted sites: Web sites you do not trust
Security levels
- High: Safer but less functional; less secure features are disabled; cookies are disabled.
- Medium: Safe but functional browsing; prompts before downloading potentially unsafe content; unsigned ActiveX will not be downloaded.
- Medium-low: Downloads everything with prompts; most content will be run without prompts; unsigned ActiveX will not be downloaded.
- Low: Minimal safeguards; most content will be downloaded and run without prompts; all active content can be run.
Security settings
The Custom Level button allows you to alter the defaults provided by a specific level. All protections are a choice between running and not running active content. No monitoring of code occurs during execution.
Netscape Navigator
You can control whether active content (Java or JavaScript) will be downloaded. This is done using the Preferences dialog box. On the Advanced tab you can specify what should be done for images, Java, JavaScript, style sheets, and cookies. A message will be sent when Java or JavaScript is downloaded indicating whether the content is signed. A risk assessment is given.
Outline
E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three-part structure:
1. Client security
2. Communication channel security
3. Server security
Sniffer programs
E-mail transmissions can be compromised by the theft of sensitive or personal information. Sniffer programs record information as it passes through a particular router. This can capture:
- Passwords
- Credit card numbers
- Proprietary corporate product information
Integrity threats
An integrity threat is also called active wiretapping. This occurs when an unauthorized party alters a message in a stream of information. Cyber vandalism is the electronic defacing of an existing Web site's page. This occurs when an individual replaces content on the site. Masquerading or spoofing occurs when perpetrators substitute the address of their site for a legitimate site and then alter an order or other information before passing it along.
Necessity threats
Also known as delay or denial threats, the purpose is to disrupt or deny normal processing. Slowing processing can render a service unusable. The most famous example of a denial attack is the Robert Morris Internet Worm attack, perpetrated in 1988.
Encryption
Since the Internet is inherently insecure, any secret information must be encrypted. Encryption is the coding of information using a program and a key to produce a string of unintelligible characters. The study of encryption is called cryptography. The name comes from the Greek kryptos (secret) and graphe (writing). Cryptography is not related to steganography.
Terminology
Unencrypted data is called plaintext. Encrypted data is called ciphertext. A key is a string of digits that acts as a password. Only the intended receivers should have the key that transforms the ciphertext into plaintext. A cipher or cryptosystem is a technique or algorithm for encrypting messages. Cryptographic ciphers have a long history.
Knowledge needed
Someone can know the details of an encryption algorithm and yet not be able to decipher an encrypted message without the key. The resistance of the encrypted message depends on the size, in terms of bits, of the key used in the encryption procedure. The longer the key, the more computing power and time it takes to break the code. Example: 128-bit encryption systems.
Types of cryptosystems
There are two main types of cryptosystems:
- Private-key cryptography: Also known as symmetric or secret-key encryption, it uses a single key to both encrypt and decipher the message.
- Public-key cryptography: Also known as asymmetric encryption, it uses a public key to encrypt messages and a private key to decipher messages.
Private-key cryptography
Suppose that Alice wishes to send Bob a message:
1. They exchange a secret key.
2. Alice encodes the message using the secret key.
3. The ciphertext is sent to Bob.
4. Bob decodes the message using the secret key.
Problems with this approach:
- How do Alice and Bob exchange the secret key?
- There is no authentication of the sender.
- What if both wish to communicate with Chris?
DES
Data Encryption Standard (DES) is a 56-bit private-key encryption algorithm developed by the NSA and IBM in the 1950s. Cryptanalysts no longer believe that 56-bit keys are secure. The current standard is to use Triple DES, three DES systems in a row, each with its own key. Its designated successor is the Advanced Encryption Standard (AES).
Public-key cryptography
Public-key cryptography uses two related keys. The private key is kept secret by its owner. The public key is freely distributed. When someone wishes to communicate with Alice they use Alice's public key to encode their message. Alice then uses her private key to decode the message. Although the two keys are mathematically related, it would require enormous computing power to deduce the private key from the public one.
Authentication
If a customer sends a message to a merchant using the merchant's public key, the customer knows that only the merchant can decipher the message. Similarly, if the customer sends a message using the customer's private key, the merchant can decipher it using the customer's public key, thus identifying the customer. Both together give two-way authentication. Example: Merchant to customer:
1. First encode using the customer's public key.
2. Use the merchant's private key on the result.
RSA
The most commonly used public-key system is RSA (named for its inventors: Ron Rivest, Adi Shamir, and Leonard Adleman). Invented in 1977 at MIT. Most secure e-commerce transactions on the Internet use RSA products. See the RSA security page. RSA is built into many Web browsers, commerce servers, and e-mail systems. Examples: Internet Explorer, Apache Web Server, Netscape Communicator.
PGP
Another common public-key system is PGP (Pretty Good Privacy). Used to encrypt e-mail messages and files. PGP is freely available for non-commercial use. See the MIT Distribution Center.
Digital envelopes
The basic idea:
- A message is encrypted using a secret key.
- The secret key is encrypted using a public key.
- Only the receiver can decipher the secret key.
Example:
1. Alice encrypts a message using a secret key.
2. Alice encrypts the secret key using Bob's public key.
3. Alice sends both to Bob.
4. Bob decrypts the secret key using his private key.
5. He then uses that key to decipher the message.
Key management
Most compromises in security result from poor key management, e.g. the mishandling of private keys resulting in key theft. An important part of management is the generation of keys. The key length must be sufficiently long. A key generation algorithm that is unintentionally constructed to select keys from a small subset of all possible keys may allow a third party to crack the encryption. Key generation algorithms must be random.
Secure protocols
- Secure Sockets Layer (SSL): The purpose is to secure connections between two computers. Developed by Netscape Communications.
- Secure Hypertext Transfer Protocol (S-HTTP): The purpose is to send individual messages securely. Developed by CommerceNet.
SSL
To begin, a client sends a message to a server. The server responds by sending its digital certificate to the client for authentication. Using public-key cryptography, the client and server negotiate session keys to continue. Once the keys are established, the transaction proceeds using the session keys and digital certificates. All information exchanged is encoded. See Figure 6-17 on page 221.
Types of communication
SSL resides on top of TCP/IP in the Internet protocol suite. As a result it can secure many different types of communications:
- FTP sessions
- Telnet sessions
- HTTP sessions: S-HTTP
Limitation
Although SSL protects information as it is being transmitted, it does not protect information once it is stored in the merchant's database. The data needs to be encrypted and/or the server secured to protect information that was previously transmitted.
Secure HTTP
Secure HTTP (S-HTTP) is an extension of HTTP. It is concerned with securing individual messages and works at the application level. Security features:
- Client and server authentication (using RSA)
- Symmetric encryption for communication
- Message digests
The client and server may use separate S-HTTP techniques simultaneously. Example: The client may use private keys and the server may use public keys.
Establishing contact
The details of S-HTTP security are conducted during the initial negotiation session. Security details are specified in special packet headers that are exchanged. Once the client and server have agreed to the security implementations that will be enforced between them, all subsequent messages are wrapped in a secure envelope.
Security techniques
The client and server can specify that a security feature is required, optional, or refused. When a feature is required it must be used or the connection will be terminated. Features:
- Use of private-key encryption
- Server authentication
- Client authentication
- Message integrity
Transaction integrity
It is difficult to prevent integrity violations, but techniques can enable integrity violations to be detected; information can then be re-sent. The basic idea:
1. A hashing algorithm is applied to produce a message digest.
2. The message digest is encrypted to produce a digital signature.
Message digest
A hashing function is applied to the message. This produces a number that is based on the length and content of the message. Good hash algorithms have few collisions. The message digest is appended to the message. The receiver recalculates the message digest. If the two do not match, integrity is violated. Problem: What if an adversary changes both the message and the message digest?
Digital signature
The sender computes the digest, encrypts it using her private key, and then appends the encrypted digest onto the message. Only the sender could have created the digital signature. The merchant deciphers the digest, computes his own digest, and compares the two. If they match the integrity of the message was preserved. For added security, the digital signature and the message can be encrypted.
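The digital envelope (Alice wraps a secret session key with Bob's public key) and the digest-plus-signature scheme just described, including the "adversary changes both message and digest" problem from the Message digest slide, as one added Python example. This is example code written for this page, not from the textbook or any vendor. It assumes a deliberately tiny textbook RSA key pair built from two Mersenne primes, with no padding, a toy SHA-256 counter-mode stream cipher standing in for DES/Triple DES, and a digest truncated to 128 bits so that it stays below the toy modulus; the order text and the key sizes are constructed for illustration only.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Toy RSA key pair, constructed for this example: two Mersenne primes give a
# ~150-bit modulus, far too small for real use, and no padding is applied.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # private exponent (needs Python 3.8+)
PUBLIC_KEY = (N, E)          # freely distributed
PRIVATE_KEY = (N, D)         # kept secret by its owner


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream: SHA-256 over key||counter (stand-in for DES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same call encrypts and decrypts (secret-key cryptography)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def seal_envelope(public_key, message: bytes):
    """Digital envelope: a fresh session key encrypts the message and the
    recipient's public key encrypts the session key."""
    n, e = public_key
    session_key = secrets.token_bytes(16)        # CSPRNG: key generation must be random
    ciphertext = symmetric_crypt(session_key, message)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, ciphertext


def open_envelope(private_key, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Only the private-key holder recovers the session key, and with it the message."""
    n, d = private_key
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return symmetric_crypt(session_key, ciphertext)


def message_digest(message: bytes) -> bytes:
    """128-bit digest: SHA-256 truncated so the digest fits under the toy modulus."""
    return hashlib.sha256(message).digest()[:16]


def digest_only_check(message: bytes, digest: bytes) -> bool:
    """Unsigned digest appended to the message: anyone can recompute it,
    so it only catches accidental corruption, not a deliberate rewrite."""
    return hmac.compare_digest(message_digest(message), digest)


def sign(private_key, message: bytes) -> int:
    """Digital signature: digest the message, then 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(int.from_bytes(message_digest(message), "big"), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare it with a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(message_digest(message), "big")


if __name__ == "__main__":
    order = b"Order 42: 3 widgets to Alice"            # constructed sample message
    wrapped, ct = seal_envelope(PUBLIC_KEY, order)
    assert open_envelope(PRIVATE_KEY, wrapped, ct) == order
    sig = sign(PRIVATE_KEY, order)
    forged = b"Order 42: 30 widgets to Alice"
    # An adversary who rewrites both message and digest fools the plain digest check...
    assert digest_only_check(forged, message_digest(forged))
    # ...but cannot produce a signature that verifies without the private key.
    assert verify(PUBLIC_KEY, order, sig) and not verify(PUBLIC_KEY, forged, sig)
    print("envelope and signature checks passed")
```

The envelope shows why the hybrid design is used: the slow public-key operation touches only the 16-byte session key, while the bulk of the message goes through the fast symmetric cipher. The signature functions answer the question left open on the Message digest slide: recomputing a digest is free, but producing the private-key transform of that digest is not.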
E-commerce security
E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three-part structure:
1. Client security
2. Communication channel security
3. Server security
Server threats
Server threats can be classified by the means used to obtain unauthorized access into the server:
- The Web server and its software
- Back-end programs and servers such as ones for a database
- Common Gateway Interface (CGI) programs
- Other utility programs residing on the server
Security levels
Web servers running on most machines can be set to run at various privilege levels. The highest one allows access to any part of the system, including sensitive areas. The lowest level provides a logical fence that prevents access to sensitive areas. The rule is to use the lowest level needed to complete a given task. Setting up a Web server to run in high privilege mode can cause potential threats.
Entering passwords
Web servers that require usernames and passwords can compromise security by revealing them. Because the Web server needs the information as it moves from page to page, it may place that in a cookie on the client's machine. The server must be careful not to request that the cookie be transmitted unprotected.
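To make the point about unprotected cookies concrete, here is an added Python example (not from the textbook) using the standard library's http.cookies module: it builds a session cookie with the Secure attribute, so the browser only sends it over an SSL connection, and the HttpOnly attribute, so page scripts cannot read it, and it scans Set-Cookie header values for cookies that lack either protection. The header values and cookie names are constructed for the example.

```python
from http.cookies import SimpleCookie


def build_session_cookie(session_id: str) -> SimpleCookie:
    """Session cookie the browser will only send over SSL (Secure) and
    that page scripts cannot read (HttpOnly)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie


def unprotected_cookies(set_cookie_values: list) -> list:
    """Names of cookies, parsed from Set-Cookie header values, that could be
    transmitted in the clear (no Secure) or read by scripts (no HttpOnly)."""
    exposed = []
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not morsel["secure"] or not morsel["httponly"]:
                exposed.append(name)
    return exposed


# Constructed Set-Cookie values, as a server might emit them
SAMPLE_HEADERS = [
    "session=7f3a9c; Path=/; Secure; HttpOnly",   # protected
    "prefs=lang%3Den; Path=/",                    # no flags at all
    "cart=3; Path=/; Secure",                     # scripts can still read it
]

if __name__ == "__main__":
    print(build_session_cookie("7f3a9c").output())
    print("unprotected:", unprotected_cookies(SAMPLE_HEADERS))
```

The checker is the kind of thing to run against a site's own response headers: a cookie that carries a session identifier and lacks Secure will be sent along with any plain HTTP request to the same host, which is exactly the "transmitted unprotected" case the slide warns about.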
Username/password pairs
Web servers may keep files with username/password pairs to use for authentication. If these files are compromised then the system can be attacked by people masquerading as others. Users who choose passwords badly also pose a threat to Web server security. Passwords that are easily guessed, such as birth dates, child or pet names, are poor choices. Administrators often run programs that attempt to guess users' passwords as a preventative measure.
Database threats
Because databases hold valuable information, attacks on them are particularly troubling. Security features rely on usernames/passwords. Security is enforced using privileges. Databases that fail to store usernames/passwords in a secure manner or fail to enforce privileges can be compromised. During an attack, information may be moved to a less protected level of the database, giving full access.
CGI threats
CGI implements the transfer of information from a Web server to another program. Like Web servers, CGI scripts can be set to run unconstrained (with high privilege). Defective or malicious CGI scripts can access or destroy sensitive information. Old CGI scripts that have been replaced can be loopholes for access into the system. CGI scripts can reside anywhere and are difficult to track.
Buffer overflows
A buffer is an area of memory set aside to hold data read from a file or database. Buffers are necessary because I/O operations are much slower than CPU operations. Buffer overflows, either from a buggy program or as part of a deliberate attack, can result in:
- A computer crash
- Instructions for an attacking program being written into the return address save area, causing them to be run by the Web server CPU
Access control
- Authentication via digital certificates and signatures.
- Usernames/passwords: Usernames are stored as clear text. Passwords are stored as encrypted text. A password entered is encrypted and compared against the encrypted password.
- An access control list gives the users that can access certain files and folders in the system. Read, write, and execute permissions may be set separately.
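The username/password store and the access control list just listed, as an added Python example (not the textbook's code). The slide's "encrypted text" is realised here as a salted, iterated PBKDF2 hash rather than reversible encryption, which is the modern form of the same idea: the entered password is transformed the same way and compared in constant time, and the original is never stored. The ACL grants read, write and execute separately per user and path and denies anything not listed. Usernames, passwords, paths and iteration count are constructed for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # constructed; tune to the server's CPU budget


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'salt$hash'; a fresh random salt defeats precomputed guess tables."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Transform the entered password the same way and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed password file: usernames in clear text, passwords only as hashes.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Constructed access control list: path -> user -> permissions (r, w, x).
ACL = {
    "/catalog/products.html": {"alice": {"r"}, "bob": {"r"}},
    "/admin/orders.db": {"alice": {"r", "w"}},
    "/cgi-bin/checkout": {"alice": {"r", "x"}, "bob": {"x"}},
}


def authorize(username: str, password: str, path: str, op: str) -> bool:
    """Authenticate against the password file, then consult the ACL; default deny."""
    stored = USERS.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    return op in ACL.get(path, {}).get(username, set())


if __name__ == "__main__":
    print(authorize("alice", "correct horse battery staple", "/admin/orders.db", "w"))
    print(authorize("bob", "hunter2", "/admin/orders.db", "r"))
```

Note that a compromised copy of USERS still does not hand an attacker the passwords, only salted hashes that must be guessed one iteration-heavy attempt at a time, which is why the slide's warning about easily guessed passwords matters even when storage is done correctly.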
Firewalls
- All traffic from the outside must pass through it.
- Only authorized traffic is allowed to pass.
- The firewall should be immune to attack.
- Operates at the application layer.
- Trusted networks are inside; untrusted ones outside.
- Can be used to separate divisions of a company.
- The same policies should apply to all firewalls.
- Unnecessary software should be stripped off.
Types of firewalls
- Packet filters: Filter traffic according to source and destination (IP address) based on a set of rules.
- Gateway servers: Filter traffic according to the application requested. Example: Incoming FTP requests granted but outgoing requests denied.
- Proxy servers: Communicate with the Internet on behalf of the private network. Also used as a cache for Web pages.
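A packet filter of the first kind above, as an added Python example (not the textbook's): rules match on source and destination address ranges and destination port, are evaluated first-match, and end in an explicit deny so that anything the policy does not name is dropped. The trusted network, server address and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dst_port: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"     # source network; default matches any address
    dst: str = "0.0.0.0/0"     # destination network
    dst_port: int = None       # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


# Constructed policy: 10.0.0.0/8 is the trusted network, 10.0.1.5 the commerce server.
RULES = [
    Rule("allow", dst="10.0.1.5/32", dst_port=443),     # HTTPS to the commerce server from anywhere
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.0/8"),  # traffic inside the trusted network
    Rule("deny"),                                       # everything else
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """First matching rule decides; no match falls through to deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed packets: an outside customer, an outside scan, an inside host.
    for pkt in (Packet("203.0.113.9", "10.0.1.5", 443),
                Packet("203.0.113.9", "10.0.1.5", 22),
                Packet("10.0.2.7", "10.0.1.5", 22)):
        print(pkt, "->", filter_packet(pkt))
```

The order of the rules is the policy: the broad internal-traffic rule sits below the specific server rule, and the final deny is what makes the firewall's "only authorized traffic is allowed to pass" property hold for packets nobody thought about.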
DAY 5
Digital Envelope
SET Protocol
1. Purchase Initiation
2. Purchase Request
3. Payment Authorization
4. Payment Capture
Building a presence
An organization's presence is the public image it conveys to its stakeholders. The stakeholders include customers, suppliers, employees, stockholders, neighbors, and the general public.
- Physical world: Create a store, factory, warehouse or office building and/or engage in advertising.
- On the Web: Create a site, which may be the only point of contact for stakeholders, and/or engage in advertising.
Examples
- Commercial organizations: Toyota, Metra
- Museums: Art Institute, Field Museum, Museum of Science and Industry
Strategies
- Convey an integrated image
- Provide easily accessible facts both about the firm and any products or services it may offer
- Allow visitors to experience the site in a variety of ways and at different levels
- Provide meaningful, responsive, reliable, two-way communication
- Sustain visitor attention without detracting from the purpose and image of the site
- Find ways to encourage return visits
Usability
- Design the site around how visitors will navigate the site, not around the organization's structure
- Allow quick access to the site's information
- Avoid using inflated marketing statements
- Avoid using business jargon
- Allow visitors with older browsers and slower connections to access the site; this may mean building several versions of the site
- Be consistent in the use of design features and colors
Usability
- Make sure that navigation controls are clearly labeled or otherwise recognizable
- Test text visibility on smaller monitors
- Check that color combinations do not impair viewing clarity for the colorblind
Positive examples: Webby Awards (see the Monterey Bay Aquarium). Negative examples: Mud Brick Awards.
Types of interactions
- One-to-many (mass media): Seller sends out carefully produced messages to a large audience. Seller is active; buyer is passive.
- One-to-one (personal contact): Salesperson interacts with customer directly. Trust building is important. Both seller and buyer participate actively.
The Web
- Many-to-one: Many active potential customers seek out information from resources produced by the seller. Example: Book review sites, fan sites
- One-to-one: E-mail contact with a seller
- Many-to-many: Newsgroups and interactive Web sites
Primary characteristic: The buyer is active and controls the length, depth, and scope of the search.
Micromarketing
As mass media lost its effectiveness (new and improved!), one approach was to divide a pool of potential customers into segments. This is called market segmentation. Targeting very small market segments is called micromarketing. Micromarketing is expensive using traditional means, but more cost effective on the Web.
Web-specific measures
A visit occurs when a visitor requests a page. Immediate downloads of new pages are often counted as part of the same visit. A trial visit is the first one; subsequent ones are called repeat visits. Each page loaded is a page view. If the page contains an ad it is an ad view. An impression refers to each banner ad load. If a visitor clicks a banner, it is a click-through. One CPM for banner ads is 1000 impressions. Charges range from $1 to $100 CPM.
Comparisons
The Web has:
- Better effectiveness than mass media
- More trust than mass media
- Lower cost than personal contact
- Less trust than personal contact
It is believed that a move toward the side of personal contact is more effective:
- Increase the trust level
- Increase the personalization
Branding
A known and respected brand presents a powerful statement about quality, value, and other desired qualities to potential customers. Branded elements are easier to promote. The key elements of branding are:
- Differentiation
- Relevance
- Perceived value
This makes branding for commodity products like salt or plywood more difficult.
Differentiation
A characteristic that sets the product apart from similar products. Examples:
- Ivory soap: It floats
- Dove soap: 1/4 moisturizing creme
- Palmolive dish soap: Mild on your hands
- Dawn dish soap: Takes grease out of your way
- Antibacterial soaps
Relevance
The degree to which the product offers utility to a potential customer. The customer must be able to see themselves purchasing and using the product. Examples: Cadillac, Hyundai, Minivans
Perceived value
The product must have some identified value. A product can be different from others, and people can see themselves using it, but it may still not have the values that they desire. Example: Subway sandwich ads comparing fat values of their product to those found in BigMacs.
Emotional branding
Ted Leonhardt: "Brand is an emotional shortcut between a company and its customer." Emotional appeals work well on television, radio, billboards, and print media since the viewer is a passive recipient of information. On the Web it is easy to click away from emotional appeals.
Rational branding
Rational branding offers to help Web users in some way in exchange for their viewing an ad. Functional assistance replaces emotional appeals. Examples:
- Free e-mail services such as HotMail
- Free Web hosting such as HyperMart
- ShopSmart! program from Mastercard
Costs of branding
Transferring existing brands to the Web or using the Web to maintain an existing brand is easier and less expensive than creating a new brand. Example: Catalog sales companies Attempting to create a brand on the Web may involve spending on traditional mass media such as television, print, and radio. Example: In 1998 Amazon.com spent $133 million and BarnesandNoble.com spent $70 million, much of it on traditional advertising.
Advertising supported
The success of Web advertising has been hampered by two major problems:
- There is no consensus on how to measure and charge for site visitor views. Examples: Number of visitors, number of unique visitors, number of click-throughs.
- Very few Web sites have a sufficient number of hits to interest large advertisers.
Targeted advertising requires that demographics be collected, a sensitive privacy issue. One success: Employment advertising.
Advertising-subscription mixed
Subscribers are subject to less advertising and have greater access to the resources of the site. Popular with online newspapers. Examples:
- The New York Times
- The Wall Street Journal
- Reuters
- ESPN
Fee-for-transaction
Value-added services are sold in exchange for a commission.
- Travel agencies: Travelocity, Expedia
- Automobile sales: Autobytel, an example of disintermediation
- Stockbrokers
- Insurance companies
Outline
International issues
- Language
- Culture
- Infrastructure
Ethical issues
- Defamation
- Privacy rights
Legal issues
- Borders and jurisdiction
- Jurisdiction on the Internet
- Taxation and e-commerce
- Contracting
- Web site content
International e-commerce
E-commerce is by its nature international. International companies must work to build trust with customers. Trust can be built by sharing a culture, that is, a combination of language and customs. The barriers to international e-commerce include:
- Language
- Culture
- Infrastructure
Language issues
A first step in reaching international customers is to conduct business in their native language. Customers are more likely to buy products and services from Web sites in their own language, even if they understand English. Estimates are that by the end of this year, 60% of Web use and 40% of e-commerce sales will involve at least one party outside the U.S.
Common languages
Most common non-English languages for U.S. companies: Spanish, German, Japanese, French, Chinese. Second tier of languages: Italian, Korean, Russian, Portuguese, and Swedish. Many languages involve different dialects such as Spanish in Mexico vs. Spain vs. Argentina. Some dialect differences are in spoken inflection. Word meanings and spellings can vary between dialects. Example: Gray in U.S.; grey in U.K.
Translation/localization
- Hire a Web page translation service: Translate the pages; maintain them for a fee ($0.25-0.50/word)
- Use software that automates the translation and maintenance of the pages. Example: Idiom Technologies
- Completely automated translation software: Can translate up to 40,000 words an hour. Human translators do 400-600 words an hour.
Culture issues
Errors can stem from language and culture standards.
- Chevrolet Nova did not sell in Latin America.
- Pepsi's campaign in China failed. "Come alive" became "Brings your ancestors back from their graves."
- Complaints from Japanese customers to wine.com.
- Packaging is an important part of a quality product. Baby food with a picture of a baby did not sell well in parts of Africa where food containers always carry a picture of their contents.
Labeling issues
Labeling issues are particularly troublesome:
- Inappropriate use of the image of a cow in India.
- Uncovered legs or arms in a Muslim country.
- A Web page divided into four parts or that uses the color white in Japan, where the number 4 and the color white represent death.
Internet access
Some parts of the world have environments that are inhospitable to e-commerce:
- Denial of access to citizens
- Restriction of citizens' access
- Addition of taxes that place it out of reach
The information provided on the Internet may be seen as objectionable or threatening to the culture or traditions of the country.
Infrastructure issues
In many countries, the telecommunication systems are government-owned or heavily regulated. Regulations in some places have restricted the development to a point that Internet data packet traffic cannot be handled reliably. Local connection costs may be much higher than in the U.S., resulting in different behavior by Internet users. The paperwork needed for international transactions can be prohibitive. See Figure 11-2, page 347.
Ethical issues
Not adhering to common ethical standards can result in a degradation of trust on the part of customers. Example: Amazon.com and publishers. Two areas of concern:
1. Defamation
2. Privacy rights
Defamation
A defamatory statement is one that is false and injures the reputation of another person or company. A statement injuring the reputation of a product or service is called product disparagement. The line between justifiable criticism and defamation can be hard to determine.
Privacy rights
Privacy issues remain unsettled and are hotly debated in many forums. The FTC issued a report that concluded Web sites were developing privacy practices with sufficient speed. Responses from privacy advocacy groups were in sharp disagreement. Privacy assumptions vary between cultures.
Some principles
- Use the data collected to improve service.
- Do not share customer data with outsiders without the customer's permission.
- Tell customers what data is being collected and what you are doing with it.
- Give customers the right to delete any of the data collected about them.
Power
Some of the defining characteristics of a sovereign government are control over:
- A physical space
- Objects that reside in that space
- People who reside in that space
The ability of a government to exert control over a person or corporation is called jurisdiction. Laws in the physical world do not apply to people who are not located in or own assets in the area that created those laws.
Effects
Laws in the physical world are based on the relationship between physical proximity and the effects of a person's behavior. Actions have a stronger hold on things nearby. Example: Trademark enforcement: two restaurants with the same name, one in Chicago and one in France.
Legitimacy
The right to create laws and enforce laws derives from the mandate of those who will be subject to those laws. Some cultures allow their governments a high degree of autonomy and authority. Example: China and Singapore Other cultures place severe restrictions on the authority of the government. Example: Scandinavian countries
Notice
Physical boundaries are an effective way to announce the ending of one legal or cultural system and the beginning of another. The perception that the laws and norms have changed is needed to allow people to adjust. Borders provide this notice.
Sufficient jurisdiction
If a person or organization wants to enforce their rights under contracts or seek tort damages, they must find courts that have sufficient jurisdiction. A court has sufficient jurisdiction in a matter if it has both:
- Subject-matter jurisdiction
- Personal jurisdiction
Subject-matter jurisdiction
Subject-matter jurisdiction is a courts authority to decide the type of dispute. In the United States: Federal courts preside over federal law (Bankruptcy, copyright, patent, federal taxes) State courts deal with issues governed by states (Professional licensing, state taxes) The rules are easy to apply for subject-matter.
Personal jurisdiction
Personal jurisdiction is, in general, determined by the residence of the parties in question. A court has jurisdiction if the defendant resides in the state in which the court is located. An out-of-state person can submit to a court's jurisdiction by signing a contract that includes a statement that the contract will be enforced according to the laws of a particular state.
Long-arm statutes
States can enact statutes that create personal jurisdiction over nonresidents conducting business or committing tortious acts in the state. In many cases, these laws are not clear with respect to e-commerce. The more business conducted in the state, the more likely a court is to apply a long-arm statute. Courts also assert jurisdiction when a crime or intentional tort has occurred.
International issues
The exercise of jurisdiction across national borders is governed by treaties between the countries. In general, U.S. courts determine personal jurisdiction over foreign firms and persons in the same way as under long-arm statutes. Jurisdictional issues are complex and changing. Businesses should consult an attorney for advice.
Types of taxes
An online business is potentially subject to several types of taxes:
Income taxes: levied by national, state, and local governments on the net income generated by business activities.
Transaction taxes: include sales taxes, use taxes, and customs duties.
Property taxes: levied on the personal property and real estate used in the business.
Income and transaction taxes are the most important.
Sales taxes
Businesses that establish nexus with a state must file sales tax returns and remit the sales tax they collect from their customers. If a business ships to customers in other states, it is not required to collect sales tax from those customers unless the business has established nexus with the customer's state. There are 7500 U.S. sales tax jurisdictions, and the rules about which items are taxable differ. Example: In NY, large marshmallows are taxable since they are snacks, but small ones are not since they are food.
Contracting
Any contract includes an offer and an acceptance. An offer is a declaration of willingness to buy or sell a product or service with enough details to be firm, precise, and unambiguous. An acceptance is the expression of willingness to take an offer, including all of its stated terms. When one party makes an offer that is accepted, a contract is created.
Written contracts
In the U.S., written contracts must be used for goods worth more than $500 and for contracts requiring actions that cannot be completed within a year. Things that constitute a signature:
Faxes
Typed names
Printed names
Digital signatures
Warranties
Any contract for sale includes implied warranties. Sellers can create explicit warranties. Statements in promotional material may create an implied warranty. Sellers can use a warranty disclaimer to avoid some implied warranties. It must be clearly displayed.
Trademark infringement
Web designers must be careful not to use any trademarked name, logo, or other identifying mark without the written consent of the trademark owner. Example: a picture of the president of a company other than Pepsi holding a can of Pepsi. Manipulating trademarked images and placing them on a site can also cause problems.