
A Presentation on E-Commerce

BY: N. Badal, KNIT, Sultanpur

Introduction To the Course


The course gives a survey of the key technological elements of e-commerce. The focus is on the technical aspects: it discusses how to build the different parts of an e-commerce system and integrate them into a full system. It covers the key underlying technologies of e-commerce, including Web systems, Web protocols and Web programming using Java servlets. It also covers some business strategies essential to e-commerce.

Topic to be Covered
Introduction to electronic commerce
The Internet and the Web: infrastructure for electronic commerce
Web-based tools for electronic commerce
Electronic commerce software
Security threats to electronic commerce; implementing security for electronic commerce
Electronic payment systems
Strategies for marketing, sales and promotion
Strategies for purchasing and support activities
Strategies for Web auctions, virtual communities and Web portals
The environment of electronic commerce: international, legal, ethical and tax issues
Business plans for implementing electronic commerce
Practical implementation of an electronic commerce site, e.g. VBS

A Quick Survey
Which of the following have you done?
Used e-mail
Browsed the Web
Bought a product on the Web (what?)
Created a Web page using an authoring tool
Written some HTML
Note: this course will NOT teach you HTML, ASP, JavaScript or Java servlets.

Electronic Commerce
To many people the term electronic commerce, often shortened to e-commerce, is equivalent to shopping on the web. The term electronic business is sometimes used to capture the broader notion of e-commerce. In this course, we will use e-commerce in its broadest sense. It encompasses both web shopping and other business conducted electronically.

E-commerce is not New


Banks have used electronic funds transfers (EFTs), also called wire transfers, for decades. Businesses have been engaging in electronic data interchange for years. EDI occurs when one business transmits computer readable data in a standard format to another business.

Electronic Data Interchange


In the 1960s businesses realized that many of the documents they exchanged related to the shipping of goods and contained the same set of information for each transaction. By sending the information electronically in a standard format, the businesses could save money on printing, mailing, and re-entry of data. Electronic transfer of data also introduces fewer errors than manual transfer.

Technology and Commerce


In order to understand how technology can aid commerce we need to understand traditional commerce. Once we have identified what activities are involved in traditional commerce, we can consider how technology can improve them. Note that technology does not always improve commerce.

Origins of Commerce
The origins of traditional commerce predate recorded history. Commerce is a basic economic activity involving trading, or the buying and selling of goods. Commerce is based on the specialization of skills: instead of performing all services and producing all goods independently, people rely on each other for the goods and services they need. Example: a customer enters a bookshop.

Commerce
    E-commerce
        Internet commerce
        Mobile commerce
        Business-focused e-commerce
        Consumer-focused e-commerce
    Traditional commerce

Traditional Commerce
Although money has replaced bartering, the basic mechanics of commerce remain the same: one member of society creates something of value that another member of society desires. Commerce is a negotiated exchange of valuable objects or services between at least two parties and includes all activities that each of the parties undertakes to complete the transaction.

Views of Commerce
Commerce can be viewed from at least two different perspectives: 1. The buyer's viewpoint 2. The seller's viewpoint. Both perspectives illustrate that commerce involves a number of distinct activities, called business processes.


The Buyers Perspective


From the buyer's perspective, commerce involves the following activities: 1. Identify a specific need 2. Search for products or services that will satisfy the specific need 3. Select a vendor 4. Negotiate a purchase transaction, including delivery logistics, inspection, testing and acceptance 5. Make payment 6. Perform/obtain maintenance if necessary

The Sellers Perspective


From the seller's perspective, commerce involves the following activities: 1. Conduct market research to identify customer needs 2. Create a product or service to meet those needs 3. Advertise and promote the product or service 4. Negotiate a sales transaction, including delivery logistics, inspection, testing and acceptance 5. Ship goods and invoice the customer 6. Receive and process customer payments 7. Provide after-sales support and maintenance

Business Processes
Business processes are the activities involved in conducting commerce. Examples include: Transferring funds Placing orders Sending invoices Shipping goods to customers


E-Commerce
We will define e-commerce as the use of electronic data transmission to implement or enhance any business activity. Example : A buyer sends an electronic purchase order to a seller. The seller then sends an electronic invoice back to the buyer. When used appropriately, electronic transmission can save both time and money.

E-Commerce
Electronic commerce "refers generally to all forms of transactions relating to commercial activities, including both organizations and individuals, that are based upon the processing and transmission of digitized data, including text, sound and visual images." Or: e-commerce is about the sale and purchase of goods or services by electronic means over the Internet.

Impact of E-Commerce
E-commerce is changing the way traditional commerce is conducted: Technology can help throughout the process including promotion, searching, selecting, negotiating, delivery, and support.


Three- Layer Model


1. An infrastructure layer
2. A service layer
3. A products/structures layer
These are further divided into functional layers:
A. Technical infrastructure (Internet and WWW)
B. Secure messaging service (EDI)
C. Supporting services
D. Commercial products, services and systems (e-retailing)
E. Electronic marketplace (online auctions)

Well-suited for E-Commerce


Business processes that are well-suited for electronic commerce:
Sale/purchase of new books and CDs
Online delivery of software
Advertising and promotion of travel services
Online tracking of shipments
The business processes that are especially well-suited to e-commerce involve commodity items, that is, products or services that have become standardized.

Best for traditional commerce


Business processes that are well-suited to traditional commerce:
Sale/purchase of high-fashion clothing (any possible exceptions?)
Sale/purchase of perishable food products
Small-denomination transactions (future?)
Sale of expensive jewelry and antiques
In general, products that buyers prefer to touch, smell, or otherwise closely examine are difficult to sell using e-commerce.

Questionable cases
Would e-commerce or traditional commerce work best for the following activities?
Sale/purchase of rare books
Browsing through new books
Sale/purchase of shoes
Sale/purchase of collectibles (trading cards, plates, etc.)


Combinations of both
Some business processes can be handled well using a combination of electronic and traditional methods:
Sale/purchase of automobiles
Online banking
Roommate-matching services
Sale/purchase of investment/insurance products
In this course we will discuss how to evaluate the advantages and disadvantages of e-commerce. Let's consider a few examples now.

Different Type of E-Commerce


Buyer \ Seller              Business (organization)   Consumer (individual)
Business (organization)     B2B, e.g. TPN             C2B, e.g. Priceline
Consumer (individual)       B2C, e.g. Amazon          C2C, e.g. eBay

Advantages of E-Commerce
For the seller:
Increases sales / decreases cost
Makes promotion easier for smaller firms
Can be used to reach narrow market segments
For the buyer:
Makes it easier to obtain competitive bids
Provides a wider range of choices
Provides an easy way to customize the level of detail in the information obtained

Advantages of E-Commerce II
In general:
Increases the speed and accuracy with which businesses can exchange information
Electronic payments (tax refunds, paychecks, etc.) cost less to issue and, when properly authenticated, are harder to forge or lose than paper instruments
Can make products and services available in remote areas
Enables people to work from home, providing scheduling flexibility

Advantages of E-Commerce III


Profit = Revenue - Cost
Hence E-Commerce is attractive because it can raise profit by increasing revenue while decreasing cost.


Disadvantages of E-Commerce
Some business processes are not suited to e-commerce, even with improvements in technology
Many products and services require a critical mass of potential buyers (e.g. online grocers)
Costs and returns on e-commerce can be difficult to quantify and estimate
Cultural impediments: people are reluctant to change in order to integrate new technology
The legal environment is uncertain: courts and legislators are trying to catch up

MYTHS About E-Commerce


Myth 1: E-commerce is about developing Web pages.
Myth 2: The successful implementation of an e-commerce system relies on Web programmers.
Myth 3: E-commerce is about translating the traditional business model into an electronic business model.


Technical Model for an E-Commerce System

Client side <-> Service system <-> Backend system

1. Client side: the customer interface.
2. Service system: handles the business logic.
3. Backend system: provides the necessary information to complete a transaction.

Questions
Identify the businesses that are not suitable for e-commerce. Check out the differences between the different types of e-commerce sites on the Internet.


Different Type of E-Commerce


Business to Consumer (B2C): the seller is a business organization whereas the buyer is a consumer, e.g. electronic stores set up on the Internet to sell goods to consumers. Note: the business drives the specification of the product and the customer chooses whether or not to buy it. Amazon.com is one of the best-known e-commerce sites and an example of B2C e-commerce: books are listed under different sections for ease of searching; the customer chooses a book, puts it in the shopping cart and, after shopping, checks out the books and pays by credit card.


Different Type of E-Commerce


Business to Business (B2B): both the buyer and the seller are business organizations. www.tpn.geis.com is an Internet-based trading network for buyers and sellers to carry out B2B e-commerce on the Internet. Note: it is buyer driven rather than seller driven, i.e. the buyer submits a request to the system and the relevant sellers respond to it: interested suppliers bid for the request, the buyer and the suppliers negotiate the bids, and finally the buyer selects the best bid and completes the purchase.


Different Type of E-Commerce


Consumer to Consumer (C2C): both the seller and the buyer are consumers. Online auctions provide an effective means of supporting C2C e-commerce, e.g. www.eBay.com provides the world's largest online trading service by means of online auctions, with more than 29 million members buying and selling a wide range of items (books, stamps, etc.).


Different Type of E-Commerce


Consumer to Business (C2B) : In this consumer specifies the requirements to a business , which provides a product that meets these requirements. Also known as demand collection system. www.priceline.com


Day 2


The Internet and the WWW


What is the Internet?


A loosely configured global wide-area network. Includes more than 31,000 different networks in over 100 different countries. Millions of people visit and contribute to the Internet, through e-mail and the World Wide Web. Began as a Department of Defense project. For detailed information about the history of the Internet, see:
http://dir.yahoo.com/Computers_and_internet/Internet/History/

Early history of the Internet


In the 1950s the U.S. Department of Defense became concerned that a nuclear attack could disable its computing (and thus planning and coordinating) capabilities. By 1969 the Advanced Research Projects Agency Network (ARPANet) had been constructed. The first computers to be connected were ones at the University of California at Los Angeles, SRI International, the University of California at Santa Barbara, and the University of Utah.

The changing Internet


Early on, researchers began to find new uses for the Internet beyond its original purpose of controlling weapons systems. These new applications included the following:
Electronic mail
File transfer protocol
Telnet
User News Network (Usenet)

The new uses


In 1972 a researcher wrote a program that could send and receive messages over the Internet. E-mail was quickly adopted by Internet users. File transfer protocol (FTP) allowed researchers using the Internet to transfer files easily across great distances. Telnet allows users of the Internet to log into their computer accounts from remote sites. All three of these applications are still widely used. We will discuss them again later.

Usenet
In 1979 a group of students and programmers at Duke and the University of North Carolina started Usenet, short for User News Network. Usenet allows anyone who connects to the network to read and post articles on a variety of subjects. Usenet survives today in what are called newsgroups.


Newsgroups
There are several thousand newsgroups covering a highly varied set of subjects. Examples: alt.cats, comp.databases, rec.climbing, soc.penpals. The first part of the name of each group tells you what type of group it is and the remaining parts indicate the subject matter.


Accessing newsgroups
Newsgroups can be accessed in two ways: 1. Using special software (trn, rn, etc.) 2. Using a browser on the Web. As an example, DejaNews is a Web site that allows access to a variety of newsgroups as well as providing an archive of old postings to each group. See http://www.deja.com/usenet/

Early use of the Internet


From 1969 until the 1980s the Internet was used primarily by government and university researchers. The development of the Internet was funded in part by the National Science Foundation (NSF) and commercial network traffic was prohibited. As personal computers became more powerful, and affordable in the 1980s, companies created their own networks. These users wanted to be able to communicate outside the network.

Commercial use of the Internet


In 1989 the NSF allowed two commercial e-mail services (MCI Mail and CompuServe) to establish limited connections to the Internet. These connections allowed an exchange of e-mail between users of the commercial services and users of the Internet. In 1991 the NSF further eased its restrictions on Internet commercial activity and began planning for the privatization of the Internet.

Privatization
The privatization of the Internet was substantially completed in 1995. At that point the NSF decommissioned its backbone. The new structure of the Internet was based on four network access points (NAPs), each operated by a separate company. The network access providers sell Internet access rights directly to larger customers and indirectly to smaller customers through other companies called Internet service providers (ISPs).

A growing Internet
Researchers had long considered the Internet a valuable tool. As the 1990s began, a larger variety of people thought of the Internet as a useful resource. The Internet grew significantly in 20 years:

Year    Number of computers
1969    4
1990    313,000

The largest growth in the Internet was yet to come.

A prehistory of the Web


In 1945, Vannevar Bush wrote an article that proposed a machine (called the Memex) to store a person's books, records, letters and research results on microfilm. The Memex would have an index to help locate documents. In the 1960s, Ted Nelson described a similar system in which text on one page would have links to text on other pages. Nelson called this page-linking system hypertext. Douglas Engelbart (inventor of the mouse) created the first experimental hypertext system.

CERN and hypertext


In 1990, Tim Berners-Lee and Robert Cailliau were working on overhauling the document handling procedures at CERN, a laboratory for particle physics in Geneva, Switzerland. CERN had been connected to the Internet for two years, but its scientists wanted to find better ways to circulate their scientific papers and data. Independently, Berners-Lee and Cailliau proposed a hypertext development project.

The birth of the Web


Over the next two years Berners-Lee developed the code for a hypertext server program and made it available on the Internet. He envisioned the set of links between computers as a spider web, hence the name Web. The CERN site is considered the birthplace of the World Wide Web. The CERN site: http://cern.web.cern.ch/CERN/


Terminology
A hypertext server is a computer that stores files written in hypertext markup language (HTML) and lets other computers connect to it and read those files. It is now called a Web server. A hyperlink is a special tag that contains a pointer to another location in the same or in a different HTML document. HTML is based on Standard Generalized Markup Language (SGML), which organizations have used for many years to manage large document filing systems.

Early Web browsers


A Web browser is a software interface that lets users read (or browse) HTML documents. Early web browsers were text based. Although the Web caught on quickly in the research community, broader acceptance was slow to materialize. Part of the problem was that the early browsers were difficult to use.


GUI Web browsers


In 1993, Marc Andreessen led a team of researchers who developed the first software with a graphical user interface for viewing pages over the Web. This first GUI browser was named Mosaic. Mosaic widened the appeal of the Web by making access easier and adding multimedia capabilities. Andreessen later went on to develop the Netscape Navigator browser.

The growth of the Internet


The Internet has grown, and continues to grow, at a phenomenal rate:

Date       WWW servers   Internet hosts
12/1969    N/A           4
12/1979    N/A           188
12/1989    N/A           159,000
12/1993    623           2,056,000
12/1996    603,367       21,819,000
12/1999    9,560,866     56,218,000
07/2005    38,169,498    293,047,785

It is still growing.

Factors behind growth


There are four main factors that led to the surge in popularity of the Internet:
The Web-like ability to link from site to site
The ease of use provided by the browser's graphical user interface
The growth of personal computers and local area networks that could be connected to the Internet
The TCP/IP standard

Control of the Internet


No one organization currently controls the Internet. Several groups oversee aspects of its development:
Internet Engineering Task Force (IETF): oversees the evolution of Internet protocols
Internet registries (InterNIC): maintain and allocate Internet domains
World Wide Web Consortium (W3C): develops standards for the WWW
See the Internet standardization organizations.

Internet 2
A project to develop another Internet, Internet2, is being led by over 170 U.S. universities working in partnership with industry and government. This new network is designed to allow the development and deployment of advanced network applications and technologies. For more information see: http://www.internet2.edu/

A model for networking


The worlds telephone companies were the early models for networked computers because the networks used leased telephone company lines. Telephone companies at the time established a single connection between sender and receiver for each telephone call. Once a connection was established, data traveled along that path.


Circuit switching
Telephone company switching equipment (both mechanical and computerized) selected the phone lines, or circuits, to connect in order to create the path between caller and receiver. This centrally controlled, single-connection model is known as circuit switching. Circuit switching does not work well for sending data across a large network: point-to-point connections for each sender/receiver pair are expensive and hard to manage.

A different approach
The Internet uses a less expensive and more easily managed technique than circuit switching. Files and messages are broken down into packets that are labeled with codes that indicate their origin and destination. Packets travel from computer to computer along the network until they reach their destination. The destination computer reassembles the data from the packets it receives. This is called a packet switching network.

Packet switching
In a packet-switched network, (some of) the computers that an individual packet encounters determine the best way to move the packet to its destination. Computers performing this determination are called routers. The programs that the computers use to determine the path are called routing algorithms.


Benefits of packet switching


There are benefits to packet switching: long streams of data can be broken down into small, manageable chunks, allowing the packets to be distributed over a large number of possible paths to balance traffic. It is relatively inexpensive to replace damaged data packets after they arrive: if a packet is altered in transit, only that single packet must be retransmitted.


Open architecture
When it was being developed, the people working on ARPANet adhered to the following principles: 1. Independent networks should not require any internal changes in order to be connected. 2. The router computers do not retain information about the packets that they handle. 3. Packets that do not arrive at their destinations must be retransmitted from their source network. 4. No global control exists over the network.


Most popular Internet protocols


The most popular Internet protocols include:
TCP/IP
HTTP (hypertext transfer protocol)
E-mail protocols (SMTP, POP, IMAP)
FTP (file transfer protocol)
Each protocol is used for a different purpose, but all of them are important.


TCP/IP
The protocols that underlie the basic operation of the Internet are TCP (transmission control protocol) and IP (Internet protocol). Developed by Internet pioneers Vinton Cerf and Robert Kahn, these protocols establish rules about how data are moved across networks and how network connections are established and broken. TCP/IP is usually described as a four-layer architecture (the layer model below also shows the hardware as a separate fifth layer).


Purposes of each protocol


TCP controls the assembly of a message into smaller packets before it is transmitted over the network. It also controls the reassembly of packets once they reach their destination. The IP protocol includes rules for routing individual data packets from their source to their destination. It also handles all addressing details for each packet.


Network layers
The work done by communications software is broken into multiple layers, each of which handles a different set of tasks. Each layer is responsible for a specific set of tasks and works as one unit with the other layers when delivering information over the Internet. Each layer provides services for the layer above it.

TCP/IP architecture
There are five layers in the Internet model:
1. Application
2. Transport
3. Internet
4. Network interface
5. Hardware
The lowest layer is the hardware layer, which handles the individual pieces of equipment attached to the network. The highest layer is the application layer, where the various network applications run.

Positioning within the layers


A full discussion of the Internet model is beyond the scope of this class. It is, however, useful to know where each protocol resides. TCP operates in the transport layer and IP in the Internet layer. See Figure 2-2 on page 38. Some of the application layer protocols include HTTP, SMTP, POP, IMAP, and FTP. (Telnet also operates in the application layer).

Web System Architecture

Web clients <-> Internet <-> Web server and application server <-> Database

Web System Architecture


Web browser: the client interface. Web server: one of the main components of the service system; it interacts with the Web clients as well as with the backend system. Application server: hosts the e-commerce application software.


HTTP
HTTP (hypertext transfer protocol) is the protocol responsible for transferring Web pages between the Web server and the browser (the browser, not HTTP, displays them). It has continued to evolve since being introduced; the versions discussed here are HTTP/1.0 and HTTP/1.1. Like other Internet protocols, HTTP uses the client/server model of computing. Thus, to understand how HTTP works, we first need to discuss the client/server model.

HTTP
HTTP request methods: GET (retrieve a resource), HEAD (retrieve only the response headers for a resource) and POST (submit data, e.g. an HTML form, to the server).


Client/server model
In the client/server model there are two roles: the client and the server. The client process makes requests of the server. The client is only capable of sending a request to the server and then waiting for the reply. The server satisfies the requests of the client. It usually has access to a resource, such as data, that the client wants. When the resource that the client wants becomes available, it sends a message to the client. This model simplifies communication.

HTTP and client/server


With HTTP the client is the user's Web browser and the server is the Web server. To open a session, the browser sends a request to the server that holds the desired Web page. The server replies by sending back the page, or an error message if the page could not be found. In HTTP/1.0 the TCP/IP connection is then closed and the HTTP session ends, so each new page results in a new HTTP session and another TCP/IP connection. HTTP/1.1 keeps the connection open by default (a persistent connection) so that several requests can reuse it; either side ends it by sending a Connection: close header.

One page, multiple requests


If a Web page contains objects such as movies, sound, or graphics, a client must make a request for each object. For example, a Web page containing a background sound and three graphics will result in five separate server request messages to retrieve the four objects plus the page itself.
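As an added example (not code from the original slides): a minimal server-side parser for the requests described above, covering the GET, HEAD and POST methods, the HTML-form body a POST carries, and the HTTP/1.0 versus HTTP/1.1 connection behaviour. The names (Request, parse_request, keep_alive, build_response, rejects), the MAX_BODY limit and the sample requests are all constructed for this example.

```python
# Added example, not from the original slides: a minimal HTTP request parser.
# Names and the sample requests below are constructed for this example.
from dataclasses import dataclass
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024            # constructed upper bound on a request body
SUPPORTED_METHODS = ("GET", "HEAD", "POST")
SUPPORTED_VERSIONS = ("HTTP/1.0", "HTTP/1.1")


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict      # names lower-cased; a repeated header keeps its last value
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Parse one raw request; raise ValueError on anything malformed rather than guessing."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by a blank line")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError:
        raise ValueError("malformed request line") from None
    if method not in SUPPORTED_METHODS:
        raise ValueError(f"unsupported method {method!r}")
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported version {version!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    length = int(headers.get("content-length", "0"))   # non-numeric also raises ValueError
    if not 0 <= length <= MAX_BODY:
        raise ValueError("Content-Length out of range")
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return Request(method, target, version, headers, rest[:length])


def keep_alive(req: Request) -> bool:
    """HTTP/1.0 closes after each response unless the client asked to keep the
    connection; HTTP/1.1 keeps it open unless either side sends Connection: close."""
    conn = req.headers.get("connection", "").lower()
    if req.version == "HTTP/1.0":
        return conn == "keep-alive"
    return conn != "close"


def form_fields(req: Request) -> dict:
    """Decode an HTML form submitted with POST (application/x-www-form-urlencoded)."""
    ctype = req.headers.get("content-type", "")
    if req.method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    return {k: v[0] for k, v in parse_qs(req.body.decode("utf-8")).items()}


def build_response(req: Request, body: bytes, content_type: str = "text/html") -> bytes:
    """A 200 response; a HEAD request gets the same headers but no body."""
    head = (
        f"{req.version} 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Connection: {'keep-alive' if keep_alive(req) else 'close'}\r\n\r\n"
    ).encode("ascii")
    return head if req.method == "HEAD" else head + body


def rejects(raw: bytes) -> bool:
    """True if parse_request refuses the input (exercises the validation paths)."""
    try:
        parse_request(raw)
    except ValueError:
        return True
    return False


# Constructed sample requests (not captured traffic).
GET_10 = b"GET /index.html HTTP/1.0\r\nHost: shop.example\r\n\r\n"
HEAD_11 = b"HEAD /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
POST_11 = (b"POST /cart HTTP/1.1\r\nHost: shop.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 15\r\n\r\nitem=book&qty=2")

if __name__ == "__main__":
    for raw in (GET_10, HEAD_11, POST_11):
        req = parse_request(raw)
        print(req.method, req.target, req.version,
              "keep-alive" if keep_alive(req) else "close", form_fields(req))
```

The parser refuses rather than repairs malformed input (missing Host on HTTP/1.1, unknown methods, a body shorter than its declared Content-Length), which is the behaviour a server component should have before any business logic sees the request.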


Internet addresses
Internet addresses are represented in several ways, but all the formats are translated to a 32-bit number called an IP address (IPv4). The increasing demand for IP addresses is making 32-bit addresses too small, and they are being replaced by 128-bit addresses (IPv6). See the links page for more information. Question: how does increasing the number of bits in the address help with increasing demand?

Dotted quads
IP addresses appear as four numbers separated by periods (a dotted quad). Examples: students.depaul.edu: 140.192.1.100; condor.depaul.edu: 140.192.1.6; facweb.cs.depaul.edu: 140.192.33.6. Each of the four numbers can range from 0 to 255, so the possible IP addresses range from 0.0.0.0 to 255.255.255.255.
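As an added example (not code from the original slides): converting a dotted quad to and from the 32-bit number it stands for, with strict validation of each octet, a prefix comparison, and the address-space arithmetic that answers the question about moving from 32-bit to 128-bit addresses. The function names are constructed for this example; the sample addresses are the ones listed above.

```python
# Added example, not from the original slides: dotted quad <-> 32-bit IPv4 address.
# Function names are constructed for this example.
import re

_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def quad_to_int(quad: str) -> int:
    """'140.192.1.100' -> 2361393508. Rejects missing octets, values over 255 and
    leading zeros (some parsers read '010' as octal, so the same string could
    name two different hosts depending on who parses it)."""
    m = _QUAD.match(quad)
    if m is None:
        raise ValueError(f"not a dotted quad: {quad!r}")
    value = 0
    for octet in m.groups():
        if len(octet) > 1 and octet[0] == "0":
            raise ValueError(f"leading zero in octet {octet!r} of {quad!r}")
        n = int(octet)
        if n > 255:
            raise ValueError(f"octet {n} out of range in {quad!r}")
        value = (value << 8) | n
    return value


def int_to_quad(value: int) -> str:
    """Inverse of quad_to_int."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_quad(quad: str) -> bool:
    try:
        quad_to_int(quad)
    except ValueError:
        return False
    return True


def same_network(a: str, b: str, prefix_len: int) -> bool:
    """True if both addresses share their first prefix_len bits (e.g. 140.192.0.0/16)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return quad_to_int(a) & mask == quad_to_int(b) & mask


def address_space(bits: int) -> int:
    """Number of distinct addresses a bits-wide address can name."""
    return 1 << bits


if __name__ == "__main__":
    for host, addr in (("students.depaul.edu", "140.192.1.100"),
                       ("condor.depaul.edu", "140.192.1.6"),
                       ("facweb.cs.depaul.edu", "140.192.33.6")):
        n = quad_to_int(addr)
        print(f"{host:24} {addr:16} {n:>12}  {n:#010x}")
    print("IPv6 has", address_space(128) // address_space(32),
          "times as many addresses as IPv4")
```

Each extra bit doubles the address space, so 128-bit addresses offer 2^96 times as many addresses as 32-bit ones; that, not a faster allocation scheme, is what relieves the demand.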


Domain names
Since IP addresses can be difficult for humans to remember, domain names are associated with IP addresses. Examples: students.depaul.edu: 140.192.1.100; facweb.cs.depaul.edu: 140.192.33.6. A domain name server (DNS server) is responsible for the mapping between domain names and IP addresses.

Uniform resource locator


People on the Web use a naming convention called the uniform resource locator (URL). A URL consists of at least two and as many as four parts. A simple two part URL contains the protocol used to access the resource followed by the location of the resource. Example: http://www.cs.depaul.edu/ A more complex URL may have a file name and a path where the file can be found.

A URL deconstructed

http://facweb.cs.depaul.edu/asettle/ect250/section602/hw/assign2.htm

http://                           hypertext transfer protocol
facweb.cs.depaul.edu              domain
/asettle/ect250/section602/hw/    path that indicates the location of the document in the host's file system
assign2.htm                       document name
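As an added example (not code from the original slides): deconstructing a URL into the parts named above (protocol, domain, path, document) with the standard library, together with the checks a server-side component should make before acting on a URL it was handed. The function names, the ALLOWED_PROTOCOLS list and the second and third sample URLs are constructed for this example; the first sample is the one shown above.

```python
# Added example, not from the original slides: URL deconstruction with checks.
# Function names, ALLOWED_PROTOCOLS and the constructed sample URLs are assumptions.
import posixpath
from urllib.parse import urlsplit

ALLOWED_PROTOCOLS = ("http", "https")


def deconstruct_url(url: str) -> dict:
    """Split a URL into protocol, domain, port, path, document and query."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol {parts.scheme!r}")
    # Take the host from the parsed structure, never by searching the string:
    # anything before an '@' in the authority is user information, not the
    # domain, and a port may follow a ':'.
    if not parts.hostname:
        raise ValueError("URL has no domain")
    path = parts.path or "/"
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    if ".." in path.split("/"):
        raise ValueError("path contains a parent-directory segment")
    directory, document = posixpath.split(path)   # "/a/b/c.htm" -> ("/a/b", "c.htm")
    return {
        "protocol": parts.scheme.lower(),
        "domain": parts.hostname,                  # already lower-cased by urlsplit
        "port": parts.port,                        # None when the protocol default applies
        "path": directory if directory.endswith("/") else directory + "/",
        "document": document,                      # "" means the server's default document
        "query": parts.query,
    }


def url_is_acceptable(url: str) -> bool:
    """True when deconstruct_url accepts the URL (used to exercise the checks)."""
    try:
        deconstruct_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for url in ("http://facweb.cs.depaul.edu/asettle/ect250/section602/hw/assign2.htm",
                "http://www.cs.depaul.edu/",
                "https://shop.example:8443/cart?item=1"):      # constructed
        for key, value in deconstruct_url(url).items():
            print(f"{key:9} {value!r}")
        print()
```

The "path" and "document" fields correspond to the slide's breakdown; the port and query are the two further parts a four-part URL can carry.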

Anatomy of an e-mail address

asettle@cs.depaul.edu

asettle    handle (user name)
cs         host/server (others on the same domain: students, hawk, condor)
depaul     domain
edu        domain type

Domain types
edu: educational
com: commercial
net: originally for telecommunications
org: organizations (non-profit)
gov: U.S. government
jp, uk, de, ...: nations other than the U.S.
New additions: info, biz, name, pro, museum, coop, aero, tv. See the links page for a related news story.

Internet utility programs


TCP/IP supports a variety of utility programs that allow people to use the Internet more efficiently. These utility programs include: Finger, Ping.


Finger
Finger is a program that allows a user to obtain limited information about other network users. The information that can be obtained includes:
Which users are currently logged on
Where each user logged onto the network from
How long the user has been on the network
When the user last logged onto the system
Finger is sometimes disabled for security reasons.

Ping
Ping (Packet InterNet Groper) tests the connectivity between two Internet hosts and determines whether a host is active on the network. It works by sending a packet to the specified address and waiting for a reply. Ping is typically used to troubleshoot connections. To run ping, you simply type ping followed by the IP address or domain name of the machine you are interested in. Example: ping students.depaul.edu. Note that a host may be configured not to answer pings, so no reply does not prove the host is down.

COOKIES
HTTP is a stateless protocol, i.e. the Web server does not keep the user's state or information from one request to the next. But in e-commerce applications knowing the user's state is very important; e.g. in a shopping cart application it is essential for the server to keep track of the contents of each user's cart. Solution: cookies were proposed so that a Web server can save state data at the Web client.

COOKIES
The original cookie specification allows a maximum of 20 cookies per domain, and each cookie is limited to 4 KB, to prevent overloading the memory of the client computer. The server sets a cookie with the response header Set-Cookie: name=value, where name and value are the cookie's name and value. Whenever required (on later requests to that server), the client includes the cookie in the HTTP request header as Cookie: name=value. In this way the user's state information is passed back to the server.

COOKIES
Server response headers:
Set-Cookie: Item1=1111
Set-Cookie: Item2=2222
Set-Cookie: Item3=3333

Subsequent client request header (all matching cookies in one header, separated by semicolons):
Cookie: Item1=1111; Item2=2222; Item3=3333

COOKIES
Set-Cookie attributes:
Comment: a description of the cookie's purpose
Domain: the hosts to which the browser will return the cookie
Expires: an absolute expiry date; Max-Age: a lifetime in seconds (a cookie with neither lasts only for the browser session)
Path: the URL path prefix for which the cookie is returned
Secure: return the cookie only over an encrypted (HTTPS) connection
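As an added example (not code from the original slides) covering the cookie slides above: building a Set-Cookie header from the attributes just listed, parsing the Cookie header a browser sends back, and a small client-side cookie jar that applies the Domain, Path and Secure rules and enforces the 20-cookies-per-domain and 4 KB limits. The class and function names (build_set_cookie, parse_cookie_header, CookieJar, rejected), the constants and the sample hosts are constructed for this example; the Item1/Item2/Item3 cookies are the ones shown above.

```python
# Added example, not from the original slides: Set-Cookie / Cookie handling.
# Names, limits and sample hosts below are constructed for this example.
from email.utils import format_datetime

MAX_COOKIE_BYTES = 4096
MAX_COOKIES_PER_DOMAIN = 20


def build_set_cookie(name, value, *, domain=None, path=None, max_age=None,
                     expires=None, secure=False) -> str:
    """Server side: the value of one Set-Cookie response header.
    expires, if given, must be a timezone-aware UTC datetime."""
    if not name or any(c.isspace() or c in ";,=" for c in name):
        raise ValueError(f"invalid cookie name: {name!r}")
    if any(c.isspace() or c in ";," for c in value):   # '=' is allowed inside a value
        raise ValueError(f"invalid cookie value: {value!r}")
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    if path:
        parts.append(f"Path={path}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if expires is not None:
        parts.append(f"Expires={format_datetime(expires, usegmt=True)}")
    if secure:
        parts.append("Secure")
    header = "; ".join(parts)
    if len(header.encode("utf-8")) > MAX_COOKIE_BYTES:
        raise ValueError("cookie exceeds 4 KB")
    return header


def parse_cookie_header(value: str) -> dict:
    """Server side: 'Item1=1111; Item2=2222' -> {'Item1': '1111', 'Item2': '2222'}."""
    cookies = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, eq, val = pair.partition("=")
        if not eq or not name.strip():
            raise ValueError(f"malformed cookie pair: {pair!r}")
        cookies[name.strip()] = val.strip()
    return cookies


def _domain_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def _path_matches(request_path: str, cookie_path: str) -> bool:
    # Equal, or the cookie path is a prefix that ends on a '/' boundary.
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    """Client side: stores cookies per domain and decides which ones to send."""

    def __init__(self):
        self._by_domain = {}          # domain -> {(name, path): {"value", "secure"}}

    def store(self, host: str, set_cookie: str) -> None:
        first, *rest = [p.strip() for p in set_cookie.split(";")]
        name, eq, value = first.partition("=")
        if not eq or not name.strip():
            raise ValueError("Set-Cookie must start with name=value")
        attrs = {}
        for attr in rest:                                   # flags such as Secure have no '='
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
        host = host.lower()
        domain = attrs.get("domain", "").lstrip(".").lower() or host
        if not _domain_matches(host, domain):               # a host may not set cookies for others
            raise ValueError(f"{host} may not set a cookie for {domain}")
        bucket = self._by_domain.setdefault(domain, {})
        key = (name.strip(), attrs.get("path") or "/")
        if key not in bucket and len(bucket) >= MAX_COOKIES_PER_DOMAIN:
            raise ValueError(f"more than {MAX_COOKIES_PER_DOMAIN} cookies for {domain}")
        bucket[key] = {"value": value.strip(), "secure": "secure" in attrs}

    def cookie_header(self, host: str, path: str, https: bool):
        """Value of the Cookie request header, or None when nothing applies."""
        host = host.lower()
        pairs = []
        for domain, bucket in self._by_domain.items():
            if not _domain_matches(host, domain):
                continue
            for (name, cpath), c in bucket.items():
                if c["secure"] and not https:               # Secure cookies never go in clear text
                    continue
                if _path_matches(path, cpath):
                    pairs.append(f"{name}={c['value']}")
        return "; ".join(pairs) if pairs else None


def rejected(fn, *args, **kwargs) -> bool:
    """True when the call raises ValueError (exercises the limits above)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

The jar shows why the Secure and Path attributes matter for a shopping site: a cart cookie marked Secure is withheld from a plain-HTTP request to the same host, and a cookie scoped to /cart is not sent with requests for unrelated paths. Later additions to the cookie specification (such as the HttpOnly attribute, which keeps a cookie out of reach of client-side script) are not covered by the slides or this example.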


Architecture of A Web Based E-Commerce System


Java Script
JavaScript is a scripting language proposed by Netscape to enhance the functions of HTML (e.g. form validation). It can be used to make a Web page more interactive and dynamic. JavaScript code is embedded between <script> and </script>. There are three main objects: Document object: provides information on the document. Form object: provides information on the form. Location object: provides location-related information for the current Web page, such as the URL, host name, etc. Note that client-side validation improves usability but is not a security control: a user can alter or bypass the script, so the server must re-validate every submitted value.

DAY 3


E-Commerce hardware and Software

Revisiting the Three Tier Model


First Tier Web Client


It provides a Web-based GUI displayed through a Web browser on the client computer.


Second Tier Server side Applications


It consists of server-side applications that run on a Web server or a dedicated application server. These applications implement the business logic of the Web system. Major factors: efficiency, security, cost effectiveness and compatibility. Options:
CGI: Common Gateway Interface
ASP: Active Server Pages
Java servlets

Third Tier Database Management System


It provides data storage/retrieval services for the second tier so that dynamic Web pages can be created. It may consist of one database or a group of databases. For this we need database connectivity. One of the most popular methods is the JDBC-ODBC bridge; others are proprietary network-protocol drivers and native-API drivers. To communicate with a database we use SQL.


CGI

ASP

SERVLET

Servlet is invoked by using HTML form


103

SERVLET
To run servlets, there are basically two techniques:
1. Servlet-enabled web server
2. Non-servlet-enabled web server

We use Tomcat for developing an e-commerce application.
104

SERVLET
There are two main packages in the servlet API: javax.servlet and javax.servlet.http.

105

SERVLET

106

Web servers
The components of a web server are:
Hardware
Software
When determining what sort of server hardware and software to use, you have to consider:
Size of the site
Purpose of the site
Traffic on the site
A small, noncommercial Web site will require fewer resources than a large, commercial site.
107

The role of a web server


Facilitates business:
Business-to-business transactions
Business-to-customer transactions
Hosts company applications
Part of the communications infrastructure
Poor decisions about web server platforms can have a negative impact on a company. This is particularly true for purely online (click and mortar) companies.
108

Hosting considerations
Will the site be hosted in-house or by a provider? Factors to consider:
The bandwidth and availability needed for the expected size, traffic, and sales of the site
Scalability: if the Web site needs to grow or has a sudden increase in traffic, can the provider still handle it?
Personnel requirements or restraints
Budget and cost effectiveness of the solution
Target audience: business-to-customer (B2C) or business-to-business (B2B)
109

Types of Web sites


Development sites: a test site; low-cost
Intranets: available internally only
B2B and B2C commerce sites
Content delivery sites
Each type of site has a different purpose, requires different hardware and software, and incurs varying costs.

110

Commerce sites
Commerce sites must be available 24 hours a day, 7 days a week. Requirements include:
Reliable servers
Backup servers for high availability
Efficient and easily upgraded software
Security software
Database connectivity
B2B sites also require certificate servers to issue and analyze electronic authentication information.
111

Content delivery site


Examples: USA Today, New York Times, ZDNet
Sell and deliver content: news, summaries, histories, other digital information.
Hardware requirements are similar to those of commerce sites. Database access must be efficient.

112

What is Web hosting?


Web hosts are Internet service providers who also allow access to:
E-commerce software
Storage space
E-commerce expertise
You can choose:
Managed hosting: the service provider manages the operation and oversight of all servers
Unmanaged hosting: the customer must maintain and oversee all servers
113

Benefits
Cost effective for small companies or those without in-house technical staff. May require less investment in hardware/software. Can eliminate the need to hire and oversee technical personnel. Make sure that the site is scalable.

114

Services provided
Access to hardware, software, personnel
Domain name, IP address
Disk storage
Template pages to use for designing the site
E-mail service
Use of FTP to upload and download information
Shopping cart software
Multimedia extensions (sound, animation, movies)
Secure credit card processing

115

Summary
ISPs have Web hosting expertise that small or medium-sized companies may not. Creating and maintaining a Web site using an existing network can be difficult. With the exception of large companies with large Web sites and in-house computer experts, it is almost always cheaper to use outside Web hosting services.

116

Examples
EZ Webhost
Interland
HostPro
HostIndex
Managed hosting
Other hosting options
TopHosts.com

117

B2C e-commerce
Requirements:
A catalog display
Shopping cart capabilities
Transaction processing
Tools to populate the store catalog and to facilitate storefront display choices
Any e-commerce software must be integrated with existing systems:
Database
Transaction processing software
118

Catalog display
Small storefront (fewer than 35 items):
Simple listing of products
No particular organization
Example: Quebec maple syrup
Larger catalog:
Store product information in a database
More sophisticated navigation aids
Better product organization
Search engine
Example: LL Bean
119

Shopping carts
Early e-commerce shopping used forms-based checkout methods. These required writing down product codes, unit prices, etc.
A shopping cart:
Keeps track of items selected
Allows you to view the items in the cart
Allows you to change quantities of items
Because the Web is stateless, information must be stored for retrieval. One way to do this is to use cookies, bits of information stored on the client's computer.
120

Transaction processing
Usually performed over a secure connection. May require the calculation of:
Sales tax
Shipping costs
Volume discounts
Tax-free sales
Special promotions
Time-sensitive offers
Details about transactions must be tracked for accounting and sales reports.
121

B2B e-commerce
Business-to-business e-commerce requires tools and capabilities different from those required for business-to-customer systems:
Encryption
Authentication
Digital signatures
Signed receipt notices
The ability to connect to existing legacy systems, including Enterprise Resource Planning (ERP) software. ERP integrates all facets of a business including planning, sales, and marketing.
122

Levels of packages
Three levels of e-commerce packages:
Basic: requires a few hundred dollars in fees and less than an hour to set up. Typically hosted by an ISP.
Middle-tier: ranges in price from $1K to $5K+, and can take from one day to several days to set up. Can connect with a database server. Requires hardware purchase and some skills.
Enterprise-class: for large companies with high traffic and transaction volumes. Hardware and in-house specialists needed.
123

Basic packages
Basic packages are free or low-cost e-commerce software supplied by a Web host for building sites to be placed on the Web host's system.
Fundamental services
Banner advertising exchanges
Full-service mall-style hosting

124

Fundamental services
Available for businesses selling fewer than 50 items with a low rate of transactions. These services offer:
Space for the store
Forms-based shopping
The Web host makes money from advertising banners placed on the site. Each business has some control over which banners are placed on its site.
Examples: Bizland.com, HyperMart
Drawbacks: e-mail transaction processing, banners.
125

Banner exchange sites


Banner exchange sites aid online store promotion. Banner exchange agreements are made between sites that sign up for the service. The banner exchange site (BES) organizes the exchanges, enforces banner exchange rules, collects statistics about customers, and rotates ads on the sites. A click-through count is the number of visitors that a banner produces at a site.
Examples: Banner Exchange, Exchange-it, SmartClicks
126

Full-service mall-style hosting


Full-service hosting sites provide:
High-quality tools
Storefront templates
An easy-to-use interface
Quick Web page creation and maintenance
No required banner advertising
In exchange these sites may charge:
One-time set-up fees
Monthly fees
A percentage of each transaction
A fixed amount per transaction
127

Differences from basic services


Shopping cart software
Comprehensive customer transaction processing
Choice of purchase options (credit card, electronic cash or other forms)
Acceptance and authorization of credit cards
No required (and distracting) Web banner ads
Higher quality Web store building/maintenance tools (saving time and energy)
Examples: Yahoo!Store, BigStep.com

128

Midrange packages
Distinction from basic e-commerce packages: the merchant has explicit control over
Merchandising choices
Site layout
Internal architecture
Remote and local management options
Other differences include price, capability, database connectivity, software portability, software customization tools, and the computer expertise required of the merchant.
129

Features
Prices range from $2000 to $9000.
Hosted on the merchant's server.
Typically has connectivity with complex database systems and stores catalog information.
Several provide connections (hooks) into existing inventory and ERP systems.
Highly customizable
Requires part-time or full-time programming talent.
Examples: INTERSHOP efinity, WebSphere Commerce Suite
130

Enterprise solutions
Distinguishing features:
Price ($25,000 - $1 million)
Extensive support for B2B e-commerce
Interacts with a variety of back office systems, such as database, accounting, and ERP.
Requires one or more dedicated computers, a Web front-end, firewall(s), a DNS server, an SMTP system, an HTTP server, an FTP server, and a database server.

131

Features
Good tools for linking supply and purchasing. Can interact with the inventory system to make the proper adjustments to stock, issue purchase orders, and generate accounting entries.
Example: Wal-Mart
Allows several suppliers to make decisions about resupplying
Results in cost savings in inventory
Examples: WebSphere Commerce Suite, Netscape CommerceXpert
132

Web Platform Choices


Hardware, operating system, and application server software must be considered together since each affects the other. Whatever your choice you must ensure that the server hardware is scalable, meaning that it can be upgraded or a new server added as necessary. Other needs, such as a database server, should be handled by separate hardware. Database products have large processing needs.

133

Factors in performance
Hardware and operating system choice
Speed of connection to the Internet
User capacity
Throughput: the number of HTTP requests that can be processed in a given time period.
Response time: the amount of time a server requires to process one request.
The mix and type of Web pages
Static pages
Dynamic pages: shaped in response to users.
134

Benchmarking
Benchmarking is testing used to compare the performance of hardware and software. Results measure the performance of aspects such as the OS, software, network speed, CPU speed. There are several Web benchmarking programs. For examples see Figure 3-4 on page 87. Anyone considering buying a server for a heavy traffic situation or wanting to make changes to an existing system should consider benchmarks.

135

Web server features


Web server features range from basic to extensive depending on the software package being used. Web server features fall into groups based on their purpose:
Core capabilities
Site management
Application construction
Dynamic content
Electronic commerce

136

Core capabilities
Process and respond to Web client requests: static pages, dynamic pages, domain name translation.
Security: names/passwords, processing certificates and public/private key pairs.
FTP, Gopher
Searching, indexing
Data analysis: who, what, when, how long? May involve the use of Web log analysis software.
137

Site management
Features found in site management tools:
Link checking
Script checking
HTML validation
Web server log file analysis
Remote server administration

138

Application construction
Uses Web editors and extensions to produce Web pages, both static and dynamic. Like HTML editors, application editors allow the creation of dynamic features without knowledge of CGI (Common Gateway Interface) or API (Application Program Interface) programming. They also detect HTML code that differs from the standard or is browser specific.

139

Dynamic content
Non-static information constructed in response to a Web client's request. Assembled from backend databases and internal data on the Web site, a successful dynamic page is tailored to the query that generated it. Active Server Pages (ASP) is a server-side scripting mechanism to build dynamic sites and Web applications. It uses a variety of languages such as VBScript, JScript, and Perl. More information? Take ECT 353!
140

Electronic commerce
A Web server handles Web pages, whereas an e-commerce server deals with the buying and selling of goods and services. A Web server should handle e-commerce software since this simplifies adding e-commerce features to existing sites.
Features: creation of graphics, product information, addition of new products, shopping carts, credit card processing, sales report generation, Web ad rotation and weighting.
141

Web server software


There is no best package for all cases. The market is divided into intranet servers and public Web servers. Three of the most popular Web server programs:
Apache Tomcat Server
Microsoft Internet Information Server
Netscape Enterprise Server

142

Apache Server
Developed by Rob McCool while at UI in the NCSA in 1994. The software is available free of charge and is quite efficient. Can be used for intranets and public Web sites. Originally written for Unix, it is now available for many operating systems. For a discussion of its features see the Apache Software Foundation page.

143

Microsoft IIS
Microsoft's Internet Information Server comes bundled with Microsoft's Windows NT/2000. Can be used for intranets and public Web sites. It is suitable for everything from small sites to large enterprise-class sites with high volumes. Currently only runs on Windows NT/2000. See Microsoft's Web Services page.

144

Netscape Enterprise Server


Costs several thousand dollars and has a 60-day trial period. Can be run on the Internet, intranets and extranets. Some of the busiest sites on the Internet use NES including E*Trade, Excite, and Lycos. Runs on many different operating systems. See Netscape Server Products.

145

Further information
What Web software is running on a site?
Web server side-by-side comparisons

146

Web server tools


Other Web server tools include:
Web portals
Search engines
Push technologies
Intelligent agents

147

Web portals
Provides a cyber door on the Web
Serves as a customizable home base
Successful portals include:
Excite
Yahoo!
My Netscape
Microsoft Passport

148

Push technologies
An automated delivery of specific and current information from a Web server to the user's hard drive. May be used to provide information on:
Health benefit updates
Employee awards
Changes in corporate policies

149

Intelligent agents
A program that performs functions such as information gathering, information filtering, or mediation on behalf of a person or entity.
Examples:
AuctionBot
BargainFinder
MySimon
Kasbah

150

Example uses
Example uses for intelligent agents:
Search for the best price and characteristics of various products
Procurement: deciding what, when, and how much to purchase
Stock alert: monitors stock and notifies when certain conditions are met, e.g. purchase 100 shares if the price is below $60 a share.

151

We Learned
1. Have an idea about HTML and JavaScript.
2. Server-side components: servlets, CGI, ASP etc. Design some simple programs using servlets.
3. Database connectivity: JDBC-ODBC connectivity; how to communicate with a backend database system.
4. Hardware and software required.

152

Day 4

153

Session Tracking

154

Four Methods
1. Hidden form field: we define a hidden field element called username in an HTML form. This can be used to keep track of the user and the shopping cart.
2. URL rewriting
3. HTTP user authentication
4. Cookies

155

2. URL rewriting: the basic concept is to modify, or more precisely rewrite, the URL into a specific URL for each user, i.e. each user is given a specific URL for talking to the web server.
A) Add an extra directory to the original URL
B) Add additional parameters at the end of the URL
e.g. http://www.xyz.com/servlets/welcome/hello becomes
http://www.xyz.com/servlets/welcome/007/hello
or http://www.xyz.com/servlets/welcome/hello?session_no=007
156

3. HTTP user authentication: it can be done by asking the user to provide his username and password.
4. Cookies: a small piece of information stored in the client browser.
Each one has its own advantages and disadvantages. Cannot be used in an e-commerce scenario.
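Added example, not from the original slides: session tracking by URL rewriting in the two shapes shown above, an extra path segment (/welcome/<id>/hello) and an extra query parameter (?session_no=<id>). The host www.xyz.com comes from the slide; the in-memory session store, the id length and the 30-minute timeout are assumptions.

```python
import secrets
import time
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "session_no"
SESSION_TTL = 30 * 60  # assumed: seconds of inactivity after which a session is dropped


class SessionTracker:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested
        self._sessions: Dict[str, dict] = {}  # id -> {"user", "cart", "seen"}

    def new_session(self, user: str) -> str:
        # The id is the only thing tying a request to a user, so it must be
        # unguessable; a short counter such as 007 can simply be enumerated.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "cart": [], "seen": self._now()}
        return sid

    def rewrite_url(self, url: str, sid: str, style: str = "query") -> str:
        """Return url with the session id added as a path segment or a query parameter."""
        parts = urlsplit(url)
        if style == "path":
            # .../welcome/hello -> .../welcome/<sid>/hello
            head, _, last = parts.path.rpartition("/")
            return urlunsplit(parts._replace(path=f"{head}/{sid}/{last}"))
        query = parse_qs(parts.query)
        query[SESSION_PARAM] = [sid]
        return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

    def session_from_url(self, url: str) -> Optional[dict]:
        """Look up the session named in a request URL; None if missing, unknown or expired."""
        parts = urlsplit(url)
        candidates = parse_qs(parts.query).get(SESSION_PARAM, []) + parts.path.split("/")
        for sid in candidates:
            session = self._sessions.get(sid)
            if session is None:
                continue
            if self._now() - session["seen"] > SESSION_TTL:
                del self._sessions[sid]  # stale id: the user must log in again
                return None
            session["seen"] = self._now()
            return session
        return None
```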

157

Servlet Session Tracking API


It can be used in any servlet program. It can be used with other Java components such as CORBA, RMI etc. It can be easily integrated with the Java security API.
1. Setting up a session object.
2. Management of different sessions.
3. Handling the life cycle of a session object.

158

159

Security

Terminology
Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. There are two types of security:
Physical security, including such devices as alarms, fireproof doors, security fences, vaults.
Logical security is non-physical protection.
A threat is an act or object that poses a danger to computer assets. A countermeasure is a procedure, either physical or logical, that recognizes, reduces, or eliminates a threat.
161

Risk analysis
The countermeasure will depend both on the cost associated with the threat and the likelihood that the threat will occur.
High probability, low impact: contain and control
High probability, high impact: prevent
Low probability, low impact: ignore
Low probability, high impact: insurance or backup
Example: CTI computer systems under threat from (1) virus, (2) fire, (3) earthquake, (4) theft
162

Types of threats
Physical threats
Natural phenomena: earthquake, storm, tornado
Arson, electrical shutdown, power surge
Theft, sabotage
Logical threats
Impostors
Eavesdroppers
Thieves

163

Security terminology
Secrecy: protecting against unauthorized data disclosure, and ensuring the authenticity of the data source. Example: use of stolen credit card numbers
Integrity: preventing unauthorized data modification. Example: changing of an e-mail message
Necessity: preventing data delays or denials. Example: delaying a purchase order for stock
164

Security policy
Any organization concerned about protecting its e-commerce assets should have a security policy. A security policy is a written statement describing what assets are to be protected, why they are to be protected, who is responsible for that protection, and which behaviors are acceptable and not. The policy should address physical security, network security, access authorizations, virus protection, and disaster recovery.

165

History
Early computer security measures:
Computers were kept in locked central rooms
Access was granted only to select individuals
No one could remotely access the machine
Modern systems are more complex:
Remote processing
Electronic transmission of information
Widespread use of the Internet

166

E-commerce threats
E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three-part structure:
1. Client security
2. Communication channel security
3. Server security
First, however, we will consider issues surrounding copyright and intellectual property.
167

Copyright and IP
Copyright is the protection of expression and it typically covers items such as books, essays, music, pictures, graphics, sculptures, motion pictures, recordings, architectural works. Intellectual property is the ownership of ideas and control over the representation of those ideas. The U.S. Copyright Act of 1976 protects items for a fixed period of time. Each work is protected when it is created. A copyright notice is not necessary.
168

Threats
The widespread use of the Internet has resulted in an increase in intellectual property threats. It is very easy to reproduce an exact copy of anything found on the Internet. Many people are unaware of copyright restrictions protecting intellectual property. See Intellectual Property Resources on the Internet. A related issue is cybersquatting which is the practice of registering a trademark of another company as a domain name.
169

Protecting copyrights and IP


Enforcing existing copyright laws can be difficult. Some methods for protecting digital IP include:
Digital copyright laws
Electronically locking files
Digital watermarks

170

Digital watermarks
Steganography is the practice of hiding information within other information. Example: See everyone? Lucky Larry! What does it mean? A digital watermark is a digital code or stream embedded into a file. They do not affect the quality of the file and may be undetectable. The presence of a watermark can indicate that the file was stolen.

171

Outline
E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three-part structure:
Client security
Communication channel security
Server security

172

Secrecy vs. privacy


Secrecy: the prevention of unauthorized information disclosure. A technical issue involving physical and logical mechanisms. Example: encryption of e-mail.
Privacy: the protection of individual rights to non-disclosure. The law enforces privacy protection. Example: employers reading employees' e-mail.
See: E-lessons in the Chicago Tribune
173

Cookies
Cookies are files that store identifying information about clients for the purposes of personalization. See The Cookie FAQ for more information. Malicious programs can read cookies to gain private information. Many sites do not store sensitive data in cookies. Cookies are not inherently bad, but it is wise to learn about them. Software exists that enables you to identify, manage, display, and eliminate cookies. See Cookie Crusher, and Cookie Pal.
174

Anonymous browsing
Since many Web sites gather information about visitors to their sites, you are constantly giving away information such as your IP address. There are portals that allow you to surf the Web anonymously by visiting their portal first. Their site acts as a firewall, preventing any leaks in information. Example: Anonymizer.com

175

Client threats
Malicious code is a program that causes damage to a system. Malicious code can affect both the server and the client. Typically servers engage in much more thorough detection and disinfection. Examples:
Virus or worm
Trojan horses
Malicious mobile code in active content

176

Viruses
Macro virus (Anna Kournikova): 75-80% of all viruses; application specific; spread through e-mail attachments
File-infecting virus: infects executable files (.com, .exe, .drv, .dll); spread through e-mail and file transfer
Script viruses (ILOVEYOU): written in scripting languages (VBScript, JavaScript); activated by clicking a .vbs or .js file
177

Worms
Viruses are often combined with a worm. A worm is designed to spread from computer to computer rather than from file to file. A worm does not necessarily need to be activated by a user or program for it to replicate. Example: the ILOVEYOU virus was both a script virus and a worm that propagated by sending itself to the first 50 people in a user's Microsoft Outlook address book.

178

Trojan horse programs


Malicious active content may be embedded into a seemingly innocuous Web page. A Trojan horse is a program hidden inside another program or Web page that masks its true purpose. Origin of the name?

179

Active content
Active content, programs embedded in Web pages, can be a threat to clients. Active content displays moving graphics, downloads and plays audio, places items into shopping carts, computes the total invoice amount, etc. Active content can be implemented in a variety of ways:
Java
JavaScript
ActiveX
180

Java
Java is a high-level, object-oriented programming language developed by Sun Microsystems. It was created for embedded systems, but its most popular use has been in Web pages where applets implement client-side applications. Java is platform independent. It reduces the load on servers by downloading work onto the client's machine.

181

Java sandbox
To counter security problems, a special security model called the Java sandbox was created. The Java sandbox confines Java applet actions to a set of rules defined by a security model. These rules apply to all untrusted Java applets, those that have not been proven to be secure. The sandbox prevents applets from performing file input or output and from deleting files. All applets from a local file system are trusted and have full access to system resources.
182

JavaScript
JavaScript is a scripting language developed by Netscape to enable Web page designers to build active content. When you download embedded JavaScript code it executes on your machine. It does not operate under the sandbox model. For this reason it can invoke privacy and integrity attacks by destroying your disk, copying credit card numbers, recording the URLs of pages you visit, etc. Secure connections do not help. JavaScript programs must be explicitly run.
183

ActiveX controls
ActiveX is an object that contains programs and properties that Web designers place on pages to perform certain tasks. ActiveX controls only run on Windows machines. When embedded ActiveX controls are downloaded, they are run on the client machine. Examples: Flash, Shockwave Once downloaded, ActiveX controls have access to system resources, including the operating system.

184

Graphics and plug-ins


Graphics: some graphics file formats have been designed to contain instructions on how the graphic is to be rendered. Code embedded into the graphic is a potential threat.
Plug-ins: a browser plug-in is a program that enhances the capabilities of the browser. They handle things like playing audio clips and displaying movies. Many plug-ins work by executing commands buried within the media they are displaying.
185

Protecting client computers


The primary task in protecting a client machine is the monitoring of active content. Each browser handles this in a different way. The primary issue is trust of the site providing the active content. One way to improve trust is through the use of digital certificates.

186

Digital certificates
A digital certificate, or digital ID, is an attachment to a Web page or e-mail message verifying the identity of the creator of the page/message. It identifies the author and has an expiration date. A page or message with a certificate is signed. The certificate is only a guarantee of the identity of the author, not of the validity of the page/code. Certificates are obtained from a Certificate Authority (CA) that issues them to an individual or an organization. Example: VeriSign Identification requirements vary.
187

Security in Internet Explorer


Provides content warnings
Reacts to ActiveX and Java-based content
Uses Microsoft Authenticode technology that:
Verifies who signed the code
Checks if the code has been modified since it was signed
If a publisher has not attached a code you can set the browser to not download the page. It is up to you to designate which companies you trust using zones.
188

Authenticode
When a page with a certificate is downloaded:
The certificate is detached
The identity of the CA is verified
The integrity of the program is checked
A list of trusted CAs is built into the browser along with their public keys. Both the certificate and the key must match.

189

Security zones
You can specify different security settings based on the origin of the information being downloaded. There are four zones:
Internet: anything not classified in another way
Local intranet: the internal network
Trusted sites
Restricted sites: Web sites you do not trust

190

Security levels
High: safer but less functional; less secure features are disabled; cookies are disabled.
Medium: safe but functional browsing; prompts before downloading potentially unsafe content; unsigned ActiveX will not be downloaded.
Medium-low: downloads everything with prompts; most content will be run without prompts; unsigned ActiveX will not be downloaded.
Low: minimal safeguards; most content will be downloaded and run without prompts; all active content can be run.
191

Security settings
The Custom Level button allows you to alter the defaults provided by a specific level. All protections are a choice between running and not running active content. No monitoring of code occurs during execution.

192

Netscape Navigator
You can control whether active content (Java or Javascript) will be downloaded. This is done using the Preferences dialog box. On the Advanced tab you can specify what should be done for images, Java, JavaScript, style sheets, and cookies. A message will be sent when Java or JavaScript is downloaded indicating whether the content is signed. A risk assessment is given.

193

Outline
E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three-part structure:
Client security
Communication channel security
Server security

194

Communication channel threats


The Internet was designed for redundancy, not secure communications. The DOD intended to encrypt all information moving in the network. The Internet remains in its insecure state. It is impossible to guarantee that every computer through which information passes is safe, secure, and non-hostile. The possible security violations include secrecy, integrity, and necessity threats.

195

Sniffer programs
E-mail transmissions can be compromised by the theft of sensitive or personal information. Sniffer programs record information as it passes through a particular router. This can capture:
Passwords
Credit card numbers
Proprietary corporate product information

196

Integrity threats
An integrity threat is also called active wiretapping. This occurs when an unauthorized party alters a message in a stream of information. Cyber vandalism is the electronic defacing of an existing Web site's page. This occurs when an individual replaces content on the site. Masquerading or spoofing occurs when perpetrators substitute the address of their site for a legitimate site and then alter an order or other information before passing it along.
197

Necessity threats
Also known as delay or denial threats, the purpose is to disrupt or deny normal processing. Slowing processing can render a service unusable. The most famous example of a denial attack is the Robert Morris Internet Worm attack, perpetrated in 1988.

198

Encryption
Since the Internet is inherently insecure, any secret information must be encrypted. Encryption is the coding of information using a program and a key to produce a string of unintelligible characters. The study of encryption is called cryptography. The name comes from krupto (secret) and grafh (writing). Cryptography is not related to steganography.

199

Terminology
Unencrypted data is called plaintext. Encrypted data is called ciphertext. A key is a string of digits that acts as a password. Only the intended receivers should have the key that transforms the ciphertext into plaintext. A cipher or cryptosystem is a technique or algorithm for encrypting messages. Cryptographic ciphers have a long history.

200

Early cipher systems


Ciphers were used as far back as the ancient Egyptians. Text was encrypted by hand. The two main types of ciphers were:
Substitution cipher: every occurrence of a given letter is replaced by a different one. Example: a by b, b by c, etc. Uftujoh, uftujoh
Transposition cipher: the ordering of the letters is shifted to form new words. Example: Plaintext = example, Ciphertext = eape xml
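Added example, not from the original slides: the two classical cipher types above, checked against the slide's own examples ("Uftujoh, uftujoh" is "Testing, testing" with every letter replaced by the next one; "example" written row by row into two columns and read column by column gives "eape xml"). The shift amount and the column count play the role of the key, and the brute-force helper shows why a key space of 25 is no protection, the point made on the key-length slides that follow.

```python
from typing import List


def shift_encrypt(text: str, shift: int) -> str:
    """Substitution cipher: replace each ASCII letter by the one `shift` places on."""
    out = []
    for ch in text:
        if "a" <= ch <= "z" or "A" <= ch <= "Z":
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)  # punctuation and spaces are left alone
    return "".join(out)


def shift_decrypt(cipher: str, shift: int) -> str:
    return shift_encrypt(cipher, -shift)


def shift_brute_force(cipher: str) -> List[str]:
    """All 25 candidate plaintexts: the key space is tiny, which is the weakness."""
    return [shift_decrypt(cipher, k) for k in range(1, 26)]


def columnar_encrypt(text: str, columns: int) -> str:
    """Transposition cipher: write the text row by row into `columns` columns,
    then read the columns out, separated by spaces as on the slide.
    The plaintext itself must therefore not contain spaces."""
    return " ".join(text[i::columns] for i in range(columns))


def columnar_decrypt(cipher: str, columns: int) -> str:
    """Reverse columnar_encrypt: read across the columns one row at a time."""
    cols = cipher.split(" ")
    if len(cols) != columns:
        raise ValueError("ciphertext does not have the expected number of columns")
    rows = max(len(c) for c in cols)
    return "".join(c[r] for r in range(rows) for c in cols if r < len(c))
```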
201

Modern cipher systems


Modern cryptosystems are digital; the algorithms are based on the individual bits of a message rather than letters of the alphabet. Computer information is stored as binary strings, sequences of 0s and 1s. Encryption and decryption keys are binary strings of a given key length. Example: 128-bit encryption systems.

202

Knowledge needed
Someone can know the details of an encryption algorithm and yet not be able to decipher an encrypted message without the key. The resistance of the encrypted message depends on the size, in terms of bits, of the key used in the encryption procedure. The longer the key, the more computing power and time it takes to break the code. Example: 128-bit encryption systems.

203

Types of cryptosystems
There are two main types of cryptosystems:
Private-key cryptography: also known as symmetric or secret-key encryption, it uses a single key to both encrypt and decipher the message.
Public-key cryptography: also known as asymmetric encryption, it uses a public key to encrypt messages and a private key to decipher messages.

204

Private-key cryptography
Suppose that Alice wishes to send Bob a message:
They exchange a secret key.
Alice encodes the message using the secret key.
The ciphertext is sent to Bob.
Bob decodes the message using the secret key.
Problems with this approach:
How do Alice and Bob exchange the secret key?
There is no authentication of the sender.
What if both wish to communicate with Chris?
205

Key distribution center


A key distribution center shares a different key with each user in the network. When Alice and Bob want to communicate, they obtain a session key from the KDC. They communicate using the session key. If Chris wants to communicate with Alice, they obtain a new session key, improving security. If the KDC is compromised, the security of the entire network is at risk.

206

DES
Data Encryption Standard (DES) is a 56-bit private-key encryption algorithm developed by the NSA and IBM in the 1950s. Cryptanalysts no longer believe that 56-bit keys are secure. The current standard is to use Triple DES: three DES systems in a row, each with its own key. DES is being replaced by the Advanced Encryption Standard (AES).

207

Public-key cryptography
Public-key cryptography uses two related keys. The private key is kept secret by its owner. The public key is freely distributed. When someone wishes to communicate with Alice they use Alice's public key to encode their message. Alice then uses her private key to decode the message. Although the two keys are mathematically related, it would require enormous computing power to deduce the private key from the public one.
208

Authentication
If a customer sends a message to a merchant using the merchant's public key, the customer knows that only the merchant can decipher the message. Similarly, if the customer sends a message using the customer's private key, the merchant can decipher it using the customer's public key, thus identifying the customer. Both together give two-way authentication.
Example: Merchant to customer
First encode using the customer's public key.
Use the merchant's private key on the result.
209

RSA
The most commonly used public-key system is RSA (named for its inventors: Ron Rivest, Adi Shamir, and Leonard Adleman). Invented in 1977 at MIT. Most secure e-commerce transactions on the Internet use RSA products. See the RSA security page. RSA is built into many Web browsers, commerce servers, and e-mail systems. Examples: Internet Explorer, Apache Web Server, Netscape Communicator.
210

PGP
Another common public-key system is PGP (Pretty Good Privacy). Used to encrypt e-mail messages and files. PGP is freely available for non-commercial use. See the MIT Distribution Center.

211

Key agreement protocols


A drawback of public-key algorithms is that they are not efficient for sending large amounts of information. Public-key algorithms can be used to exchange private keys. The process by which two parties exchange keys over an insecure medium is a key agreement protocol. The most common key agreement protocol is a digital envelope.
212

Digital envelopes
The basic idea:
A message is encrypted using a secret key.
The secret key is encrypted using a public key.
Only the receiver can decipher the secret key.
Example:
Alice encrypts a message using a secret key.
Alice encrypts the secret key using Bob's public key.
Alice sends both to Bob.
Bob decrypts the secret key using his private key.
He then uses that key to decipher the message.
213

Key management
Most compromises in security result from poor key management, e.g. the mishandling of private keys resulting in key theft. An important part of management is the generation of keys. The key length must be sufficiently long. A key generation algorithm that is unintentionally constructed to select keys from a small subset of all possible keys may allow a third party to crack the encryption. Key generation algorithms must be random.
214

Digital Certificate and X.509


A digital Certificate is an identification document.

215

Digital Certificate and X.509


X.509 contains the following fields:

216

Digital Certificate System

217

Secure protocols
Secure Sockets Layer (SSL): The purpose is to secure connections between two computers. Developed by Netscape Communications.
Secure Hypertext Transfer Protocol (S-HTTP): The purpose is to send individual messages securely. Developed by CommerceNet.

218

SSL
To begin, a client sends a message to a server. The server responds by sending its digital certificate to the client for authentication. Using public-key cryptography, the client and server negotiate session keys to continue. Once the keys are established, the transaction proceeds using the session keys and digital certificates. All information exchanged is encoded. See Figure 6-17 on page 221.
219

Types of communication
SSL resides on top of TCP/IP in the Internet protocol suite. As a result it can secure many different types of communications:
FTP sessions
Telnet sessions
HTTP sessions: S-HTTP

220

SSL key length


Secure Sockets Layer comes in two strengths: 40-bit and 128-bit. Both refer to the length of the session key generated by every encrypted transaction. The 40-bit version is available for export, but U.S. firms may only use the 128-bit version in products intended for the U.S. market.
221


Limitation
Although SSL protects information as it is being transmitted, it does not protect information once it is stored in the merchant's database. The data needs to be encrypted and/or the server secured to protect information that was previously transmitted.

223

Secure HTTP
Secure HTTP (S-HTTP) is an extension of HTTP. It is concerned with securing individual messages. Works at the application level.
Security features:
Client and server authentication (using RSA)
Symmetric encryption for communication
Message digests
The client and server may use separate S-HTTP techniques simultaneously. Example: The client may use private keys and the server may use public keys.
224

Establishing contact
The details of S-HTTP security are conducted during the initial negotiation session. Security details are specified in special packet headers that are exchanged. Once the client and server have agreed to the security implementations that will be enforced between them, all subsequent messages are wrapped in a secure envelope.

225

Security techniques
The client and server can specify that a security feature is required, optional, or refused. When a feature is required it must be used or the connection will be terminated.
Features:
Use of private-key encryption
Server authentication
Client authentication
Message integrity

226

Transaction integrity
It is difficult to prevent integrity violations, but techniques can enable integrity violations to be detected; information can then be re-sent. The basic idea: A hashing algorithm is applied to produce a message digest. The message digest is encrypted to produce a digital signature.

227

Message digest
A hashing function is applied to the message. This produces a number that is based on the length and content of the message. Good hash algorithms have few collisions. The message digest is appended to the message. The receiver recalculates the message digest. If the two do not match, integrity is violated. Problem: What if an adversary changes both the message and the message digest?
228

Digital signature
The sender computes the digest, encrypts it using her private key, and then appends the encrypted digest onto the message. Only the sender could have created the digital signature. The merchant deciphers the digest, computes his own digest, and compares the two. If they match the integrity of the message was preserved. For added security, the digital signature and the message can be encrypted.
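The digital envelope, the bare message digest and the digital signature from the three slides above, worked through as one added example that is not part of the original lecture material. It uses textbook RSA over two Mersenne primes and a SHA-256 counter-mode keystream as stand-ins for the real ciphers; the key sizes, the truncated digest and the party names are assumptions chosen to keep the arithmetic small, not anything secure enough to deploy.

```python
# Added example (not from the lecture slides): digital envelope, message
# digest and digital signature built from textbook RSA with toy primes.
import hashlib
import secrets


def rsa_keygen(p=(1 << 61) - 1, q=(1 << 89) - 1, e=65537):
    """Return ((e, n), (d, n)). Defaults are the Mersenne primes 2^61-1 and
    2^89-1, giving a ~150-bit modulus that holds a 128-bit block; real keys
    use 2048-bit or larger moduli."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; ValueError if e is not coprime
    return (e, n), (d, n)


def rsa_apply(key, block: int) -> int:
    """Textbook RSA: block^k mod n with k = e (public) or d (private)."""
    k, n = key
    if not 0 <= block < n:
        raise ValueError("block does not fit the modulus")
    return pow(block, k, n)


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; stands in for the secret-key cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# --- Digital envelope ------------------------------------------------------
def seal_envelope(recipient_pub, message: bytes):
    """Sender: encrypt the message with a fresh secret key, then wrap that
    key with the recipient's public key. Returns (wrapped_key, ciphertext)."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_apply(recipient_pub, int.from_bytes(session_key, "big"))
    return wrapped, symmetric_crypt(session_key, message)


def open_envelope(recipient_priv, wrapped: int, ciphertext: bytes) -> bytes:
    """Recipient: recover the secret key with the private key, then the message."""
    session_key = rsa_apply(recipient_priv, wrapped).to_bytes(16, "big")
    return symmetric_crypt(session_key, ciphertext)


# --- Message digest and digital signature ----------------------------------
def message_digest(message: bytes) -> bytes:
    """SHA-256 truncated to 128 bits so the digest fits under the toy modulus."""
    return hashlib.sha256(message).digest()[:16]


def digest_check(message: bytes, digest: bytes) -> bool:
    """Plain digest check: recompute and compare. Anyone can recompute it."""
    return message_digest(message) == digest


def sign(signer_priv, message: bytes) -> int:
    """Digital signature: the digest is transformed with the sender's private key."""
    return rsa_apply(signer_priv, int.from_bytes(message_digest(message), "big"))


def verify(signer_pub, message: bytes, signature: int) -> bool:
    """Recover the digest with the sender's public key; compare with a fresh one."""
    return rsa_apply(signer_pub, signature) == int.from_bytes(message_digest(message), "big")


def demo() -> dict:
    """Constructed scenario: Alice sends Bob a signed order inside an envelope;
    an adversary then alters the order and recomputes its digest."""
    alice_pub, alice_priv = rsa_keygen()
    bob_pub, bob_priv = rsa_keygen(p=(1 << 107) - 1, q=(1 << 127) - 1)
    order = b"ship 1 widget to Alice, charge $10"
    signature = sign(alice_priv, order)
    wrapped, ciphertext = seal_envelope(bob_pub, order)
    received = open_envelope(bob_priv, wrapped, ciphertext)
    forged = b"ship 9 widgets to Mallory, charge $10"
    return {
        "bob_reads_original": received == order,
        "signature_valid": verify(alice_pub, received, signature),
        # a recomputed digest satisfies the bare digest check ...
        "forged_passes_digest_check": digest_check(forged, message_digest(forged)),
        # ... but not the signature, which needs Alice's private key
        "forged_passes_signature": verify(alice_pub, forged, signature),
    }
```
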
229

E-commerce security
E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three-part structure:
Client security
Communication channel security
Server security

230

Server threats
Server threats can be classified by the means used to obtain unauthorized access into the server:
The Web server and its software
Back-end programs and servers such as ones for a database
Common Gateway Interface (CGI) programs
Other utility programs residing on the server

231

Security levels
Web servers running on most machines can be set to run at various privilege levels. The highest one allows access to any part of the system, including sensitive areas. The lowest level provides a logical fence that prevents access to sensitive areas. The rule is to use the lowest level needed to complete a given task. Setting up a Web server to run in high privilege mode can cause potential threats.
232

Entering passwords
Web servers that require usernames and passwords can compromise security by revealing them. Because the Web server needs the information as it moves from page to page, it may place that in a cookie on the client's machine. The server must be careful not to request that the cookie be transmitted unprotected.

233

Username/password pairs
Web servers may keep files with username/password pairs to use for authentication. If these files are compromised then the system can be attacked by people masquerading as others. Users who choose passwords badly also pose a threat to Web server security. Passwords that are easily guessed, such as birth dates, child or pet names, are poor choices. Administrators often run programs that attempt to guess users' passwords as a preventative measure.
234

Database threats
Because databases hold valuable information, attacks on them are particularly troubling. Security features rely on usernames/passwords. Security is enforced using privileges. Databases that fail to store usernames/passwords in a secure manner or fail to enforce privileges can be compromised. During an attack, information may be moved to a less protected level of the database, giving full access.

235

CGI threats
CGI implements the transfer of information from a Web server to another program. Like Web servers, CGI scripts can be set to run unconstrained (with high privilege). Defective or malicious CGI scripts can access or destroy sensitive information. Old CGI scripts that have been replaced can be loopholes for access into the system. CGI scripts can reside anywhere and are difficult to track.
236

Buffer overflows
A buffer is an area of memory set aside to hold data read from a file or database. Buffers are necessary because I/O operations are much slower than CPU operations. Buffer overflows, either from a buggy program or as part of a deliberate attack, can result in:
A computer crash
Instructions for an attacking program being written into the return address save area, causing them to be run by the Web server CPU
237

Securing the server


Access control and authentication: Controlling who and what has access to the server; includes both users and other servers.
Firewalls: Inside: network and machines protected by the firewall. Outside: all other networks.

238

Access control
Authentication via digital certificates and signatures.
Usernames/passwords:
Usernames are stored as clear text.
Passwords are stored as encrypted text.
A password entered is encrypted and compared against the encrypted password.
An access control list gives the users that can access certain files and folders in the system. Read, write, and execute permissions may be set separately.
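The username/password file and access control list described above, as an added example that is not part of the original lecture material. The slide's "encrypted" password is realised here as a salted PBKDF2 hash, and the user names, passwords, paths and permissions are constructed for the example.

```python
# Added example (not from the lecture slides): password file with hashed
# passwords plus a path-based access control list, checked in that order.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # slows down offline guessing against a stolen file


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store 'salthex$hashhex'. A random per-user salt means two users with
    the same password do not get the same stored record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the entered password and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed password file: usernames in clear text, passwords as hashes.
USERS = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("another long passphrase"),
}

# Constructed access control list: path prefix -> {user: permissions}.
# r = read, w = write, x = execute, matching the slide's three permissions.
ACL = {
    "/catalog/": {"alice": {"r"}, "bob": {"r", "w"}},
    "/cgi-bin/order.cgi": {"bob": {"r", "x"}},
}


def authorize(user: str, path: str, perm: str) -> bool:
    """Longest matching prefix decides; no entry at all means denied."""
    matches = [p for p in ACL if path.startswith(p)]
    if not matches:
        return False
    best = max(matches, key=len)
    return perm in ACL[best].get(user, set())


def request(user: str, password: str, path: str, perm: str) -> bool:
    """The full check a server performs: authenticate, then consult the ACL.
    An unknown user and a wrong password fail the same way."""
    stored = USERS.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    return authorize(user, path, perm)
```
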
239

Firewalls
All traffic from the outside must pass through it. Only authorized traffic is allowed to pass. The firewall should be immune to attack. Operates at the application layer. Trusted networks are inside; untrusted ones outside. Can be used to separate divisions of a company. The same policies should apply to all firewalls. Unnecessary software should be stripped off.

240

Types of firewalls
Packet filters: Filter traffic according to source and destination (IP address) based on a set of rules.
Gateway servers: Filter traffic according to the application requested. Example: Incoming FTP requests granted but outgoing requests denied.
Proxy servers: Communicate with the Internet on behalf of the private network. Also used as a cache for Web pages.
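A stateless packet filter of the kind described under "Packet filters", as an added example that is not part of the original lecture material. The network layout (an inside 10.0.0.0/8 with a public Web server and a database server), the addresses and the rule set are all constructed for the example; the last rule is a default deny, so any packet no rule explicitly allows is dropped.

```python
# Added example (not from the lecture slides): first-match packet filter
# with a default-deny rule, evaluated on constructed packets.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network (CIDR); default = any
    dst: str = "0.0.0.0/0"       # destination network (CIDR); default = any
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any destination port
    note: str = ""               # why the rule exists; shows up in the log

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed network: the inside is 10.0.0.0/8, with a public Web server at
# 10.0.0.80 and a database server at 10.0.0.5 that must never be reachable
# from outside. The filter sits at the perimeter, so only traffic crossing
# between inside and outside is evaluated.
INSIDE = "10.0.0.0/8"
RULES = [
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=80, note="public web"),
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=443, note="public web (SSL)"),
    Rule("deny", dst="10.0.0.5/32", note="database server: explicit deny, always logged"),
    Rule("allow", src=INSIDE, note="outbound traffic from the inside"),
    Rule("deny", note="default deny: nothing else is allowed"),
]


def filter_packet(pkt: Packet, rules=RULES) -> Rule:
    """First matching rule wins; the final catch-all guarantees a decision."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise RuntimeError("rule set must end with a catch-all rule")


def audit(packets, rules=RULES) -> list:
    """Constructed log lines, one per packet, in the shape a defender reviews:
    decision, 4-tuple, and the note of the rule that decided it."""
    lines = []
    for pkt in packets:
        rule = filter_packet(pkt, rules)
        lines.append(f"{rule.action.upper():5} {pkt.src} -> {pkt.dst}:{pkt.dport}"
                     f"/{pkt.proto} ({rule.note})")
    return lines
```
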
241

DAY 5

242

Electronic Payment System


Four types of payment methods: Cash, Credit Card, Check and Credit/Debit (fund transfer)
Secure Electronic Transaction (SET) protocol for implementing credit card payment
An electronic check system for supporting check payment
An electronic funds transfer system
An electronic cash system
243

Features of Payment Methods


1. Anonymity
2. Security
3. Overhead Cost
4. Transferability
5. Divisibility
6. Acceptability
4C Payment Methods

244

Secure Electronic Transaction


Must satisfy the following security requirements in the context of credit card payment:
Confidentiality
Integrity
Authentication

245

Network Architecture of SET System

1. Merchant
2. Cardholder
3. Issuer
4. Acquirer
5. Payment Gateway


246

Set Digital Certificate System

247

Dual Signature Generation and Verification


OI: Order Information, PI: Payment system
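The dual signature sketched in the figure above, carried through as an added example that is not part of the original lecture material. The cardholder signs the digest of the two concatenated digests, so the merchant can verify it with OI and only the digest of PI, and the bank with PI and only the digest of OI; the toy RSA key (two Mersenne primes), the truncated digest and the order/payment strings are assumptions made for the example.

```python
# Added example (not from the lecture slides): SET-style dual signature
# linking the order information (OI) and payment information (PI).
import hashlib

# Toy cardholder signing key (constructed): Mersenne primes 2^89-1 and
# 2^107-1 give a ~196-bit modulus, enough for a 128-bit digest as one block.
P, Q, E = (1 << 89) - 1, (1 << 107) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
CARDHOLDER_PUBLIC = (E, N)


def h(data: bytes) -> bytes:
    """Message digest: SHA-256 truncated to 128 bits so it fits under N."""
    return hashlib.sha256(data).digest()[:16]


def dual_signature(pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = sign( H( H(PI) || H(OI) ) ) with the private key.
    One signature covers both documents without revealing either."""
    pomd = h(h(pi) + h(oi))
    return pow(int.from_bytes(pomd, "big"), D, N)


def _ds_matches(pomd: bytes, ds: int, public) -> bool:
    """Recover the signed digest with the public key and compare."""
    e, n = public
    return pow(ds, e, n) == int.from_bytes(pomd, "big")


def merchant_verify(oi: bytes, pimd: bytes, ds: int, public=CARDHOLDER_PUBLIC) -> bool:
    """Merchant holds OI in clear and only the digest of PI: it can check the
    order is the one the cardholder paid for without seeing card data."""
    return _ds_matches(h(pimd + h(oi)), ds, public)


def bank_verify(pi: bytes, oimd: bytes, ds: int, public=CARDHOLDER_PUBLIC) -> bool:
    """Payment gateway holds PI and only the digest of OI: it can check the
    payment is tied to that order without learning what was bought."""
    return _ds_matches(h(h(pi) + oimd), ds, public)


def purchase_request(pi: bytes, oi: bytes) -> dict:
    """Constructed purchase request split into the two recipients' views.
    In SET the PI part travels inside a digital envelope for the gateway."""
    ds = dual_signature(pi, oi)
    return {
        "to_merchant": {"oi": oi, "pimd": h(pi), "ds": ds},
        "to_bank": {"pi": pi, "oimd": h(oi), "ds": ds},
    }
```
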

248

Digital Envelope

249

SET Protocol
1. Purchase Initiation
2. Purchase Request
3. Payment Authorization
4. Payment Capture

250

SET Protocol

251

Marketing, sales, and promotion

Building a presence
An organization's presence is the public image it conveys to its stakeholders. The stakeholders include customers, suppliers, employees, stockholders, neighbors, and the general public.
Physical world: Create a store, factory, warehouse or office building and/or engage in advertising.
On the Web: Create a site, which may be the only point of contact for stakeholders, and/or engage in advertising.
253

Web presence goals


Attracting visitors to the site Making the site sticky so that visitors stay Convincing visitors to follow the sites links to obtain information Creating an image consistent with the desired image of the organization Reinforcing positive images that the visitor may already have about the organization

254

Examples
Commercial organizations Toyota Metra Museums Art Institute Field Museum Museum of Science and Industry

255

Elements of a Web site


History, statement of objectives, mission statement
Information about products or services
Financial information
A way to communicate with the organization
+ Usability matters
+ Communication should be two-way
+ Failure will result in a loss of competitiveness
How can the design of the site be done effectively?
256

Purposes for visiting a site


Learning about products and services Buying products and services Obtaining information about warranties or service for previously purchased products Gaining general information about the organization Obtaining information for the purposes of investing or granting credit Identifying the people who manage the organization Obtaining contact information for an individual

257

Difficulties in delivering content


Varying visitor needs Differing experience levels Technological issues Data transmission speeds Web browsers Plug-in software

258

Strategies
Convey an integrated image Provide easily accessible facts both about the firm and any products or services it may offer Allow visitors to experience the site in a variety of ways and at different levels Provide meaningful, responsive, reliable, twoway communication Sustain visitor attention without detracting from the purpose and image of the site Find ways to encourage return visits
259

Usability
Design the site around how visitors will navigate the site, not around the organization's structure. Allow quick access to the site's information. Avoid using inflated marketing statements. Avoid using business jargon. Allow visitors with older browsers and slower connections to access the site; this may mean building several versions of the site. Be consistent in the use of design features and colors.
260

Usability
Make sure that navigation controls are clearly labeled or otherwise recognizable Test text visibility on smaller monitors Check that color combinations do not impair viewing clarity for the colorblind Positive examples: Webby Awards (See the Monterey Bay Aquarium) Negative examples: Mud Brick Awards

261

Finding and reaching customers


Personal contact/prospecting Employees individually search for, qualify, and contact potential customers. Mass media approach Advertising and promotional material is created and then distributed via: Television or radio Newspapers or magazines Highway billboards Mailings
262

Types of interactions
One-to-many Mass media Seller sends out carefully produced messages to a large audience. Seller is active; buyer is passive. One-to-one Personal contact Salesperson interacts with customer directly. Trust building is important. Both seller and buyer participate actively.
263

The Web
Many-to-one Many active potential customers seek out information from resources produced by the seller. Example: Book review sites, fan sites One-to-one E-mail contact with a seller Many-to-many Newsgroups and interactive Web sites Primary characteristic: The buyer is active and controls the length, depth, and scope of the search.
264

Effectiveness of mass media


Mass media efforts are measured by estimates of audience size, circulation, or number of addresses. Money spent on mass media is in dollars per each thousand people in the estimated audience. This pricing metric is called cost per thousand and is often abbreviated CPM.

265

Micromarketing
As mass media lost its effectiveness (new and improved!), one approach was to divide a pool of potential customers into segments. This is called market segmentation. Targeting very small market segments is called micromarketing. Micromarketing is expensive using traditional means, but more cost effective on the Web.

266

Web-specific measures
A visit occurs when a visitor requests a page. Immediate downloads of new pages are often counted as part of the same visit. A trial visit is the first one; subsequent ones are called repeat visits. Each page loaded is a page view. If the page contains an ad it is an ad view. An impression refers to each banner ad load. If a visitor clicks a banner, it is a click-through. One CPM for banner ads is 1000 impressions. Charges range from $1 to $100 CPM.
267

Comparisons
The Web has: Better effectiveness than mass media More trust than mass media Lower cost than personal contact Less trust than personal contact It is believed that a move toward the side of personal contact is more effective. Increase the trust level Increase the personalization
268

Technology and marketing


Technology-enabled relationship management is when a firm obtains detailed information about customer preferences, needs, behavior and buying patterns and uses that information to: set prices negotiate terms tailor promotions add product features customize its relationship with the customer.

269

Branding
A known and respected brand presents a powerful statement about quality, value, and other desired qualities to potential customers. Branded elements are easier to promote. The key elements of branding are: Differentiation Relevance Perceived value This makes branding for commodity products like salt or plywood more difficult.
270

Differentiation
A characteristic that sets the product apart from similar products. Examples: Ivory soap: It floats Dove soap: 1/4 moisturizing creme Palmolive dish soap: Mild on your hands Dawn dish soap: Takes grease out of your way Antibacterial soaps

271

Relevance
The degree to which the product offers utility to a potential customer. The customer must be able to see themselves purchasing and using the product. Examples: Cadillac, Hyundai, Minivans

272

Perceived value
The product must have some identified value. Products can be different than others and people can see themselves using it, but it may not have values that they desire. Example: Subway sandwich ads comparing fat values of their product to those found in BigMacs.

273

Emotional branding
Ted Leonhardt: "Brand is an emotional shortcut between a company and its customer." Emotional appeals work well on television, radio, billboards, and print media since the viewer is a passive recipient of information. On the Web it is easy to click away from emotional appeals.

274

Rational branding
Rational branding offers to help Web users in some way in exchange for their viewing an ad. Functional assistance replaces emotional appeals. Examples: Free e-mail services such as HotMail Free Web hosting such as HyperMart ShopSmart! program from Mastercard

275

Other branding strategies


Leverage success in one area into another area. Example: Yahoo! Affiliate marketing: Descriptions, reviews or other information about a product on one site are linked to pages on another site allowing you to purchase that item. Example: Amazon.com Serving as a market intermediary between buyers and sellers. Example: Wedding Channel
276

Costs of branding
Transferring existing brands to the Web or using the Web to maintain an existing brand is easier and less expensive than creating a new brand. Example: Catalog sales companies Attempting to create a brand on the Web may involve spending on traditional mass media such as television, print, and radio. Example: In 1998 Amazon.com spent $133 million and BarnesandNoble.com spent $70 million, much of it on traditional advertising.
277

Business models for the Web


Selling goods and services Based on the mail order catalog business Selling information or other digital content Can be used to expand markets and cut costs Advertising supported Used by American network television Advertising-subscription mixed Supported via both fees and advertising Fee-for-transaction The use of information filtering for profit
278

Selling goods and services


Used for apparel, computers, electronics, and gifts. The printed catalog is replaced or supplemented by information on the Web site. Customers may purchase via phone. (Why?) Fabric swatches are usually available. (Why?) Examples: Dell computers: Flexibility Lands End: Overstocks FTD Florists: Traditional advertising Buy.com: Discounting
279

Selling digital content


The Web is an efficient means for selling information. Legal research: Lexis Publishing Digital copies of documents: ProQuest Electronic versions of journals: ACM Digital Library Adult entertainment Reference materials: Encyclopedia Britannica

280

Advertising supported
The success of Web advertising has been hampered by two major problems: There is no consensus on how to measure and charge for site visitor views. Examples: Number of visitors, number of unique visitors, number of click-throughs. Very few Web sites have a sufficient number of hits to interest large advertisers. Targeted advertising requires that demographics be collected, a sensitive privacy issue. One success: Employment advertising
281

Advertising-subscription mixed
Subscribers are subject to less advertising and have greater access to the resources of the site. Popular with online newspapers. Examples The New York Times The Wall Street Journal Reuters ESPN

282

Fee-for-transaction
Value-added services are sold in exchange for a commission. Travel agencies Travelocity Expedia Automobile sales Autobytel: An example of disintermediation Stockbrokers Insurance companies

283

284

International, ethical, and legal issues

Outline
International issues
Language Culture Infrastructure

Ethical issues
Defamation Privacy rights

Legal issues
Borders and jurisdiction Jurisdiction on the Internet Taxation and e-commerce Contracting Web site content

286

International e-commerce
E-commerce is by its nature international. International companies must work to build trust with customers. Trust can be built by sharing a culture, that is, a combination of language and customs. The barriers to international e-commerce include: Language Culture Infrastructure

287

Language issues
A first step in reaching international customers is to conduct business in their native language. Customers are more likely to buy products and services from Web sites in their own language, even if they understand English. Estimates are that by the end of this year, 60% of Web use and 40% of e-commerce sales will involve at least one party outside the U.S.

288

Common languages
Most common non-English languages for U.S. companies: Spanish, German, Japanese, French, Chinese. Second tier of languages: Italian, Korean, Russian, Portuguese, and Swedish. Many languages involve different dialects such as Spanish in Mexico vs. Spain vs. Argentina. Some dialect differences are in spoken inflection. Word meanings and spellings can vary between dialects. Example: Gray in U.S.; grey in U.K.
289

Multiple language sites


Not every page on a site will be translated into multiple languages. Pages that may be kept in multiple languages: Home page Marketing and branding pages Product information pages Pages that may be kept in a single language: Local news Employment opportunities

290

Handling language displays


There are several ways to ensure that customers will see the language appropriate for them. Use the information about the default language of the browser to direct visitors to pages. Create different versions of the site and place links on the page directing visitors. Examples: Dell Computers, Hyundai The links need to be clearly labeled. Country flags are not a good choice. (Why?)

291

Translation/localization
Hire a Web page translation service: Translate the pages. Maintain them for a fee ($0.25-0.50/word). Use software that automates the translation and maintenance of the pages. Example: Idiom Technologies. Completely automated translation software can translate up to 40,000 words an hour. Human translators do 400-600 words an hour.

292

Culture issues
Errors can stem from language and culture standards. Chevrolet Nova did not sell in Latin America. Pepsi's campaign in China failed: "Come alive" became "Brings your ancestors back from their graves." Complaints from Japanese customers to wine.com: packaging is an important part of a quality product. Baby food with a picture of a baby did not sell well in parts of Africa where food containers always carry a picture of their contents.
293

Labeling issues
Labeling issues are particularly troublesome: Inappropriate use of the image of a cow in India. Uncovered legs or arms in a Muslim country. A Web page divided into four parts or that uses the color white in Japan, where the number 4 and white represents death.

294

Ways of doing business


Japanese customers prefer to pay using cash or cash transfer instead of credit cards. Softbank created a joint venture with 7-Eleven, Yahoo! Japan, and Tohan to sell books and CDs on the Web. Order items on Internet Pick them up and pay at 7-Eleven In this case, adding an intermediary helped gain customers.

295

Internet access
Some parts of the world have environments that are inhospitable to e-commerce. Denial of access to citizens Restriction of citizens access Addition of taxes that place it out of reach The information provided on the Internet may be seen as objectionable or threatening to the culture or traditions of the country.
296

Culture and the law


Some countries have strong cultural requirements that have found their way into the legal codes. In France all advertisements for products must be in French. A U.S. company that ships to France must provide pages in French. Quebec provincial law requires street signs, billboards, directories, and advertising created by Quebec businesses to be in French. Web pages marketed at the U.S. in English only are not allowed.
297

Infrastructure issues
In many countries, the telecommunication systems are government-owned or heavily regulated. Regulations in some places have restricted the development to a point that Internet data packet traffic cannot be handled reliably. Local connection costs may be much higher than in the U.S., resulting in different behavior by Internet users. The paperwork needed for international transactions can be prohibitive. See Figure 11-2, page 347.
298

Ethical issues
Not adhering to common ethical standards can result in a degradation of trust on the part of customers. Example: Amazon.com and publishers. Two areas of concern:
Defamation
Privacy rights

299

Defamation
A defamatory statement is one that is false and injures the reputation of another person or company. A statement injuring the reputation of a product or service is called product disparagement. The line between justifiable criticism and defamation can be hard to determine.

300

Privacy rights
Privacy issues remain unsettled and are hotly debated in many forums. The FTC issued a report that concluded Web sites were developing privacy practices with sufficient speed. Responses from privacy advocacy groups were in sharp disagreement. Privacy assumptions vary between cultures.

301

Some principles
Use the data collected to improve service. Do not share customer data with outsiders without the customer's permission. Tell customers what data is being collected and what you are doing with it. Give customers the right to delete any of the data collected about them.

302

The legal environment


Legal issues regarding e-commerce have only begun to be addressed. Categories of issues: Borders and jurisdiction Jurisdiction on the Internet Contracting and contract enforcement Web site content

303

Borders and jurisdiction


Culture affects both laws and ethical standards. Territorial borders in the physical world serve as notice that culture and laws may be changing. The relationship between geographic boundaries and legal boundaries deals with four elements: 1. Power 2. Effects 3. Legitimacy 4. Notice

304

Power
Some of the defining characteristics of a sovereign government are control over: A physical space Objects that reside in that space People who reside in that space The ability of a government to exert control over a person or corporation is called jurisdiction. Laws in the physical world do not apply to people who are not located in or own assets in the area that created those laws.
305

Effects
Laws in the physical world are based on the relationship between physical proximity and the effects of a person's behavior. Actions have a stronger hold on things nearby. Example: Trademark enforcement. Two restaurants with the same name, one in Chicago and one in France.

306

Legitimacy
The right to create laws and enforce laws derives from the mandate of those who will be subject to those laws. Some cultures allow their governments a high degree of autonomy and authority. Example: China and Singapore Other cultures place severe restrictions on the authority of the government. Example: Scandinavian countries

307

Notice
Physical boundaries are an effective way to announce the ending of one legal or cultural system and the beginning of another. The perception that the laws and norms have changed is needed to allow people to adjust. Borders provide this notice.

308

Jurisdiction on the Internet


Determining who has jurisdiction can be difficult. Example: Mexican customer dealing with a firm from Sweden, hosted by a Canadian site, and maintained by a programmer from India. A contract is an agreement between two or more legal entities that provides for an exchange of value (goods, services, money). A tort is an action taken by a legal entity that causes harm to another legal entity.

309

Sufficient jurisdiction
If a person or organization wants to enforce their rights under contracts or seek tort damages, they must find courts that have sufficient jurisdiction. A court has sufficient jurisdiction in a matter if it has both: Subject matter jurisdiction Personal jurisdiction.

Subject-matter jurisdiction
Subject-matter jurisdiction is a court's authority to decide the type of dispute.
In the United States:
- Federal courts preside over federal law (bankruptcy, copyright, patent, federal taxes)
- State courts deal with issues governed by the states (professional licensing, state taxes)
The rules for subject-matter jurisdiction are easy to apply.

Personal jurisdiction
Personal jurisdiction is, in general, determined by the residence of the parties in question.
A court has jurisdiction if the defendant resides in the state in which the court is located.
An out-of-state person can submit to a court's jurisdiction by signing a contract that includes a statement that the contract will be enforced according to the laws of a particular state.

Long-arm statutes
States can enact statutes that create personal jurisdiction over nonresidents conducting business or committing tortious acts in the state.
In many cases, these laws are not clear with respect to e-commerce.
The more business conducted in a state, the more likely a court will be to apply a long-arm statute.
Courts also assert jurisdiction when a crime or intentional tort has occurred.

International issues
The exercise of jurisdiction across national borders is governed by treaties between the countries.
In general, U.S. courts determine personal jurisdiction over foreign firms and persons in the same way as under long-arm statutes.
Jurisdictional issues are complex and changing.
Businesses should consult an attorney for advice.

Taxation and e-commerce
A government acquires the power to tax a business when the business establishes a connection with the area controlled by the government. This connection is called nexus.
Nexus is similar to personal jurisdiction.
Determining nexus can be difficult when a company conducts only a few activities in a state.
Online companies may be subject to multiple tax laws from day one.

Types of taxes
An online business is potentially subject to several types of taxes:
- Income taxes: levied by national, state, and local governments on the net income generated by business activities.
- Transaction taxes: include sales taxes, use taxes, and customs duties.
- Property taxes: levied on the personal property and real estate used in the business.
Income and transaction taxes are the most important.

Federal income taxes
In the U.S., any increase in a company's wealth is subject to federal taxation.
Any company whose U.S.-based Web site generates income is subject to U.S. federal income tax.
A U.S. company that maintains a Web site must also pay federal income tax on income generated outside the U.S. (The law provides a tax credit for taxes paid to foreign countries.)

State and local income taxes
Companies that do business in multiple local jurisdictions must apportion their income and file tax returns in each locality that levies an income tax.
The number of taxing authorities in the United States is over 30,000.
Companies can accept orders and ship from one state to many other states and avoid nexus by using a contract carrier such as FedEx or UPS to deliver goods to customers.

Sales taxes
Businesses that establish nexus with a state must file sales tax returns and remit the sales tax they collect from their customers.
If a business ships to customers in other states, it is not required to collect sales tax from those customers unless the business has established nexus with the customer's state.
There are 7500 U.S. sales tax jurisdictions, and the rules about which items are taxable differ.
Example: in NY, large marshmallows are taxable because they are snacks, but small ones are not because they are food.

Contracting
Any contract includes an offer and an acceptance.
An offer is a declaration of willingness to buy or sell a product or service with enough details to be firm, precise, and unambiguous.
An acceptance is the expression of willingness to take an offer, including all of its stated terms.
When one party makes an offer that is accepted, a contract is created.

Contracting on the Web
A seller advertising on the Web is not making an offer but inviting offers from potential buyers.
When the buyer submits an order, the seller accepts and a contract is made.
Some examples of legally binding acceptances in the physical world:
- Mailing a check
- Shipping goods
- Shaking hands
- Taking an item off a shelf
- Opening a wrapped package

Written contracts
In the U.S., written contracts must be used for goods worth more than $500 and for contracts requiring actions that cannot be completed within a year.
Things that constitute a signature:
- Faxes
- Typed names
- Printed names
- Digital signatures

Warranties
Any contract for sale includes implied warranties.
Sellers can create explicit warranties.
Statements in promotional material may create an implied warranty.
Sellers can use a warranty disclaimer to avoid some implied warranties; it must be clearly displayed.

Web site content
Legal issues can arise relating to the Web page content of an e-commerce site. These include:
- Trademark infringement
- Deceptive trade practices
- Regulation of advertising claims
- Defamation

Trademark infringement
Web designers must be careful not to use any trademarked name, logo, or other identifying mark without the written consent of the trademark owner.
Example: a picture of the president of a company (other than Pepsi) holding a can of Pepsi.
Manipulating trademarked images and placing them on a site can cause problems.

Deceptive trade practices
Web sites that include links to other sites must be careful not to imply a relationship with the linked company if there is none.
A firm cannot use a similar name, logo, or other identifying characteristic that causes confusion in the customer's mind.
Trademark dilution is the reduction of the distinctive quality of a trademark by alternate uses.

Thanks and Good Bye
