Security+ All-In-One Edition Chapter 15 – Web Components


Security+ All-In-One Edition Chapter 15 – Web Components Brian E. Brzezicki

Web Components (443) Believe it or not, the web did not exist until about 1993. A few years later (about 1995) the commercialization of the Internet began. Web browsers let us access information in a quick, easy and universal way. The protocol of the web is called "HTTP", the Hypertext Transfer Protocol, which transfers HTML documents as well as other file formats.

HTTP HTTP (TCP port 80) is the protocol for web communications. Unfortunately there are two problems with HTTP: no encryption, and no authentication of the remote server. There are many useful web applications, for example online banking. Can anyone see why those two issues are VERY problematic?

Enter SSL/TLS (445) SSL and TLS are a way of securing network communications. They provide two important things: server authentication and encryption. SSL/TLS-protected traffic is called HTTPS and runs on TCP port 443.

How does SSL work (447) 1. The client sends its SSL version and cipher settings. 2. The server responds, including its digital certificate. 3. The client verifies that the server is who it says it is (NOTE: DISCUSS HOW). 4. The client encrypts a seed value with the server's public key. 5. The server decrypts the seed value and uses it to generate a master key. 6. Client and server both use the seed value to generate the master key, which will be used to encrypt the session's traffic.

SSL Once this handshake is completed we have verified that the server is who it says it is AND we have exchanged keys for symmetric encryption. This "handshake" is the CPU-intensive part of SSL communications, NOT the actual encryption.
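The last handshake step above, both sides turning the seed plus the two hello randoms into one shared master key, shown as an added example that is not from the slides. It implements the TLS 1.2 PRF from RFC 5246 (P_SHA256); the RSA step that protects the seed in transit is assumed to have already happened, and all input values are constructed.

```python
# Added example (not from the slides): the key-derivation step of the handshake.
# Client and server each run the same function over the same inputs and end up
# with the same 48-byte master secret, which then keys the symmetric cipher.
import hashlib
import hmac
import secrets


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 P_hash with HMAC-SHA256, expanded to `length` bytes."""
    out = b""
    a = seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret, derived independently by client and server."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def simulate_handshake():
    """Constructed handshake values; returns the master secret each side computed."""
    client_random = secrets.token_bytes(32)   # sent in the clear in ClientHello
    server_random = secrets.token_bytes(32)   # sent in the clear in ServerHello
    # The seed the client generates and sends encrypted under the server's
    # public key; after RSA decryption the server holds the same bytes.
    pre_master = b"\x03\x03" + secrets.token_bytes(46)
    client_side = master_secret(pre_master, client_random, server_random)
    server_side = master_secret(pre_master, client_random, server_random)
    return client_side, server_side


if __name__ == "__main__":
    c, s = simulate_handshake()
    print("client and server agree:", c == s, "length:", len(c))
```

Because the randoms are public and only the seed is secret, anyone who can decrypt the seed (for example with a stolen server private key) can reproduce the master key, which is why protecting the server's private key matters as much as the handshake itself.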

Digital Certificates Let's take a quick look at an HTTPS connection. Go to https://www.redhat.com using Firefox. Click on the yellow lock and view the certificate. What are some of the fields you see here? Click on "Details" and look at the Certificate Hierarchy. What is this all about? (more)

Digital Certificates Go to a site with a bad digital certificate… What happens? Have you ever seen errors like this before? Do you usually ignore them? What could be happening if you get an error that a server's certificate is invalid?

SSL thoughts What is mutual authentication? Should you provide authentication via a certificate to a web server? Why or why not? What uses could this serve?

SSL closing thoughts SSL provides encryption and authentication. SSL uses RC4 and 3DES for symmetric encryption but can use other ciphers. SSL uses MD5 or SHA for digital signature hashing. SSL was the original protocol; it was embraced by the IETF in 1996, and TLS v1 was equivalent to SSL v3. SSL protects against Man in the Middle attacks (however, that was just defeated).

SSL Closing Thoughts Sites can get an "extended" certificate, which involves a much more thorough process and costs more money to get from a registration authority. What happens if someone loads a keystroke logger on my desktop? Will an SSL connection protect my communications with a web site?

Client side software

Cookies

Cookies (462) What is a cookie? What is it used for? Can cookies give you viruses? Let's look at a cookie.

Cookie (462) Open Firefox. Go to Tools->Options->Privacy->Remove individual cookies. Let's look at what you see: Name, Content, Host, Expires. (more)

Cookies (462) The point of cookies is to add state to a stateless protocol. Cookies can inform the web browser of your preferences or of what "step" you are on in a session. Without cookies or other dynamic input, the web would be a boring place. There are two types of cookies (explain): first-party cookies and third-party cookies. (more)

Cookies (462) Cookies do NOT spread viruses, malware, etc. Cookies can be used to hold preferences. Cookies can be used to provide a "session" for a web application. Cookies can reveal some of your browsing history if stolen. You can turn off cookies in your browser, but most websites will be useless if you do. There are a lot of misconceptions regarding cookies; does anyone have any questions about cookies?
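The cookie fields from the Firefox viewer (Name, Content, Host, Expires) and the first-party versus third-party distinction, read straight from a Set-Cookie header, as an added example that is not from the slides. Both header strings are constructed samples; the Secure and HttpOnly flags go a little beyond the slide and are the two settings that limit what a stolen or script-read cookie can reveal.

```python
# Added example (not from the slides): inspect a Set-Cookie header the way the
# browser's cookie viewer does, then classify the cookie for the page host.
from http.cookies import SimpleCookie


def describe_cookie(set_cookie_header: str, page_host: str) -> dict:
    """Return the viewer's fields plus whether the cookie is third-party and
    whether it carries the Secure / HttpOnly protections."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (name, morsel), = jar.items()          # one Set-Cookie header, one cookie
    # No Domain attribute means a host-only cookie for the page that set it
    host = morsel["domain"].lstrip(".") or page_host
    expires = morsel["expires"] or morsel["max-age"]
    return {
        "name": name,
        "content": morsel.value,
        "host": host,
        # No Expires/Max-Age: session cookie, discarded when the browser closes
        "expires": expires or "end of session",
        # Third-party: set for a host other than the site the user is visiting
        "third_party": not (page_host == host or page_host.endswith("." + host)),
        # Secure keeps it off plain HTTP; HttpOnly keeps it away from scripts
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


# Constructed samples: a session cookie from the site itself, and a persistent
# tracking cookie set by an embedded ad host.
SAMPLE_FIRST_PARTY = "session=abc123; Domain=.bank.example; Path=/; Secure; HttpOnly"
SAMPLE_THIRD_PARTY = "track=u42; Domain=ads.example; Expires=Wed, 09 Jun 2027 10:18:14 GMT"

if __name__ == "__main__":
    for header in (SAMPLE_FIRST_PARTY, SAMPLE_THIRD_PARTY):
        print(describe_cookie(header, "www.bank.example"))
```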

JavaScript (457) Developed by Netscape. Runs in the web browser to help create interactive features. Code goes between <script> and </script> tags. Can transmit information to the web server. Can perform tasks outside the user's control.

Simple JavaScript code
<html>
  <head>
    <title>Example JavaScript</title>
    <script type="text/javascript">
      // Writes the text "Example" into the page as it loads
      document.writeln("Example");
    </script>
  </head>
  <body>
  </body>
</html>

JavaScript security holes Vulnerabilities: monitoring web browsing; bugs in browsers; the JavaScript garbage collector; reading browser preferences (yes, JavaScript can do this); reading cookies. Safeguards: patches for browsers; disable JavaScript in the browser.

ActiveX (459) Developed by Microsoft. Links desktop apps with web content. Components are triggered by HTML scripts. Can do anything on the system.

ActiveX vulnerabilities and safeguards (459) Potential for harmful code: an attacker might gain access to passwords or confidential information, or do bad things on your computer. Safeguards: patches; disable ActiveX scripting; configure how ActiveX responds (Enable, Disable, Prompt).

Java

Java applets (457) What is Java? What is the purpose and history of Java? Works on most clients. Typically stored on a web server and downloaded to the client. Can be standalone or web based (applet). JAVA and JAVASCRIPT are COMPLETELY different and NOT related. (The book on page 457 is completely wrong on this.)

Signed and unsigned applets (465) Downloading code from the Internet to run on your computer… sound dangerous? Would you let a stranger just put a disk in your computer and run whatever programs they wanted? Software signing is very important as we move to network-distributed software. Microsoft's version of software signing is called "Authenticode". (more)

Signed and Unsigned Applets (465) Unsigned applet: no way to confirm the code source, and no way to know if it was changed; runs under the sandbox model (Java). Signed applet: the digital signature proves the applet was unaltered from the source; avoids sandbox restrictions (Java).

Signed applets (465) Should you ever run an unsigned ActiveX control? Are you safe running an unsigned Java applet? If an applet or ActiveX control is signed by someone, is it safe to run? What does signing applets provide as far as security goes?

Browser Security

Browser Security (461) Browser security is important to combating some of the issues we have seen. There are some good practices you can use: Use Firefox… Make sure you have anti-virus installed on your computer and up to date. Don't save passwords in your browser. Don't save your history. Turn off pop-ups. Turn off phishing filters. You can disable cookies… though beware, your browsing experience will suffer… (more)

Browser Security (IE) (461) If using IE, note that IE has "zones" where you can set specific browser security features on a zone-by-zone level. If using IE, set your "Internet" zone to medium-high or high (high is best). If using IE, turn off all unsigned ActiveX controls; better yet, turn off ActiveX altogether (see next slide).

IE

Server Based software

CGI (461) Quick history of CGI… Typically two parts: an HTML page that feeds the input, and an executable on the server. The executable may be a Perl script, a shell script, or a compiled program.

Form submission

CGI CGIs pass variables after the URL, separated with &. Example: http://www.server.com/login.cgi?username=brian&password=mypassword This method is called a "GET"… why can this be bad? Variables can also be passed outside of the URL using a "POST".

CGI vulnerabilities and safeguards (461) Input from the browser is executed on the server. Safeguards: IDS, access filtering, screening; check input before processing; validate script security; carefully test the script before placing it on the web server.
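The "check input before processing" safeguard and the GET-versus-POST question from the previous slide, applied to the login.cgi example, as an added example that is not from the slides. The login.cgi form fields and the /usr/bin/lookup-user helper are hypothetical; the input strings are constructed.

```python
# Added example (not from the slides): validate CGI form input before it is used,
# refuse secrets that arrive in the URL, and never hand browser input to a shell.
import re
from urllib.parse import parse_qs

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")   # strict allowlist
ALLOWED_FIELDS = {"username", "password"}            # hypothetical login.cgi form
SECRET_FIELDS = {"password"}                          # must never travel in a URL


def parse_form(form_data: str, method: str) -> dict:
    """form_data is QUERY_STRING for GET or the urlencoded body for POST.
    Returns validated fields or raises ValueError on anything unexpected."""
    params = parse_qs(form_data, keep_blank_values=True)
    extra = set(params) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    if method == "GET" and SECRET_FIELDS & set(params):
        # A password in the URL ends up in server logs, proxy logs, browser
        # history and Referer headers; insist on POST for it.
        raise ValueError("secret fields must be sent with POST, not in the URL")
    out = {}
    for key, values in params.items():
        if len(values) != 1:
            raise ValueError(f"repeated field: {key}")
        out[key] = values[0]
    if "username" in out and not USERNAME_RE.match(out["username"]):
        raise ValueError("invalid username")
    return out


def lookup_command(username: str) -> list:
    """argv for the (hypothetical) helper program. The list form means the
    server never starts a shell, so ';' or '&' in the input would be plain data
    rather than a second command; the allowlist rejects them anyway."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return ["/usr/bin/lookup-user", "--name", username]


if __name__ == "__main__":
    try:
        parse_form("username=brian&password=mypassword", "GET")
    except ValueError as err:
        print("rejected:", err)
    print(parse_form("username=brian&password=mypassword", "POST"))
    print(lookup_command("brian"))
```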

Chapter 15 - Review Q. What is a cookie, and what are some important things in a cookie? Q. Using SSL for a website provides what security advantages? Q. Can you use SSL to protect other network services such as IMAP? Q. What is the purpose of application signing?

Chapter 15 - Review Q. What restrictions does Java place on unsigned applications? Q. Where does a CGI program run? Q. What is a weakness of FTP? Q. What protocol port does HTTP use? HTTPS?