© 2010 Cisco and/or its affiliates. All rights reserved. 1 (Early) Web Security Mind The Gap Mary Ellen Zurko (aka Mez)

© 2010 Cisco and/or its affiliates. All rights reserved. 2

3 Authentication means password/secret management A secret is something you tell to one person at a time It’s not turtles all the way down

© 2010 Cisco and/or its affiliates. All rights reserved. 4 Lesson: Defense in depth matters Themes: Passwords – users vs system parts Web server and files Compliance

© 2010 Cisco and/or its affiliates. All rights reserved. 5

6 Security the way Tim intended Server says: WWW-Authenticate: Basic realm="insert realm” User prompted for their password Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4= User agent remembers and sends for that domain/realm

© 2010 Cisco and/or its affiliates. All rights reserved. 7 Every site does their own authentication No Single Sign On Password proliferation Password unprotected Encoding is not encrypting Who’s asking you for your password? For what?

© 2010 Cisco and/or its affiliates. All rights reserved. 8 There’s Encryption; it’s Secure! Encryption is to Security as Caching is to Performance Trust, Trustworthy, and Trust for What? Who vouches for the information on this web page?

© 2010 Cisco and/or its affiliates. All rights reserved. 9 Confidentiality Requiring brute force guessing Two flavors – reversible and not Authentication Proof of a secret/key Integrity (Tamper Detection) Blind changes are recognized Splicing attacks Replay detection

© 2010 Cisco and/or its affiliates. All rights reserved. 10

© 2010 Cisco and/or its affiliates. All rights reserved. 11 Hash the password With the username and realm Defense against Rainbow Tables Nonces for replay protection No passing the password itself in the protocol No need to store the password in the clear Store it hashed with the username and realm

© 2010 Cisco and/or its affiliates. All rights reserved. 12 The world is no longer a clean slate Needs both browser support and server support to work The protocol for negotiating mutual support allows a Man in the Middle to spoof lack of support Gets the password anyway Lesson: Deployment/rollout of client and server software is hard Three tier architectures Calling a back end service as the user Sometimes you need that password to propagate the user authentication to some system type not supporting Digest Why put in the resources to support this? No attacks in the wild, no high value web site interactions

© 2010 Cisco and/or its affiliates. All rights reserved. 13

© 2010 Cisco and/or its affiliates. All rights reserved. 14 S-HTTP: Encryption of the HTML document Page data and submitted data – not the headers Specific URL moved into encrypted portion Headers defined to specify type of encryption, type of key management, nonces Supports pre arranged keys, public/private keys, PGP, etc. Server and client negotiate which enhancements they’ll use Flexible End to end (resists Man in the Middle)

© 2010 Cisco and/or its affiliates. All rights reserved. 15 End to end protection meant client side deployment of secrets A challenge still not overcome today Scale of client deployment much larger than server deployment End user had to interact with secret for web pages Lesson: Deployment at user/file scale is beyond hard Flexible framework meant (too) many choices for deployment Which type of secrets do which users have? Which type of secrets do which web pages require?

© 2010 Cisco and/or its affiliates. All rights reserved. 16 Encryption! Authentication! Security! Network protocol that wraps HTTP Encryption of the tunnel for confidentiality and tamper detection Authentication of the server using public key certificate Authentication of the client using public key certificate is an option

© 2010 Cisco and/or its affiliates. All rights reserved. 17 What does it mean that the web site is authenticated? My browser has 214 “System Roots”. They’re all trusted to issue web site certificates. What are they trusted to do? Associate the public key with the information in the certificate What does it mean if a server has a self signed certificate? Users learn to ignore warnings What identity is required of the server and why? Why we need the server to authenticate itself has changed since 1994 Lesson: What happens when there are errors?

© 2010 Cisco and/or its affiliates. All rights reserved. 18 Citigroup.com Citibank.com Cititigroup.com Citigroup.de Citibank.co.uk Citigroup.org Thisiscitigroup.org Citibank.info Citicards.com Citicreditcards.com Citibank-cards.us Citimoney.com Citigold.net Citigrøup.org

© 2010 Cisco and/or its affiliates. All rights reserved. 19

© 2010 Cisco and/or its affiliates. All rights reserved. 20

© 2010 Cisco and/or its affiliates. All rights reserved. 21

© 2010 Cisco and/or its affiliates. All rights reserved. 22 Extended Validation Certificates Extra validation happens to tie a legal entity to a domain name They cost more Browsers provide an indication of that the authentication of the server is particularly good

© 2010 Cisco and/or its affiliates. All rights reserved. 23

© 2010 Cisco and/or its affiliates. All rights reserved. 24 The Emperor’s New Security Indicators Lab study of bank customers (67) Removed HTTPS indicators – “https” in address bar and lock icon in bottom right 0 withheld password Removed the customer selected site-authentication image 23 of 25 using their own accounts entered their password As well as all 36 role playing Role playing participants behaved significantly less securely About half were security primed

© 2010 Cisco and/or its affiliates. All rights reserved. 25

© 2010 Cisco and/or its affiliates. All rights reserved. 26 Who put the D in DHTML? Dynamic HTML introduced in IE 4.0 in 1997 Security Principle: Data and Code should not mix Code is dangerous. Data is not. Speech vs action

© 2010 Cisco and/or its affiliates. All rights reserved. 27 Who vouches for the code on this web site? Javascript Sandbox + same origin policy Web mail Earliest web application serving data in pages not created by web site developers Cross site scripting (XSS) Response - HTML escaping of any data Where are my bold text and dancing pigs? Next steps: Whitelist vs Blacklist What are the tradeoffs?

© 2010 Cisco and/or its affiliates. All rights reserved. 28 Major technical university’s web site Cross Site Scripting (XSS) Every link modified to redirect through proxy Links to other web sites (e.g. LinkedIn, Facebook) Insecure Direct Object Reference Walk the OS file system Lesson: Developers are (fallible) people too

© 2010 Cisco and/or its affiliates. All rights reserved. 29 Is It Safe? What responsibility is assumed to be the user’s? Who can the user rely on? How much control can the user have? Are users any good at making these decisions? Different mobile platforms make different choices Control of the lifecycle Control of the store Code signing Installation time permissions

© 2010 Cisco and/or its affiliates. All rights reserved % of participants paid attention to permissions during installation (self reported and lab experiment) 42% aware permissions exist but do not always consider them 3% of Internet survey respondents could correctly answer all three permission comprehension questions 53% of the answers contain at least one correct choice READ_CALENDAR – 46% correct READ_PHONE_STATE – 4.7% correct

Thank you. Mary Ellen Zurko Questions? Comments? Brickbats?

© 2010 Cisco and/or its affiliates. All rights reserved. 32 Who vouches for the code on this web site? Javascript Sandbox + same origin policy Java Permissions “Should this code access your file system, the network?” Web mail Cross site scripting (XSS) HTML escaping of any data Where are my bold text and dancing pigs? Whitelist vs Blacklist