Security+ All-In-One Edition Chapter 15 – Web Components


1 Security+ All-In-One Edition Chapter 15 – Web Components
Brian E. Brzezicki

2 Web Components (443) Believe it or not, the web has only existed since the early 1990s; a few years later (about 1995) the commercialization of the Internet began. Web browsers let us access information in a quick, easy and universal way. The protocol of the web is HTTP (Hypertext Transfer Protocol), which transfers HTML documents as well as other file formats.

3 HTTP HTTP (TCP port 80) is the protocol for web communications. Unfortunately HTTP has two problems: no encryption (anyone on the network path can read or modify the traffic) and no authentication of the remote server (you cannot tell whether you are talking to the real site or an impostor). There are many useful web applications, for example online banking. Can anyone see why these two issues are VERY problematic?

4 Enter SSL/TLS (445) SSL and TLS are a way of securing network communications. They provide two important things: server authentication and encryption (plus integrity checking of every record). HTTP carried over SSL/TLS is called HTTPS and runs on TCP port 443.

5 How does SSL work (447) Client sends its SSL/TLS version and the cipher suites it supports (the ClientHello).
Server responds with its chosen cipher suite and its digital certificate (the ServerHello). Client verifies the server is who it says it is (NOTE DISCUSS HOW: the certificate must chain to a trusted CA, must not be expired, and must name the host being visited). Client generates a random seed value (the pre-master secret), encrypts it with the server's public key from the certificate and sends it. Server decrypts the seed value with its private key. Client and server each combine the seed value with the random values from the hello messages to generate the master key, from which the symmetric keys that encrypt the session's traffic are derived. (This describes RSA key exchange; TLS 1.3 always uses Diffie-Hellman key agreement instead, so the server's private key is only used to sign the handshake.)

6 SSL Once this handshake is completed we have verified that the server is who it says it is AND we have exchanged keys for symmetric encryption. This handshake, with its public-key operations, is the CPU-intensive part of SSL communications, NOT the actual symmetric encryption of the data.
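The key derivation that follows the handshake, as an added worked example that is not from the book or the slides: both sides feed the pre-master secret (the slide's "seed value") and the two hello randoms into the TLS 1.2 PRF from RFC 5246 and arrive at the same master secret and session keys, while an eavesdropper who saw only the randoms cannot. The RSA step that delivers the pre-master secret is assumed to have already completed; the random values are constructed, and the key sizes are those of AES-128-CBC with HMAC-SHA1.

```python
import hashlib
import hmac
import os

# Added example: TLS 1.2 key derivation (RFC 5246 sections 5, 6.3 and 8.1).
# The slide's "seed value" is the pre-master secret; the RSA exchange that
# carries it to the server is assumed to have happened already.


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion: chain HMAC-SHA256 until 'length' bytes exist."""
    out = b""
    a = seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 8.1: the 48-byte master secret, computed identically by both ends."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5246 6.3: expand the master secret into per-direction MAC keys,
    encryption keys and IVs (sizes for AES-128-CBC with HMAC-SHA1).
    Note the randoms are concatenated in the opposite order from 8.1."""
    layout = [("client_write_MAC_key", 20), ("server_write_MAC_key", 20),
              ("client_write_key", 16), ("server_write_key", 16),
              ("client_write_IV", 16), ("server_write_IV", 16)]
    total = sum(size for _, size in layout)
    raw = prf(master, b"key expansion", server_random + client_random, total)
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = raw[pos:pos + size]
        pos += size
    return keys


def session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """What each side ends up with after the handshake on the slide."""
    return key_block(master_secret(pre_master, client_random, server_random),
                     client_random, server_random)


if __name__ == "__main__":
    # Constructed values: real randoms are 32 bytes (4-byte time + 28 random),
    # a real RSA pre-master secret is 48 bytes and starts with the client version.
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_master = b"\x03\x03" + os.urandom(46)
    client_side = session_keys(pre_master, client_random, server_random)
    server_side = session_keys(pre_master, client_random, server_random)
    # An eavesdropper saw both randoms but has to guess the pre-master secret.
    attacker = session_keys(b"\x03\x03" + os.urandom(46), client_random, server_random)
    print("client and server agree:", client_side == server_side)
    print("attacker recovered keys:", attacker == client_side)
```

Because the randoms are fresh for every connection, reusing a pre-master secret would still give different session keys, and because the randoms go over the wire in clear, everything secret in the session rests on the pre-master secret, which is exactly why the server's private key (and the certificate that binds it to the site) matters so much.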

7 Digital Certificates Let's take a quick look around an HTTPS connection. Go to using Firefox. Click on the yellow lock and view the certificate. What are some of the fields you see here? Click on "Details" and look at the Certificate Hierarchy. What is this all about? (more)

8 Digital Certificates Go to a site with a bad digital certificate...
What happens? Have you ever seen errors like this before? Do you usually ignore them? What could be happening if you get an error that a server's certificate is invalid? (The site may simply be misconfigured or expired, but it is also exactly what a man-in-the-middle attack looks like from the browser's side.)

9 SSL thoughts What is mutual authentication? (The client presents a certificate of its own and the server verifies it, instead of relying on a password alone.)
Should you provide authentication via a certificate to a web server? Why or why not? What uses could this serve?

10 SSL closing thoughts SSL provides encryption and authentication.
SSL/TLS negotiates a cipher suite: older deployments used RC4 and 3DES for symmetric encryption (both are now deprecated, and RC4 is prohibited by RFC 7465), while current ones use AES or ChaCha20. Each record's integrity is protected with an HMAC built on MD5 or SHA (MD5 and SHA-1 are likewise obsolete today, replaced by SHA-256 or an AEAD cipher), and the same hashes are used when signing certificates. SSL was Netscape's original protocol; the IETF took it over (its TLS working group formed in 1996) and published TLS 1.0 in 1999 as a minor revision of SSL 3.0. SSL protects against man-in-the-middle attacks as long as the client actually validates the certificate (though, as noted at the time of this talk, an attack that defeated this in practice had just been published).

11 SSL Closing Thoughts Sites can get an "extended validation" (EV) certificate, for which the certification authority (CA) runs a much more thorough identity check and charges more money. What happens if someone loads a keystroke logger on my desktop? Will an SSL connection protect my communications with a web site? (No: SSL protects data in transit, not data typed into an already-compromised endpoint.)

12 Client side software

13 Cookies

14 Cookies (462) What is a cookie? What is it used for?
Can cookies give you viruses? Let's look at a cookie.

15 Cookie (462) Open Firefox. Go to Tools -> Options -> Privacy -> Remove individual cookies. Let's look at what you see: Name, Content, Host, Expires. (more)

16 Cookies (462) The point of cookies is to add state to a stateless protocol: HTTP itself remembers nothing between one request and the next. Cookies can tell the web server your preferences or which "step" of a session you are on. Without cookies or other dynamic input, the web would be a boring place. There are two types of cookies (explain): first-party cookies, set by the site whose address is in the browser's address bar, and third-party cookies, set by some other domain whose content (an advertisement, a tracking image) is embedded in the page and which can therefore follow you from site to site. (more)

17 Cookies (462) Cookies do NOT spread viruses, malware, etc.
Cookies can hold preferences. Cookies can provide a "session" for a web application: after you log in, the cookie value is what identifies you, so whoever holds it is you as far as the server is concerned. Cookies can reveal some of your browsing history if stolen, and a stolen session cookie lets the thief take over your session; that is why session cookies should be marked Secure (never sent over plain HTTP) and HttpOnly (not readable by page scripts). You can turn off cookies in your browser, but most websites will be useless if you do. There are a lot of misconceptions regarding cookies; does anyone have any questions about cookies?
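What the browser actually does with a cookie's attributes, as an added example in Python that is not from the book or the slides: a small parser for Set-Cookie headers, the two rules that decide whether a cookie is sent over plain HTTP and whether page scripts can read it, and an audit that flags session cookies missing those protections. The sample headers and the list of session-cookie names are constructed for the example.

```python
# Added example: what a browser does with Set-Cookie headers, and an audit of
# the attributes that decide who can read a cookie and where it is sent.
# All headers below are constructed for the example, not captured from a site.

SESSION_COOKIE_NAMES = {"SESSIONID", "PHPSESSID", "JSESSIONID"}  # assumed names


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.
    Valueless attributes (Secure, HttpOnly) become True; attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(cookie: dict) -> bool:
    """Session cookies (no Expires/Max-Age) die with the browser; persistent
    ones are written to disk and survive a restart, which matters if stolen."""
    return "expires" in cookie["attrs"] or "max-age" in cookie["attrs"]


def browser_sends(cookie: dict, scheme: str) -> bool:
    """A cookie marked Secure is only sent back to the server over https."""
    return not (cookie["attrs"].get("secure") and scheme != "https")


def script_can_read(cookie: dict) -> bool:
    """HttpOnly cookies are invisible to page scripts (document.cookie)."""
    return not cookie["attrs"].get("httponly")


def audit(header: str) -> list:
    """Return the problems a session cookie would have; preference cookies pass."""
    cookie = parse_set_cookie(header)
    if cookie["name"] not in SESSION_COOKIE_NAMES:
        return []
    findings = []
    if not cookie["attrs"].get("secure"):
        findings.append("missing Secure: sent in clear over http")
    if not cookie["attrs"].get("httponly"):
        findings.append("missing HttpOnly: readable by page scripts")
    if "samesite" not in cookie["attrs"]:
        findings.append("missing SameSite: sent on cross-site requests")
    if is_persistent(cookie):
        findings.append("persistent: survives a browser restart")
    return findings


# Constructed sample headers: a weak session cookie, a hardened one, and a preference.
SAMPLE_HEADERS = [
    "SESSIONID=8f3a91c2; Path=/",
    "SESSIONID=8f3a91c2; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        print(cookie["name"], "sent over http:", browser_sends(cookie, "http"),
              "script readable:", script_can_read(cookie), audit(header))
```

The preference cookie is allowed to be persistent and readable; the session cookie is the one whose theft equals a stolen login, so it is the one the audit holds to the stricter rules.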

18 JavaScript (457) Developed by Netscape.
Runs in the web browser to create interactive features. Code goes between <script> and </script> tags. Can transmit information to the web server. Can perform tasks outside the user's control.

19 Simple JavaScript code
<html>
<head>
  <title>Example JavaScript</title>
  <script type="text/javascript">
    // Runs in the browser as the page loads and writes text into the document
    document.writeln("Example");
  </script>
</head>
<body>
</body>
</html>

20 JavaScript security holes
Vulnerabilities: monitoring your web browsing; bugs in the browser itself, including its JavaScript garbage collector; reading browser preferences (yes, JavaScript can do this); reading cookies (via document.cookie, unless the cookie is marked HttpOnly). Safeguards: keep the browser patched; disable JavaScript in the browser (or allow it only for trusted sites).

21 ActiveX (459) Developed by Microsoft.
Links desktop apps with web content. Components are triggered by HTML scripts. Can do anything on the system that the user running the browser can do; there is no sandbox.

22 ActiveX vulnerabilities and safeguards (459)
Vulnerabilities: potential for harmful code; an attacker might gain access to passwords or confidential information; an attacker may do bad things on your computer. Safeguards: patches; disable ActiveX scripting; configure how ActiveX responds (Enable, Disable or Prompt).

23 Java

24 Java applets (457) What is Java? What is the purpose and history of Java? Runs on most clients (anything with a Java Virtual Machine). Typically stored on the web server and downloaded to the client. Can be standalone or web based (an applet runs inside the browser). JAVA and JAVASCRIPT are COMPLETELY different and NOT related (the book on page 457 is completely wrong on this).

25 Signed and unsigned applets (465)
Downloading code from the Internet to run on your computer... sound dangerous? Would you let a stranger put a disk in your computer and run whatever programs they wanted? Software signing is very important as we move to network-distributed software. Microsoft's version of software signing is called "Authenticode". (more)

26 Signed and Unsigned Applets (465)
Unsigned applet: no way to confirm the code's source, and no way to know if it was changed on the way to you; Java therefore runs it inside the sandbox model, without access to the local file system or to network hosts other than the one it came from. Signed applet: carries a digital signature that proves the applet was unaltered since the signer released it (and identifies the signer); if the user accepts the signer, Java lets it run outside the sandbox restrictions.

27 Signed applets (465) Should you ever run an unsigned ActiveX control?
Are you safe running an unsigned Java applet? If an applet or ActiveX control is signed by someone, is it safe to run? What does signing applets provide as far as security goes? (Signing tells you who released the code and that it has not been altered since; it says nothing about whether that code is safe or well written.)

28 Browser Security

29 Browser Security (461) Browser security is important to combating some of the issues we have seen. Some good practices you can use: Use Firefox... Make sure you have anti-virus installed on your computer and kept up to date. Don't save passwords in your browser. Don't save your history. Turn off pop-ups. Think about phishing filters: they send the URLs you visit to the vendor (a privacy cost), but they also block known phishing sites, so turning them off trades security for privacy. You can disable cookies... though beware, your browsing experience will suffer. (more)

34 Browser Security (IE) (461)
IE has "zones" where you can set specific browser security features on a zone-by-zone level. If using IE, set your "Internet" zone to medium-high or high (high is best). If using IE, turn off all unsigned ActiveX controls, or better yet turn off ActiveX altogether (see next slide).

35 IE

36 Server Based software

37 CGI (461) Quick history of CGI... A CGI application typically has two parts:
an HTML page (the form) that feeds the input, and an executable on the server that processes it. The executable can be a Perl script, a shell script or a compiled program.

38 Form submission

39 CGI CGIs pass variables after the URL as name=value pairs joined with &.
This method is called a "GET"... why can this be bad? (The values are part of the URL, so they end up in browser history, bookmarks, proxy and web-server logs, and in the Referer header sent to the next site you click through to.) Variables can also be passed outside the URL, in the request body, using a "POST".

40 CGI vulnerabilities and safeguards (461)
Input from the browser is processed, and sometimes executed, on the server: anything the script hands to a shell, a database or the file system is attacker-controlled. Safeguards: IDS, access filtering and screening; check (validate) input before processing it; validate the script's security; carefully test the script before placing it on the web server.
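The injection behind "input from the browser executed on the server", as an added example that is not from the book or the slides: the same CGI ping form handled by a vulnerable handler that builds a shell command line from the parameter and by a hardened one that validates the parameter against an allow-list and hands an argv list to the program with no shell in between. The form field, the allow-list regular expression and the function names are constructed for the example; the input is decoded the way the GET query string or POST body from the previous slide would be.

```python
import re
import shlex
import subprocess
from urllib.parse import parse_qs

# Added example (not the book's or the slides' code): a CGI "ping" form handled
# two ways.  The browser's input arrives as a=1&b=2, via QUERY_STRING for GET or
# the request body for POST; the difference between the two handlers is whether
# that input can change WHICH program the server runs.

# Assumed allow-list for a hostname: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def cgi_params(encoded: str) -> dict:
    """Decode application/x-www-form-urlencoded input (GET query string or POST body)."""
    return {k: v[0] for k, v in parse_qs(encoded, keep_blank_values=True).items()}


def is_valid_host(host: str) -> bool:
    return bool(HOST_RE.match(host))


def ping_command_unsafe(params: dict) -> str:
    """Vulnerable: the browser-supplied host is spliced into a shell command line."""
    return "ping -c 1 " + params.get("host", "")


def ping_command_safe(params: dict) -> list:
    """Hardened: allow-list the value, then build an argv list so no shell ever
    interprets it (execute with subprocess.run(argv, shell=False))."""
    host = params.get("host", "")
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def shell_commands(command_line: str) -> list:
    """Tokenize like a POSIX shell and split at ; | & && || to show how many
    separate programs a command line would really run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def run_safe(params: dict) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False passes argv straight to the program."""
    return subprocess.run(ping_command_safe(params), shell=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed request: the form's "host" field was filled in with a second
    # command after a semicolon ('%3B' is the encoded ';', '+' is a space).
    query = "host=example.com%3Bcat+/etc/passwd&count=1"
    params = cgi_params(query)
    print(shell_commands(ping_command_unsafe(params)))   # two programs, not one
    try:
        ping_command_safe(params)
    except ValueError as err:
        print("safe handler:", err)
```

The unsafe handler never calls anything dangerous itself; the shell it delegates to does, which is why the fix is both an allow-list on the value and removing the shell from the path entirely rather than trying to escape metacharacters.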

41 Chapter 15 - Review Q. What is a cookie, and what are some important things in a cookie? Q. Using SSL for a website provides what security advantages? Q. Can you use SSL to protect other network services such as IMAP? Q. What is the purpose of application signing?

42 Chapter 15 - Review Q. What restrictions does Java place on unsigned applications? Q. Where does a CGI program run? Q. What is a weakness of FTP? Q. What protocol port does HTTP use? HTTPS?

