© 2010 Cisco and/or its affiliates. All rights reserved.

Slide 1: (Early) Web Security: Mind The Gap
Mary Ellen Zurko (aka Mez), themez@cisco.com
Slide 3: Authentication means password/secret management
- A secret is something you tell to one person at a time
- It's not turtles all the way down
Slide 4: Lesson: Defense in depth matters
Themes:
- Passwords: users vs system parts
- Web server and files
- Compliance
Slide 6: Security the way Tim intended (HTTP Basic authentication)
- Server says: WWW-Authenticate: Basic realm="insert realm"
- User is prompted for their password
- Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
- User agent remembers the credentials and sends them for that domain/realm
Slide 7: Every site does their own authentication
- No Single Sign On
- Password proliferation
- Password unprotected: encoding is not encrypting
- Who's asking you for your password? For what?
Slide 8: There's Encryption; it's Secure!
- Encryption is to Security as Caching is to Performance
- Trust, Trustworthy, and Trust for What?
- Who vouches for the information on this web page?
Slide 9: What the cryptography actually provides
- Confidentiality: an attacker without the key is reduced to brute force guessing; two flavors, reversible and not
- Authentication: proof of possession of a secret/key
- Integrity (tamper detection): blind changes are recognized; splicing attacks; replay detection
Slide 11: HTTP Digest authentication
- Hash the password with the username and realm: defense against rainbow tables
- Nonces for replay protection
- No passing of the password itself in the protocol
- No need to store the password in the clear: store it hashed with the username and realm
Slide 12: The world is no longer a clean slate
- Needs both browser support and server support to work
- The protocol for negotiating mutual support allows a Man in the Middle to spoof lack of support, and so get the password anyway
- Lesson: Deployment/rollout of client and server software is hard
- Three tier architectures: calling a back end service as the user; sometimes you need that password to propagate the user authentication to some system type not supporting Digest
- Why put in the resources to support this? No attacks in the wild, no high value web site interactions
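The two protocols on slides 6, 7, 11 and 12, worked through in code. This is an added example, not code from the presentation: it parses the challenge grammar both schemes share, shows that the Basic header from slide 6 gives the password straight back, computes and verifies an RFC 2617 Digest response from a stored hash with nonce-count replay detection, and ends with the slide 12 downgrade, where a client that answers whatever challenge it is offered hands over the password when an on-path attacker rewrites the Digest challenge as Basic. The realm, usernames, nonces and passwords are constructed; the "WallyWorld" server and the naive `client_respond` are assumptions of the example.

```python
"""HTTP Basic and Digest authentication (slides 6, 7, 11 and 12). Added example, not
code from the presentation; every header and credential below is constructed."""
import base64
import hashlib
import re
import secrets

# key=value pairs after the scheme; values are quoted (backslash escapes allowed) or bare
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_challenge(header):
    """'Basic realm="x"' -> ('Basic', {'realm': 'x'}); same grammar for Digest headers."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(rest):
        params[key.lower()] = bare if bare else re.sub(r"\\(.)", r"\1", quoted)
    return scheme, params

# Basic: the password travels base64-encoded, and base64 is encoding, not encryption.
def basic_authorization(user, password):
    if ":" in user:
        raise ValueError("Basic cannot carry ':' in the username")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic(authorization):
    """Anyone who sees the header (proxy, log file, on-path attacker) gets the password."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password

# Digest (RFC 2617, MD5, qop=auth): the password is neither sent nor stored in the clear.
def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_ha1(user, realm, password):
    """What the server stores: the password hashed together with username and realm."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user   # username -> HA1; no cleartext passwords held
        self.nonces = {}                 # nonce -> highest nc accepted, for replay detection

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method, authorization):
        scheme, p = parse_challenge(authorization)
        if scheme != "Digest" or p.get("realm") != self.realm:
            return False
        ha1, nonce = self.ha1_by_user.get(p.get("username")), p.get("nonce")
        if ha1 is None or nonce not in self.nonces:
            return False
        try:
            nc = int(p["nc"], 16)
            expected = digest_response(ha1, method, p["uri"], nonce, p["nc"],
                                       p["cnonce"], p.get("qop", "auth"))
            given = p["response"]
        except (KeyError, ValueError):
            return False
        if nc <= self.nonces[nonce]:     # nonce count not increasing: a replayed request
            return False
        if not secrets.compare_digest(expected, given):
            return False
        self.nonces[nonce] = nc
        return True

def client_respond(www_authenticate, user, password, method="GET", uri="/", nc="00000001"):
    """A client that answers whatever scheme it is offered. An on-path attacker who rewrites
    the Digest challenge into a Basic one therefore receives the password in the clear."""
    scheme, p = parse_challenge(www_authenticate)
    if scheme == "Digest":
        cnonce = secrets.token_hex(8)
        resp = digest_response(digest_ha1(user, p["realm"], password), method, uri,
                               p["nonce"], nc, cnonce)
        return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
                f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
    if scheme == "Basic":
        return basic_authorization(user, password)
    raise ValueError(f"unsupported scheme {scheme!r}")

if __name__ == "__main__":
    print(recover_basic("Basic QWxhZGluOnNlc2FtIG9wZW4="))          # slide 6's header, decoded
    server = DigestServer("WallyWorld", {"Mufasa": digest_ha1("Mufasa", "WallyWorld", "Circle Of Life")})
    auth = client_respond(server.challenge(), "Mufasa", "Circle Of Life", "GET", "/dir/index.html")
    print(server.verify("GET", auth), server.verify("GET", auth))    # second call is a replay
    print(recover_basic(client_respond('Basic realm="WallyWorld"', "Mufasa", "Circle Of Life")))
```

Two things to notice when running it: the Digest `Authorization` header never contains the password, and the server's store holds only HA1, so a dump of that store does not give up passwords directly (though HA1 is an unsalted MD5 of a short string, so it is still brute-forceable). The downgrade at the end is the whole of slide 12's point: nothing in the negotiation lets the client tell a server that only speaks Basic from an attacker who deleted the Digest challenge.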
Slide 14: S-HTTP
- Encryption of the HTML document: page data and submitted data, not the headers
- Specific URL moved into the encrypted portion
- Headers defined to specify type of encryption, type of key management, nonces
- Supports pre-arranged keys, public/private keys, PGP, etc.
- Server and client negotiate which enhancements they'll use
- Flexible
- End to end (resists Man in the Middle)
Slide 15: S-HTTP, continued
- End to end protection meant client side deployment of secrets: a challenge still not overcome today
- Scale of client deployment is much larger than server deployment
- End user had to interact with the secret for web pages
- Lesson: Deployment at user/file scale is beyond hard
- Flexible framework meant (too) many choices for deployment: which type of secrets do which users have? Which type of secrets do which web pages require?
Slide 16: Encryption! Authentication! Security!
- Network protocol that wraps HTTP
- Encryption of the tunnel for confidentiality and tamper detection
- Authentication of the server using a public key certificate
- Authentication of the client using a public key certificate is an option
Slide 17: What does it mean that the web site is authenticated?
- My browser has 214 "System Roots". They're all trusted to issue web site certificates.
- What are they trusted to do? Associate the public key with the information in the certificate
- What does it mean if a server has a self signed certificate? Users learn to ignore warnings
- What identity is required of the server and why? Why we need the server to authenticate itself has changed since 1994
- Lesson: What happens when there are errors?
Slide 18: Which of these is the bank?
- Citigroup.com
- Citibank.com
- Cititigroup.com
- Citigroup.de
- Citibank.co.uk
- Citigroup.org
- Thisiscitigroup.org
- Citibank.info
- Citicards.com
- Citicreditcards.com
- Citibank-cards.us
- Citimoney.com
- Citigold.net
- Citigrøup.org
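Slide 17 says a certificate authority only binds a public key to the name in the certificate; slide 18 shows why that is not the same as authenticating "the bank". The following added example (not from the presentation) runs the slide 18 list through the checks a phishing filter or a brand-protection tool would apply: IDNA encoding to show what the CA and DNS actually see, a homoglyph "skeleton" so that Citigrøup folds to citigroup, and edit distance to catch Cititigroup. It says how each name relates to the brand, not which ones are legitimate; that is exactly what a certificate cannot tell you either. Assumptions: the homoglyph table is a small illustrative subset, the first DNS label is treated as the brand-bearing label (no public-suffix handling), and `citigroup`/`citibank`/`citi` are used as the brand strings.

```python
"""Lookalike check for the domain names on slide 18. Added example, not from the
presentation. The homoglyph table is a small illustrative subset (assumption), and
the first DNS label is treated as the brand-bearing label, ignoring public-suffix rules."""
import unicodedata

# Visually confusable characters mapped to the ASCII letter they imitate (illustrative subset).
HOMOGLYPHS = {"ø": "o", "0": "o", "ı": "i", "1": "l", "а": "a"}   # last key is Cyrillic U+0430


def skeleton(label):
    """Fold a label to the ASCII it looks like: lowercase, strip accents, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue
        out.append(HOMOGLYPHS.get(ch, ch))
    return "".join(out)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as an inserted syllable."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain, brand_names=("citigroup", "citibank"), stem="citi"):
    """Describe how a name relates to the brand. A certificate for it only proves the
    key belongs to that exact name; none of these signals says who holds the name."""
    ascii_form = domain.encode("idna").decode("ascii")   # what the CA and DNS actually see
    label = domain.split(".")[0]
    sk = skeleton(label)
    distance = min(edit_distance(sk, name) for name in brand_names)
    signals = []
    if not domain.isascii():
        signals.append(f"non-ASCII label, registered as {ascii_form}")
    if sk in brand_names:
        signals.append("matches brand name exactly" if label.lower() == sk
                       else f"homoglyph spoof of {sk}")
    elif distance <= 2:
        signals.append(f"near miss of a brand name (edit distance {distance})")
    elif any(name in sk for name in brand_names):
        signals.append("brand name embedded in a longer label")
    elif stem in sk:
        signals.append(f"brand stem '{stem}' reused")
    else:
        signals.append("no brand relation")
    return {"domain": domain, "ascii_form": ascii_form, "skeleton": sk,
            "distance": distance, "signals": signals}


SLIDE_18 = ["Citigroup.com", "Citibank.com", "Cititigroup.com", "Citigroup.de", "Citibank.co.uk",
            "Citigroup.org", "Thisiscitigroup.org", "Citibank.info", "Citicards.com",
            "Citicreditcards.com", "Citibank-cards.us", "Citimoney.com", "Citigold.net",
            "Citigrøup.org"]

if __name__ == "__main__":
    for name in SLIDE_18:
        r = assess(name)
        print(f"{r['ascii_form']:28} {r['skeleton']:16} {'; '.join(r['signals'])}")
```

The punycode form is the one to look at in certificate transparency logs and in the browser's certificate viewer: a CA will happily issue for `xn--citigrup-...org` because the requester does control that name. Whether a browser shows the Unicode or the punycode form in the address bar is a policy decision each browser makes differently, which is the slide 17 point about what "authenticated" actually means.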
Slide 22: Extended Validation Certificates
- Extra validation happens to tie a legal entity to a domain name
- They cost more
- Browsers provide an indication that the authentication of the server is particularly good
Slide 24: The Emperor's New Security Indicators
- Lab study of bank customers (67)
- Removed HTTPS indicators ("https" in the address bar and the lock icon in the bottom right): 0 withheld their password
- Removed the customer selected site-authentication image: 23 of 25 using their own accounts entered their password, as did all 36 role playing
- Role playing participants behaved significantly less securely
- About half were security primed
Slide 26: Who put the D in DHTML?
- Dynamic HTML introduced in IE 4.0 in 1997
- Security Principle: Data and Code should not mix
- Code is dangerous. Data is not. Speech vs action
Slide 27: Who vouches for the code on this web site?
- Javascript Sandbox + same origin policy
- Web mail: the earliest web application serving data in pages not created by the web site developers
- Cross site scripting (XSS)
- Response: HTML escaping of any data. Where are my bold text and dancing pigs?
- Next steps: Whitelist vs Blacklist. What are the tradeoffs?
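The three answers slide 27 lists, side by side on one untrusted web mail body. This is an added example, not code from the presentation: `escape_all` is the "HTML escaping of any data" response (safe, and no bold text), `blocklist` is the blacklist approach and lets an `onerror` handler through because nobody listed it, and `AllowlistSanitizer` is the whitelist approach, keeping a fixed set of attribute-less formatting tags and turning every other construct into text. The mail bodies are constructed, and the four allowed tags are an assumption of the example; a real sanitizer also has to deal with URLs in `href` and `src`, CSS and the many parsing quirks of browsers, which is the tradeoff the slide asks about.

```python
"""Rendering an untrusted web mail body: escape everything, a blocklist filter, and an
allowlist sanitizer that keeps bold text but nothing executable. Added example, not from
the presentation; the mail bodies are constructed."""
import html
import re
from html.parser import HTMLParser


def escape_all(untrusted):
    """The first response to XSS: every character becomes text. Safe, but no bold, no pigs."""
    return html.escape(untrusted, quote=True)


_SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def blocklist(untrusted):
    """Strip what we know is bad. Whatever we did not think of passes through unchanged."""
    return _SCRIPT_RE.sub("", untrusted)


class AllowlistSanitizer(HTMLParser):
    """Keep a fixed set of attribute-less formatting tags; everything else becomes text."""
    ALLOWED = {"b", "i", "em", "strong"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED and not attrs:     # <b onclick=...> is not allowed either
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):     # <img .../>, <br/>: always rendered as text
        self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag in self.open_tags:
            while self.open_tags:                 # close inner tags first to stay well-formed
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))

    # comments, doctype, processing instructions and CDATA sections are all rendered as text
    def handle_comment(self, data):
        self.out.append(html.escape(f"<!--{data}-->"))

    def handle_decl(self, decl):
        self.out.append(html.escape(f"<!{decl}>"))

    def handle_pi(self, data):
        self.out.append(html.escape(f"<?{data}>"))

    def unknown_decl(self, data):
        self.out.append(html.escape(f"<![{data}]>"))

    def result(self):
        self.close()
        while self.open_tags:                     # an unclosed <b> must not swallow the page
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def allowlist(untrusted):
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    return parser.result()


# Constructed mail body: legitimate bold text plus two injection attempts.
MAIL = "<b>Hi</b> <img src=x onerror=alert(1)> <script>steal()</script>"

if __name__ == "__main__":
    print(escape_all(MAIL))
    print(blocklist(MAIL))      # the <img onerror> survives: the blocklist did not know about it
    print(allowlist(MAIL))      # bold kept, both injections rendered as text
```

The allowlist is the one that keeps the bold text and still removes both payloads, and it does so without knowing anything about `onerror` or `<script>`: it only knows what it accepts. The `<scr<script></script>ipt>` case in the usage below is the standard demonstration of why a blocklist that filters once cannot be made complete.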
Slide 28: Major technical university's web site
- Cross Site Scripting (XSS): every link modified to redirect through a proxy, including links to other web sites (e.g. LinkedIn, Facebook)
- Insecure Direct Object Reference: walk the OS file system
- Lesson: Developers are (fallible) people too
Slide 29: Is It Safe?
- What responsibility is assumed to be the user's?
- Who can the user rely on?
- How much control can the user have?
- Are users any good at making these decisions?
- Different mobile platforms make different choices: control of the lifecycle; control of the store; code signing; installation time permissions
Slide 30: Do users read permissions?
- 17% of participants paid attention to permissions during installation (self reported and lab experiment)
- 42% were aware permissions exist but do not always consider them
- 3% of Internet survey respondents could correctly answer all three permission comprehension questions
- 53% of the answers contain at least one correct choice
- READ_CALENDAR: 46% correct
- READ_PHONE_STATE: 4.7% correct
Slide 31: Thank you.
Mary Ellen Zurko, themez@cisco.com
Questions? Comments? Brickbats?
Slide 32 (backup): Who vouches for the code on this web site?
- Javascript Sandbox + same origin policy
- Java Permissions: "Should this code access your file system, the network?"
- Web mail
- Cross site scripting (XSS)
- HTML escaping of any data. Where are my bold text and dancing pigs?
- Whitelist vs Blacklist