Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security Chapter 6. Learning Objectives Understand SSL/TLS protocols and their implementation on the Internet Understand HTTPS protocol as it relates.

Published byGyles Hensley Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Security Chapter 6. Learning Objectives Understand SSL/TLS protocols and their implementation on the Internet Understand HTTPS protocol as it relates."— Presentation transcript:

1 Web Security Chapter 6

2 Learning Objectives Understand SSL/TLS protocols and their implementation on the Internet Understand HTTPS protocol as it relates to SSL Explore common uses of instant messaging applications and identify vulnerabilities associated with those applications continued…

3 Learning Objectives Understand the vulnerabilities of JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, SMTP relay, and how they are commonly exploited

4 Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Commonly used protocols for managing the security of a message transmission across the “insecure” Internet

5 Secure Sockets Layer (SSL) Developed by Netscape for transmitting private documents via the Internet Uses a public key to encrypt data that is transferred over the SSL connection URLs that require an SSL connection start with “https:” instead of “http:”

6 Transport Layer Security (TLS) Latest version of SSL Not as widely available in browsers

7 SSL/TLS Protocol Runs on top of the TCP and below higher-level protocols Uses TCP/IP on behalf of higher-level protocols Allows SSL-enabled server to authenticate itself to SSL-enabled client Allows client to authenticate itself to server Allows both machines to establish an encrypted connection

8 Secure Sockets Layer Protocol

9 SSL/TLS Protocol Uses ciphers to enable encryption of data between two parties Uses digital certificates to enable authentication of the parties involved in a secure transaction

10 Cipher Types Used by SSL/TLS Asymmetric encryption (public key encryption) Symmetric encryption (secret key encryption)

11 Digital Certificates Components  Certificate user’s name  Entity for whom certificate is being issued  Public key of the subject  Time stamp Typically issued by a CA that acts as a trusted third party  Public certificate authorities  Private certificate authorities

12 Secure Hypertext Transfer Protocol (HTTPS) Communications protocol designed to transfer encrypted information between computers over the World Wide Web An implementation of HTTP Often used to enable online purchasing or exchange of private information over insecure networks Combines with SSL to enable secure communication between a client and a server

13 Instant Messaging (IM) Communications service that enables creation of a private chat room with another individual Based on client/server architecture Typically alerts you whenever someone on your private list is online Categorized as enterprise IM or consumer IM systems Examples: AOL Instant Messenger, ICQ, NetMessenger, Yahoo! Messenger

14 IM Security Issues Cannot prevent transportation of files that contain viruses and Trojan horses Misconfigured file sharing can provide access to sensitive or confidential data Lack of encryption Could be utilized for transportation of copyrighted material; potential for substantial legal consequences Transferring files reveals network addresses of hosts; could be used for Denial-of-Service attack

15 IM Applications Do not use well-known TCP ports for communication and file transfers; use registered ports Ports can be filtered to restrict certain functionalities or prevent usage altogether

16 Vulnerabilities of Web Tools Security of Web applications and online services is as important as intended functionality  JavaScript  ActiveX  Buffers  Cookies  Signed applets  Common Gateway Interface (CGI)  Simple Mail Transfer Protocol (SMTP) relay

17 JavaScript Scripting language developed by Netscape to enable Web authors to design interactive sites Code is typically embedded into an HTML document and placed between the and tags Programs can perform tasks outside user’s control

18 JavaScript Security Loopholes Monitoring Web browsing Reading password and other system files Reading browser’s preferences

19 ActiveX Loosely defined set of technologies developed by Microsoft  Outgrowth of OLE (Object Linking and Embedding) and COM (Component Object Model) Provides tools for linking desktop applications to WWW content Utilizes embedded Visual Basic code that can compromise integrity, availability,and confidentiality of a target system

20 Buffer Temporary storage area, usually in RAM Acts as a holding area, enabling the CPU to manipulate data before transferring it to a device

21 Buffer Overflow Attacks Triggered by sending large amounts of data that exceeds capacity of receiving application within a given field Take advantage of poor application programming that does not check size of input field Not easy to coordinate; prerequisites:  Place necessary code into program’s address space  Direct application to read and execute embedded code through effective manipulation of registers and memory of system

22 Cookies Messages given to Web browsers by Web servers  Browser stores message in a text file  Message is sent back to server each time browser requests a page from server Verify a user’s session Designed to enhance browsing experience

23 Vulnerabilities of Cookies Contain tools that are easily exploited to provide information about users without consent  Attacker convinces user to follow malicious hyperlink to targeted server to obtain the cookie through error handling process on the server  User must be logged on during time of attack To guard against EHE attacks  Do not return unescaped data back to user  Do not echo 404 file requests back to user

24 Java Applets Internet applications (written in Java programming language) that can operate on most client hardware and software platforms Stored on Web servers from where they can be downloaded onto clients when first accessed With subsequent server access, the applet is already cached on the client and can be executed with no download delay

25 Signed Applets Technique of adding a digital signature to an applet to prove that it came unaltered from a particular trusted source Can be given more privileges than ordinary applets Unsigned applets are subject to sandbox restrictions

26 Unsigned Applets

27 Sandbox Model Prevent the applet from:  Performing required operations on local system resources  Connecting to any Web site except the site from which the applet was loaded  Accessing client’s local printer  Accessing client’s system clipboard and properties

28 Signed Applets

29 Reasons for Using Code Signing Features To release the application from sandbox restrictions imposed on unsigned code To provide confirmation regarding source of the applications code

30 Common Gateway Interface (CGI) Interface specification that allows communication between client programs and Web servers that understand HTTP Uses TCP/IP Can be written in any programming language Parts of a CGI script  Executable program on the server (the script itself)  HTML page that feeds input to the executable

31 Typical Form Submission

32 CGI Interactive nature leads to security loopholes  Allowing input from other systems to a program that runs on a local server exposes the system to potential security hazards

33 Precautions to Take When Running Scripts on a Server Deploy IDS, access list filtering, and screening on the border of the network Design and code applications to check size and content of input received from clients Create different user groups with different permissions; restrict access to hierarchical file system based on those groups Validate security of a prewritten script before deploying it in your production environment

34 Simple Mail Transfer Protocol (SMTP) Standard Internet protocol for global e-mail communications Transaction takes place between two SMTP servers Designed as a simple protocol  Easy to understand and troubleshoot  Easily exploited by malicious users

35 Vulnerabilities of SMTP Relay Spam via SMTP relay can lead to:  Loss of bandwidth  Hijacked mail servers that may no longer be able to serve their legitimate purpose Mail servers of innocent organizations can be subject to blacklisting

36 Chapter Summary Protocols commonly implemented for secure message transmissions  Secure Socket Layer  Transport Layer Security Data encryption across the Internet through Secure Hyper Text Transfer Protocol in relation to SSL/TSL continued…

37 Chapter Summary Instant Messaging  Common uses  Vulnerabilities Well-known vulnerabilities associated with web development tools

Download ppt "Web Security Chapter 6. Learning Objectives Understand SSL/TLS protocols and their implementation on the Internet Understand HTTPS protocol as it relates."

Similar presentations

Overview Environment for Internet database connectivity

Overview Environment for Internet database connectivity
PowerPoint presentation of first 25 pages of instructional manual Edith Fabiyi Essentials of Internet Access.

PowerPoint presentation of first 25 pages of instructional manual Edith Fabiyi Essentials of Internet Access.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Layer 7- Application Layer

Layer 7- Application Layer
INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.

INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.
Internet…issues Managing the Internet

Internet…issues Managing the Internet
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.

INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google