Web Security: Fear, Surprise, and Ruthless Efficiency (PowerPoint presentation)



Web Security: Fear, Surprise, and Ruthless Efficiency

Mary Ellen Zurko



Mind the Gap – Fear

  • Authentication

    • And Password/Secret management

  • A secret is something you tell to one person

    • at a time

  • Or

    • It’s not turtles all the way down


Always tell (the customer) the truth

  • Defense in depth matters

  • Compliance

  • Passwords – users vs system parts

  • Web server and files


(Basic) Authentication

  • Security the way Sir Tim intended

  • Server says: WWW-Authenticate: Basic realm="insert realm"

  • User prompted for their password

  • Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4= (that token is just the base64 encoding of Aladin:sesam open)

    • User agent remembers the credentials and resends them on later requests to that host and realm


(Basic) Authentication Issues

  • Everyone does their own authentication

    • No Single Sign On

    • Password proliferation

  • Password unprotected

    • Encoding is not encrypting

  • Who’s asking you for your password?
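The two Basic authentication slides above describe the challenge/response exchange and its central weakness. The following is an added example, not code from the slides: it builds and parses the header exactly as RFC 7617 defines it, and then recovers the password from a constructed cleartext request capture, which is all "encoding is not encrypting" amounts to. The sample request and the realm string are constructed for illustration.

```python
import base64
import binascii

# Constructed sample of a cleartext HTTP request carrying Basic credentials.
# Not real traffic; it reuses the slide's example token.
CAPTURED_REQUEST = (
    "GET /private/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=\r\n"
    "User-Agent: example-browser/1.0\r\n"
    "\r\n"
)


def make_basic_authorization(user_id, password):
    """Build the Authorization header value a user agent sends for Basic auth.

    RFC 7617: the credential is user-id ":" password, base64-encoded. The
    user-id must not contain a colon (the first colon is the separator);
    the password may contain as many as it likes.
    """
    if ":" in user_id:
        raise ValueError("Basic auth user-id must not contain ':'")
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header_value):
    """Recover (user_id, password) from an Authorization header value.

    Anyone who can see a non-TLS request can do this: base64 is reversible
    by design, so the password travels in the clear.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user_id, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks the ':' separator")
    return user_id, password


def is_basic_credential(header_value):
    """True if the header value parses as a well-formed Basic credential."""
    try:
        parse_basic_authorization(header_value)
    except ValueError:
        return False
    return True


def basic_auth_exchange(realm, user_id, password):
    """Return the two header lines of the exchange, in order: the server's
    challenge, then the client's response. No network traffic is involved."""
    challenge = f'WWW-Authenticate: Basic realm="{realm}"'
    response = "Authorization: " + make_basic_authorization(user_id, password)
    return [challenge, response]


def credentials_from_captured_request(raw_request):
    """Pull the Basic credentials out of a captured request, as a passive
    observer on the path would. Returns None if no Authorization header."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return parse_basic_authorization(value)
    return None


if __name__ == "__main__":
    for line in basic_auth_exchange("insert realm", "Aladin", "sesam open"):
        print(line)
    print("recovered from capture:", credentials_from_captured_request(CAPTURED_REQUEST))
```

The parser deliberately splits on the first colon only, so a password containing colons round-trips; a server that splits on every colon will either reject such users or, worse, truncate their passwords.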


Mind the Gap - Surprise

  • Who vouches for the information on this web page?

  • Trust, Trustworthy, and Trust for What?

    • There’s encryption; it’s Secure!

  • What have you been told about detecting or avoiding phishing?


Which of these domains are not owned by Citibank?

  • Citigroup.com

  • Citibank.com

  • Cititigroup.com

  • Citigroup.de

  • Citibank.co.uk

  • Citigroup.org

  • Thisiscitigroup.org

  • Citibank.info

  • Citicards.com

  • Citicreditcards.com

  • Citibank-cards.us

  • Citimoney.com

  • Citigold.net

  • Citībank.org

  • Citibānk.org

  • Citigrøup.org
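The quiz above makes its point by not giving an answer: a user cannot tell ownership from the spelling, and the last three entries are not even the ASCII letters they appear to be. The following is an added example, not part of the slides, showing how a defender triages such a list against an allowlist: exact matches are accepted, anything non-ASCII is reduced to the ASCII string it imitates (Unicode NFKD plus a small confusables map) to see whether it spoofs the brand, and ASCII domains that merely contain the brand are flagged as lookalikes. The allowlist of two domains is an assumption for illustration only; the slide does not say which domains the bank owns.

```python
import unicodedata

# ASSUMPTION for illustration: the slide never states which of its domains
# the bank owns, so this allowlist is a hypothetical answer, not a fact.
KNOWN_GOOD_DOMAINS = {"citibank.com", "citigroup.com"}
BRAND_TOKENS = ("citi",)

# A tiny hand-picked subset of the Unicode confusables data: letters that
# look like ASCII but do not decompose to ASCII under NFKD.
CONFUSABLES = {"ø": "o", "ı": "i", "ł": "l", "ð": "d"}

# The slide's quiz list, used here as constructed input.
SLIDE_DOMAINS = [
    "Citigroup.com", "Citibank.com", "Cititigroup.com", "Citigroup.de",
    "Citibank.co.uk", "Citigroup.org", "Thisiscitigroup.org", "Citibank.info",
    "Citicards.com", "Citicreditcards.com", "Citibank-cards.us", "Citimoney.com",
    "Citigold.net", "Citībank.org", "Citibānk.org", "Citigrøup.org",
]


def skeleton(domain):
    """Map a (possibly IDN) domain to the ASCII string it visually imitates:
    decompose accented letters, drop the combining marks, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):        # macrons, accents, etc.
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def ace_form(domain):
    """Punycode (A-label) form, which is what a certificate or a cautious
    address bar shows for an IDN. None if the name is not IDNA-encodable."""
    try:
        return domain.lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None


def classify_domain(domain):
    """allowlisted | idn-homograph | idn-unrelated | lookalike | unrelated"""
    d = domain.lower().rstrip(".")
    if d in KNOWN_GOOD_DOMAINS:
        return "allowlisted"
    if not d.isascii():
        # Judge an IDN by what it looks like, not by its code points.
        if any(tok in skeleton(d) for tok in BRAND_TOKENS):
            return "idn-homograph"
        return "idn-unrelated"
    if any(tok in d for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def triage(domains):
    """Classify every domain in the list; keys keep the original spelling."""
    return {dom: classify_domain(dom) for dom in domains}


if __name__ == "__main__":
    for dom, verdict in triage(SLIDE_DOMAINS).items():
        extra = f"  looks like {skeleton(dom)}  ({ace_form(dom)})" if not dom.isascii() else ""
        print(f"{dom:22} {verdict}{extra}")
```

Everything not on the allowlist is treated as suspect, including the bank's own regional or campaign domains if they are missing from it. That is the defensive posture the slide argues for: the user cannot be expected to know which of the fifteen are real, so the list of what is real has to be maintained somewhere other than in the user's head.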


We Need Encryption!

  • Early on, there was S-HTTP

  • Encryption of the HTML document

  • Headers defined to specify type of encryption, type of key management, nonces

    • Supports pre-arranged keys, public/private keys, PGP, etc.

    • Server and client negotiate which enhancements they’ll use

  • Flexible

  • End to end (resists Man in the Middle)


Then came SSL/TLS - HTTPS

  • Encryption! Authentication! Security!

  • Network protocol that wraps HTTP

  • Encryption of the tunnel for confidentiality and tamper detection

  • Authentication of the server using public key certificate

    • My browser has 182 “System Roots”

  • Authentication of the client using public key certificate is an option

  • Phishing for passwords and identities
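The slide lists server authentication by certificate as one of the things HTTPS delivers, and then ends on phishing. The gap between the two is the check most often skipped: the certificate must chain to one of those trusted roots and must actually name the host the user typed. The following is an added example, not part of the slides: it shows the verifying TLS context Python gives by default beside the weakened one that accepts any certificate, counts the roots the process trusts (the slide's "182 System Roots"), and implements a simplified RFC 6125 hostname match over a constructed certificate dictionary. The certificate data is constructed; the two-domain example reuses the names from the earlier slide purely as sample input.

```python
import ssl

# Constructed peer certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns. Not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "citibank.com"),),),
    "subjectAltName": (("DNS", "citibank.com"), ("DNS", "*.citibank.com")),
}


def verifying_context():
    """The hardened default: the chain must validate to a trusted root and
    the certificate must name the requested host."""
    return ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True


def non_verifying_context():
    """The weak setting, for contrast: any certificate, self-signed or issued
    to someone else, is accepted. The tunnel is still encrypted, but to
    whoever answered, which is exactly what a phisher or MITM wants."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_server(ctx):
    """True only when the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def trusted_root_count():
    """Number of roots this process trusts (compare the slide's browser count).
    Can read 0 on platforms whose store is a hashed capath directory, because
    OpenSSL loads those lazily and get_ca_certs() lists only loaded ones."""
    return len(ssl.create_default_context().get_ca_certs())


def _dns_name_matches(pattern, host):
    """Simplified RFC 6125 dNSName matching: case-insensitive, same number of
    labels, and '*' permitted only as the entire left-most label."""
    p = pattern.lower().split(".")
    h = host.split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        # '*.example.com' covers exactly one label, so it never matches
        # 'a.b.example.com', and a bare '*.com' is refused outright.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches_cert(hostname, peercert):
    """Does this certificate name the host the user asked for?

    The hostname is converted to its ASCII A-label form first, so an IDN
    lookalike such as 'citībank.org' is compared as 'xn--...' and cannot
    match an ASCII SAN by accident."""
    try:
        host = hostname.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return False
    names = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Legacy fallback to the subject CN. Modern browsers ignore the CN
        # and require a SAN; kept here only to make the comparison explicit.
        names = [v for rdn in peercert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, host) for n in names)


if __name__ == "__main__":
    print("trusted roots loaded:", trusted_root_count())
    for h in ("citibank.com", "online.citibank.com", "a.b.citibank.com",
              "citibank.com.evil.example", "citībank.org"):
        print(f"{h:28} -> {hostname_matches_cert(h, SAMPLE_PEERCERT)}")
```

Real clients should leave the hostname check to the TLS library (the default context already does it); the hand-written matcher is here to make visible what "authentication of the server" actually decides, and why a valid certificate for the wrong name is no protection against a phishing site that has its own perfectly valid certificate.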


Mind the Gap – Ruthless Efficiency

  • Who put the D in DHTML?

  • Data and Code should not mix

    • Code is dangerous. Data is not.

    • Speech vs action


There are always bugs

  • Major technical university’s web site

  • Cross Site Scripting (XSS)

    • Every link modified to redirect through proxy

    • Links to other web sites (e.g. LinkedIn, Facebook)

  • Insecure Direct Object Reference

    • Walk the OS file system
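"Walk the OS file system" is what an insecure direct object reference looks like when the object is a file: the request names a path and the server opens it. The following is an added example, not code from the slides or from the university site they refer to. It puts the vulnerable join beside a hardened resolver that decodes once, normalises, and requires the result to stay under the document root, and then beside the stronger fix the OWASP name implies, an indirect reference where the client only ever sees an opaque id. The document root and the file index are constructed for illustration; `posixpath` is used so the behaviour is the same on every platform, and the functions never touch the real file system.

```python
import posixpath
from urllib.parse import unquote

DOWNLOAD_ROOT = "/srv/www/files"          # assumed document root, for illustration

# Constructed indirect-reference table: the client sees only the ids.
FILE_INDEX = {"1001": "report.pdf", "1002": "notes/agenda.txt"}


def vulnerable_download_path(requested):
    """Insecure direct object reference: the user-supplied name is joined
    straight onto the document root, so '..' walks out of it and an
    absolute name replaces the root entirely."""
    return posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, requested))


def safe_download_path(requested, root=DOWNLOAD_ROOT):
    """Decode exactly once, normalise, then require the result to remain
    under root. Raises PermissionError for anything that escapes.

    On a real server, additionally resolve symlinks (os.path.realpath) on
    both sides before comparing; that step is omitted here so the example
    stays independent of the local disk."""
    name = unquote(requested)             # one decode only; decoding again reopens the hole
    base = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(base, name))
    # commonpath, not startswith: '/srv/www/files2/x' starts with
    # '/srv/www/files' yet is not inside it.
    if posixpath.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return target


def is_rejected(requested):
    """True if the hardened resolver refuses this request."""
    try:
        safe_download_path(requested)
    except PermissionError:
        return True
    return False


def path_by_id(file_id):
    """Indirect reference: the client names an id, the server maps it to a
    path it chose itself, and the path still passes the containment check."""
    name = FILE_INDEX.get(str(file_id))
    if name is None:
        raise KeyError(f"unknown file id {file_id!r}")
    return safe_download_path(name)


if __name__ == "__main__":
    probes = ["report.pdf", "notes/../report.pdf", "../../etc/passwd",
              "/etc/passwd", "..%2F..%2Fetc%2Fpasswd", "../files2/x"]
    for p in probes:
        print(f"{p:24} vulnerable -> {vulnerable_download_path(p):28} "
              f"hardened -> {'REJECTED' if is_rejected(p) else safe_download_path(p)}")
    print("id 1002 ->", path_by_id("1002"))
```

The vulnerable version is not wrong because it forgot to strip `..`; blacklisting `..` is the blacklist mistake again (`%2e%2e`, `..\\`, overlong UTF-8). It is wrong because it lets the client choose the object. The containment check limits the damage; the id table removes the choice.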


Is It Safe?

  • Who vouches for the code on this web site?

    • JavaScript

      • Sandbox + same origin policy

    • Java

      • Permissions

      • “Should this code access your file system, the network?”

  • Web mail

    • Cross site scripting (XSS)

  • HTML escaping of any data

    • Where are my bold text and dancing pigs?

    • Whitelist vs Blacklist

  • Mobile apps – every game creator is a web browser implementer
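The "Data and Code should not mix" slide and the "HTML escaping of any data" bullets above are the whole XSS story in two lines; the following added example (not code from the slides) shows what each line looks like when a comment is rendered into a page. It puts the raw splice beside a blacklist that strips `<script>`, beside escaping of all data, and beside the "where are my bold text?" compromise: escape everything, then re-enable exactly one known-safe construct, which is what a whitelist means in practice. The attacker payload is constructed.

```python
import html
import re

# Constructed attacker input: no <script> tag at all, so a blacklist aimed at
# <script> passes it through, yet the browser runs it when the image fails.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_vulnerable(untrusted):
    """Data spliced straight into markup. The browser has no way to know
    which bytes came from the page author and which from the commenter."""
    return f"<p>{untrusted}</p>"


def blacklist_strip_script(untrusted):
    """The blacklist: remove what you have thought of. Event handlers,
    javascript: URLs, SVG, broken tags and everything else you have not
    thought of still reaches the browser."""
    return re.sub(r"(?is)<\s*script\b.*?>.*?<\s*/\s*script\s*>", "", untrusted)


def render_escaped(untrusted):
    """A whitelist of zero tags: the five HTML metacharacters & < > \" ' are
    escaped, so every byte of user data is rendered as text, never parsed
    as markup. This is the default every template engine should apply."""
    return f"<p>{html.escape(untrusted, quote=True)}</p>"


def render_bold_allowed(untrusted):
    """The 'bold text and dancing pigs' compromise: escape everything first,
    then re-enable one known-safe construct, literal <b> and </b> with no
    attributes. Anything else, including <b onmouseover=...>, stays text."""
    escaped = html.escape(untrusted, quote=True)
    return "<p>" + re.sub(r"&lt;(/?)b&gt;", r"<\1b>", escaped) + "</p>"


def has_event_handler(rendered):
    """Crude check used below: does live markup with an on* attribute remain?"""
    return re.search(r"(?i)<\w[^>]*\son\w+\s*=", rendered) is not None


if __name__ == "__main__":
    comment = "<b>great talk</b> " + PAYLOAD
    for name, fn in [("vulnerable", render_vulnerable),
                     ("blacklist", lambda s: render_vulnerable(blacklist_strip_script(s))),
                     ("escaped", render_escaped),
                     ("bold allowed", render_bold_allowed)]:
        out = fn(comment)
        print(f"{name:13} executes={has_event_handler(out)!s:5} {out}")
```

The whitelist version keeps the benign formatting users ask for without ever letting attributes through, which is where the handlers live. Whether `<b>` is worth even that small surface is a product decision; the security decision is that the default is "text", and every exception is enumerated.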


Questions? Comments? Brickbats?

Mary Ellen Zurko

[email protected]

