Web Security Fear, Surprise, and Ruthless Efficiency

Mary Ellen Zurko

Presentation Transcript

Web security – what do you think of?
Mind the Gap – Fear
  • Authentication
    • And Password/Secret management
  • A secret is something you tell to one person
    • at a time
  • Or
    • It’s not turtles all the way down
Always tell (the customer) the truth
  • Defense in depth matters
  • Compliance
  • Passwords – users vs system parts
  • Web server and files
(Basic) Authentication
  • Security the way Sir Tim intended
  • Server says: WWW-Authenticate: Basic realm="insert realm"
  • User prompted for their password
  • Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
    • User agent remembers and sends for that domain/realm
(Basic) Authentication Issues
  • Everyone does their own authentication
    • No Single Sign On
    • Password proliferation
  • Password unprotected
    • Encoding is not encrypting
  • Who’s asking you for your password?
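The two slides above describe the Basic scheme end to end: the user agent base64-encodes `user:password`, and the server decodes it. The following Python is an added example, not code from the deck; it decodes the exact header value the slide quotes to show that the encoding is reversible, then shows the server-side practice that limits the damage (accept Basic only over TLS, store a salted PBKDF2 hash rather than the password, compare in constant time). `PBKDF2_ITERATIONS`, the `users` dictionary and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Header value quoted on the slide; decoding it recovers the credentials unchanged.
SLIDE_HEADER = "Basic QWxhZGluOnNlc2FtIG9wZW4="

# Assumed work factor for the example; tune to the hardware you run on.
PBKDF2_ITERATIONS = 200_000


def build_basic_authorization(user: str, password: str) -> str:
    """What the user agent does: join user:password and base64-encode it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (user, password) from an Authorization header.
    Returns None for anything that is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # user-id cannot contain ':', password may
    return user, password


def make_credential_record(password: str) -> Dict[str, object]:
    """What the server keeps: a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: Dict[str, object], candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison


def authenticate(header_value: str, users: Dict[str, Dict[str, object]], over_tls: bool) -> Optional[str]:
    """Accept a Basic credential only over TLS and only if the stored hash matches.
    Returns the user-id on success, otherwise None."""
    if not over_tls:
        return None  # base64 is reversible: without TLS the password is on the wire in clear
    parsed = parse_basic_authorization(header_value)
    if parsed is None:
        return None
    user, password = parsed
    record = users.get(user)
    if record is None or not verify_password(record, password):
        return None
    return user


if __name__ == "__main__":
    print(parse_basic_authorization(SLIDE_HEADER))  # ('Aladin', 'sesam open')
    users = {"Aladin": make_credential_record("sesam open")}
    print(authenticate(SLIDE_HEADER, users, over_tls=True))   # Aladin
    print(authenticate(SLIDE_HEADER, users, over_tls=False))  # None
```

Decoding the slide's header gives `Aladin` / `sesam open` with no key involved, which is the whole point of "encoding is not encrypting"; the only things the server controls are whether it accepts the header off a plaintext connection and what it stores to check it against.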
Mind the Gap – Surprise
  • Who vouches for the information on this web page?
  • Trust, Trustworthy, and Trust for What?
    • There’s encryption; it’s Secure!
  • What have you been told about detecting or avoiding phishing?
Which of these domains are not owned by Citibank?
  • Citigroup.com
  • Citibank.com
  • Cititigroup.com
  • Citigroup.de
  • Citibank.co.uk
  • Citigroup.org
  • Thisiscitigroup.org
  • Citibank.info
  • Citicards.com
  • Citicreditcards.com
  • Citibank-cards.us
  • Citimoney.com
  • Citigold.net
  • Citībank.org
  • Citibānk.org
  • Citigrøup.org
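The last three entries in the list above are not ASCII: `Citībank`, `Citibānk` and `Citigrøup` use accented letters that render almost like the brand name but resolve to different `xn--` names in DNS. The Python below is an added example, not part of the deck, showing how a defender can triage such a list: compute the name DNS actually sees, reduce each label to a "skeleton" (lower-case, diacritics stripped, a few known confusables mapped) and compare it with the brand labels. The `CONFUSABLES` table is a small constructed subset (Unicode's confusables.txt is the full source), `BRAND_LABELS` is an assumption, and second-level labels are taken naively without public-suffix handling.

```python
import unicodedata
from typing import Dict, Set

# Constructed, partial confusables table (assumption: enough for the slide's domains).
CONFUSABLES = {
    "\u00f8": "o",  # ø  (no NFKD decomposition, so it needs an explicit entry)
    "\u0131": "i",  # dotless i
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0441": "c",  # Cyrillic с
    "\u0456": "i",  # Cyrillic і
}

# Assumed brand labels to protect.
BRAND_LABELS: Set[str] = {"citibank", "citigroup"}


def skeleton(text: str) -> str:
    """Lower-case, strip diacritics (NFKD, drop combining marks), map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", text.lower()):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def to_dns_name(domain: str) -> str:
    """The name DNS sees: non-ASCII labels become xn-- (punycode) labels."""
    return domain.lower().encode("idna").decode("ascii")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squats such as an inserted syllable."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands: Set[str] = BRAND_LABELS) -> Dict[str, str]:
    label = domain.lower().split(".")[0]  # second-level label (no public-suffix list; assumption)
    skel = skeleton(label)
    if label != skel and skel in brands:
        verdict = "homoglyph of " + skel
    elif skel in brands:
        verdict = "brand label, check registrant"
    elif any(b in skel for b in brands):
        verdict = "brand embedded in longer label"
    elif any(edit_distance(skel, b) <= 2 for b in brands):
        verdict = "near-miss of brand label"
    else:
        verdict = "no brand match"
    return {"domain": domain, "dns_name": to_dns_name(domain),
            "skeleton": skeleton(domain), "verdict": verdict}


if __name__ == "__main__":
    for d in ["Citibank.com", "Cititigroup.com", "Thisiscitigroup.org",
              "Citicards.com", "Citībank.org", "Citibānk.org", "Citigrøup.org"]:
        r = classify(d)
        print(f"{r['domain']:22} {r['dns_name']:28} {r['skeleton']:16} {r['verdict']}")
```

A "brand label" verdict only means the label is the brand's; which of those registrations the brand actually owns has to come from the registrar or the brand itself, which is exactly the question the slide poses.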
We Need Encryption!
  • Early on, there was S-HTTP
  • Encryption of the HTML document
  • Headers defined to specify type of encryption, type of key management, nonces
    • Supports pre arranged keys, public/private keys, PGP, etc.
    • Server and client negotiate which enhancements they’ll use
  • Flexible
  • End to end (resists Man in the Middle)
Then came SSL/TLS - HTTPS
  • Encryption! Authentication! Security!
  • Network protocol that wraps HTTP
  • Encryption of the tunnel for confidentiality and tamper detection
  • Authentication of the server using public key certificate
    • My browser has 182 “System Roots”
  • Authentication of the client using public key certificate is an option
  • Phishing for passwords and identities
Mind the Gap – Ruthless Efficiency
  • Who put the D in DHTML?
  • Data and Code should not mix
    • Code is dangerous. Data is not.
    • Speech vs action
There are always bugs
  • Major technical university’s web site
  • Cross Site Scripting (XSS)
    • Every link modified to redirect through proxy
    • Links to other web sites (e.g. LinkedIn, Facebook)
  • Insecure Direct Object Reference
    • Walk the OS file system
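"Walk the OS file system" describes an insecure direct object reference where a client-supplied file name is joined to a directory on disk without a check that the result stays inside it. The Python below is an added example, not the deck's code, of the server-side check that closes that gap: percent-decode the request, resolve it to a real path, and refuse anything whose resolved path is not under the document root. `ROOT` is a constructed path used only for the demonstration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example.
ROOT = "/srv/www/files"


def safe_join(root: str, requested: str) -> Optional[str]:
    """Resolve a client-supplied relative path under root.
    Returns the absolute path to serve, or None if the request would escape root."""
    if "\x00" in requested:
        return None  # NUL bytes truncate paths in C-level APIs; never pass them on
    # Decode percent-encoding before checking, so ..%2F cannot slip past the test below.
    relative = unquote(requested)
    root_real = os.path.realpath(root)
    # os.path.join discards root when `relative` is absolute; realpath collapses '..'
    # and follows symlinks, so the comparison is made on what the OS would actually open.
    try:
        candidate = os.path.realpath(os.path.join(root_real, relative))
    except ValueError:
        return None
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for req in ["docs/a.txt", "../../etc/passwd", "/etc/passwd",
                "..%2F..%2Fetc%2Fpasswd", "docs/../../x"]:
        print(f"{req:24} -> {safe_join(ROOT, req)}")
```

The check is on the resolved path, not on the request string: rejecting the literal `..` would still miss an encoded form, an absolute path, or a symlink inside the root that points outside it.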
Is It Safe?
  • Who vouches for the code on this web site?
    • Javascript
      • Sandbox + same origin policy
    • Java
      • Permissions
      • “Should this code access your file system, the network?”
  • Web mail
    • Cross site scripting (XSS)
  • HTML escaping of any data
    • Where are my bold text and dancing pigs?
    • Whitelist vs Blacklist
  • Mobile apps – every game creator is a web browser implementer
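The "Data and Code should not mix" slide and the "HTML escaping of any data" bullets above make one point from two sides: untrusted text must reach the page as data, and if the user is allowed bold text, the way to get it is an allowlist of tags, not a blacklist of known-bad ones. The Python below is an added example, not code from the deck, showing the vulnerable concatenation next to two safe renderings: escape everything, or rebuild markup from a small allowlist (`ALLOWED_TAGS` is a constructed choice) with every attribute dropped.

```python
import html
from html.parser import HTMLParser
from typing import List

# Constructed allowlist: the "bold text" the slide asks for, nothing that can carry script.
ALLOWED_TAGS = {"b", "i", "em", "strong"}  # attributes are never kept, whatever the tag


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags; every other tag is dropped and all text is escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: List[str] = []
        self.open_tags: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")  # attrs such as onclick= or style= are discarded
            self.open_tags.append(tag)
        # <script>, <img>, <iframe>, ... are simply not emitted

    def handle_endtag(self, tag: str) -> None:
        if tag in self.open_tags:
            while self.open_tags:  # close inner tags first so output stays well-formed
                inner = self.open_tags.pop()
                self.parts.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data: str) -> None:
        self.parts.append(html.escape(data, quote=True))  # text is always text

    def result(self) -> str:
        while self.open_tags:  # close anything the input left open
            self.parts.append(f"</{self.open_tags.pop()}>")
        return "".join(self.parts)


def sanitize(untrusted_html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


def render_comment_unsafe(comment: str) -> str:
    """The bug: user data dropped into the page as markup, so data becomes code."""
    return f"<p>{comment}</p>"


def render_comment_text(comment: str) -> str:
    """Safe when no formatting is needed: escape every special character."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def render_comment_rich(comment: str) -> str:
    """Safe with formatting: allowlist the tags you want and escape everything else."""
    return f"<p>{sanitize(comment)}</p>"


if __name__ == "__main__":
    sample = '<b onclick="x">hello</b><script>alert("x")</script>'  # constructed input
    print(render_comment_unsafe(sample))
    print(render_comment_text(sample))
    print(render_comment_rich(sample))
```

Note what the allowlist does with a `<script>` element: the tag disappears and its body is emitted as escaped text, so the reader sees the attacker's string rather than the browser running it. A blacklist would have to anticipate every tag and attribute that can execute code; the allowlist only has to enumerate the few that cannot.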

Questions? Comments? Brickbats?

Mary Ellen Zurko