Web Security Fear, Surprise, and Ruthless Efficiency
Mary Ellen Zurko

Presentation Transcript

Web security – what do you think of?
Mind the Gap – Fear
  • Authentication
    • And Password/Secret management
  • A secret is something you tell to one person
    • at a time
  • Or
    • It’s not turtles all the way down
Always tell (the customer) the truth
  • Defense in depth matters
  • Compliance
  • Passwords – users vs system parts
  • Web server and files
(Basic) Authentication
  • Security the way Sir Tim intended
  • Server says: WWW-Authenticate: Basic realm="insert realm"
  • User prompted for their password
  • Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
    • User agent remembers and sends for that domain/realm
(Basic) Authentication Issues
  • Everyone does their own authentication
    • No Single Sign On
    • Password proliferation
  • Password unprotected
    • Encoding is not encrypting
  • Who’s asking you for your password?
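The exchange on the two slides above, as an added example that is not part of the original deck: the server's challenge, the header the user agent sends back, and the one-line decode that hands the password to anyone who sees that header (a proxy, a log file, a network tap). The credential is the slide's own; the realm text and the names of the helper functions are assumptions made for this illustration.

```python
import base64
import re

# Constructed values for this illustration. The credential is the one on the
# slide; the realm string is whatever the (possibly hostile) server chose.
CHALLENGE = 'WWW-Authenticate: Basic realm="insert realm"'
SLIDE_RESPONSE = "Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4="


def parse_challenge(header):
    """Return the realm from a 'WWW-Authenticate: Basic' challenge, or None.

    Any server that answers the request can send this, and it chooses the
    realm text the browser shows in its password prompt: "Who's asking?"
    """
    m = re.match(r'WWW-Authenticate:\s*Basic\s+realm="([^"]*)"', header, re.I)
    return m.group(1) if m else None


def build_authorization(user, password):
    """What the user agent sends back: base64('user:password').

    RFC 7617 forbids a colon in the user-id; the password may contain one.
    """
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def recover_credentials(header):
    """Anyone who sees the header gets the password back with a single base64
    decode: encoding is not encrypting. Split on the first colon only, so a
    password that itself contains ':' survives the round trip.
    """
    m = re.match(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", header, re.I)
    if not m:
        return None
    raw = base64.b64decode(m.group(1)).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


if __name__ == "__main__":
    print("realm shown to the user:", parse_challenge(CHALLENGE))
    print("credentials in the slide's header:", recover_credentials(SLIDE_RESPONSE))
    hdr = build_authorization("bob", "p:ss:word")
    print(hdr, "->", recover_credentials(hdr))
```

Without TLS the header crosses the network exactly like this on every request, because the user agent replays it for the whole protection space (origin plus realm) once the user has typed the password once.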
Mind the Gap - Surprise
  • Who vouches for the information on this web page?
  • Trust, Trustworthy, and Trust for What?
    • There’s encryption; it’s Secure!
  • What have you been told about detecting or avoiding phishing?
Which of these domains are not owned by Citibank?
  • Citigroup.com
  • Citibank.com
  • Cititigroup.com
  • Citigroup.de
  • Citibank.co.uk
  • Citigroup.org
  • Thisiscitigroup.org
  • Citibank.info
  • Citicards.com
  • Citicreditcards.com
  • Citibank-cards.us
  • Citimoney.com
  • Citigold.net
  • Citībank.org
  • Citibānk.org
  • Citigrøup.org
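The last three names in the list are internationalized domain names whose accented letters render like the ASCII brand. As an added example that is not part of the original slides, the script below shows the punycode form the resolver actually sees and sorts the slide's names into "known", "homoglyph", "lookalike" and "unknown". The allowlist of names the relying party controls is constructed for the illustration and says nothing about who really owns any of the domains on the slide; the confusable table is likewise a small hand-made one, not the Unicode confusables data.

```python
import unicodedata

# Constructed allowlist for this illustration: the names the relying party
# itself controls. Nothing here asserts who actually owns the slide's domains.
KNOWN_GOOD = {"citibank.com", "citigroup.com", "citicards.com"}

# NFKD separates accents written as combining marks (ī -> i + U+0304), but a
# letter such as ø has no decomposition, so a small constructed table covers it.
CONFUSABLES = {"ø": "o", "ł": "l", "đ": "d", "ı": "i"}


def to_ascii(domain):
    """The form the resolver actually sees: IDNA/punycode via the idna codec."""
    return domain.lower().encode("idna").decode("ascii")


def skeleton(domain):
    """Crude confusable skeleton: lowercase, drop combining marks, map lookalikes."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def registrable_label(domain):
    """Second-level label; sufficient for the two-label names on the slide."""
    return domain.lower().split(".")[-2]


KNOWN_LABELS = {registrable_label(d) for d in KNOWN_GOOD}


def classify(domain):
    d = domain.lower()
    if d in KNOWN_GOOD:
        return "known"
    label_skeleton = skeleton(registrable_label(d))
    if to_ascii(d) != d and label_skeleton in KNOWN_LABELS:
        return "homoglyph"   # renders like a known name but is a different domain
    if label_skeleton in KNOWN_LABELS:
        return "lookalike"   # the real brand string under a TLD not in the allowlist
    return "unknown"         # typo-squat, brand-plus-words, or simply unrelated


if __name__ == "__main__":
    for name in ["Citibank.com", "Citigroup.org", "Thisiscitigroup.org",
                 "Citibank-cards.us", "Citībank.org", "Citibānk.org", "Citigrøup.org"]:
        print(f"{name:22} {to_ascii(name):30} {classify(name)}")
```

The "unknown" bucket is the honest answer for names like Cititigroup.com or Thisiscitigroup.org: a skeleton match only catches visual confusion, not every way a registrant can borrow a brand, which is why browsers fall back to showing the xn-- form rather than trying to decide ownership.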
We Need Encryption!
  • Early on, there was S-HTTP
  • Encryption of the HTML document
  • Headers defined to specify type of encryption, type of key management, nonces
    • Supports pre arranged keys, public/private keys, PGP, etc.
    • Server and client negotiate which enhancements they’ll use
  • Flexible
  • End to end (resists Man in the Middle)
Then came SSL/TLS - HTTPS
  • Encryption! Authentication! Security!
  • Network protocol that wraps HTTP
  • Encryption of the tunnel for confidentiality and tamper detection
  • Authentication of the server using public key certificate
    • My browser has 182 “System Roots”
  • Authentication of the client using public key certificate is an option
  • Phishing for passwords and identities
Mind the Gap – Ruthless Efficiency
  • Who put the D in DHTML?
  • Data and Code should not mix
    • Code is dangerous. Data is not.
    • Speech vs action
There are always bugs
  • Major technical university’s web site
  • Cross Site Scripting (XSS)
    • Every link modified to redirect through proxy
    • Links to other web sites (e.g. LinkedIn, Facebook)
  • Insecure Direct Object Reference
    • Walk the OS file system
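One way an insecure direct object reference lets a client walk the file system is a file-serving handler that joins a request parameter straight onto the document root. The code below is an added illustration of that class, not a reconstruction of the university site's bug: a vulnerable handler beside a hardened one, exercised against a throwaway directory layout constructed in a temp dir. Function and file names are assumptions for the example.

```python
import os
import tempfile


def serve_file_vulnerable(docroot, name):
    """Insecure direct object reference: the request parameter becomes the path.
    '../secret.txt' walks up out of docroot; an absolute name replaces it entirely,
    because os.path.join discards everything before an absolute component."""
    with open(os.path.join(docroot, name), "rb") as f:
        return f.read()


def serve_file_hardened(docroot, name):
    """Resolve the real path (symlinks included) and refuse anything that does not
    stay under the document root. Checking the resolved path, not the string,
    is what defeats '..', absolute paths and symlinks alike."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refusing path outside docroot: {name!r}")
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Constructed layout: docroot with one public file, and a secret one level up."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "public")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"db password")

    leaked = serve_file_vulnerable(docroot, "../secret.txt")
    blocked = False
    try:
        serve_file_hardened(docroot, "../secret.txt")
    except PermissionError:
        blocked = True
    served = serve_file_hardened(docroot, "index.html")
    return leaked, blocked, served


if __name__ == "__main__":
    leaked, blocked, served = demo()
    print("vulnerable handler leaked:", leaked)
    print("hardened handler blocked traversal:", blocked)
    print("hardened handler still serves:", served)
```

Because the check runs on the resolved path, a symlink inside the document root that points outside it is refused as well; if that is wanted behaviour, the allowlist of what the handler may serve has to be expressed explicitly rather than inferred from the file tree.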
Is It Safe?
  • Who vouches for the code on this web site?
    • Javascript
      • Sandbox + same origin policy
    • Java
      • Permissions
      • “Should this code access your file system, the network?”
  • Web mail
    • Cross site scripting (XSS)
  • HTML escaping of any data
    • Where are my bold text and dancing pigs?
    • Whitelist vs Blacklist
  • Mobile apps – every game creator is a web browser implementer
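The "data and code should not mix" slide and the whitelist-versus-blacklist point above, as one added example that is not part of the original deck. Three treatments of attacker-controlled message text (the web-mail case) are run over constructed sample inputs: a blacklist that strips script tags and can be spliced around, escaping of all data (safe, but no bold text), and an allowlist that keeps a few formatting tags with their attributes dropped. Sample strings, tag set and helper names are assumptions for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker-controlled inputs, e.g. the body of a web-mail message.
SAMPLES = [
    "<b>bold</b> is fine",
    "<script>alert(document.cookie)</script>",
    "<img src=x onerror=alert(1)>",
    "<scr<script>ipt>alert(1)</script>",
]


def blacklist_strip(s):
    """Blacklist: delete <script> tags. Anything not on the list gets through,
    and removing the inner tag from the last sample reassembles a script tag."""
    return re.sub(r"</?script[^>]*>", "", s, flags=re.I)


def escape_all(s):
    """Escape everything: data can no longer become code, but no bold text either."""
    return html.escape(s, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Whitelist: keep only <b>, <i>, <p>, always without attributes;
    every other tag is dropped and all text is re-escaped on output."""

    ALLOWED = {"b", "i", "p"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:
            self.out.append(f"<{tag}>")   # attributes dropped: no onerror=, no style=

    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))   # text is text, never markup


def allowlist_sanitize(s):
    p = AllowlistSanitizer()
    p.feed(s)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for s in SAMPLES:
        print("input:    ", s)
        print("blacklist:", blacklist_strip(s))
        print("escaped:  ", escape_all(s))
        print("allowlist:", allowlist_sanitize(s))
        print()
```

The allowlist is the only one of the three that gives the user bold text and still keeps data from becoming code; its safety rests on rebuilding output from parsed tokens rather than passing any input bytes through, which is also why it must be applied at the point where the text is written into HTML, not when it is stored.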

Questions? Comments? Brickbats?

Mary Ellen Zurko

mzurko@cisco.com