
Web Security Fear, Surprise, and Ruthless Efficiency


Presentation Transcript


  1. Web Security: Fear, Surprise, and Ruthless Efficiency • Mary Ellen Zurko

  2. Web security – what do you think of?

  3. Mind the Gap – Fear • Authentication • And Password/Secret management • A secret is something you tell to one person at a time • Or • It’s not turtles all the way down

  4. Always tell (the customer) the truth • Defense in depth matters • Compliance • Passwords – users vs system parts • Web server and files

  5. (Basic) Authentication • Security the way Sir Tim intended • Server says: WWW-Authenticate: Basic realm="insert realm" • User prompted for their password • Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4= • User agent remembers it and re-sends it for that origin and realm (the protection space)

  6. (Basic) Authentication Issues • Everyone does their own authentication • No Single Sign On • Password proliferation • Password unprotected: it travels in every request and is only as private as the transport • Encoding is not encrypting: Base64 is trivially reversible • Who’s asking you for your password?
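The exchange on slides 5 and 6, carried through as an added example (not code from the talk): a server issues the challenge, the user agent answers with the Base64 of user:password, and anything that sees the header (a proxy, a log, an on-path attacker on plain HTTP) gets the password back with one decode. The credentials "Aladin" / "sesam open" are the ones behind the slide's header value; the realm string is the slide's own placeholder.

```python
from __future__ import annotations

import base64
import re

# Constructed sample challenge; the realm is the slide's placeholder text.
CHALLENGE = 'WWW-Authenticate: Basic realm="insert realm"'


def parse_basic_challenge(header_line: str) -> str:
    """Return the realm from a 'WWW-Authenticate: Basic' challenge (quoted form only)."""
    m = re.match(r'WWW-Authenticate:\s*Basic\s+realm="([^"]*)"', header_line, re.I)
    if not m:
        raise ValueError("not a Basic challenge")
    return m.group(1)


def build_authorization(user: str, password: str) -> str:
    """What the user agent sends back: Base64 of 'user:password' (RFC 7617)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def recover_credentials(authorization_line: str) -> tuple[str, str]:
    """Undo the 'protection': Base64 is an encoding, so this needs no key."""
    m = re.match(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", authorization_line, re.I)
    if not m:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(m.group(1)).decode("utf-8")
    # RFC 7617: everything after the first ':' is the password.
    user, _, password = decoded.partition(":")
    return user, password


if __name__ == "__main__":
    realm = parse_basic_challenge(CHALLENGE)
    sent = build_authorization("Aladin", "sesam open")
    print(f"realm={realm!r}\n{sent}\nrecovered={recover_credentials(sent)}")
```

The password also has to be re-sent on every request to that protection space, so the exposure window is the whole session, not one login.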

  7. Mind the Gap - Surprise • Who vouches for the information on this web page? • Trust, Trustworthy, and Trust for What? • There’s encryption; it’s Secure! • What have you been told about detecting or avoiding phishing?

  8. Which of these domains are not owned by Citibank? • Citigroup.com • Citibank.com • Cititigroup.com • Citigroup.de • Citibank.co.uk • Citigroup.org • Thisiscitigroup.org • Citibank.info • Citicards.com • Citicreditcards.com • Citibank-cards.us • Citimoney.com • Citigold.net • Citībank.org • Citibānk.org • Citigrøup.org
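The slide's quiz, turned into the check a client-side filter would make. This is an added example, not part of the talk; the allowlist is a constructed assumption for the exercise and says nothing about which of the listed domains Citibank really owns. It flags the three visible cases: a name that is not on the allowlist but carries the brand string, a name with non-ASCII letters (shown both as the user sees it and in the punycode form DNS sees), and the accent-stripped "skeleton" that tells you what the IDN was imitating.

```python
import unicodedata

# Constructed allowlist for this exercise (an assumption made for the
# example, not a claim about Citibank's real domain portfolio).
ALLOWLIST = {"citigroup.com", "citibank.com"}
BRAND = "citi"


def skeleton(label: str) -> str:
    """Strip combining marks so 'citībank' collapses to 'citibank'.

    Catches accent-style lookalikes only: 'ø' has no decomposition and a
    Cyrillic 'с' is a different base letter, so both survive untouched.
    That is why classify() rejects every non-ASCII name first and uses the
    skeleton only as a hint about the target brand.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify(domain: str) -> tuple:
    """Return (category, detail) for a domain as the user sees it."""
    d = domain.strip().lower().rstrip(".")
    if d in ALLOWLIST or any(d.endswith("." + a) for a in ALLOWLIST):
        return ("allowlisted", d)
    if not d.isascii():
        try:
            wire = d.encode("idna").decode("ascii")  # what DNS actually resolves
        except UnicodeError:
            wire = "<not a valid IDN>"
        return ("idn-lookalike", f"wire form {wire}, skeleton {skeleton(d)}")
    if BRAND in d:
        return ("brand-string-not-allowlisted", d)
    return ("unrelated", d)


if __name__ == "__main__":
    for name in ["Citibank.com", "Citibank-cards.us", "Citībank.org", "Citigrøup.org"]:
        print(name, "->", classify(name))
```

The lesson of the slide survives the code: an ASCII name such as Cititigroup.com or Citibank-cards.us is only "wrong" relative to a list the user does not have, so the check is something the browser or mail gateway can do and the user cannot.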

  9. We Need Encryption! • Early on, there was S-HTTP • Encryption of the HTML document • Headers defined to specify type of encryption, type of key management, nonces • Supports pre arranged keys, public/private keys, PGP, etc. • Server and client negotiate which enhancements they’ll use • Flexible • End to end (resists Man in the Middle)

  10. Then came SSL/TLS - HTTPS • Encryption! Authentication! Security! • Network protocol that wraps HTTP • Encryption of the tunnel for confidentiality and tamper detection • Authentication of the server using public key certificate • My browser has 182 “System Roots” • Authentication of the client using public key certificate is an option • Phishing for passwords and identities

  11. Mind the Gap – Ruthless Efficiency • Who put the D in DHTML? • Data and Code should not mix • Code is dangerous. Data is not. • Speech vs action

  12. There are always bugs • Major technical university’s web site • Cross Site Scripting (XSS) • Every link modified to redirect through proxy • Links to other web sites (e.g. LinkedIn, Facebook) • Insecure Direct Object Reference • Walk the OS file system
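The "walk the OS file system" bullet is the Insecure Direct Object Reference case where a document name from the URL is joined onto a directory. As an added example (not from the talk, and not the university's code), here is the containment check that closes it, next to the string-prefix test that is usually written instead; the base directory and file names are constructed.

```python
from pathlib import Path


def resolve_document(base_dir: str, requested: str) -> Path:
    """Map a client-supplied document name onto a file strictly under base_dir.

    Resolve symlinks and '..' first, then test containment on the resolved
    path. Joining an absolute 'requested' discards base entirely; resolve()
    makes that visible and the parents check rejects it.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if base not in target.parents:
        raise PermissionError(f"{requested!r} resolves outside {base}")
    return target


def naive_prefix_check(base_dir: str, requested: str) -> bool:
    """The check as it is often (wrongly) written: a string prefix on the
    unresolved path. '../' never changes the prefix, so it always passes."""
    return (base_dir + "/" + requested).startswith(base_dir)


if __name__ == "__main__":
    for name in ["reports/q1.html", "../../etc/passwd", "/etc/passwd"]:
        try:
            print(name, "->", resolve_document("/srv/docs", name))
        except PermissionError as e:
            print(name, "-> rejected:", e)
        print("   naive check says:", naive_prefix_check("/srv/docs", name))
```

A mapping from opaque ids to paths (so the client never names a file at all) removes the whole class; when the name must be client-supplied, resolve first and compare second.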

  13. Is It Safe? • Who vouches for the code on this web site? • Javascript • Sandbox + same origin policy • Java • Permissions • “Should this code access your file system, the network?” • Web mail • Cross site scripting (XSS) • HTML escaping of any data • Where are my bold text and dancing pigs? • Whitelist vs Blacklist • Mobile apps – every game creator is a web browser implementer
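"HTML escaping of any data", "Where are my bold text and dancing pigs?" and "Whitelist vs Blacklist" from this slide, as one added example (not code from the talk). It shows the unescaped rendering that lets data run as code, the fully escaped rendering that loses the user's bold text, an allowlist that escapes everything and then re-enables only bare `<b>`/`<i>`, and a blocklist that strips the string `<script>` and is defeated by nesting it. The comment strings are constructed inputs.

```python
import html
import re


def render_unsafe(comment: str) -> str:
    """Data pasted straight into markup: the browser runs it as code."""
    return f"<p>{comment}</p>"


def render_escaped(comment: str) -> str:
    """Escape all data. Safe, but the user's <b> shows up as literal text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# Only these exact escaped sequences are turned back into tags: no attributes,
# no other elements. What the allowlist permits is fully known.
_ALLOWED_TAG = re.compile(r"&lt;(/?)(b|i)&gt;")


def render_allowlist(comment: str) -> str:
    """Escape everything, then re-enable only bare <b> and <i>."""
    escaped = html.escape(comment, quote=True)
    return "<p>" + _ALLOWED_TAG.sub(r"<\1\2>", escaped) + "</p>"


def render_blocklist(comment: str) -> str:
    """Blocklist approach: delete the string '<script>'. str.replace is a
    single pass, so '<scr<script>ipt>' becomes '<script>' after the pass."""
    return "<p>" + comment.replace("<script>", "") + "</p>"


if __name__ == "__main__":
    sample = "<b>hi</b> <script>alert(1)</script>"
    print(render_unsafe(sample))
    print(render_escaped(sample))
    print(render_allowlist(sample))
    print(render_blocklist("<scr<script>ipt>alert(1)</script>"))
```

The allowlist version keeps bold and italics and nothing else; adding attributes or more elements is where such filters go wrong, which is the slide's point about blocklists generalised: every token you let through has to be one whose behaviour you fully understand.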

  14. Questions? Comments? Brickbats? Mary Ellen Zurko mzurko@cisco.com
