How to tell if you're designing an insecure website

Posted on 12-May-2015


DESCRIPTION

A rambling talk about how the same things that make up effective design are misused to create effective phishing pages. Additionally, the browser UI and security controls focus on things that most people completely ignore. The idea of the presentation was to plant a seed of an idea: designers might be able to shape and take the lead in designing secure solutions meant for ordinary non-technical users if they start thinking about security as part of their deliverable. This can even be done by ensuring that the security team and designers collaborate on more projects together. The presentation makes a lot more sense with the accompanying video http://hasgeek.tv/metarefresh/2013/497-how-to-tell-if-youre-designing-an-insecure-site

Transcript

Akash Mahajan at Meta Refresh 2013

HOW TO tell if you're designing an insecure website

Hasgeek doesn't allow how-tos as talks, but I got in!! :P

Does this bother you?

Joke

Insecure Websites

Design and UI/UX

This is not a how-to, this is more like a series of thoughts

DISCLAIMER

Talking About Effective Design

Effective Design, UI or UX

Can we say effective design is something that compels a user to do what the designer wanted?

Gmail ; A Great Example of Effective Design

Phishing Attack or Effective Design

Close Look at our example

Even closer look at our example

1. Favicon FTW

2. Bookmark link

Phishing with a ph!

Salient features of effective design

Assumptions – maybe based on data like heat maps etc.

Call to action – green button = go

Visual cues and logos to inspire trust

Salient features of phishing

Most people don't notice what is in the address bar

People love to fill in login forms

Address bar/URL can look like

scheme://[login[:password]@](host_name|host_address)[:port][/hierarchical/path/to/resource[?search_string][#fragment_id]]

From the Browser Security Handbook: http://code.google.com/p/browsersec/wiki/Part1
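The grammar above is easy to misread in an address bar: everything before the "@" is login information, and only what follows it is the host the browser connects to. This added example (not from the talk) uses Python's standard library to split a URL into those parts and to list the warnings a link checker, for instance in a mail gateway, would raise; the "expected_host" parameter and the example.com / 203.0.113.5 values are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def split_url(url: str) -> dict:
    """Break a URL into the parts named in the grammar above and show
    which of them is the host the browser will actually connect to."""
    p = urlsplit(url)
    return {
        "scheme": p.scheme,
        "login": p.username,        # the optional [login[:password]@] part
        "password": p.password,
        "host": p.hostname,         # this is what the browser connects to
        "port": p.port,
        "path": p.path,
        "query": p.query,
        "fragment": p.fragment,
    }


def link_warnings(url: str, expected_host: str) -> list:
    """Checks a link checker would raise before a user ever sees the address
    bar. expected_host is the site the link claims to be for (an assumed
    parameter, not something the talk specifies)."""
    p = urlsplit(url)
    host = p.hostname or ""
    warnings = []
    if p.scheme != "https":
        warnings.append("scheme is not https")
    if p.username is not None:
        # Everything before '@' is login info, not the host, even when it
        # reads like a familiar site name.
        warnings.append(f"text before @ ({p.username!r}) is login info, not the host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a domain name")
    except ValueError:
        pass  # not an IP literal: a normal domain name
    if host != expected_host and not host.endswith("." + expected_host):
        warnings.append(f"host {host!r} is not {expected_host!r}")
    return warnings
```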

Design Thinking?

Maybe Don’t Think == Impulsive

im·pul·sive /imˈpəlsiv/ Adjective

Acting or done without forethought: "young impulsive teenage shoppers".

phish·ing (made-up word)

is the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Effective Design/UI/UX is about generating

TRUST

People trust big shiny locks

Best piece of advice from a show about aliens

Two examples where this trust collides with effective design and makes the UI/UX bad for the user

1. Password Reset/Change feature

2. An SSL enabled website

How password reset should work

akashmahajan@gmail.com

Enter email to reset password

YourSuperSecretPassword

What went down behind the scenes

• Code loaded in the browser sent that email to the server.

• Server did a bunch of things like check if the email was in the database, generated a password, etc.

The difficult part & UI nightmare

How does the server know that it is you who filled in the email and you are the owner of this email address?

So how is it supposed to work?

• Using out-of-band communication.

• Code loaded in the browser sent that email to the server.

And…..?

• Web server will email you a unique link, hoping that the email address is in your hands.

• You click on the link and go back to the server.

• Server confirms the link is proper and allows you to reset the password.

Just FYI, the email address you sent to the server and the password you got back were in CLEARTEXT
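The reset flow described above, as an added example that is not code from the talk: the server mints a random, single-use, expiring token, stores only its hash, and hands back the link that must travel out of band by email; whoever returns with the token proves control of the mailbox and then picks the password themselves, so the server never generates a password and mails it back in cleartext. The in-memory tables, the URL format, the 15-minute lifetime and the "now" parameter are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL = 15 * 60        # how long a reset link stays valid, in seconds (assumed)
RESET_URL = "https://app.example.com/reset?token="   # assumed link format

# Constructed in-memory stand-ins for two database tables.
_users = {"akashmahajan@gmail.com": None}   # email -> (salt, password hash)
_pending = {}                                # sha256(token) -> (email, expires_at)


def _password_record(password: str) -> tuple:
    """Salted PBKDF2 so the stored value is useless if the database leaks."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: the browser posts the e-mail address. For a known account, mint
    a random single-use token and return the link that must be sent OUT OF
    BAND, by e-mail. The web page shows the same 'check your inbox' message
    either way, so the form cannot be used to learn which addresses exist."""
    now = time.time() if now is None else now
    if email not in _users:
        return None
    token = secrets.token_urlsafe(32)      # 256 random bits: not guessable
    # Only the hash is stored: a leaked table does not hand out usable links.
    _pending[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return RESET_URL + token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: the user follows the link. Presenting the token proves control of
    the mailbox. The token is looked up by its hash, expires, and works once;
    the user chooses the new password, so nothing secret is ever mailed back."""
    now = time.time() if now is None else now
    entry = _pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False                       # unknown, or already used
    email, expires_at = entry
    if now > expires_at:
        return False                       # link too old; user must request again
    _users[email] = _password_record(new_password)
    return True
```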

People/stuff between you & the server

• Wireless Network

• Helpful IT admin monitoring for "bad traffic"

• ISP gateway with helpful IT admin "monitoring"

• Country level gateway with helpful govt. IT admin "monitoring" – Think Tunisia, Egypt, Iran

• Helpful Server admin "monitoring"

• And who knows what else is out there.

Just to recap!

• Effective Design/UI/UX inspires trust.

• People trust based on strong visual cues.

• These cues can be faked.

• So ideally trust no one.

• If we use a common sense approach to generating a new password we will need to trust multiple intermediaries.

Finally a problem worthy of philosoraptor

So how do we create secure websites?

SSL

HTTP + SSL/TLS = HTTPS

Akash Mahajan: did not know the full form of SSL and TLS.

SSL/TLS

Encrypted Communication – Nobody can see your message hence can’t change it

Secure Identification of a Network – Are you talking to the right server?

http://www.trailofbits.com/resources/creating_a_rogue_ca_cert_slides.pdf

Bad Things can Happen

Comodo, an affiliate of a root CA, was hacked.

DigiNotar, another affiliate, was hacked.

Hundreds of certificates for Google, Yahoo, Mozilla, MS Windows Update were released.

Rogue SSL Certificate

EV SSL

Secure By Design

Will cover this next year!

I don’t have any answers for you

• I am not a designer. I understand security in systems.

• I understand that people want to use systems to do things, not get stopped due to security or insecurity.

• The idea was to get your attention and see if these problems can be solved using design.

@makash Akash Mahajan

That Web Application Security Guy
