© 2010 Cisco and/or its affiliates. All rights reserved.
Web Security: Fear, Surprise, and Ruthless Efficiency
Mary Ellen Zurko

• Authentication
  And password/secret management
• A secret is something you tell to one person at a time
• Or
  It’s not turtles all the way down

• Defense in depth matters
• Compliance
• Passwords – users vs system parts
• Web server and files

• Security the way Sir Tim intended
• Server says: WWW-Authenticate: Basic realm="insert realm"
• User prompted for their password
• Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
  User agent remembers and sends for that domain/realm

• Everyone does their own authentication
  No Single Sign On
  Password proliferation
• Password unprotected
  Encoding is not encrypting
• Who’s asking you for your password?
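The Basic exchange from the two slides above, both sides of it, as an added Python example (this is not code from the slides). It builds the server's challenge, the client's `Authorization` value and a server-side parser, using the slides' own token `QWxhZGluOnNlc2FtIG9wZW4=`; the function names and the realm string are this example's own choices. The parser is the point of the "encoding is not encrypting" bullet: there is no key anywhere, so anyone who can read the header recovers the user's password, which is why Basic credentials must only ever travel inside TLS.

```python
import base64
import binascii


def basic_challenge(realm):
    """Server side: the 401 response header that makes the browser prompt for a password."""
    # A double quote inside a quoted realm would produce a malformed header; refuse it.
    if '"' in realm:
        raise ValueError("realm must not contain double quotes")
    return f'WWW-Authenticate: Basic realm="{realm}"'


def build_authorization(user, password):
    """Client side: the Authorization header value the user agent sends back
    (and keeps re-sending for every later request in that domain/realm)."""
    # RFC 7617: the user-id may not contain ':' because ':' separates it from the password.
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Server side: recover (user, password) from an Authorization header value.

    Returns None for anything malformed or for a different scheme.  Note that the
    only operation here is base64 decoding: no key, no secret, nothing to break.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


if __name__ == "__main__":
    # Round trip of the slide's example credential (the realm string is an assumption).
    print(basic_challenge("insert realm"))
    header = build_authorization("Aladin", "sesam open")
    print("Authorization:", header)
    print("what the server (or anyone on the path) sees:", parse_basic_authorization(header))
```

The `validate=True` flag makes `b64decode` reject characters outside the base64 alphabet instead of silently discarding them, so a garbled header fails closed rather than producing a surprising user-id.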

• Who vouches for the information on this web page?
• Trust, Trustworthy, and Trust for What?
  There’s encryption; it’s Secure!
• What have you been told about detecting or avoiding phishing?

• Citigroup.com
• Citibank.com
• Cititigroup.com
• Citigroup.de
• Citibank.co.uk
• Citigroup.org
• Thisiscitigroup.org
• Citibank.info
• Citicards.com
• Citicreditcards.com
• Citibank-cards.us
• Citimoney.com
• Citigold.net
• Citībank.org
• Citibānk.org
• Citigrøup.org
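A small classifier for the lookalike list above, added here as a Python example rather than anything from the slides. The trusted set, the brand token and the confusable map are constructed assumptions for the demo; a real deployment would use the organisation's actual domain inventory and the Unicode TR39 confusable data. The check labels ASCII names that merely contain the brand (Cititigroup.com, Citibank-cards.us) as lookalikes, names that only resemble the brand after folding non-ASCII letters (Citībank.org, Citigrøup.org) as homographs, and also produces the punycode (`xn--`) form, which is what resolvers see and what logs should record.

```python
import unicodedata

# Constructed for this example: the domains the organisation actually owns.
TRUSTED = {"citigroup.com", "citibank.com"}
# Brand fragments whose appearance in a domain the organisation does not own deserves a look.
BRAND_TOKENS = ("citi",)
# Letters that NFKD cannot decompose but that read as a plain Latin letter at a glance.
CONFUSABLES = {"ø": "o", "ł": "l", "đ": "d", "ı": "i"}


def skeleton(host):
    """Crude visual skeleton: fold case, strip accents/diacritics, map a few confusables."""
    folded = unicodedata.normalize("NFKD", host.lower())
    stripped = "".join(c for c in folded if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def to_ascii(host):
    """Punycode form of the host: the thing the browser actually resolves."""
    return host.lower().encode("idna").decode("ascii")


def classify(host, trusted=TRUSTED):
    """One of 'trusted', 'homograph', 'lookalike' or 'unrelated'."""
    lowered = host.lower()
    if lowered in trusted:
        return "trusted"
    if not any(token in skeleton(lowered) for token in BRAND_TOKENS):
        return "unrelated"
    if any(ord(c) > 127 for c in lowered):
        # Brand-like only once non-ASCII letters are folded: a visual impersonation.
        return "homograph"
    # Plain ASCII, brand string present, but not a domain the organisation owns.
    return "lookalike"


if __name__ == "__main__":
    # The slide's list, reproduced as sample input.
    for name in ["Citigroup.com", "Citibank.com", "Cititigroup.com", "Citigroup.de",
                 "Citibank.co.uk", "Citigroup.org", "Thisiscitigroup.org", "Citibank.info",
                 "Citicards.com", "Citicreditcards.com", "Citibank-cards.us", "Citimoney.com",
                 "Citigold.net", "Citībank.org", "Citibānk.org", "Citigrøup.org"]:
        print(f"{name:22} {to_ascii(name):28} {classify(name)}")
```

The skeleton is deliberately lossy: it exists to ask "would a person confuse these?", not to decide equality, so anything it flags still needs the trusted inventory (or a takedown workflow) to settle.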

• Early on, there was S-HTTP
• Encryption of the HTML document
• Headers defined to specify type of encryption, type of key management, nonces
  Supports pre-arranged keys, public/private keys, PGP, etc.
  Server and client negotiate which enhancements they’ll use
• Flexible
• End to end (resists Man in the Middle)

• Encryption! Authentication! Security!
• Network protocol that wraps HTTP
• Encryption of the tunnel for confidentiality and tamper detection
• Authentication of the server using a public key certificate
• My browser has 182 “System Roots”
• Authentication of the client using a public key certificate is an option
• Phishing for passwords and identities

• Who put the D in DHTML?
• Data and Code should not mix
  Code is dangerous. Data is not.
  Speech vs action

• Major technical university’s web site
• Cross Site Scripting (XSS)
  Every link modified to redirect through proxy
  Links to other web sites (e.g. LinkedIn, Facebook)
• Insecure Direct Object Reference
  Walk the OS file system
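For the "walk the OS file system" point: the containment check a file-serving handler should apply before opening anything named by a request, added here as a Python example (not code from the slides). The document root, file names and request strings are constructed for the demo. `realpath` collapses `..` segments and follows symlinks before the comparison, so dot-dot paths, leading slashes and a symlink inside the root all resolve to a real path whose common prefix with the root is not the root, and are refused.

```python
import os
import tempfile


def resolve_under_base(base_dir, requested):
    """Map a request path onto base_dir; refuse anything that resolves outside it."""
    base = os.path.realpath(base_dir)
    # os.path.join would discard base_dir if `requested` were absolute, so drop leading separators.
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    # realpath has already resolved '..' and symlinks; the only question left is containment.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"refusing path outside document root: {requested!r}")
    return candidate


def _attempt(base, requested):
    try:
        resolve_under_base(base, requested)
        return "allowed"
    except PermissionError:
        return "refused"


def demo():
    """Build a throwaway document root and exercise the check; returns a dict of outcomes."""
    base = tempfile.mkdtemp(prefix="webroot-")      # constructed document root
    outside = tempfile.mkdtemp(prefix="outside-")   # constructed directory next to it
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "index.html"), "w") as fh:
        fh.write("<p>constructed sample page</p>\n")
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("constructed file that must never be served\n")

    results = {
        # an ordinary request maps to the file inside the root
        "normal": resolve_under_base(base, "docs/index.html")
        == os.path.join(os.path.realpath(base), "docs", "index.html"),
        # a leading slash is not allowed to escape the root
        "absolute": _attempt(base, "/docs/index.html"),
        # dot-dot segments are collapsed before the containment test
        "dotdot": _attempt(base, "../" + os.path.basename(outside) + "/secret.txt"),
    }
    try:
        # a symlink inside the root pointing outside it is followed, then refused
        os.symlink(outside, os.path.join(base, "link"))
        results["symlink"] = _attempt(base, "link/secret.txt")
    except (OSError, NotImplementedError):
        results["symlink"] = "skipped"   # platform without symlink support
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9} {outcome}")
```

A request for a file that does not exist still resolves to a path inside the root and is allowed here; the handler's normal "not found" path deals with it, which is the right separation: this function decides only whether the name is permitted.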

• Who vouches for the code on this web site?
  Javascript: Sandbox + same origin policy
  Java: Permissions
  “Should this code access your file system, the network?”
• Web mail: Cross site scripting (XSS)
• HTML escaping of any data
  Where are my bold text and dancing pigs?
  Whitelist vs Blacklist
• Mobile apps – every game creator is a web browser implementer
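For the "HTML escaping of any data" and "whitelist vs blacklist" points on the last slide, an added Python example (not the slides' own code) that gives the user their bold text without giving them code: a whitelist sanitizer built on the standard library's `HTMLParser` that re-emits only `<b>`, `<i>`, `<em>` and `<strong>`, with no attributes, and escapes everything else as plain text, beside a blacklist strawman that strips `<script>` elements with a regular expression. The allowed-tag set and the sample fragments are assumptions for the demo; the contrast to see is that the blacklist passes through any element it did not think of, while the whitelist cannot.

```python
import re
from html import escape
from html.parser import HTMLParser

# The "bold text" the user actually wants; nothing here can carry a handler or a URL.
ALLOWED_TAGS = {"b", "i", "em", "strong"}


def blacklist_strip(fragment):
    """Strawman blacklist: remove <script> elements and hope nothing else can run."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", fragment)


class WhitelistSanitizer(HTMLParser):
    """Re-emit whitelisted tags without attributes; everything else becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attributes (style, href, on*) are never copied
            self.open_tags.append(tag)
        # Any other tag is dropped; its text content still arrives through handle_data.

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close anything opened after it so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # convert_charrefs=True has already turned entities into characters, so escaping
        # here is exact: user text can never re-enter the output as markup.
        self.out.append(escape(data, quote=True))

    def result(self):
        while self.open_tags:             # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Whitelist-sanitize an untrusted HTML fragment for inclusion in a page."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample: what a web-mail message body might carry.
    sample = '<b style="color:red">bold</b> &amp; <iframe src="x"></iframe><i>open'
    print("blacklist:", blacklist_strip(sample))
    print("whitelist:", sanitize(sample))
```

Comments, processing instructions and doctype declarations are dropped as well, because the parser's default handlers for them are no-ops and nothing in this class re-emits them.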