SECURITY #btsec @MrRio
DIRECTOR/FOUNDER AT
jsPDF JAVASCRIPT PDF GENERATION LIBRARY
SECURITY IS EVERYONE’S RESPONSIBILITY
DEBOOKEE FOR MAC
CRACKING A WIFI PASSWORD IS EASY
HOW DO WE FIX THIS?!
WEBSITE OWNERS – USE SSL
WEBSITE USERS – USE VPN
WHAT IS CRYPTOGRAPHY?
SENDING A SECURE MESSAGE (OFFLINE DEMO EDITION)
A CIPHER IS A DIGITAL LOCK
CAESAR CIPHER, USED IN WARS AROUND 50BC

ABCDEFGHIJKLM
XYZABCDEFGHIJ
SHIFT CIPHER
SHIFT VALUE (KEY): 0
INPUT:  I LOVE BT
OUTPUT: I LOVE BT
SHIFT CIPHER
SHIFT VALUE (KEY): 1
INPUT:  I LOVE BT
OUTPUT: J MPWF CU
SHIFT CIPHER
SHIFT VALUE (KEY): 2
INPUT:  I LOVE BT
OUTPUT: K NQXG DV
ONE-TIME PAD
KEY:    1950396
INPUT:  ILOVEBT
OUTPUT: JUTVHKZ
STREAM CIPHER
KEY (SEED):        7894
KEY STREAM (PRNG): 1950396
INPUT:             ILOVEBT
OUTPUT:            JUTVHKZ
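The three demo slides above (shift cipher, one-time pad, stream cipher) as working code. This is an added example, not code from the talk, from jsPDF or from Parallax. It uses the slides' own values (key 0/1/2 on "I LOVE BT", key digits 1950396 on "ILOVEBT") and goes slightly beyond them: a negative shift reproduces the ABC -> XYZ table from the Caesar slide. The keystream generator (a linear congruential generator seeded with 7894) is constructed here only to show the idea of expanding a short seed into a long key; it will not reproduce the slide's keystream 1950396 and is not cryptographically secure.

```javascript
// Added example (not from the talk): shift cipher, one-time pad and a toy
// stream cipher over the uppercase alphabet. Non-letters (spaces) pass
// through unchanged, as they do on the slides.

const A = 'A'.charCodeAt(0);

// Shift one letter by k positions, wrapping Z -> A (and A -> Z for negative
// k, which covers the "ABCDEFGHIJKLM -> XYZABCDEFGHIJ" Caesar table).
function shiftChar(ch, k) {
  const code = ch.charCodeAt(0) - A;
  if (code < 0 || code > 25) return ch;            // leave spaces etc. alone
  return String.fromCharCode(A + (((code + k) % 26) + 26) % 26);
}

// Caesar / shift cipher: the same key for every letter, so only 26 keys exist.
function shiftCipher(text, key) {
  return [...text.toUpperCase()].map(ch => shiftChar(ch, key)).join('');
}

// One-time pad as on the slide: one key digit (0-9) per letter. The key must
// be at least as long as the message and must never be reused.
function oneTimePad(text, keyDigits, decrypt = false) {
  const letters = text.toUpperCase();
  if (keyDigits.length < letters.length) throw new Error('key shorter than message');
  return [...letters].map((ch, i) => {
    const k = Number(keyDigits[i]);
    return shiftChar(ch, decrypt ? -k : k);
  }).join('');
}

// Toy keystream generator (constructed for this example): a linear
// congruential generator. NOT secure; a real stream cipher uses a keyed
// CSPRNG such as ChaCha20. It only shows that a short seed expands into a
// long, reproducible stream of key digits.
function keyStream(seed, length) {
  let state = seed >>> 0;
  const digits = [];
  for (let i = 0; i < length; i++) {
    state = (Math.imul(state, 1103515245) + 12345) >>> 0;
    digits.push(String(Math.floor(state / 65536) % 10)); // a digit from the high bits
  }
  return digits.join('');
}

// Stream cipher = one-time pad driven by the keystream instead of a truly
// random key, so both sides only need to share the seed.
function streamEncrypt(text, seed) {
  return oneTimePad(text, keyStream(seed, text.length), false);
}
function streamDecrypt(text, seed) {
  return oneTimePad(text, keyStream(seed, text.length), true);
}

console.log(shiftCipher('I LOVE BT', 1));              // J MPWF CU
console.log(oneTimePad('ILOVEBT', '1950396'));         // JUTVHKZ
console.log(streamDecrypt(streamEncrypt('ILOVEBT', 7894), 7894)); // ILOVEBT
```

The point the slides make is visible in the code: the shift cipher has a single small key, the one-time pad is unbreakable only while the key is random, as long as the message and used once, and the stream cipher trades that for a reusable seed whose security rests entirely on the quality of the generator.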
HOW TO GET A SHARED SECRET WITH THIS ONE WEIRD TRICK
(Slides: colour-mixing key exchange demo between Marc and Stefan, with Eve watching everything that passes between them)
INSTEAD OF COLOURS WE USE PRIME NUMBERS

(3^29) % 17 = 12    EASY
(3^??) % 17 = 12    HARD

32,416,190,071
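The "easy" and "hard" directions of the prime-number slide, plus the Marc/Stefan/Eve exchange done with numbers instead of colours. This is an added example, not code from the talk, jsPDF or Parallax. It uses the slide's values g = 3 and p = 17; the private exponents 29 (Marc) and 5 (Stefan) are chosen here for illustration, and the brute-force discrete log is only feasible because p is tiny.

```javascript
// Added example (not from the talk): Diffie-Hellman with the slide's g = 3, p = 17.

// Easy direction: modular exponentiation by square-and-multiply, so even a
// huge exponent costs only about log2(exponent) multiplications. BigInt keeps
// the intermediate products exact.
function modPow(base, exp, mod) {
  base = BigInt(base); exp = BigInt(exp); mod = BigInt(mod);
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Hard direction: given g^x mod p, find x. With nothing better than trying
// every exponent this costs up to p steps: trivial for p = 17, hopeless for
// the 2048-bit primes used in practice. Returns the smallest such x.
function discreteLog(g, target, p) {
  g = BigInt(g); target = BigInt(target); p = BigInt(p);
  let acc = 1n;
  for (let x = 0n; x < p; x++) {
    if (acc === target) return Number(x);
    acc = (acc * g) % p;
  }
  return null;
}

// Diffie-Hellman: each side keeps a private exponent, publishes g^private,
// and raises the other side's public value to its own private exponent.
// Eve sees only what is "on the wire": p, g and the two public values.
function diffieHellman(p, g, marcPrivate, stefanPrivate) {
  const marcPublic = modPow(g, marcPrivate, p);
  const stefanPublic = modPow(g, stefanPrivate, p);
  const marcShared = modPow(stefanPublic, marcPrivate, p);     // (g^s)^m
  const stefanShared = modPow(marcPublic, stefanPrivate, p);   // (g^m)^s
  return {
    onTheWire: { p: BigInt(p), g: BigInt(g), marcPublic, stefanPublic },
    marcShared,
    stefanShared,
  };
}

console.log(modPow(3, 29, 17));        // 12n  (easy)
console.log(discreteLog(3, 12, 17));   // 13   (hard in general; 29 mod 16 = 13 here)
console.log(diffieHellman(17, 3, 29, 5)); // both shared values are 3n
```

Because 3 has order 16 modulo 17, exponents 29 and 13 give the same public value, which is why the brute-force search stops at 13; with a real-sized prime the search space is what makes Eve's job hard, not any cleverness on Marc's or Stefan's part.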
USE SSL (TLS) TO FIX MITM
HACKING SITES WITH SVG FILTERS
var lastTime = 0;
function loop(time) {
  var delay = time - lastTime;        // milliseconds since the previous frame
  var fps = 1000 / delay;
  console.log(delay + ' ms' + ' fps: ' + fps);
  updateAnimation();                  // the page's own animation step (not shown on the slide)
  requestAnimationFrame(loop);
  lastTime = time;
}
requestAnimationFrame(loop);
TIMING ATTACK
<filter id="threshold" color-interpolation-filters="sRGB">
  <feColorMatrix type="matrix"
    values="0.333 0.333 0.333 0 -.16
            0.333 0.333 0.333 0 -.16
            0.333 0.333 0.333 0 -.16
            0 0 0 0 1" />
  <feComponentTransfer>
    <feFuncR type="discrete" tableValues="1 0" />
    <feFuncG type="discrete" tableValues="1 0" />
    <feFuncB type="discrete" tableValues="1 0" />
  </feComponentTransfer>
</filter>
TIMING ATTACK

<iframe src="view-source:http://example.com#line77"></iframe>
Source: http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf
X-FRAME-OPTIONS: SAMEORIGIN
DEMO 2
The non-WiFi version
YOU CAN STRIP SSL EASILY
I BUILT A SCARY APP
- sslstrip
- arpspoof
- css3 3d transforms
- node.js
- websockets
- lasers (spelt the british way)
HTTP Strict Transport Security (HSTS)

Strict-Transport-Security: max-age=63072000

response.headers['Strict-Transport-Security'] = 'max-age=63072000'

header("Strict-Transport-Security: max-age=63072000");
RECAP

PROBLEM: HTTP sucks.      SOLUTION: Use SSL (TLS) or a VPN!
PROBLEM: SSL sucks!       SOLUTION: Use HSTS headers.
PROBLEM: IFRAMES suck.    SOLUTION: Use X-FRAME-OPTIONS: SAMEORIGIN.
THANK YOU!
@MrRio (me)   @parallax (my company)