© 2010 Cisco and/or its affiliates. All rights reserved. 1
(Early) Web Security: Mind The Gap
Mary Ellen Zurko (aka Mez)
Mind the Gap – Authentication
• Authentication means password/secret management
• A secret is something you tell to one person at a time
• It’s not turtles all the way down
Story break: Always tell (the customer) the truth
• Lesson: Defense in depth matters
• Themes:
  – Passwords – users vs system parts
  – Web server and files
  – Compliance
It’s 1992. You’re Tim Berners-Lee. What security do you put in your World Wide Web proposal?
(Basic) Authentication
• Security the way Tim intended
• Server says: WWW-Authenticate: Basic realm="insert realm"
• User prompted for their password
• Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
  – User agent remembers and sends for that domain/realm
(Basic) Authentication Issues
• Every site does their own authentication
  – No Single Sign On
  – Password proliferation
• Password unprotected
  – Encoding is not encrypting
• Who’s asking you for your password?
  – For what?
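The two headers on the slides above, worked through in code. This is an added example, not part of the talk or any Cisco code: it models the challenge/response round trip of Basic authentication and shows that the Authorization value is a plain reversible encoding. The realm string and the base64 value are the ones on the slide; the decoded username and password simply fall out of that value. The header names and the regular expressions are mine.

```python
import base64
import re
from typing import Optional, Tuple

# Constructed sample exchange; both header values are the ones on the slide above.
CHALLENGE = 'WWW-Authenticate: Basic realm="insert realm"'
RESPONSE = "Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4="


def parse_realm(www_authenticate: str) -> Optional[str]:
    """Extract the realm from a Basic challenge. The user agent keys the
    credentials it remembers on (host, realm), so the realm is the unit of
    password reuse inside one site."""
    m = re.search(r'Basic\s+realm="([^"]*)"', www_authenticate)
    return m.group(1) if m else None


def build_basic_authorization(username: str, password: str) -> str:
    """What the client sends back: base64("user:password"). The username may
    not contain ':' because the colon is the only separator."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def parse_basic_authorization(header: str) -> Tuple[str, str]:
    """Invert the encoding. No key is involved, so anyone who can read the
    header (a proxy, a web server log, a network tap) recovers the password
    exactly: encoding is not encrypting."""
    m = re.match(r"\s*(?:Authorization:\s*)?Basic\s+([A-Za-z0-9+/=]+)\s*$", header)
    if not m:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: no ':' separator")
    return user, password


if __name__ == "__main__":
    print(parse_realm(CHALLENGE))
    print(parse_basic_authorization(RESPONSE))  # the password is right there
```

Running the script prints the realm and then the (username, password) pair recovered from the slide's own header value. The only thing standing between that header and an eavesdropper is whatever transport carries it, which is the gap the later slides on Digest and HTTPS address.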
Mind the Gap – Encryption
• There’s Encryption; it’s Secure!
• Encryption is to Security as Caching is to Performance
• Trust, Trustworthy, and Trust for What?
• Who vouches for the information on this web page?
Encryption – What Is It Good For?
• Confidentiality
  – Requiring brute force guessing
  – Two flavors – reversible and not
• Authentication
  – Proof of a secret/key
• Integrity (Tamper Detection)
  – Blind changes are recognized
  – Splicing attacks
• Replay detection
It’s 1994. You want to protect passwords on the web. How do you do it?
Digest Authentication
• Hash the password
• With the username and realm
  – Defense against Rainbow Tables
• Nonces for replay protection
• No passing the password itself in the protocol
• No need to store the password in the clear
  – Store it hashed with the username and realm
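The five bullets above, as one working exchange. This is an added example and not code from the talk: it implements the RFC 2617 Digest computation (H(A1) = MD5(username:realm:password), H(A2) = MD5(method:uri), response = MD5(H(A1):nonce:nc:cnonce:qop:H(A2)) with qop=auth) on both the client and the server side, stores only H(A1) on the server, and rejects a replayed (nonce, nc) pair. The realm, usernames and passwords are constructed; the class and function names are mine.

```python
import hashlib
import secrets
from typing import Dict, Set, Tuple

# Constructed values for this example; nothing here comes from a real deployment.
REALM = "example.org"


def md5hex(s: str) -> str:
    # Digest as specified in RFC 2617 uses MD5; the construction, not the hash, is the point.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password). The username and realm act as a
    salt: a precomputed table of MD5(password) is useless, and two users with
    the same password are stored as different values."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """The 'response' field for qop=auth. Only hashes cross the wire, and the
    server nonce binds the value to one challenge."""
    h_a2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


class DigestServer:
    """Stores H(A1) per user instead of the password, issues fresh nonces, and
    refuses a (nonce, nc) pair it has already accepted (replay detection)."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.users: Dict[str, str] = {}          # username -> H(A1)
        self.issued: Set[str] = set()            # nonces handed out in challenges
        self.seen: Set[Tuple[str, str]] = set()  # (nonce, nc) pairs already used

    def enroll(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)  # password not kept

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        h_a1 = self.users.get(username)
        if h_a1 is None or nonce not in self.issued:
            return False
        if (nonce, nc) in self.seen:
            return False  # a captured request replayed verbatim
        expected = digest_response(h_a1, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True


def client_authenticate(server: DigestServer, username: str, password: str,
                        method: str, uri: str, nc: str = "00000001") -> dict:
    """Client side of one round trip: take the challenge, hash locally, send
    the fields the server needs. The password never leaves this function."""
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    response = digest_response(ha1(username, server.realm, password),
                               method, uri, nonce, nc, cnonce)
    return {"username": username, "method": method, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "response": response}


if __name__ == "__main__":
    srv = DigestServer(REALM)
    srv.enroll("alice", "correct horse")
    req = client_authenticate(srv, "alice", "correct horse", "GET", "/private")
    print(srv.verify(**req), srv.verify(**req))  # True, then False (replay)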
Digest Authentication Issues
• The world is no longer a clean slate
  – Needs both browser support and server support to work
  – The protocol for negotiating mutual support allows a Man in the Middle to spoof lack of support
  – Gets the password anyway
  – Lesson: Deployment/rollout of client and server software is hard
• Three tier architectures
  – Calling a back end service as the user
  – Sometimes you need that password to propagate the user authentication to some system type not supporting Digest
• Why put in the resources to support this? No attacks in the wild, no high value web site interactions
It’s 1994. You want to protect the content in web pages. How do you do it?
We Need Encryption! S-HTTP:
• Encryption of the HTML document
  – Page data and submitted data – not the headers
  – Specific URL moved into encrypted portion
• Headers defined to specify type of encryption, type of key management, nonces
  – Supports pre-arranged keys, public/private keys, PGP, etc.
  – Server and client negotiate which enhancements they’ll use
• Flexible
• End to end (resists Man in the Middle)
Why Didn’t S-HTTP Take Over The World?
• End to end protection meant client side deployment of secrets
  – A challenge still not overcome today
  – Scale of client deployment much larger than server deployment
  – End user had to interact with secret for web pages
  – Lesson: Deployment at user/file scale is beyond hard
• Flexible framework meant (too) many choices for deployment
  – Which type of secrets do which users have?
  – Which type of secrets do which web pages require?
SSL/TLS – HTTPS:
• Encryption! Authentication! Security!
• Network protocol that wraps HTTP
• Encryption of the tunnel for confidentiality and tamper detection
• Authentication of the server using public key certificate
• Authentication of the client using public key certificate is an option
SSL/TLS Issues
• What does it mean that the web site is authenticated?
• My browser has 214 “System Roots”. They’re all trusted to issue web site certificates. What are they trusted to do?
  – Associate the public key with the information in the certificate
• What does it mean if a server has a self signed certificate?
  – Users learn to ignore warnings
• What identity is required of the server and why?
  – Why we need the server to authenticate itself has changed since 1994
• Lesson: What happens when there are errors?
It’s 2012: Which of these domains are not owned by Citibank?
• Citigroup.com
• Citibank.com
• Cititigroup.com
• Citigroup.de
• Citibank.co.uk
• Citigroup.org
• Thisiscitigroup.org
• Citibank.info
• Citicards.com
• Citicreditcards.com
• Citibank-cards.us
• Citimoney.com
• Citigold.net
• Citigrøup.org
How about tying web site authentication to the owning organization?
• Extended Validation Certificates
• Extra validation happens to tie a legal entity to a domain name
  – They cost more
• Browsers provide an indication that the authentication of the server is particularly good
What do users do when web site authentication fails?
• The Emperor’s New Security Indicators
• Lab study of bank customers (67)
• Removed HTTPS indicators – “https” in address bar and lock icon in bottom right
  – 0 withheld password
• Removed the customer selected site-authentication image
  – 23 of 25 using their own accounts entered their password
  – As well as all 36 role playing
• Role playing participants behaved significantly less securely
  – About half were security primed
It’s 1997. What does web site authentication mean when it’s no longer static content created by the site developers?
Mind the Gap – Web Programming
• Who put the D in DHTML?
  – Dynamic HTML introduced in IE 4.0 in 1997
• Security Principle: Data and Code should not mix
  – Code is dangerous. Data is not.
  – Speech vs action
Is It Safe?
• Who vouches for the code on this web site?
  – Javascript
  – Sandbox + same origin policy
• Web mail
  – Earliest web application serving data in pages not created by web site developers
  – Cross site scripting (XSS)
• Response - HTML escaping of any data
  – Where are my bold text and dancing pigs?
• Next steps: Whitelist vs Blacklist
  – What are the tradeoffs?
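The two responses on the slide, escaping all data and then letting a whitelist of harmless markup through so the bold text and dancing pigs come back, written out as code. This is an added example, not from the talk: it uses Python's standard html and html.parser modules, the tag whitelist is a constructed one, and the script tag and event-handler attribute in the sample inputs are placeholders to show what each approach keeps and what it neutralises. The blacklist function at the end is there for the tradeoff question: it removes the one tag it knows about and passes everything else, attributes included, straight through.

```python
import html
import re
from html.parser import HTMLParser
from typing import List

# Constructed whitelist: just enough markup for "bold text and dancing pigs",
# and no attributes at all (so no event handlers, no href, no src).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}


def escape_everything(data: str) -> str:
    """The first response on the slide: treat all user data as text."""
    return html.escape(data)


class WhitelistSanitizer(HTMLParser):
    """Re-emit only whitelisted tags, with no attributes; everything else,
    including the tag text itself, is escaped and so renders as literal text.
    Comments, declarations and processing instructions fall through to the
    base class handlers, which drop them."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.open_tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")          # attributes deliberately dropped
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(html.escape(f"</{tag}>"))
        elif tag in self.open_tags:
            while self.open_tags:                # close anything still open inside it
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        # a stray end tag for an allowed element is simply dropped

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        for t in reversed(self.open_tags):       # balance whatever the author left open
            self.out.append(f"</{t}>")
        self.open_tags.clear()
        return "".join(self.out)


def whitelist_sanitize(fragment: str) -> str:
    p = WhitelistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


# The blacklist alternative: remove the one tag we know is bad, pass the rest through.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def blacklist_strip(fragment: str) -> str:
    return SCRIPT_TAG.sub("", fragment)
```

The tradeoff shows up in the two sample inputs: the whitelist turns a script tag into visible text and silently strips an attribute from an allowed tag, at the cost of refusing any markup nobody thought to list; the blacklist keeps every feature the author used, including the attribute it never looked at. A whitelist fails closed, a blacklist fails open, and the list of things a blacklist has to know about keeps growing.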
Story break: There are always bugs
• Major technical university’s web site
• Cross Site Scripting (XSS)
  – Every link modified to redirect through proxy
  – Links to other web sites (e.g. LinkedIn, Facebook)
• Insecure Direct Object Reference
  – Walk the OS file system
• Lesson: Developers are (fallible) people too
It’s 2007 – there are Mobile Applications
• Is It Safe?
  – What responsibility is assumed to be the user’s?
  – Who can the user rely on?
  – How much control can the user have?
  – Are users any good at making these decisions?
• Different mobile platforms make different choices
  – Control of the lifecycle
  – Control of the store
  – Code signing
  – Installation time permissions
Android Permissions: User Attention, Comprehension, and Behavior (2012)
• 17% of participants paid attention to permissions during installation (self reported and lab experiment)
  – 42% aware permissions exist but do not always consider them
• 3% of Internet survey respondents could correctly answer all three permission comprehension questions
  – 53% of the answers contain at least one correct choice
• READ_CALENDAR – 46% correct
• READ_PHONE_STATE – 4.7% correct
Is It Safe?
• Who vouches for the code on this web site?
  – Javascript
  – Sandbox + same origin policy
  – Java
  – Permissions
  – “Should this code access your file system, the network?”
• Web mail
  – Cross site scripting (XSS)
• HTML escaping of any data
  – Where are my bold text and dancing pigs?
  – Whitelist vs Blacklist