© 2010 Cisco and/or its affiliates. All rights reserved. 1

(Early) Web Security: Mind The Gap

Mary Ellen Zurko (aka Mez)

[email protected]


Web Security

What do you think of?


Mind the Gap – Authentication

• Authentication means password/secret management

• A secret is something you tell to one person at a time

• It’s not turtles all the way down


Story break: Always tell (the customer) the truth

• Lesson: Defense in depth matters

• Themes:
  Passwords – users vs system parts
  Web server and files
  Compliance


It’s 1992. You’re Tim Berners-Lee. What security do you put in your World Wide Web proposal?


(Basic) Authentication

• Security the way Tim intended

• Server says: WWW-Authenticate: Basic realm="insert realm"

• User prompted for their password

• Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
  User agent remembers and sends for that domain/realm


(Basic) Authentication Issues

• Every site does their own authentication
  No Single Sign On
  Password proliferation

• Password unprotected
  Encoding is not encrypting

• Who’s asking you for your password?
  For what?


Mind the Gap – Encryption

• There’s Encryption; it’s Secure!

• Encryption is to Security as Caching is to Performance

• Trust, Trustworthy, and Trust for What?

• Who vouches for the information on this web page?


Encryption – What Is It Good For?

• Confidentiality
  Requiring brute force guessing
  Two flavors – reversible and not

• Authentication
  Proof of a secret/key

• Integrity (Tamper Detection)
  Blind changes are recognized
  Splicing attacks

• Replay detection


It’s 1994. You want to protect passwords on the web. How do you do it?


Digest Authentication

• Hash the password

• With the username and realm
  Defense against Rainbow Tables

• Nonces for replay protection

• No passing the password itself in the protocol

• No need to store the password in the clear
  Store it hashed with the username and realm
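The two schemes from the Basic and Digest slides side by side, as an added example that is not part of the deck. It assumes constructed credentials and the RFC 2617 digest without qop: the Basic header decodes straight to the password, while the Digest server keeps only H(username:realm:password), checks the response against it, and refuses a nonce the second time it is presented.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo credentials (an assumption, not values from the slides).
REALM, USERNAME, PASSWORD = "example realm", "Aladin", "sesam open"

def basic_credentials(header_value: str) -> tuple:
    # Basic: base64(user:password). Encoding is not encrypting; anyone on the path reads it.
    user, _, password = base64.b64decode(header_value.split()[1]).decode().partition(":")
    return user, password
def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()
def ha1(username: str, realm: str, password: str) -> str:
    # H(username:realm:password): all the server keeps, tied to this user and realm.
    return md5_hex(f"{username}:{realm}:{password}")
def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response without qop: H(HA1:nonce:HA2), with HA2 = H(method:uri).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{ha2}")

class DigestServer:
    def __init__(self) -> None:
        self.users = {USERNAME: ha1(USERNAME, REALM, PASSWORD)}  # no clear-text passwords
        self.live_nonces: set = set()                           # issued, not yet consumed
    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce
    def verify(self, username: str, nonce: str, method: str, uri: str, response: str) -> bool:
        if nonce not in self.live_nonces:
            return False                    # unknown or already used: a replay is rejected
        self.live_nonces.discard(nonce)     # each nonce is good for exactly one request
        stored = self.users.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(response, digest_response(stored, nonce, method, uri))

def client_authorize(nonce: str, method: str, uri: str) -> str:
    # The client recomputes HA1 from the typed password; the password never goes on the wire.
    return digest_response(ha1(USERNAME, REALM, PASSWORD), nonce, method, uri)

def demo() -> tuple:
    server = DigestServer()
    nonce = server.challenge()
    response = client_authorize(nonce, "GET", "/secret")
    first = server.verify(USERNAME, nonce, "GET", "/secret", response)
    replay = server.verify(USERNAME, nonce, "GET", "/secret", response)
    return first, replay   # (True, False)
```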


Digest Authentication Issues

• The world is no longer a clean slate
  Needs both browser support and server support to work
  The protocol for negotiating mutual support allows a Man in the Middle to spoof lack of support
  Gets the password anyway
  Lesson: Deployment/rollout of client and server software is hard

• Three tier architectures
  Calling a back end service as the user
  Sometimes you need that password to propagate the user authentication to some system type not supporting Digest

• Why put in the resources to support this? No attacks in the wild, no high value web site interactions


It’s 1994. You want to protect the content in web pages. How do you do it?


We Need Encryption! S-HTTP:

• Encryption of the HTML document
  Page data and submitted data – not the headers
  Specific URL moved into encrypted portion

• Headers defined to specify type of encryption, type of key management, nonces
  Supports pre arranged keys, public/private keys, PGP, etc.
  Server and client negotiate which enhancements they’ll use

• Flexible

• End to end (resists Man in the Middle)


Why Didn’t S-HTTP Take Over The World?

• End to end protection meant client side deployment of secrets
  A challenge still not overcome today
  Scale of client deployment much larger than server deployment
  End user had to interact with secret for web pages
  Lesson: Deployment at user/file scale is beyond hard

• Flexible framework meant (too) many choices for deployment
  Which type of secrets do which users have?
  Which type of secrets do which web pages require?


SSL/TLS – HTTPS:

• Encryption! Authentication! Security!

• Network protocol that wraps HTTP

• Encryption of the tunnel for confidentiality and tamper detection

• Authentication of the server using public key certificate

• Authentication of the client using public key certificate is an option


SSL/TLS Issues

• What does it mean that the web site is authenticated?

• My browser has 214 “System Roots”. They’re all trusted to issue web site certificates. What are they trusted to do?
  Associate the public key with the information in the certificate

• What does it mean if a server has a self signed certificate?
  Users learn to ignore warnings

• What identity is required of the server and why?
  Why we need the server to authenticate itself has changed since 1994

• Lesson: What happens when there are errors?


It’s 2012: Which of these domains are not owned by Citibank?

• Citigroup.com

• Citibank.com

• Cititigroup.com

• Citigroup.de

• Citibank.co.uk

• Citigroup.org

• Thisiscitigroup.org

• Citibank.info

• Citicards.com

• Citicreditcards.com

• Citibank-cards.us

• Citimoney.com

• Citigold.net

• Citigrøup.org
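One defender-side check the last entry in that list calls for, as an added example that is not from the deck: flag labels that contain non-ASCII characters, record the punycode form a browser actually resolves, and fold look-alike characters to a skeleton before comparing with the brand's names. The confusables table, the brand labels and the candidate list are constructed assumptions; typo variants such as "Cititigroup" are deliberately out of scope here.

```python
import unicodedata

# Constructed, deliberately tiny confusables table (an assumption; a real deployment would
# load the Unicode confusables data). Maps look-alike characters to an ASCII stand-in.
CONFUSABLES = {"ø": "o", "о": "o", "е": "e", "а": "a", "ı": "i", "ӏ": "l"}

def skeleton(label: str) -> str:
    # Strip accents and fold known look-alikes so "citigrøup" compares as "citigroup".
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def to_ascii(domain: str) -> str:
    # The punycode (xn--) form is what a browser resolves and what logs should record.
    return domain.lower().encode("idna").decode("ascii")

def classify(domain: str, brand_labels: set) -> dict:
    labels = domain.lower().split(".")
    findings = []
    for label in labels[:-1]:                      # the public suffix is not a look-alike signal
        if not label.isascii():
            findings.append(f"non-ASCII label {label!r} resolves as {to_ascii(label)!r}")
        if label not in brand_labels and skeleton(label) in brand_labels:
            findings.append(f"look-alike of {skeleton(label)!r}")
    return {"domain": domain, "ascii_form": to_ascii(domain), "findings": findings}

# Assumed brand labels and a subset of the slide's candidates (constructed for the demo).
BRAND_LABELS = {"citigroup", "citibank"}
CANDIDATES = ["Citigroup.com", "Citibank.co.uk", "Citigrøup.org", "Cititigroup.com"]

def flagged(domains=CANDIDATES) -> list:
    # Only domains with at least one finding. "cititigroup" carries none here; catching
    # typo variants needs an edit-distance check, not a character-confusables check.
    return [d for d in domains if classify(d, BRAND_LABELS)["findings"]]
```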


Story: Are warnings meaningful?


How about tying web site authentication to the owning organization?

• Extended Validation Certificates

• Extra validation happens to tie a legal entity to a domain name
  They cost more

• Browsers provide an indication that the authentication of the server is particularly good


Extended Validation Certificates


What do users do when web site authentication fails?

• The Emperor’s New Security Indicators

• Lab study of bank customers (67)

• Removed HTTPS indicators – “https” in address bar and lock icon in bottom right
  0 withheld password

• Removed the customer selected site-authentication image
  23 of 25 using their own accounts entered their password
  As well as all 36 role playing

• Role playing participants behaved significantly less securely
  About half were security primed


It’s 1997. What does web site authentication mean when it’s no longer static content created by the site developers?


Mind the Gap – Web Programming

• Who put the D in DHTML? Dynamic HTML introduced in IE 4.0 in 1997

• Security Principle: Data and Code should not mix
  Code is dangerous. Data is not.
  Speech vs action


Is It Safe?

• Who vouches for the code on this web site?
  Javascript
  Sandbox + same origin policy

• Web mail
  Earliest web application serving data in pages not created by web site developers
  Cross site scripting (XSS)

• Response - HTML escaping of any data
  Where are my bold text and dancing pigs?

• Next steps: Whitelist vs Blacklist
  What are the tradeoffs?
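The two responses on the slide in code, as an added example that is not from the deck: escaping every character of the data (safe, and the bold text is gone), and a whitelist sanitizer that keeps a few formatting tags with no attributes, escapes all text, and closes any tag the message left open so it cannot spill into the rest of the page. The untrusted message is constructed; the allowed-tag set is an assumption.

```python
import html
from html.parser import HTMLParser

# Constructed untrusted input, the kind a web-mail page would render (an assumption).
UNTRUSTED = 'Hi <b>there</b> <script>alert(1)</script> <a href="javascript:alert(1)">link</a>'

def escape_all(data: str) -> str:
    # The first response on the slide: escape every data character. Safe, and no bold text.
    return html.escape(data, quote=True)

class WhitelistSanitizer(HTMLParser):
    # Whitelist: only these tags survive, and never with attributes. Anything not listed
    # is dropped, which is the tradeoff: no dancing pigs unless you list them explicitly.
    ALLOWED = {"b", "i", "em", "strong"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []
        self.open_tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag in self.ALLOWED:               # attributes (href, onclick, ...) are discarded
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag) -> None:
        if tag in self.open_tags:             # close back down to the matching open tag
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data) -> None:
        self.out.append(html.escape(data, quote=True))  # text is always escaped

    def result(self) -> str:
        self.close()
        while self.open_tags:                 # an unclosed allowed tag cannot leak out of the message
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize_whitelist(data: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(data)
    return parser.result()
```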


Story break: There are always bugs

• Major technical university’s web site

• Cross Site Scripting (XSS)
  Every link modified to redirect through proxy
  Links to other web sites (e.g. LinkedIn, Facebook)

• Insecure Direct Object Reference
  Walk the OS file system

• Lesson: Developers are (fallible) people too


It’s 2007 – there are Mobile Applications

• Is It Safe?
  What responsibility is assumed to be the user’s?
  Who can the user rely on?
  How much control can the user have?
  Are users any good at making these decisions?

• Different mobile platforms make different choices
  Control of the lifecycle
  Control of the store
  Code signing
  Installation time permissions


Android Permissions: User Attention, Comprehension, and Behavior (2012)

• 17% of participants paid attention to permissions during installation (self reported and lab experiment)
  42% aware permissions exist but do not always consider them

• 3% of Internet survey respondents could correctly answer all three permission comprehension questions
  53% of the answers contain at least one correct choice

• READ_CALENDAR – 46% correct

• READ_PHONE_STATE – 4.7% correct

Thank you.

Mary Ellen [email protected]

Questions? Comments? Brickbats?


Is It Safe?

• Who vouches for the code on this web site?
  Javascript
  Sandbox + same origin policy
  Java
  Permissions
  “Should this code access your file system, the network?”

• Web mail
  Cross site scripting (XSS)

• HTML escaping of any data
  Where are my bold text and dancing pigs?
  Whitelist vs Blacklist