Web Security http://localhost:8080/wink/wiki/2015/WebSecurity#1
1 of 105 2/23/15, 1:54 PM
Web Security
Brian Sletten (@bsletten)
02/23/2015

2015 Greater Wisconsin Software Symposium
March 13-14 (Two day event)
Early bird discount ends 2/23
JUG Discount: $50 off use the promo code: nfjsusergroup50
http://nofluffjuststuff.com

Speaker Qualifications
· Specialize in next-generation technologies
· Author of 'Resource-Oriented Architecture Patterns for Webs of Data'
· Speaks internationally about REST, Semantic Web, Data Science, Security, Visualization, Architecture
· Worked in Defense, Finance, Retail, Hospitality, Video Game, Health Care, Telecommunications and Publishing Industries
· International Pop Recording Artist

Agenda
· Introduction
· Security Engineering
· Software Security
· Web Security
· Books

Introduction
The Ones You've Heard Of...
· TJ Maxx
· Target
· Michaels
· KMart
· Home Depot
· JP Morgan

And...
· http://hackmageddon.com/2012-cyber-attacks-timeline-master-index/
· http://hackmageddon.com/2013-cyber-attacks-timeline-master-index/
· http://hackmageddon.com/2014-cyber-attacks-timeline-master-index/
· https://paulsparrows.files.wordpress.com/2012/01/january-2012-cyber-attacks-timeline-part-1.png
· https://paulsparrows.files.wordpress.com/2012/01/middle-east-cyber-war-timeline1.png
· https://paulsparrows.files.wordpress.com/2012/02/february-2012-cyber-attacks-timeline-part-i.png

Credit: http://xkcd.com/936
“Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
http://xkcd.com/936/

“Choose a password you can't remember, and don't write it down.”
Ross J. Anderson

A name...
· ...is a name
· ...is a name
· ...is a name
· ...is an attack vector

Where Does This Go?
http://example.com&gibberish=1234@167772161
http://10.0.0.1

Do the Math!
http://example.com&gibberish=1234@167772161
String: 10.0.0.1
Binary: 00001010 . 00000000 . 00000000 . 00000001
Integer: 167772161
(10 * 16777216) + (0 * 65536) + (0 * 256) + (1 * 1) = 167772161

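An added example (not part of the original slides): a link audit in Python that does the arithmetic from the "Do the Math!" slide and reports the host a URL actually names, ignoring whatever sits before the "@". It goes beyond the slide's decimal case by also normalizing the other inet_aton-style spellings (hex, octal, fewer than four parts); the function names `legacy_ipv4` and `audit_link` are made up for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One address part: hex with 0x prefix, or a run of digits (octal if it has a leading 0).
_PART = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def legacy_ipv4(host):
    """Return dotted-quad text if host is an inet_aton-style IPv4 spelling, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for part in parts:
        if not _PART.fullmatch(part):
            return None
        if part[:2].lower() == "0x":
            base = 16
        elif len(part) > 1 and part[0] == "0":
            base = 8
        else:
            base = 10
        try:
            nums.append(int(part, base))
        except ValueError:          # e.g. "09" is not valid octal
            return None
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def audit_link(url):
    """Report what a link really points at and why it deserves a second look."""
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = parts.hostname or ""
    ip = legacy_ipv4(host)
    findings = []
    if at:                          # text before "@" is credentials, not the site
        findings.append("userinfo-before-host")
    if ip is not None and ip != host:
        findings.append("non-canonical-ipv4")
    return {"userinfo": userinfo, "host": host,
            "connects_to": ip or host, "findings": findings}

if __name__ == "__main__":
    # The URL from the slide, followed by its plain form.
    for link in ("http://example.com&gibberish=1234@167772161", "http://10.0.0.1"):
        print(link, "->", audit_link(link))
```
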
How About?
http://example.com\@coredump.cx
In Firefox, http://coredump.cx

Or Maybe...
http://example.com;.coredump.cx
In IE, http://coredump.cx
Safari, it's an error.
Others, http://example.com/;.coredump.cx

“The web is an information space. When you explore it, you don't end up buying stuff, agreeing to anything, or - in this case, losing your domain name...”
Tim Berners-Lee

From: <[email protected]>
Date: Fri Apr 11, 2003 19:31:28 US/Eastern
To: [email protected]: Confirm Domain Transfer

A Transfer Request was submitted for the following domains.
Click on the following link to confirm the domain transfer request for these domains.

https://secure.registerapi.com/order/trx/confirm.php?id=cesO...

Your Transfer Request Code IS: ces[...]cbI
https://secure.registerapi.com/order/trx/confirm.php

Domains:
WWW.ORG

If you did not request the transfer of these domains then DO NOT click on the above links. By not clicking you are preventing a domain registrar transfer from taking place.

Thank you,
The Automated Domain Transfer System

Cross Site Request Forgery (CSRF)
http://bank.example.com/withdraw?acct=Bob&amt=1000000&for=Fred
<img src="http://bank.example.com/withdraw?acct=Bob&amt=1000000&for=Fred"/>

Role-Based Access Control
<security-constraint>
  <web-resource-collection>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

Security Engineering
“If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.”
Richard Clarke, former U.S. Cybersecurity Czar

“The main objective of secure system design is to make breaking the system more costly than the value of the protected assets, where the 'cost' should be measured in monetary value but also in more abstract terms such as effort or reputation.”
Christof Paar and Jan Pelzl
Understanding Cryptography: A Textbook for Students and Practitioners

“Security Engineering...is about building systems to remain dependable in the face of malice, error, or mischance.”
Ross J. Anderson

“Whoever thinks his problem can be solved using cryptography, doesn't understand his problem and doesn't understand cryptography.”
Roger Needham/Butler Lampson

Vulnerability + Threat = Potential Security Breach
“Indeed protocol vulnerabilities usually give rise to more, and simpler, attacks than cryptographic weaknesses do.”
Ross J. Anderson

Systems Fail...
· People protect the wrong things
· Protect the right things the wrong way

“There is all too often a cultural and physical separation between the software development staff and the information security staff in large enterprises.”
van Wyk, Graff, Peters and Burley
Enterprise Software Security: A Confluence of Disciplines

Incentive Mismatch
· Policy makers don't have to live with the results
· Policy makers don't suffer when things fail
· Have political or CYA incentives

TSA
· 14.7 billion (USD) on aggressive passenger screening
· 100 million (USD) reinforcing cockpit doors
· We seem to be reverting w/ TSA Pre

“Strictly speaking, strengthening anything but the weakest link is useless.”
Bruce Schneier

Defense in Depth
· Strengthen potentially weakest links
· Strengthen multiple potential weakest links
· Failure of one may be blocked by success of another

Time Favors the Attacker
· We design systems today that must survive in the future
· They need to find a single flaw, we must protect against all of them

Word Stew
· Secrecy
· Privacy
· Confidentiality
· Integrity
· Authenticity

“Only amateurs attack machines; professionals target people.”
Bruce Schneier

Software Security
“Software security... is not security software.”
Gary McGraw

“Software security... the idea of engineering software so that it continues to function correctly under malicious attack.”
Gary McGraw

Problem is Getting Worse
· Connectivity
· Extensibility
· Complexity

Bugs vs Flaws
· Bugs: Implementation issue
· Flaws: Design problem
· Roughly 50/50
· Need to address both

“Security is an emergent property of your system.”
Gary McGraw

Approach
· Risk Management
· Touchpoints
· Knowledge

[Figure, built up over four slides: security activities overlaid on the software development lifecycle. Lifecycle artifacts: Requirements and Use Cases; Architecture and Design; Test Plans; Code; Tests and Test Results; Feedback from Deployed Systems. Activities: Abuse Cases; Security Requirements; Risk Analysis (shown twice); External Review; Risk-based Security Tests; Code Review; Penetration Testing; Security Operations. The last build numbers the activities 1 through 7.]

Credit: http://bsimm.com
“[threat modeling] is the use of abstractions to aid in thinking about risks.”
Adam Shostack

Reasons to Threat Model
· Find Security Bugs Early
· Understand Your Security Requirements
· Improved Quality
· Address Issues Other Techniques Won't

STRIDE
· Spoofing
· Tampering
· Repudiation
· Information Disclosure
· Denial of Service
· Elevation of Privilege

Web Security
Web Security
· Identity
· Authentication
· Authorization
· Protected Channels
· Non-Repudiation

Same Origin Policy
· Scheme
· Host
· Port

JSONP
<script type="application/javascript" src="http://server2.bosatsu.net/order/id/16234?jsonp=updateOrder"></script>

updateOrder({"Order" : "16234", "Status" : "Shipped"});

CORS
// 1. Origin Header from browser to http://server2.bosatsu.net
Origin: http://server1.bosatsu.net

// 2. Response from http://server2.bosatsu.net
Access-Control-Allow-Origin: http://server1.bosatsu.net

JSONP vs CORS
· Prefer CORS, but JSONP works w/ older browsers
· JSONP is GET only
· CORS involves the browser

TLS/SSL
· Encryption
· Party Identification
· CipherSuite selection
· Certificate management
· HMAC
· Protection against downgrade

HTTP Basic Auth
GET /dir/index.html HTTP/1.1
Host: localhost

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="report"

HTTP Basic Auth
GET /dir/index.html HTTP/1.1
Host: localhost
Authorization: Basic c2NvdHQ6dGlnZXI=

HTTP/1.1 200 OK
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984

Base64 != Encryption
Base64Decode(c2NvdHQ6dGlnZXI=) ====> scott:tiger

HTTP Digest
# qop = auth or not-specified
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2) or
response = MD5(HA1:nonce:HA2)

# qop = auth-int
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI:MD5(entityBody))
response = MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)

HTTP Digest
GET /dir/index.html HTTP/1.1
Host: localhost

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="[email protected]",
    qop="auth,auth-int",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"

HTTP Digest
GET /dir/index.html HTTP/1.1
Host: localhost
Authorization: Digest username="Mufasa",
    realm="[email protected]",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    uri="/dir/index.html",
    qop=auth,
    nc=00000001,
    cnonce="0a4f113b",
    response="6629fae49393a05397450978507c4ef1",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"

HTTP/1.1 200 OK
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984

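An added example, not from the slides: the qop=auth, auth-int and no-qop formulas from the HTTP Digest slides above written out in Python, with a server-side check that recomputes the response and refuses an unknown nonce or a reused nonce count. The realm, user, password and the `DigestVerifier` class are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, body=b""):
    """Compute the Digest 'response' value from the formulas on the slide."""
    ha1 = md5_hex(f"{username}:{realm}:{password}".encode())
    if qop == "auth-int":           # auth-int also binds the entity body
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}".encode())
    else:
        ha2 = md5_hex(f"{method}:{uri}".encode())
    if qop in ("auth", "auth-int"):
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())
    return md5_hex(f"{ha1}:{nonce}:{ha2}".encode())    # qop not specified

class DigestVerifier:
    """Server side: recompute the response and refuse replays."""
    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords  # username -> password (constructed data)
        self.last_nc = {}           # issued nonce -> highest nonce count accepted

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def check(self, method, request_uri, fields, body=b""):
        """fields: the parsed parameters of an Authorization: Digest header."""
        password = self.passwords.get(fields.get("username"))
        nonce = fields.get("nonce")
        if password is None or nonce not in self.last_nc:
            return False
        if fields.get("realm") != self.realm or fields.get("uri") != request_uri:
            return False
        expected = digest_response(fields["username"], self.realm, password,
                                   method, request_uri, nonce, fields.get("qop"),
                                   fields.get("nc"), fields.get("cnonce"), body)
        if not hmac.compare_digest(expected, fields.get("response", "")):
            return False
        if fields.get("qop"):       # nonce count must strictly increase
            nc = int(fields["nc"], 16)
            if nc <= self.last_nc[nonce]:
                return False
            self.last_nc[nonce] = nc
        return True

def demo():
    """Constructed exchange: one valid request, a replay, and a reused header."""
    server = DigestVerifier("example-realm", {"alice": "constructed-password"})
    nonce = server.issue_nonce()
    fields = {"username": "alice", "realm": "example-realm", "nonce": nonce,
              "uri": "/dir/index.html", "qop": "auth", "nc": "00000001",
              "cnonce": "0a4f113b"}
    fields["response"] = digest_response(
        "alice", "example-realm", "constructed-password", "GET",
        "/dir/index.html", nonce, "auth", "00000001", "0a4f113b")
    first = server.check("GET", "/dir/index.html", fields)
    replay = server.check("GET", "/dir/index.html", fields)
    reused = server.check("POST", "/dir/index.html", dict(fields, nc="00000002"))
    return first, replay, reused
```

The password never crosses the wire, but MD5(username:realm:password) is all a server needs to store and all an attacker needs to steal, so Digest still belongs behind TLS.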
OpenID
· Identity as a Service
· Stagnant adoption, concerns about UX issues
· Technology in search of a problem

OAuth 1.0A
· Resource management and two-legged approach
· Complicated by the signing of requests
· No requirement for TLS
· Fairly widely supported

OAuth 2.0
· Simplified Approach
· Different use cases
· Different profiles

Bearer Tokens
· OAuth Web Resource Authorization Profiles (WRAP)
· Requires TLS
· Certificate chain validation
· Support for MAC Access Authentication

Registration
· Requests tied to app
· Allows revocation w/o changing credentials
· Client receives client_id and client_secret
· Client specifies redirect_uri

OAuth 2.0 Roles
Credit: http://tutorials.jenkov.com/images/oauth2
GET /dir/index.html HTTP/1.1
Host: localhost
Authorization: Bearer fa3c.FAFDLKERE

GET /dir/index.html?access_token=fa3c.FAFDLKERE HTTP/1.1
Host: localhost

Client Profiles
· Server-side Web App
· Client-side Browser App
· Native Application

Server-Side Web App
Credit: http://tutorials.jenkov.com/images/oauth2
Authorization Code Authorization Flow
· Resource owner grants access and is returned to the redirect_uri w/ authorization code as a parameter
· Server exchanges code for access token w/ client_id and client_secret
· Allows long-lived access via refresh tokens
· Resource owner isn't given access to the tokens

Client-Side Web App
Credit: http://tutorials.jenkov.com/images/oauth2
Implicit Grant Authorization Flow
· Resource owner grants access
· Access token is returned via a fragment identifier
· Client parses the URLs and strips off the token to make requests
· No long-lived access via refresh tokens
· User agent has access to the application and API requests

Native App
Credit: http://tutorials.jenkov.com/images/oauth2
Resource Owner Password Grant Authorization Flow
· Resource owner grants access by exchanging credentials for access token
· Password only needed to establish access token
· Token is revokable and scoped to specific resources
· Requires trusted client

Client Credential Grant Authorization Flow
· Client credentials are pre-arranged and shared
· 'Two-legged' Flow

The Future
· OpenID Connect (http://openid.net/connect/)
· W3C Web Cryptography WG (http://www.w3.org/2012/webcrypto/)
· W3C Web Credentials CG (http://opencreds.org)
· Secure Messaging (https://web-payments.org/specs/source/secure-messaging/)

Books
Questions?
@bsletten
http://tinyurl.com/bjs-gplus
bsletten