How to tell if you're designing an insecure website
DESCRIPTION
A rambling talk about how the same things that make up effective design are misused to create effective phishing pages. Additionally, the browser UI and security controls focus on things that most people completely ignore. The idea of the presentation was to plant the seed of an idea: designers might be able to shape, and take the lead in, designing secure solutions meant for ordinary non-technical users if they start thinking about security as part of their deliverable. This can even be done by ensuring that the security team and designers collaborate on more projects together. The presentation makes a lot more sense with the accompanying video: http://hasgeek.tv/metarefresh/2013/497-how-to-tell-if-youre-designing-an-insecure-site
TRANSCRIPT
![Page 1: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/1.jpg)
Akash Mahajan at Meta Refresh 2013
HOW TO Tell if you're designing an insecure website
![Page 2: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/2.jpg)
HOW TO Tell if you're designing an insecure website
Hasgeek Doesn’t Allow How-tos As
Talks But I Got In !! :P
Does this bother you?
![Page 3: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/3.jpg)
Joke
![Page 4: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/4.jpg)
DISCLAIMER
Insecure Websites
Design and UI/UX
This is not a how-to, this is more like a series of thoughts
![Page 5: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/5.jpg)
Talking About Effective Design
Effective Design, UI or UX
![Page 6: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/6.jpg)
Can we say effective design is something that compels a user to do what the designer wanted?
![Page 7: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/7.jpg)
Gmail: A Great Example of Effective Design
![Page 8: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/8.jpg)
Phishing Attack or Effective Design
Close Look at our example
![Page 9: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/9.jpg)
Even closer look at our example
1. Favicon FTW
2. Bookmark link
![Page 10: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/10.jpg)
Phishing with a ph!
![Page 11: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/11.jpg)
Salient features of effective design
Assumptions – maybe based on data like heat maps etc.
Call to action – green button = go
Visual cues and logos to inspire trust
![Page 12: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/12.jpg)
Salient features of phishing
Most people don't notice what is in the address bar
People love to fill in login forms
![Page 13: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/13.jpg)
Address bar/URL can look like
scheme://[login[:password]@](host_name|host_address)[:port][/hierarchical/path/to/resource[?search_string][#fragment_id]]
From Browser Security Handbook: http://code.google.com/p/browsersec/wiki/Part1
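As an added example (not from the slides), the `login[:password]@` part of that syntax is exactly the piece phishers lean on: a link can begin with a trusted-looking name while the browser connects to whatever host follows the `@`. Python's `urllib.parse.urlsplit` stands in for the browser's URL parser here; the hostnames and the trusted set are constructed placeholders, not values from the talk.

```python
# Added example, not code from the talk: the userinfo trick in the URL syntax
# above. urlsplit() is used as a stand-in for the browser's parser; the
# hostnames below are constructed placeholders.
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"mail.example.com"}   # assumption: the site the user expects


def inspect_link(href):
    """Return where a link really goes and which name it is dressed up as."""
    parts = urlsplit(href)
    actual_host = (parts.hostname or "").lower()
    # Everything before '@' in the authority is login info, not the host.
    decoy = parts.username
    return {
        "scheme": parts.scheme,
        "actual_host": actual_host,
        "decoy": decoy,
        "trusted": actual_host in TRUSTED_HOSTS,
        "decoy_is_trusted_name": decoy is not None and decoy.lower() in TRUSTED_HOSTS,
    }


def is_safe_login_link(href):
    """Accept only https links to a trusted host that carry no userinfo at all.

    Rejecting any userinfo (rather than only a decoy that matches a trusted
    name) is deliberate: a legitimate login page never needs it.
    """
    try:
        info = inspect_link(href)
    except ValueError:          # unparsable URL, e.g. broken IPv6 brackets
        return False
    return info["scheme"] == "https" and info["trusted"] and info["decoy"] is None


if __name__ == "__main__":
    for link in ("https://mail.example.com/login",
                 "https://mail.example.com@attacker.example/login",
                 "https://mail.example.com.attacker.example/login"):
        print(link, "->", inspect_link(link)["actual_host"], is_safe_login_link(link))
```

The second link in the `__main__` block is the one a user reads as "mail.example.com"; the parser (and the browser) reads it as a connection to `attacker.example` with a username of `mail.example.com`. The third shows the other common variant, a trusted name used as a subdomain label, which no userinfo check catches but an exact host match does.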
![Page 14: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/14.jpg)
Design Thinking?
![Page 15: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/15.jpg)
Maybe Don't Think == Impulsive
im·pul·sive /imˈpəlsiv/ Adjective
Acting or done without forethought: "young impulsive teenage shoppers".
![Page 16: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/16.jpg)
phish·ing (a made-up word)
The act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
![Page 17: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/17.jpg)
Effective Design/UI/UX is about generating
TRUST
![Page 18: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/18.jpg)
People trust big shiny locks
![Page 19: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/19.jpg)
Best piece of advice from a show about aliens
![Page 20: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/20.jpg)
Two examples where this trust collides with effective design and makes the UI/UX bad for the user
1. Password Reset/Change feature
2. An SSL enabled website
![Page 21: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/21.jpg)
How password reset should work
Enter email to reset password
YourSuperSecretPassword
![Page 22: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/22.jpg)
What went down behind the scenes
• Code loaded in the browser sent that email address to the server.
![Page 23: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/23.jpg)
What went down behind the scenes
• Server did a bunch of things, like checking whether the email address was in the database, generating a password, etc.
![Page 24: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/24.jpg)
The difficult part & UI nightmare
How does the server know that it is you who filled the
email and you are the owner of this email address?
![Page 25: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/25.jpg)
So how is it supposed to work?
• Using out-of-band communication.
• Code loaded in the browser sent that email address to the server.
![Page 26: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/26.jpg)
And…..?
• Web server will email you a unique link, hoping that the email address is in your hands.
• You click on the link and go back to the server.
• Server confirms the link is proper and allows you to reset the password.
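The three steps above, as an added example that is not code from the talk: what "the server confirms the link is proper" has to mean in practice. The link must be unguessable, stored only as a hash, time-limited and single-use, and the server should reply identically whether or not the address exists so the form cannot be used to discover registered users. Storage and mail are in-memory stand-ins; the link URL, token size and lifetime are assumptions.

```python
# Added example, not code from the talk: the out-of-band reset flow described
# on the slides, with the checks the server needs before it trusts the clicked
# link. Storage and mail are in-memory stand-ins; the link URL, token size and
# lifetime are assumptions.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60                    # assumption: link valid for 15 minutes
RESET_URL = "https://mail.example.com/reset"   # assumption: constructed hostname


def password_record(password, salt=None):
    """Salted PBKDF2 record for storing a password (never the password itself)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = users        # email -> password record
        self.pending = {}         # sha256(token) -> (email, expires_at)
        self.outbox = []          # (recipient, link): stand-in for the mail server
        self.now = now            # injectable clock, so expiry can be tested

    @staticmethod
    def _token_key(token):
        # Only a hash of the token is stored, so a copy of this table does
        # not hand an attacker working reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Step 1: the browser sends the address; the server mails a link."""
        if email in self.users:
            token = secrets.token_urlsafe(32)          # 256 random bits: unguessable
            expires_at = self.now() + TOKEN_TTL_SECONDS
            self.pending[self._token_key(token)] = (email, expires_at)
            self.outbox.append((email, f"{RESET_URL}?token={token}"))
        # Same reply either way, so the form cannot be used to find out
        # which addresses are registered.
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        """Steps 2 and 3: the link comes back; accept it only if it is known,
        unexpired and unused, then let the user choose a new password."""
        entry = self.pending.pop(self._token_key(token), None)   # single use
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[email] = password_record(new_password)
        return True
```

Note what never happens here: no password is generated by the server or sent back to the user, in the mail or on the page. The link proves control of the mailbox and nothing else; the new password is chosen after that proof, and the `pop` guarantees a link that has been used (or leaked and used by someone else) cannot be replayed. The link itself still travels over the network in whatever the transport provides, which is the subject of the slides that follow.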
![Page 27: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/27.jpg)
Just FYI: the email address you sent to the server and the password you got back were sent in CLEARTEXT
![Page 28: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/28.jpg)
People/stuff between you & the server
• Wireless network
• Helpful IT admin monitoring for "bad traffic"
• ISP gateway with helpful IT admin "monitoring"
• Country-level gateway with helpful govt. IT admin "monitoring" – think Tunisia, Egypt, Iran
• Helpful server admin "monitoring"
• And who knows what else is out there.
![Page 29: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/29.jpg)
Just to recap!
• Effective Design/UI/UX inspires trust.
• People trust based on strong visual cues.
• These cues can be faked.
• So ideally, trust no one.
• If we use the common-sense approach to generating a new password, we will need to trust multiple intermediaries.
![Page 30: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/30.jpg)
Finally a problem worthy of philosoraptor
So how do we create secure websites?
![Page 31: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/31.jpg)
SSL
![Page 32: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/32.jpg)
HTTP + SSL/TLS = HTTPS
![Page 33: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/33.jpg)
SSL/TLS
Encrypted and integrity-protected communication – nobody in the middle can read your message, and any change to it is detected (encryption on its own does not stop tampering; TLS adds the integrity check)
Secure identification of the server – are you talking to the right server?
![Page 34: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/34.jpg)
http://www.trailofbits.com/resources/creating_a_rogue_ca_cert_slides.pdf
![Page 35: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/35.jpg)
Bad Things can Happen
A Comodo affiliate (a registration authority of the root CA) was hacked in 2011.
DigiNotar, a Dutch CA, was hacked in 2011.
Hundreds of fraudulent certificates for Google, Yahoo, Mozilla, Windows Update and others were issued, each one accepted by any browser that trusted the issuing CA.
![Page 36: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/36.jpg)
Rogue SSL Certificate
![Page 37: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/37.jpg)
EV SSL
![Page 38: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/38.jpg)
![Page 39: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/39.jpg)
Secure By Design
Will cover this next year!
![Page 40: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/40.jpg)
I don’t have any answers for you
• I am not a designer. I understand security in systems.
• I understand that people want to use systems to do things, not get stopped due to security or insecurity.
• The idea was to get your attention and see if these problems can be solved using design.
![Page 41: How to tell if your designing an insecure website](https://reader033.vdocument.in/reader033/viewer/2022052823/55511737b4c905f10b8b4f0d/html5/thumbnails/41.jpg)
@makash Akash Mahajan
That Web Application Security Guy