![Page 1: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/1.jpg)
© 2010 Cisco and/or its affiliates. All rights reserved. 1
Web Security: Fear, Surprise, and Ruthless Efficiency. Mary Ellen Zurko
![Page 2: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/2.jpg)
![Page 3: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/3.jpg)
• Authentication and password/secret management
• A secret is something you tell to one person at a time
• Or: it’s not turtles all the way down
![Page 4: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/4.jpg)
• Defense in depth matters
• Compliance
• Passwords: users vs. system components
• Web server and files
![Page 5: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/5.jpg)
• Security the way Sir Tim intended
• Server says: WWW-Authenticate: Basic realm="insert realm"
• User prompted for their password
• Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
User agent remembers the credential and resends it for that domain/realm
![Page 6: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/6.jpg)
• Everyone does their own authentication: no single sign-on
Password proliferation
• Password unprotected: encoding is not encrypting
• Who’s asking you for your password?
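Added example (not from the slides) showing both halves of the Basic exchange on the previous two slides: the client builds the header, and anyone who sees it gets the password back with one base64 decode, which is what "encoding is not encrypting" means. The server-side half shows the only thing the server should keep, a salted PBKDF2 digest compared in constant time. The credential is the one on the slide; the user record, salt and round count are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed example exchange: the credential is the one on the slide;
# the stored record and round count are made up for this demonstration.
CHALLENGE = 'WWW-Authenticate: Basic realm="insert realm"'
CLIENT_HEADER = "Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4="
PBKDF2_ROUNDS = 100_000


def build_basic_header(username, password):
    """What the user agent sends after the password prompt: base64(user-id:password)."""
    if ":" in username:
        raise ValueError("user-id must not contain a colon (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def parse_basic_header(header):
    """Recover user-id and password from the header. No key is involved, so
    anyone who sees the header (proxy, log file, network tap) has the password."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "authorization":
        raise ValueError("not an Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not the Basic scheme")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 token") from exc
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("credentials must be user-id:password")
    return user, password


def make_password_record(password, salt=None):
    """Server side: never store the password itself, only salt + PBKDF2 digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_request(header, records):
    """Check an incoming Authorization header against the stored records.
    Returns True only for a known user-id with the matching password."""
    try:
        user, password = parse_basic_header(header)
    except ValueError:
        return False
    record = records.get(user)
    if record is None:
        # Unknown user-id: do the same amount of work so response timing
        # does not reveal which user-ids exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    print(CHALLENGE)
    print(CLIENT_HEADER, "->", parse_basic_header(CLIENT_HEADER))
    users = {"Aladin": make_password_record("sesam open")}
    print("valid:", verify_request(CLIENT_HEADER, users))
    print("wrong password:", verify_request(build_basic_header("Aladin", "nope"), users))
```

The header round-trips to "Aladin" / "sesam open" with nothing more than base64; without TLS on the wire that is the password in the clear, and every site that does its own Basic auth is another place the same password ends up stored or logged.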
![Page 7: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/7.jpg)
• Who vouches for the information on this web page?
• Trust, trustworthy, and trust for what?
“There’s encryption; it’s secure!”
• What have you been told about detecting or avoiding phishing?
![Page 8: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/8.jpg)
• Citigroup.com
• Citibank.com
• Cititigroup.com
• Citigroup.de
• Citibank.co.uk
• Citigroup.org
• Thisiscitigroup.org
• Citibank.info
• Citicards.com
• Citicreditcards.com
• Citibank-cards.us
• Citimoney.com
• Citigold.net
• Citībank.org
• Citibānk.org
• Citigrøup.org
![Page 9: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/9.jpg)
![Page 10: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/10.jpg)
• Early on, there was S-HTTP
• Encryption of the HTML document
• Headers defined to specify type of encryption, type of key management, nonces
Supports pre-arranged keys, public/private keys, PGP, etc.
Server and client negotiate which enhancements they’ll use
• Flexible
• End-to-end (resists man-in-the-middle)
![Page 11: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/11.jpg)
• Encryption! Authentication! Security!
• Network protocol that wraps HTTP
• Encryption of the tunnel for confidentiality and tamper detection
• Authentication of the server using public key certificate
• My browser has 182 “System Roots”
• Authentication of the client using public key certificate is an option
• Phishing for passwords and identities
![Page 12: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/12.jpg)
• Who put the D in DHTML?
• Data and code should not mix: code is dangerous; data is not
Speech vs action
![Page 13: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/13.jpg)
• Major technical university’s web site
• Cross-site scripting (XSS): every link modified to redirect through a proxy
Links to other web sites (e.g. LinkedIn, Facebook)
• Insecure direct object reference: walk the OS file system
![Page 14: Web Security Fear, Surprise, and Ruthless Efficiency](https://reader035.vdocument.in/reader035/viewer/2022062315/568158f4550346895dc6302b/html5/thumbnails/14.jpg)
• Who vouches for the code on this web site?
JavaScript
Sandbox + same origin policy
Java
Permissions
“Should this code access your file system, the network?”
• Web mail: cross-site scripting (XSS)
• HTML escaping of any data: where are my bold text and dancing pigs?
Whitelist vs Blacklist
• Mobile apps – every game creator is a web browser implementer
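Added example (not from the slides) for the web-mail XSS point and the whitelist-vs-blacklist choice: a blacklist that deletes `<script>` lets an `onerror` handler and a `javascript:` link straight through, while an allow-list sanitizer rebuilds the message from scratch, keeping only the tags and attributes the mail client wants (so the bold text survives) and turning everything else into escaped text. The allowed tag set and the payload strings are assumptions constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allow-list for a web-mail body: formatting tags plus links with http(s) targets.
ALLOWED_TAGS = {"b": set(), "i": set(), "strong": set(), "em": set(), "p": set(),
                "br": set(), "a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}
SAFE_SCHEMES = ("http://", "https://")


def blacklist_sanitize(markup):
    """The approach that does not work: delete things known to be bad.
    Event-handler attributes, other tags and odd encodings sail straight through."""
    return re.sub(r"<script.*?</script>", "", markup, flags=re.I | re.S)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document keeping only allowed tags and attributes;
    unknown tags are dropped, their text is kept, and all text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return  # unknown tag (img, iframe, ...): drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # onerror, onclick, style, ... are never on the allow-list
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # close everything opened after it so the output stays well nested
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))

    def result(self):
        self.close()
        while self.open_tags:  # close anything the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()


if __name__ == "__main__":
    # Constructed payload: the kind of thing that arrives in a mail body.
    PAYLOAD = '<b>Hi</b> <img src=x onerror=alert(1)> <a href="javascript:alert(2)">click</a>'
    print("blacklist:", blacklist_sanitize(PAYLOAD))
    print("allowlist:", sanitize(PAYLOAD))
```

The allow-list keeps `<b>Hi</b>` and the link text, drops the `img` tag with its handler, and strips the `javascript:` target while leaving an `https://` one intact. Comments and declarations are silently discarded by the base parser, and tag names arrive lowercased, so `<ScRiPt>` and `<B onclick=...>` get the same treatment as their lowercase forms.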