05 a9 insufficient transport layer protections.pptx
Transcript of 05 a9 insufficient transport layer protections.pptx
Page 1
A9 Insufficient Transport Layer Protection
Problem and Protection
Page 2
Page 3
o Lost 45.7 million credit card numbers
o 455K driver's license numbers
o Considered a 'worst-case scenario'
o The attack went on for two years before it was uncovered
o Cause: WEP traffic was not encrypted well
The attackers basically authenticated themselves inside the firewall.
Page 4
Insufficient Transport Layer Protection
o Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
o When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
Page 5
How attackers do it
o They use packet sniffers to read the communications over a network
o Anything unencrypted can be read easily
  • Pages (duh)
o But we forget about encrypting
  • Cookies
  • Web services
  • Intranet communications
  • Database requests
  • AJAX communication
o Anything encrypted weakly can be cracked
Page 6
How we protect ourselves
o Require TLS for all sensitive pages
  • Especially login pages!
o Set the 'secure' flag on all sensitive cookies
o Configure the TLS provider to only support strong algorithms
o Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site
o Don't neglect the backend communications
Page 7
Require SSL for all sensitive pages
o Non-SSL requests to these pages should be redirected to the SSL page
o Every login page should use TLS
  • Because the username and password would be sent in clear text if it didn't
Page 8
Make cookies secure
o Set the secure flag on all sensitive cookies
o This requires them to be sent via SSL

```csharp
HttpCookie c = new HttpCookie("PetsName", "Mouser");
c.Secure = true;
```

o Do the same for ASP.NET forms authentication cookies in web.config.

```xml
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" requireSSL="true" .../>
  …
</authentication>
```
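Slides 7 and 8 describe two server-side rules: redirect plain-HTTP requests for sensitive pages to HTTPS, and never let a sensitive cookie leave without the Secure flag. The slides show the ASP.NET settings; the following is an added example, not from the deck or from ASP.NET, that applies the same two rules as a framework-independent WSGI middleware in Python. The sensitive path prefixes, the host name www.tic.com (the deck's placeholder domain) and the `session` cookie are assumptions for the demo.

```python
"""Added example (not from the slides): a WSGI middleware that redirects
plain-HTTP requests for sensitive paths to HTTPS and forces the Secure
flag onto every Set-Cookie header the wrapped application emits."""

from urllib.parse import quote

# Assumption for the demo: which paths must only be served over TLS.
SENSITIVE_PREFIXES = ("/login", "/account")


def is_https(environ):
    """True if the request arrived over TLS, directly or via a trusted proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Only honour X-Forwarded-Proto when a TLS-terminating proxy you trust sets it.
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_location(environ):
    """Build the absolute https:// URL for the current request."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def secure_cookie(header_value):
    """Append '; Secure' to a Set-Cookie value unless it is already present."""
    attrs = [a.strip() for a in header_value.split(";")]
    if not any(a.lower() == "secure" for a in attrs):
        attrs.append("Secure")
    return "; ".join(attrs)


def require_tls(app):
    """Wrap a WSGI app: redirect sensitive paths to HTTPS, secure all cookies."""
    def wrapper(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if path.startswith(SENSITIVE_PREFIXES) and not is_https(environ):
            # 301 so browsers remember the redirect for this URL.
            start_response("301 Moved Permanently",
                           [("Location", https_location(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            # Rewrite only Set-Cookie headers; leave everything else untouched.
            fixed = [(k, secure_cookie(v) if k.lower() == "set-cookie" else v)
                     for k, v in headers]
            return start_response(status, fixed, exc_info)

        return app(environ, secured_start_response)
    return wrapper


def demo_app(environ, start_response):
    """Constructed application that forgets the Secure flag on its session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; HttpOnly; Path=/")])
    return [b"hello"]


def call(app, environ):
    """Run one request through a WSGI app and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    wrapped = require_tls(demo_app)
    env = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.tic.com",
           "PATH_INFO": "/login", "QUERY_STRING": "next=%2Faccount"}
    print(call(wrapped, env)[:2])
```

The redirect only protects a GET: if a browser has already POSTed a login form over plain HTTP, the credentials were on the wire before the server answered, which is why the login page itself (not just the form handler) must be served over TLS, exactly as slide 7 says.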
Page 9
Use only strong encryption
o FIPS 140-2 compliant algorithms
  • Use AES or Blowfish for symmetric cryptography
  • Use SHA-256 or SHA-512 for hashing
  • Use RSA for asymmetric (but all are okay)
o If you use SHA-1 or MD5, please expect to be compromised
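In a TLS deployment, "only support strong algorithms" means restricting the cipher suites the server will negotiate rather than picking AES or SHA-256 by hand. One caveat to the slide: AES is FIPS 140-2 approved, but Blowfish is not, and Blowfish is not a TLS cipher at all. The following is an added example (not from the deck) using Python's standard-library `ssl` module: it builds a server context limited to TLS 1.2 or newer with ECDHE key exchange and AES-GCM or ChaCha20 suites, and a small classifier that flags the legacy suites (RC4, MD5, DES, SHA-1 MACs) the slide warns against. The weak-marker list and the classification labels are this example's own.

```python
"""Added example (not from the slides): a hardened TLS server context and a
classifier for OpenSSL cipher-suite names, standard-library ssl only."""

import ssl

# Substrings that mark a suite as weak: broken ciphers/hashes or no authentication.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ADH", "AECDH")


def classify_cipher(name):
    """Return 'weak', 'legacy' or 'strong' for an OpenSSL cipher-suite name."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    # CBC suites with an HMAC-SHA1 MAC end in '-SHA'; AEAD suites (GCM, CHACHA20) do not.
    if upper.endswith("-SHA") or "CBC" in upper:
        return "legacy"
    return "strong"


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2+ only, ECDHE key exchange, AES-GCM or ChaCha20 AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: forward-secret AEAD suites only, nothing unauthenticated.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION   # disable TLS-level compression
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # assumption: PEM cert and key paths
    return ctx


def offered_suites(ctx):
    """Names of every suite the context would currently negotiate (TLS 1.2 and 1.3)."""
    return [c["name"] for c in ctx.get_ciphers()]


def non_strong_suites(ctx):
    """Suites the classifier does not rate 'strong'; empty for a hardened context."""
    return [n for n in offered_suites(ctx) if classify_cipher(n) != "strong"]


def min_protocol_name(ctx):
    """Human-readable minimum protocol version, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum version:", min_protocol_name(ctx))
    for suite in offered_suites(ctx):
        print(f"{suite:40} {classify_cipher(suite)}")
```

Run the same `non_strong_suites` check against a context built with the OpenSSL default cipher string to see which CBC/SHA-1 suites a stock configuration still offers; the exact list depends on the OpenSSL build.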
Page 10
Ensure comprehensive certificates
o Certificate errors desensitize users to future alerts
o Keep your certs up-to-date and valid
o Use wildcards for domains
  • Ex: if we have a cert for www.tic.com and we open reports.tic.com, the user sees a certificate error
  • Get a cert for *.tic.com instead of www.tic.com
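The slide's scenario comes down to two checks a browser performs: is the certificate inside its validity period, and does one of its names cover the host the user typed? The following is an added example (not from the deck) that implements both in Python, including the wildcard rule browsers apply (the `*` must be the whole left-most label and matches exactly one label, so `*.tic.com` covers `reports.tic.com` but not `tic.com` or `a.b.tic.com`). The two certificates are constructed dicts in the shape `ssl.SSLSocket.getpeercert()` returns, not real certificates; tic.com is the deck's placeholder domain and the dates and "now" value are made up. Revocation (the slide's third requirement) needs an online OCSP or CRL lookup and is not covered here.

```python
"""Added example (not from the slides): validity-period and hostname checks
on a certificate dict shaped like ssl.SSLSocket.getpeercert() output."""

import ssl
import time


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard may only be the whole left-most label
    and covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                        # ".tic.com"
    if not hostname.endswith(suffix):
        return False
    leading = hostname[: -len(suffix)]          # the part the '*' must cover
    return bool(leading) and "." not in leading


def cert_names(cert):
    """DNS names from subjectAltName, falling back to CN only when no SAN exists."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def certificate_problems(cert, hostname, now=None):
    """Return a list of reasons a browser would warn; empty means the cert is fine."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(hostname_matches(n, hostname) for n in cert_names(cert)):
        problems.append(f"name mismatch: {hostname} not in {cert_names(cert)}")
    return problems


# Constructed: the slide's www-only certificate.
WWW_ONLY_CERT = {
    "subject": ((("commonName", "www.tic.com"),),),
    "subjectAltName": (("DNS", "www.tic.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}

# Constructed: the wildcard certificate the slide recommends, with the bare
# domain added as a second SAN because the wildcard alone does not cover it.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.tic.com"),),),
    "subjectAltName": (("DNS", "*.tic.com"), ("DNS", "tic.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}

# Constructed "now" so the demo is deterministic.
CHECK_TIME = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

if __name__ == "__main__":
    for label, cert in (("www-only", WWW_ONLY_CERT), ("wildcard", WILDCARD_CERT)):
        for host in ("www.tic.com", "reports.tic.com", "tic.com"):
            print(f"{label:9} {host:16} {certificate_problems(cert, host, CHECK_TIME)}")
```

Against a live server, `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` returns a dict of this shape, but the default context has already enforced these checks for you before the handshake completes; the functions above are for auditing certificates you have on hand.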
Page 11
Don't forget about the back end
o Sniffers can see more than just web pages.
o When sensitive, you should use TLS for:
  • JavaScript files with business logic
  • AJAX calls
  • XML web services
  • Database communications
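For the backend calls on this slide (AJAX, XML web services, database connections) the usual failure is not a missing TLS layer but a client that disables certificate verification "because it is internal". Encryption without authentication only hides the traffic from a passive sniffer; any host on the path can present its own certificate. The following is an added example (not from the deck) in Python's standard-library `ssl` module showing a properly verifying client context beside the shortcut, plus an audit function that names what the shortcut gives up. The finding strings are this example's own wording.

```python
"""Added example (not from the slides): verifying vs. non-verifying client TLS
contexts for backend calls, and an audit that explains the difference."""

import ssl


def verifying_client_context(ca_bundle=None):
    """What an AJAX / web-service / database client should use: verify the
    server certificate against trusted CAs, check the hostname, TLS 1.2+.
    ca_bundle is an optional PEM path for a private CA (assumption)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def disabled_verification_context():
    """The shortcut often taken for 'internal' services: the channel is
    encrypted, but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return findings for a client SSLContext; empty means it is configured safely."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"allows {ctx.minimum_version.name}; require TLS 1.2 or newer")
    return findings


if __name__ == "__main__":
    for label, ctx in (("verifying", verifying_client_context()),
                       ("no-verify", disabled_verification_context())):
        print(label, audit_client_context(ctx) or "OK")
```

Database drivers and HTTP client libraries expose the same three knobs under their own option names; the audit above is the checklist to apply whichever library sits in front of the socket.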
Page 12
Summary
o Attackers use network sniffers to get to our sensitive data
o We should use TLS/SSL to protect:
  • Pages (especially login pages)
  • Cookies
  • Web services & other backend processes
o Only use strong cryptographic ciphers like AES and SHA-256
Page 13
Further study
o Secure cookies white paper:
  • http://bit.ly/SecureCookies
o How to harden databases:
  • http://bit.ly/HardeningDatabases
o Wireshark information and download:
  • http://wireshark.org