Transcript of DID WE LOSE THE BATTLE FOR A SECURE WEB? (slide deck)
@PhilippeDeRyck
DID WE LOSE THE BATTLE FOR A SECURE WEB?
Philippe De Ryck, guest lecture “Capita Selecta”, UCLL, December 14th 2016
https://www.websec.be
ABOUT ME – PHILIPPE DE RYCK
§ My goal is to help you build secure web applications
− In-house training programs at various companies
− Hosted web security training courses at DistriNet (KU Leuven)
− Talks at various developer conferences
− Slides, videos and blog posts on https://www.websec.be
§ I have broad security expertise, with a focus on Web Security
− PhD in client-side web security
− Main author of the Primer on client-side web security
§ Part of the organizing committee of SecAppDev.org
− Week-long course focused on practical security
THE WEB STARTED OUT AS SERVER-CENTRIC
DATA BREACHES ARE SOPHISTICATED ATTACKS
COMMAND INJECTION IN 2016
https://securityledger.com/2016/12/vulnerability-prompts-warning-stop-using-netgear-wifi-routers/
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
THE S IN IOT STANDS FOR SECURITY
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
THE S IN IOT STANDS FOR SECURITY
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
(Slide shows the Mirai botnet's hard-coded list of default username/password pairs for IoT devices.)
THE S IN IOT STANDS FOR SECURITY
https://twitter.com/MalwareTechBlog/status/
http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
TRADITIONAL SERVER-SIDE SECURITY PROBLEMS REMAIN …
http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
TRADITIONAL SERVER-SIDE SECURITY PROBLEMS REMAIN …
DATA BREACHES HAVE BECOME EXTREMELY COMMON
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
ACCOUNT COMPROMISE THROUGH PASSWORD REUSE
java -jar shard-1.5.jar -u [email protected] -p test1234
10:16:18.713 [+] Selected single-user single-password mode
10:16:18.715 [+] Running 12 modules
10:16:31.103 [+] [email protected]:test1234 - BitBucket
http://arstechnica.com/security/2016/07/password-reuse-tool-makes-it-easy-to-id-vulnerable-accounts-on-other-sites/
NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG
NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG
http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/
NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG
NUMEROUS SERVICES GET CREDENTIAL STORAGE WRONG
http://arstechnica.com/security/2016/11/adultfriendfinder-hacked-exposes-400-million-hookup-users/
MEET SAGITTA BRUTALIS (GTX 1080)
MD5: 200,000 million hashes/second
SHA1: 68,771 million hashes/second
SHA256: 23,012 million hashes/second
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
IMAGINE WHAT SECURITY IS LIKE IN THE CLIENT-CENTRIC WEB
HIJACKING VNC SERVERS WITH WEBSOCKETS
https://bugs.launchpad.net/nova/+bug/1409142
TOTALLY OWNING A BROWSER WITH XSS
http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/
READING EMAILS USING XSS VULNERABILITIES
http://www.zdnet.com/article/yahoo-fixes-flaw-letting-attacker-read-victims-emails/
EXTRACTING MALWARE FROM IMAGES USING JS
http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
WTF?
HOW DO YOU KNOW IF YOU’RE COMPROMISED?
https://haveibeenpwned.com/
GETTING CREDENTIAL STORAGE RIGHT
§ Old common practices no longer suffice
− It used to be recommended to use a salt and a hashing algorithm
− But hashing algorithms are designed to be fast
§ Modern approaches use password-based key derivation functions
− Their original goal is to create a key from a password for cryptographic use
− These functions are slow and resource-hungry, and well suited for credential storage
− Examples are bcrypt, scrypt and PBKDF2
8x NVIDIA GTX 1080: 200,000 million MD5/second, 68,771 million SHA1/second, 100 thousand BCRYPT/second
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
Password: Test1234
Salt: s1L1GQbpvlksIfFOVmVQwu
SHA1: 946e48b8c174c730e5111c9e7b5f4261b8f81b9a
STORING CREDENTIALS IN NODEJS WITH BCRYPT

```javascript
var bcrypt = require('bcrypt');
var pass = "Supahs3cr3t";

// Cost parameter 10: 2^10 key-setup rounds; raise it as hardware gets faster
bcrypt.genSalt(10, function(err, salt) {
  bcrypt.hash(pass, salt, function(err, hash) {
    if (err) throw err;
    // Store hash in your password DB.

    // Later: load hash from DB and check a login attempt against it
    bcrypt.compare('nots3cr3t', hash, function(err, res) {
      // res == false
    });
  });
});
```

Stored hash, with the part labelled on this slide:
$2a$10$s1L1GQbpvlksIfFOVmVQwuHyDxAwBk6DFYzTpJpYd4HytXKL3WA/2
Algorithm: 2a
The same stored hash, annotated further on slides 29 to 31:
$2a$10$s1L1GQbpvlksIfFOVmVQwuHyDxAwBk6DFYzTpJpYd4HytXKL3WA/2
Cost parameter: 10
Salt: s1L1GQbpvlksIfFOVmVQwu
Hash: HyDxAwBk6DFYzTpJpYd4HytXKL3WA/2
PASSWORD MANAGERS ARE GAME CHANGERS
§ Password managers address the most important problems with passwords
− They allow you to generate long and random passwords
− A unique password for every application avoids password re-use
− Autofill features help protect against phishing
A LOOK UNDER THE HOOD OF A PASSWORD MANAGER
(Diagram: stored entries secret123, pazzword and GuessmeJ; master password ThereCanBeOnlyOne)
− Provide master password
− Generate key from master password
− Decrypt database on device
− Sync encrypted file
BUT MULTI-FACTOR AUTHENTICATION IS EVEN BETTER
https://www.yubico.com/products/yubikey-hardware/
FORTUNATELY, BROWSERS ARE TAKING SECURITY SERIOUSLY
§ Since HTML5, new features are designed with security in mind
− New features should not create vulnerabilities for legacy applications
− Security takes precedence over functionality, to build towards a secure web
§ Browsers try to make a security stance
− By starting to reject or block insecure behavior
− This is a slow process, with large grace periods to avoid too much breakage
§ Since the Snowden revelations, companies are pushing for security as well
− Many initiatives backed by large technology companies
− Trying to convince users to take security seriously as well
AND IT’S WORKING …
https://nakedsecurity.sophos.com/2016/10/18/halfway-there-firefox-users-now-visit-over-50-of-pages-via-https/
WE HAVE BETTER SECURITY TOOLS THAN EVER
§ New technologies give us more defensive capabilities
− We can finally get rid of XSS once and for all
− We can defend against attacks which used to be impossible
§ Mainly available as server-driven browser-enforced policies
− Specified by the server, customized to the application at hand
− Delivered to the browser, typically in an HTTP header
− Enforced by the browser, on the client-side context
§ Backwards compatible with older browsers
− Unknown headers are simply ignored
SERVER-DRIVEN BROWSER-ENFORCED SECURITY POLICIES
§ The first example is cookie security flags
− Set by the server, enforced by the browser
§ Numerous such policies have been added to the browser recently
− HTTP Strict Transport Security
− HTTP Public Key Pinning
− X-XSS-Protection
− Content Security Policy
− Subresource Integrity
− Cross-Origin Resource Sharing
GETTING WEB SECURITY RIGHT
§ The developer’s security toolbox is better than ever
− Browsers are taking security seriously, and so should you…
− Most attacks can be countered with currently available technologies
§ Building secure web applications requires knowledge
− Knowledge about common threats against web applications
− Knowledge about countermeasures, how they work and how to use them
§ It is time to take Web Security seriously
− Protect your applications using the latest technologies
− Set an example on how to do it right
− Share your experiences, help others advance as well
BREAK
SECURING THE COMMUNICATION CHANNEL
3 VARYING LEVELS OF HTTPS
(Diagram: three deployments (a), (b) and (c) with varying HTTPS coverage, each showing the same user flow)
− Visit website, browse public pages
− Login with username and password
− Consult private information
WE HEAVILY DEPEND ON (INSECURE) WIFI
https://www.flickr.com/photos/djimison/222214205/
AND THIS HAPPENS TO THE BEST OF US
http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/
EAVESDROPPING IS CHILD’S PLAY
http://codebutler.com/firesheep/
THE COMMUNICATION CHANNEL IS INSECURE
§ But we use HTTPS for sensitive data
− Sufficient to counter passive eavesdropping attacks
− But what about active network attacks?
Man in the Middle / Man on the Side
PREVENTING THE TRANSITION FROM HTTP TO HTTPS
(Diagram, some-shop.com, with a network attacker that rewrites HTTPS to HTTP)
Without attacker: Visit http://some-shop.com → Welcome, please login → Login as Philippe → Welcome Philippe
With attacker: Visit http://some-shop.com → (attacker rewrites HTTPS to HTTP) → Login as Philippe → Welcome Philippe
TIME TO MOVE TOWARDS HTTPS
(Diagram, some-shop.com)
Over HTTP: Visit http://some-shop.com → Welcome, please login → Login as Philippe → Welcome Philippe
Over HTTPS: Visit https://some-shop.com → Login as Philippe → Welcome Philippe
HTTP WEAKENS HTTPS SITES
https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
SNEAKY SSL STRIPPING ATTACKS PREVENT THE USE OF HTTPS
(Diagram: browser, network attacker, www.websec.be)
Browser → attacker: GET http://www.websec.be
Attacker → www.websec.be: GET http://…
www.websec.be → attacker: 301 Moved …
Attacker → www.websec.be: GET https://…
www.websec.be → attacker: 200 OK
Attacker → browser: 200 OK <html>…</html>, after rewriting HTTPS URLs to HTTP
Browser → attacker: POST http://www.websec.be
Attacker → www.websec.be: POST https://…
www.websec.be → attacker: 200 OK
Attacker → browser: 200 OK <html>…</html>, after rewriting HTTPS URLs to HTTP
STRICT TRANSPORT SECURITY AGAINST SSL STRIPPING
§ Strict Transport Security converts all HTTP requests to HTTPS
§ Modern browsers support HTTP Strict Transport Security (HSTS)
− HTTP response header to enable Strict Transport Security
− When enabled, the browser will not send an HTTP request anymore
(Diagram: with HSTS the browser sends GET https://www.websec.be directly and receives 200 OK <html>…</html> from www.websec.be)
(Browser support table from the slide: from version 4, 4, 7, 11, 4.4.4 and 7.1; the browser icons were not captured)
HSTS CAN BE ENABLED WITH A SIMPLE ONE-LINER
§ The policy is controlled by the Strict-Transport-Security header
− max-age specifies how long the policy should be enforced in seconds
− Make sure this is long enough to cover two subsequent visits
− If necessary, the policy can be disabled by setting max-age to 0
§ The policy can be extended to automatically include subdomains
− This behavior is controlled by the includeSubDomains flag
− Before enabling this, carefully analyze the services you are running on your domain
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
HSTS IN ACTION
(Diagram: browser talking to websec.be and www.websec.be)
Browser → websec.be: GET https://websec.be
websec.be → browser: 200 OK, Strict-Transport-Security: max-age=31536000; includeSubDomains
Browser → www.websec.be: GET https://www.websec.be
www.websec.be → browser: 200 OK, Strict-Transport-Security: max-age=31536000; includeSubDomains
Browser → www.websec.be: GET https://www.websec.be
www.websec.be → browser: 200 OK, Strict-Transport-Security: max-age=31536000; includeSubDomains
POLICY DETAILS OF HSTS
§ HSTS does not care about TCP ports
− Policy matches are determined based on the hostname only
− Port 80 is translated to port 443, but other ports are preserved
§ HSTS policies can only be set over a secure connection
− The certificate used must be valid
− HSTS policies set on insecure connections are ignored
§ Disabling HSTS must be done by explicitly setting max-age to 0
− Omitting an HSTS header from an HSTS-enabled host does nothing
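Added example, not from the slides: a small model of a browser's HSTS policy store that applies the header rules of slide 55 and the policy details of slide 57, so each edge case (ports, insecure responses, max-age=0, an omitted header, expiry, includeSubDomains) can be checked. The class name, the host names and the max-age values are constructed for this example.

```javascript
// Model of the browser-side HSTS store (this example's own, simplified):
// - policies are only accepted from responses received over valid HTTPS
// - a policy matches on host name only; port 80 becomes 443, other ports are kept
// - max-age=0 deletes the policy; a response without the header changes nothing
// - includeSubDomains extends the policy to every subdomain of the host
class HstsStore {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock so expiry can be tested
    this.policies = new Map();      // host -> { expires (ms), includeSubDomains }
  }

  // Parse "max-age=31536000; includeSubDomains; preload" into its directives.
  // Returns null for a header without a usable max-age, which the browser ignores.
  static parseHeader(value) {
    let maxAge = null;
    let includeSubDomains = false;
    for (const directive of value.split(';')) {
      const [name, raw] = directive.trim().split('=');
      const key = name.toLowerCase();
      if (key === 'max-age') {
        if (raw === undefined || raw === '') return null;
        const n = Number(raw);
        if (!Number.isInteger(n) || n < 0) return null;
        maxAge = n;
      } else if (key === 'includesubdomains') {
        includeSubDomains = true;
      }
    }
    return maxAge === null ? null : { maxAge, includeSubDomains };
  }

  // Called for every response. stsHeader is undefined when the header is absent;
  // secureAndValid is true only for HTTPS with a valid certificate.
  processResponse(host, stsHeader, secureAndValid) {
    if (stsHeader === undefined) return;   // omitting the header does nothing
    if (!secureAndValid) return;           // set over an insecure connection: ignored
    const policy = HstsStore.parseHeader(stsHeader);
    if (!policy) return;
    if (policy.maxAge === 0) {             // explicit disable
      this.policies.delete(host);
      return;
    }
    this.policies.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
  }

  // Exact host match, or a parent domain whose policy has includeSubDomains.
  isKnownHost(host) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= this.now()) {       // max-age elapsed: forget the policy
        this.policies.delete(candidate);
        continue;
      }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite a URL the way the browser does before any request leaves the machine.
  upgrade(urlString) {
    const url = new URL(urlString);
    if (url.protocol !== 'http:' || !this.isKnownHost(url.hostname)) return urlString;
    const port = url.port;                 // '' when the default port 80 was used
    url.protocol = 'https:';
    url.port = (port === '' || port === '80') ? '' : port;   // 80 -> 443, others kept
    return url.toString();
  }
}
```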
ENABLING HSTS IN PRACTICE
§ The step-by-step guide towards enabling HSTS
− Set up HTTPS correctly
− Send the Strict-Transport-Security header with a short max-age
− Test your configuration
− Increase max-age after successful testing
§ Chrome’s net-internals allow inspection
− dynamic_sts is the HSTS mechanism
FUN FACT: CHROME HANDLES HSTS AS A REDIRECT
TIME TO GET ON THE HSTS TRAIN
https://trends.builtwith.com/docinfo/HSTS
BUT HOW DO YOU MAKE THE FIRST CONNECTION OVER HTTPS?
GET https://websec.be
200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
GET https://www.websec.be
200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
websec.be
GET https://www.websec.be
200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
www.websec.be
61
HSTS == TOFU
http://www.bbcgoodfood.com/howto/guide/ingredient-focus-tofu
62
PRELOADING HSTS INTO THE BROWSER
https://hstspreload.appspot.com/?
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
63
PRELOADING IS ON THE RISE
https://trends.builtwith.com/docinfo/HSTS
64
AWESOME SERVICES HELP IMPROVE HTTPS DEPLOYMENTS
https://letsencrypt.org/
https://www.ssllabs.com/ssltest/
https://observatory.mozilla.org/
65
COMMON MISCONCEPTIONS ABOUT HTTPS
http://www.httpvshttps.com/
HTTPS is bad for performance
66
COMMON MISCONCEPTIONS ABOUT HTTPS
https://letsencrypt.org/
HTTPS is complex and expensive
67
COMMON MISCONCEPTIONS ABOUT HTTPS
http://www.consumerreports.org/cro/news/2014/04/windows-xp-is-a-bigger-hacker-threat-than-heartbleed/index.htm
You can only run one HTTPS site per IP address
68
ALL INTERACTIONS SHOULD HAPPEN OVER HTTPS
§ There is a big push for HTTPS on the Web
− Google uses HTTPS as a ranking signal
− Active mixed content is blocked in modern desktop browsers
− The Secure Contexts specification limits use of sensitive features
§ There is plenty of support for easily enabling HTTPS
− Rate your deployment with the SSL Server Test
− Get free, automated certificates from Let's Encrypt
§ Improve your HTTPS deployment
− Enable HTTP Strict Transport Security
69
https://www.ssllabs.com/ssltest/
https://letsencrypt.org/
KNOWLEDGE IS THE KEY TO BUILDING SECURE APPLICATIONS
§ The use of HTTPS and HSTS is only the tip of the iceberg
− Numerous new security policies have been added in the last 5 years
§ These new technologies require explicit knowledge and action
− Developers need to know why and how to use them
§ We offer specialized training covering the Web security landscape
− Hosted training courses and customizable in-house trainings
− Broad spectrum of topics, such as HTTPS, authentication, authorization, XSS
− Various Web technologies, including modern MVC frameworks (AngularJS, …)
− Effective combination of lectures and hands-on sessions
70
NOW IT’S UP TO YOU …
Secure ShareFollow
https://www.websec.be [email protected] /in/philippederyck