New Vulnerabilities from next World Wide Web
Kudo AT chroot.org

Uploaded by meryl-lynch, posted 04-Jan-2016


Page 1: New Vulnerabilities from next World Wide Web Kudo AT chroot.org

New Vulnerabilities from next World Wide Web

Kudo AT chroot.org

Page 2: Outline

What is next WWW?
• From history stories
• What's the problem of current WWW
• Introduce to next WWW

New vulnerabilities
Demo
Conclusion

Page 3: From history stories

The Birth of WWW
• In 1980
• By Berners-Lee
• Solve the problem of data publishing between different file types.
• Make sharing easier.

Page 4: From history stories

Hypertext, HTML, URI

Page 5: From history stories

Web 2.0
• Users can participate in the web publication.

Decentralization
• Blog
• Wiki
• Community

Page 6: What's the problem of current WWW

Data sharing is not easy, especially at uploading.

Page 7: What's the problem of current WWW

Why not use FTP or P2P applications for uploading?

YES! But not intuitive
• It has nothing to do with WWW.
• You have to open another window or install other programs.
• What you see is lots of filenames, not a good, human-nature view.

Page 8: What's the problem of current WWW

Traditional FTP clients only have a filename view.
• Flickr Uploadr – 3rd party application

Page 9: What's the problem of current WWW

Web 2.0 is also centralized: data is stored on central servers.
• Although users can participate, they do not really own the data.
• The long, long TOS.
• The case of wretch.cc: personal secrets

Page 10: What's the problem of current WWW

On the other hand, service providers will finally yield to hardware cost and power cost, since more and more people surf the Internet.

How to save or distribute the cost?

Page 11: What's the problem of current WWW

Could we get some idea from our history!?

YES!

Page 12: (image)

From: http://www.pro-classic.com/ethnicgv/cmaps/others/ldf06.htm

Page 13: (image)

From: http://www.wikilib.com/wiki?title=Image:Qinmap.png&variant=zh-tw

Page 14: (image)

From: http://www.wikilib.com/wiki?title=Image:Sanguo.jpg&variant=zh-hk

Page 15: What's the problem of current WWW

Workstation

Page 16: What's the problem of current WWW

PC World

Page 17: What's the problem of current WWW

WEB 2.0 Model

Page 18: What's the problem of current WWW

P2P !!

Page 19: Introduce to next WWW

Inherit Windows UI/behavior to WWW
Make users feel the same between local and Web
• Different file views
• Mouse drag

More powerful browser
Or user-land HTTP server

Page 20: Introduce to next WWW

Web + P2P
• Share the duplicated data
• Be a relay for other people when they are offline

Applications
• Photos
• Video/Audio
• E-mail attachments

Page 21: Introduce to next WWW

Possible bottlenecks
• Bandwidth
• SPAM / SEX
• Copyright
• Security

Page 22: New Vulnerabilities

Inherit Windows UI/behavior to WWW
In traditional/general Web programming, we cannot access local file system data (except through the upload form):
• HTML
• JavaScript
• AJAX

Page 23: New Vulnerabilities

We need a more powerful browser
• Can access local file system data
• File operations transform into upload forms

It's traditional CGI security.

• A more powerful client-side script than JavaScript
  Malicious script: gain administrator rights, copy malicious executables to your computer
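The slide's point is that once local file operations become upload forms handled by a user-land HTTP server, the old CGI mistakes return: the server must decide whether a requested path really lies inside what the user chose to share. The following is an added example, not part of the original talk and not NUWeb's code; it shows one way such a server can canonicalise a requested path and refuse anything that resolves outside the share root, covering plain traversal, URL-encoded traversal, symlinks that escape the share and NUL-byte truncation. The share layout, file names and request strings are constructed for the demo.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


class PathOutsideShare(Exception):
    """Raised when a requested path would resolve outside the shared directory."""


def resolve_share_path(share_root, requested):
    """Map the path from a file-operation request (list, download, upload)
    onto the directory the user chose to share.

    The root is canonicalised once; the request is URL-decoded, joined beneath
    the root and canonicalised again (realpath follows symlinks, so a link
    pointing outside the share resolves to its real target). The result is
    accepted only if it still lies inside the root.
    """
    root = os.path.realpath(share_root)
    decoded = unquote(requested)
    if "\x00" in decoded:
        # A NUL byte would truncate the path in C-level file APIs.
        raise PathOutsideShare(requested)
    rel = decoded.lstrip("/\\")          # every request is share-relative
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        raise PathOutsideShare(requested)
    return candidate


def demo():
    """Build a constructed share layout and run a set of requests through
    the check. Returns a dict of request -> 'ok' or 'refused'."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    os.makedirs(os.path.join(share, "photos"))
    with open(os.path.join(share, "photos", "cat.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8 constructed sample bytes")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the share\n")
    # A symlink inside the share that points at a file outside it.
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(share, "link"))

    requests = [
        "/photos/cat.jpg",                    # plain download
        "/photos/new.jpg",                    # upload target that does not exist yet
        "/photos/../../secret.txt",           # traversal with ..
        "/photos/%2e%2e/%2e%2e/secret.txt",   # URL-encoded traversal
        "/link",                              # symlink escaping the share
        "/photos/cat.jpg%00.txt",             # NUL-byte truncation
    ]
    results = {}
    try:
        for req in requests:
            try:
                resolve_share_path(share, req)
                results[req] = "ok"
            except PathOutsideShare:
                results[req] = "refused"
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

The check is done after canonicalisation rather than by string-matching for `..`, which is why the symlink and the encoded variants are caught by the same line; the demo assumes a POSIX file system where `os.symlink` is available.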

Page 24: New Vulnerabilities

Web + P2P
• You might store relay data from other people on your computer
• You can extract this data

A protected place on your computer that you cannot access: encryption
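For the relay case the slide's answer is encryption: the relay node only ever holds data the owner sealed, so the peer storing it can neither read it nor silently alter it. The code below is an added illustration, not the talk's own code. It uses only the Python standard library, so in place of a real AEAD such as AES-GCM it builds a stream cipher from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; that construction, the RelayNode class, the key labels and the sample photo bytes are all assumptions made for the demo, and a production relay would use a vetted AEAD.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


class RelayTamperedError(Exception):
    """The blob fetched back from a relay failed authentication."""


def _subkey(master_key, label):
    # Separate keys for encryption and authentication, derived from the
    # owner's master key (assumed to stay on the owner's machine only).
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Counter mode with HMAC-SHA256 as the PRF; a stand-in for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_for_relay(master_key, plaintext):
    """Owner side: nonce || ciphertext || tag, safe to hand to a stranger."""
    enc_key = _subkey(master_key, b"relay-enc")
    mac_key = _subkey(master_key, b"relay-mac")
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_from_relay(master_key, blob):
    """Owner side: verify the tag first, then decrypt; reject any change."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise RelayTamperedError("blob too short")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    mac_key = _subkey(master_key, b"relay-mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise RelayTamperedError("authentication failed")
    enc_key = _subkey(master_key, b"relay-enc")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class RelayNode:
    """A stranger's machine holding blobs for an offline peer (constructed
    for the demo). It only ever sees what the owner sealed."""

    def __init__(self):
        self.store = {}

    def put(self, blob_id, blob):
        self.store[blob_id] = bytes(blob)

    def get(self, blob_id):
        return self.store[blob_id]

    def can_find(self, needle):
        # What a curious relay operator learns by grepping the store.
        return any(needle in blob for blob in self.store.values())


def demo():
    """Seal a constructed photo, park it on a relay, fetch it back, and show
    what happens when the relay alters one byte. Returns a result dict."""
    master_key = os.urandom(32)
    photo = b"JFIF constructed-sample-photo: family-holiday-2007"
    relay = RelayNode()
    relay.put("photo-001", seal_for_relay(master_key, photo))

    tampered = bytearray(relay.get("photo-001"))
    tampered[NONCE_LEN] ^= 0x01   # flip one bit of the first ciphertext byte
    try:
        open_from_relay(master_key, bytes(tampered))
        tamper_detected = False
    except RelayTamperedError:
        tamper_detected = True

    return {
        "relay_can_read": relay.can_find(b"family-holiday"),
        "roundtrip_ok": open_from_relay(master_key, relay.get("photo-001")) == photo,
        "tamper_detected": tamper_detected,
    }
```

The relay stores and returns bytes it cannot interpret, and the owner checks the tag before touching the ciphertext, so the "protected place you cannot access" on the slide is enforced by the owner's key rather than by trusting the relay's file permissions.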

Page 25: New Vulnerabilities

How could we do it?
Develop securely
Malicious script detection

Page 26: Demo

NUWeb
Integrate WWW with the local file system
User-land HTTP server
User-land mplayer
User-land Web application
• PHP script
…… ……

Page 27: Demo

Page 28: Demo

Page 29: Demo

Allpeers
Parakey

Page 30: Conclusion

After Web 2.0, there must be something.

We provide some ideas and forecast some potential security issues.

Sorry that we have no more appropriate demonstrations, since the time has not come yet.

Page 31: Thanks

Q&A Time