new vulnerabilities from next world wide web kudo at chroot.org
TRANSCRIPT
New Vulnerabilities from next New Vulnerabilities from next World Wide WebWorld Wide Web
Kudo AT chroot.orgKudo AT chroot.org
OutlineOutline
What is next WWW ?What is next WWW ?• From history storiesFrom history stories• What’s the problem of current WWWWhat’s the problem of current WWW• Introduce to next WWWIntroduce to next WWW
New vulnerabilitiesNew vulnerabilities DemoDemo ConclusionConclusion
From history storiesFrom history stories
The Birth of WWWThe Birth of WWW• In 1980In 1980• By Berners-LeeBy Berners-Lee• Solve the problem Solve the problem
of data publishing of data publishing between different between different file type.file type.
• Make sharing Make sharing been easier.been easier.
From history storiesFrom history stories
HypertextHypertext HTMLHTML URIURI
From history storiesFrom history stories
Web 2.0Web 2.0• Users can Users can
participate in participate in the web the web publication.publication.
DecentralizationDecentralization
• BlogBlog• WikiWiki• CommunityCommunity
What’s the problem of current What’s the problem of current WWWWWW
Data sharing is not easy, especially Data sharing is not easy, especially at at uploadinguploading
What’s the problem of current What’s the problem of current WWWWWW
Why not use FTP or P2P applications Why not use FTP or P2P applications for uploading?for uploading?
YES! But not intuitionalYES! But not intuitional• It has nothing to do with WWWIt has nothing to do with WWW• You should open another window or You should open another window or
install other programs.install other programs.• What you see is lots of filenames, not a What you see is lots of filenames, not a
good, human nature good, human nature viewview
What’s the problem of current What’s the problem of current WWWWWW
Traditional FTP Client Traditional FTP Client only have filenames view.only have filenames view.
• Flickr Uploadr – Flickr Uploadr –
33rdrd party application party application
What’s the problem of current What’s the problem of current WWWWWW
In WEB 2.0, it’s also centralize.In WEB 2.0, it’s also centralize. Data stores in center servers.Data stores in center servers.
• Although users can participate, but not Although users can participate, but not really own the data.really own the data.
• The long long TOS.The long long TOS.• The cases of wretch.ccThe cases of wretch.cc
Personal secretPersonal secret
What’s the problem of current What’s the problem of current WWWWWW
In the other hand, service providers In the other hand, service providers would finally yield themselves to the would finally yield themselves to the hardware cost, hardware cost, power costpower cost
Since more and more people would Since more and more people would surf the Internet.surf the Internet.
How to save or distribute the cost ? How to save or distribute the cost ?
What’s the problem of current What’s the problem of current WWWWWW
Could we get some idea from our Could we get some idea from our history !?history !?
YES!YES!
From: http://www.pro-classic.com/ethnicgv/cmaps/others/ldf06.htm
From: http://www.wikilib.com/wiki?title=Image:Qinmap.png&variant=zh-tw
From: http://www.wikilib.com/wiki?title=Image:Sanguo.jpg&variant=zh-hk
What’s the problem of current What’s the problem of current WWWWWW
WorkstationWorkstation
What’s the problem of current What’s the problem of current WWWWWW
PC WorldPC World
What’s the problem of current What’s the problem of current WWWWWW
WEB 2.0 ModelWEB 2.0 Model
What’s the problem of current What’s the problem of current WWWWWW
P2P !!P2P !!
Introduce to next WWWIntroduce to next WWW
Inherit Windows UI/Behavior to WWWInherit Windows UI/Behavior to WWW Make users feel identical with local Make users feel identical with local
and Web.and Web.• Different files Different files viewview• Mouse dragMouse drag
More powerful browserMore powerful browser Or user land HTTP serverOr user land HTTP server
Introduce to next WWWIntroduce to next WWW
Web + P2P Web + P2P • Share the duplicated dataShare the duplicated data• Been relay for other people when they Been relay for other people when they
are offlineare offline ApplicationsApplications
• PhotosPhotos• Video/AudioVideo/Audio• E-Mail attachmentE-Mail attachment
Introduce to next WWWIntroduce to next WWW
Possible bottleneckPossible bottleneck• BandwidthBandwidth• SPAM / SEXSPAM / SEX• CopyrightCopyright• SecuritySecurity
New VulnerabilitiesNew Vulnerabilities
Inherit Windows UI/Behavior to WWWInherit Windows UI/Behavior to WWW In traditional/general Web In traditional/general Web
programming, we cannot access programming, we cannot access local file system data (except upload local file system data (except upload form)form)• HTMLHTML• Java scriptJava script• AJAXAJAX
New VulnerabilitiesNew Vulnerabilities
We need more powerful browserWe need more powerful browser• Can access local file system dataCan access local file system data• File operation transforms to upload formsFile operation transforms to upload forms
It’s traditional CGI Security.It’s traditional CGI Security.
• A more powerful client side script than A more powerful client side script than JavaScriptJavaScript
Malicious scriptMalicious script Gain your administratorGain your administrator Copy malicious executables to your computerCopy malicious executables to your computer
New VulnerabilitiesNew Vulnerabilities
Web + P2P Web + P2P • You might store relay data from other You might store relay data from other
people in your computerpeople in your computer• You can extract these dataYou can extract these data
A protected place in your computer, A protected place in your computer, you cannot access thereyou cannot access there
EncryptionEncryption
New VulnerabilitiesNew Vulnerabilities
How could we do ?How could we do ? Securely developSecurely develop Malicious script detectionMalicious script detection
DemoDemo
NUWebNUWeb Integrate WWW with local file systemIntegrate WWW with local file system User land HTTP Server User land HTTP Server User land mplayerUser land mplayer User land Web applicationUser land Web application
• PHP ScriptPHP Script …… ……
DemoDemo
DemoDemo
DemoDemo
AllpeersAllpeers ParakeyParakey
ConclusionConclusion
After Web 2.0, there must be After Web 2.0, there must be somethingsomething
We provide some idea and forecast We provide some idea and forecast some potential security issuesome potential security issue
Sorry that we have no more Sorry that we have no more appropriate demonstrations, since appropriate demonstrations, since the times is not going therethe times is not going there
ThanksThanks
Q&A TimeQ&A Time