the big data market: trends and players


Page 1

© 2010 Cisco and/or its affiliates. All rights reserved. 1

Web Security Fear, Surprise, and Ruthless Efficiency

Mary Ellen Zurko

Page 2

Page 3

• Authentication

And Password/Secret management

• A secret is something you tell to one person at a time

• Or

It’s not turtles all the way down

Page 4

• Defense in depth matters

• Compliance

• Passwords – users vs system parts

• Web server and files

Page 5

• Security the way Sir Tim intended

• Server says: WWW-Authenticate: Basic realm="insert realm"

• User prompted for their password

• Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=

User agent remembers and sends for that domain/realm

Page 6

• Everyone does their own authentication

No Single Sign On

Password proliferation

• Password unprotected

Encoding is not encrypting

• Who’s asking you for your password?
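The exchange on the two slides above, worked through in code. This is an added example, not material from the talk: it decodes the slide's own Authorization value to show that base64 is an encoding anyone on the path can reverse, then shows the server side the way a defender would build it, with salted PBKDF2 hashes instead of stored passwords and a constant-time comparison. `realm_of`, `decode_basic`, `make_store`, `verify` and the `PBKDF2_ROUNDS` setting are names chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets

# The two header lines from the slides; the Authorization value is the one shown there.
SERVER_CHALLENGE = 'WWW-Authenticate: Basic realm="insert realm"'
CLIENT_HEADER = "Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4="

PBKDF2_ROUNDS = 100_000  # constructed setting for this example


def realm_of(challenge_line: str) -> str:
    """Pull the realm out of a WWW-Authenticate: Basic challenge."""
    _, _, value = challenge_line.partition(":")
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "basic" or not params.lower().startswith("realm="):
        raise ValueError("not a Basic challenge")
    return params[len("realm="):].strip().strip('"')


def encode_basic(user: str, password: str) -> str:
    """What the user agent does: join with ':' and base64 it. No key, no secret."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_basic(header_line: str):
    """Recover (user, password) from an Authorization: Basic header.

    Anyone who sees the header (a proxy, a log file, a capture of plain
    HTTP) can do this: encoding is not encrypting.
    """
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        raise ValueError("not an Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"unsupported scheme {scheme!r}")
    user_pass = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("malformed credentials, no ':' separator")
    return user, password


def make_store(users: dict) -> dict:
    """Constructed credential store: per-user salt and PBKDF2 digest, never plaintext."""
    store = {}
    for user, password in users.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        store[user] = (salt, digest)
    return store


def verify(header_line: str, store: dict) -> bool:
    """Server-side check of a Basic header against the hashed store."""
    try:
        user, password = decode_basic(header_line)
    except ValueError:
        return False
    entry = store.get(user)
    if entry is None:
        # Do the same work for unknown users so timing does not reveal which names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("realm:", realm_of(SERVER_CHALLENGE))
    print("decoded:", decode_basic(CLIENT_HEADER))
    store = make_store({"Aladin": "sesam open"})
    print("verify:", verify(CLIENT_HEADER, store))
```

Decoding the slide's header yields the user `Aladin` and the password `sesam open`; the only protection the credential gets on the wire is whatever the transport provides, which is the point of the SSL/TLS slides that follow.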

Page 7

• Who vouches for the information on this web page?

• Trust, Trustworthy, and Trust for What?

There’s encryption; it’s Secure!

• What have you been told about detecting or avoiding phishing?

Page 8

• Citigroup.com

• Citibank.com

• Cititigroup.com

• Citigroup.de

• Citibank.co.uk

• Citigroup.org

• Thisiscitigroup.org

• Citibank.info

• Citicards.com

• Citicreditcards.com

• Citibank-cards.us

• Citimoney.com

• Citigold.net

• Citībank.org

• Citibānk.org

• Citigrøup.org

Page 9

Page 10

• Early on, there was S-HTTP

• Encryption of the HTML document

• Headers defined to specify type of encryption, type of key management, nonces

Supports pre-arranged keys, public/private keys, PGP, etc.

Server and client negotiate which enhancements they’ll use

• Flexible

• End to end (resists Man in the Middle)

Page 11

• Encryption! Authentication! Security!

• Network protocol that wraps HTTP

• Encryption of the tunnel for confidentiality and tamper detection

• Authentication of the server using public key certificate

• My browser has 182 “System Roots”

• Authentication of the client using public key certificate is an option

• Phishing for passwords and identities

Page 12

• Who put the D in DHTML?

• Data and Code should not mix

Code is dangerous. Data is not.

Speech vs action

Page 13

• Major technical university’s web site

• Cross Site Scripting (XSS)

Every link modified to redirect through proxy

Links to other web sites (e.g. LinkedIn, Facebook)

• Insecure Direct Object Reference

Walk the OS file system
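The "walk the OS file system" bullet describes an insecure direct object reference: a request parameter used as a file name. The example below is added here and is not code from the talk. It shows the naive pattern next to two fixes a defender would apply: canonicalising the path and refusing anything that resolves outside the web root (which also catches symlinks planted inside the root), and replacing the file name in the request with an opaque id looked up server side. The directory layout, file contents and the `FILE_IDS` table are constructed for the example; the function names are mine.

```python
import tempfile
from pathlib import Path


def make_demo_tree() -> Path:
    """Constructed layout: a public web root beside a file that must stay private."""
    base = Path(tempfile.mkdtemp(prefix="idor-demo-"))
    public = base / "public"
    public.mkdir()
    (public / "report.txt").write_bytes(b"quarterly numbers")
    (base / "secret.txt").write_bytes(b"database password")
    return public


def read_naive(web_root: Path, requested: str) -> bytes:
    """The vulnerable pattern: the request parameter becomes the file name.

    '../secret.txt' or an absolute path walks straight out of the web root.
    """
    return (web_root / requested).read_bytes()


def resolve_under(web_root: Path, requested: str) -> Path:
    """Canonicalise and insist the result is still inside web_root.

    resolve() collapses '..' and follows symlinks, so '../secret.txt', an
    absolute path, and a symlink inside the root that points outside are
    all rejected before any file is opened.
    """
    root = web_root.resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes the web root")
    return candidate


def read_public(web_root: Path, requested: str) -> bytes:
    """Hardened direct reference: same interface, path checked first."""
    return resolve_under(web_root, requested).read_bytes()


# Indirect object reference: the client names an opaque id, the server owns the mapping.
FILE_IDS = {"r1": "report.txt"}  # constructed table


def read_by_id(web_root: Path, file_id: str) -> bytes:
    name = FILE_IDS.get(file_id)
    if name is None:
        raise KeyError(f"unknown file id {file_id!r}")
    return read_public(web_root, name)


if __name__ == "__main__":
    root = make_demo_tree()
    print("naive, ../secret.txt ->", read_naive(root, "../secret.txt"))
    try:
        read_public(root, "../secret.txt")
    except PermissionError as exc:
        print("checked, ../secret.txt ->", exc)
    print("by id r1 ->", read_by_id(root, "r1"))
```

The indirect form is the stronger of the two because the client never names a path at all; the resolve-and-compare check is what you add when an existing interface cannot change.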

Page 14

• Who vouches for the code on this web site?

JavaScript

Sandbox + same origin policy

Java

Permissions

“Should this code access your file system, the network?”

• Web mail

Cross site scripting (XSS)

• HTML escaping of any data

Where are my bold text and dancing pigs?

Whitelist vs Blacklist

• Mobile apps – every game creator is a web browser implementer
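The "data and code should not mix", "HTML escaping of any data" and "whitelist vs blacklist" bullets above, shown in code as an added example that is not from the talk. `escape_all` is the safe default for web mail and any other place user data lands in a page; `sanitize` is the allowlist answer to "where are my bold text and dancing pigs?", letting through a fixed set of formatting tags with every attribute stripped and everything else rendered as escaped text; `blacklist_strip` is the approach the slide warns against, included so the two can be compared on the same input. The tag set, the sample message and the function names are assumptions made for this example; the parsing is done with the standard library's `html.parser`.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist: the only markup user data may carry, and never with attributes.
ALLOWED_TAGS = {"b", "i", "em", "strong"}

# Constructed untrusted input, the kind a web mail front end receives.
SAMPLE = 'Hello <b onmouseover="x()">world</b> <script>alert(1)</script> <i>ok</i>'


def escape_all(untrusted: str) -> str:
    """Plain HTML escaping: the data can never be read as code."""
    return html.escape(untrusted, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input keeping only ALLOWED_TAGS (no attributes) and escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes dropped, so no event handlers
            self.open_tags.append(tag)
        # any other tag is dropped; its text content still comes through handle_data

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            while self.open_tags:  # close anything left open inside it, keeping nesting valid
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return parser.result()


# Blacklist for comparison: removes script tags and nothing else.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def blacklist_strip(untrusted: str) -> str:
    return SCRIPT_TAG.sub("", untrusted)


if __name__ == "__main__":
    print("escape_all:     ", escape_all(SAMPLE))
    print("sanitize:       ", sanitize(SAMPLE))
    print("blacklist_strip:", blacklist_strip(SAMPLE))
```

On the sample message the blacklist removes the script tag but leaves the event handler on the bold tag untouched, while the allowlist output contains only `<b>`, `<i>` and escaped text; that asymmetry is the whole argument for allowlists.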

Page 15

Thank you.

Mary Ellen Zurko

[email protected]

Questions? Comments? Brickbats?