web in security
play

Web (In)Security: Remediation Efforts - Status and Outlook Jeff - PowerPoint PPT Presentation

Mar 25, 2024 •568 likes •971 views

Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal February 2011 Overall Agenda The Current Web Has Some Holes Help is On The Way (Some Anyway) Solving Real World Problems Still A Ways To Go 2

  1. Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal February 2011

  2. Overall Agenda The Current Web Has Some Holes Help is On The Way (Some Anyway) Solving Real World Problems Still A Ways To Go 2

  3. The Current Web Has Some Holes 3

  4. Sort of Like This: 4

  5. It Is Hard To Do Even Simple Things Safely • Include an ad on your site • Use third-party Site-Analytics • Allow user input (“Rich” or otherwise) • Uniform use of HTTPS 5

  6. What Are Some of the Holes? • Cross Site Request Forgery (CSRF) • Cross Site Scripting (XSS) • Clickjacking • Malvertising • TLS/SSL Man In The Middle (MITM) • For example - sslstrip 6

  7. Why Do These Attacks Exist • Core protocol/technology weaknesses • Too much required of each and every developer • Lack of Security Policy Mechanisms 7

  8. Core Protocols/Technologies Have Weaknesses • Cookies are broken: • Their scope rules are broken • “Secure” Flag doesn’t really mean the same thing everywhere • “ HTTPonly ” and “Secure” only partially effective • Network MiTM attacker can overwrite cookies by spoofing.. http://www.example.com ..to overwrite real “secure cookies” for.. http s ://www.example.com • Practically anything can be interpreted as JavaScript • Browsers default to HTTP first (Not HTTPS ) 8

  9. Too Much Required of Each and Every Developer • To Implement a “Strong” Security Policy…… • Every Cookie has to have HTTPonly and Secure Flag • Every link generated has to have the right scheme (HTTP vs. HTTPS) • Every page must have the right content encoding • This is TOO HARD 9

  10. Lack of “Site” Security Policy Mechanisms • A Developer or WebSite Administrator has no coherent way to say, for example: • Treat all my cookies “Securely”, • Only load HTTPS Content, • And don’t frame my site. 10

  11. Help is On The Way (Some Anyway) 11

  12. Web Security Today http://commons.wikimedia.org/wiki/File:Professor_Lucifer_Butts.gif However, help is on the way... 12

  13. Help is on the Way Though, it might not be quite what you want…. 13

  14. “Emerging” Web Security Standards • X-Frame-Options • HTTP Strict-Transport-Security (HSTS) • Mozilla Content Security Policy (CSP) • NoScript Application Boundary Enforcer (ABE) • Cross Origin Resource Sharing (CORS) • X-Content-Type-Options: nosniff 14

  15. Some Details On... X-Frame-Options HTTP Strict Transport Security Content Security Policy (CSP) 15

  16. Control Who Can Frame Your Site (X-Frame-Options) • Doing this in JavaScript is an exercise in futility • X-Frame-Options (Invented by Microsoft In 2009) • HTTP header that tells a browser whether to allow framing (and by whom) • Now widely implemented • Not very flexible • Doesn’t solve all use cases HTTP/1.1 200 OK Content-Type: text/xml; charset=UTF-8 Date: Fri, 07 Jan 2011 17:38:01 GMT X-Frame-Options: SAMEORIGIN 16

  17. Force Your Entire Site to HTTPS (HTTP Strict Transport Security) • ForceHTTPS conceived by Jackson and Barth in 2007 • In response to others' approaches (e.g. Locked-Same-Origin) • Presented at WWW 2008 (April) [1] • General notion discussed sporadically since publication • Initially spec was known as ForceTLS • Presently a draft specification at the IETF [1] https://crypto.stanford.edu/forcehttps/ 17

  18. Force Your Entire Site to HTTPS (HTTP Strict Transport Security) • Ostensibly simple high-level use case: • Web browser users wish use sites securely • Web site deployer wishes to offer site securely • STS Server declares STS policy by returning STS response header: HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Strict-Transport-Security: max-age=31536000 • Helps mitigate attacks such as sslstrip and malicious network operators 18

  19. Content Security Policy (CSP) • Mozilla developed CSP to help prevent common web attacks such as XSS • Side Benefit - Clickjacking Protection • Allows a site to specific how and from where content (scripts, images, css, etc) will load/execute. 19

  20. What Can You Do With CSP? • Force all JavaScript to load from include file, not inline • Eliminate certain JavaScript usage (e.g. “ eval ()”) • Whitelist where JS can be loaded from (eliminate injections) • Detect violations of your defined web security policy • Control who can frame your content • And much more… • https://wiki.mozilla.org/Security/CSP/Specification HTTP/1.1 200 OK Content-Type: text/xml; charset=UTF-8 X-Content-Security-Policy: allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script- src trustedscripts.example.com 20

  21. Solving Real World Problems 21

  22. Solving Real World Problems: Agenda Prevent Framing of Your Site Make All Your Cookies “Secure” Make Your Entire Website HTTPS Only 22

  23. Prevent Framing of Your Site • Harder than it looks – should do ALL of these: • Deploy “ Framebusting ” JavaScript • Though, most are relatively easily defeated (see [2]) • Deploy X-Frame-Options Headers HTTP/1.1 200 OK Content-Type: text/xml; charset=UTF-8 Date: Fri, 07 Jan 2011 17:38:01 GMT X-Frame-Options: DENY • Note: Not supported in older browsers! • For Clients running Firefox-4 • Use CSP to control frame-ancestors • [2] http://seclab.stanford.edu/websec/framebusting/index.php 23

  24. Make All Your Cookies “Secure” HTTP/1.1 200 OK Date: Fri, 07 Jan 2011 17:52:34 GMT Server: Apache Set-Cookie: Name=Value; domain=paypal.com; path=/; • Lacking “ HTTPOnly ” and “Secure” flags 24

  25. Make All Your Cookies “Secure” HTTP/1.1 200 OK Date: Fri, 07 Jan 2011 17:52:34 GMT Server: Apache Set-Cookie: Name=Value; domain=paypal.com; path=/; Secure;HttpOnly • No “standard approach” that makes this easy for you • Web Application Firewalls or Servlet Filters can help • E.g. if using Apache server, then use ModSecurity to... • Craft ruleset that checks for cookies lacking either/both flags and adds them if needed [3] • [3] http://blog.spiderlabs.com/2008/12/fixing-both-missing-httponly-and-secure-cookie-flags.html 25

  26. Make Your Entire Website HTTPS Only • Convert your entire website to serve all content over HTTPS • Convert all links you generate to “https:” • Beware of content served from other domains! • e.g. Images you include, web analytics Javascript • Make sure you redirect from HTTP to HTTPS with an HTTP-301 (SEO reasons) • And, deploy HSTS headers: HTTP/1.1 200 OK Date: Fri, 07 Jan 2011 17:19:03 GMT Server: Apache Cache-Control: private Pragma: no-cache Strict-Transport-Security: max-age=31536000 26

  27. Still a Ways To Go 27

  28. Still a Ways to Go... • Remember that list of things you couldn’t do safely? • Include an ad on your site • Use third-party Site-Analytics • Allow user input (“Rich” or otherwise) • Uniform use of HTTPS • etc. • You still can’t in some cases 28

  29. Why? Some Current Constraints... • Lack of standards for general purpose Security Policy mechanisms • Can’t safely frame third -party content directly without lots of “attack surface” • Can’t safely embed third -party script • Not all deployed browsers implement the new security features/standards • And also because... • You can't “break the Web” 29

  30. Some Goals for Approaches • Should not rely on every developer (and user) “getting it right” 100% of the time • Security mechanisms should be “declarative policy and configuration” • separate from “code” • Reduce the need for new individual HTTP headers for each specific issue • Overall – create security mechanisms that allow/enforce the concept of Least Privilege 30

  31. How Do We Get Started • What we need.. • Commonly agreed to terms and definitions of Web security concepts • e.g. “origin”, “site” • Web Security Policy Framework • and coherent notions of what that means • Forums in which to have the discussion 31

  32. Some Work In Progress • IETF WebSec Working Group • W3C WebAppSec and WebApps Working Groups • Related: • IETF DANE WG (a.k.a. “Keys in DNS (KIDNS)” and “ KeyAssure ”) 32

  33. Some Work In Progress • IETF WebSec WG • Newly-established: 12-Oct-2010 • Charter: http://tools.ietf.org/wg/websec/charters • Initial existing specifications… • HSTS – HTTP Strict Transport Security • draft-ietf-websec-strict-transport-sec • Origin definition and explicit header • draft-ietf-websec-origin • Content Sniffing Rules • draft-ietf-websec-mime-sniff • Will develop… • HTTP app security "problem statement and requirements" doc 33

  34. Some Work In Progress • W3C WebAppSec and WebApps Working Groups • WebAppSec WG • Nascent • Proposed charter: http://www.w3.org/2010/07/appsecwg- charter.html • Mission: • “… to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross- site communication .” • Have security-oriented specs from WebApps move to WebAppSec … • Cross-Origin Resource Sharing (CORS) • Uniform Messaging Policy (UMP) • Content Security Policy (CSP) (from Mozilla, yet to appear as a W3C draft) • ( Security-oriented portions of HTML5 ? ) • WebApps working group: http://www.w3.org/2008/webapps/ 34

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM & UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Material and some slide content from: - Software Architecture: Foundations, Theory, and Practice - Krzysztof Czarnecki Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security: The protection a ff orded a

160 views • 4 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election Security = Physical Security + Cybersecurity Physical Security Security plans Secure storage of voting machines and electronic pollbooks

341 views • 13 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides

More recommend