An intro to web security

FHV

April 25, 2016

Transcript

  1. An intro to web security Florencia Herra Vega CTO, Peerio

  2. An intro to web in/security 1. Some structural things about the web (with focus on DNS) 2. Some pranks/tools 3. How HTTPS helps 4. Using Let’s Encrypt

  3. Why is the internet so insecure? • Security is not built in

  4. Why is the internet so insecure? • Security is not built in • Data sent in the open

  5. Why is the internet so insecure? • Security is not built in • Data sent in the open • Huge and unmaintained

  6. Why is it hard to learn? • High level of abstraction in development

  7. Why is it hard to learn? • High level of abstraction in development • The foundations are ugly.

  8. Why is it hard to learn? • High level of abstraction in development • The foundations are ugly. • Security requires the foundations.

  9. What happens when you request a webpage in your browser? show me that blog text! images!

  10. What happens when you request a webpage in your browser?

  11. http://harryblogs.potter-weasley-family.com

  12. What happens when you request a webpage in your browser?

  13. What happens when you request a webpage in your browser?

  14. What happens when you request a webpage in your browser? hosting ISP ?

  15. What happens when you request a webpage in your browser? hosting ISP

  16. http://harryblogs.potter-weasley-family.com

  17. http://harryblogs.potter-weasley-family.com where do I find blog?

  18. http://harryblogs.potter-weasley-family.com ok this is an address 159.203.37.70

  19. Domain Name System (DNS)

  20. Domain Name System (DNS) The address book of the internetz.

  21. Domain Name System (DNS) The recursive address books of the internetz.

  22. DNS hey browser, do you know about harryblogs.potter-weasley-family.com? nope

  23. DNS hey OS, do you know about harryblogs.potter-weasley-family.com? nope

  24. DNS hey router, do you know about harryblogs.potter-weasley-family.com? nope

  25. DNS hey ISP, do you know about harryblogs.potter-weasley-family.com? nope

  26. DNS hey root DNS server, do you know about harryblogs.potter-weasley-family.com? nope, but I know about .com, go ask the .com TLD DNS server

  27. DNS hey .com DNS server, do you know about harryblogs.potter-weasley-family.com? nope, but I know where the name servers for potter-weasley-family.com are! ns1.diagonalhosting.com

  28. DNS hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? YES 159.203.37.70

  29. DNS hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? YES 159.203.37.70 AUTHORITATIVE

  30. browser OS router ISP authoritative nameserver find!

  31. browser OS router ISP authoritative nameserver find! cache for n seconds! cache for n seconds! cache for n seconds! cache for n seconds!

  32. DNS hey ISP, do you know about harryblogs.potter-weasley-family.com? YES 159.203.37.70
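The lookup path on slides 22 to 32, as an added example that is not part of the talk: a small Python model in which the browser, OS, router and ISP each keep a cache that expires after the record's TTL, and on a miss the ISP walks root, the .com TLD and the authoritative server. The zone data, the 300-second TTL and the server names are constructed to match the slides.

```python
"""Model of the recursive lookup on slides 22 to 32 (constructed, not the talk's code).
Each hop caches for the record's TTL; on a miss the ISP walks root -> .com -> authoritative."""
from dataclasses import dataclass, field

# Constructed zone data standing in for the real root, .com and hosting name servers.
ROOT = {"com.": "tld-com"}
TLD_COM = {"potter-weasley-family.com.": "ns1.diagonalhosting.com"}
AUTHORITATIVE = {"harryblogs.potter-weasley-family.com.": ("159.203.37.70", 300)}  # (addr, TTL)

def in_zone(fqdn, zone):
    return fqdn == zone or fqdn.endswith("." + zone)

@dataclass
class Cache:
    name: str
    entries: dict = field(default_factory=dict)   # fqdn -> (address, expires_at)

    def get(self, fqdn, now):
        hit = self.entries.get(fqdn)
        return hit[0] if hit and hit[1] > now else None   # an expired entry is a miss

    def put(self, fqdn, addr, ttl, now):
        self.entries[fqdn] = (addr, now + ttl)

def resolve_iteratively(fqdn, trace):
    """Slides 26 to 29: each server either answers or delegates one level down."""
    trace.append("root")
    if not any(in_zone(fqdn, z) for z in ROOT):
        raise LookupError(f"root knows no TLD for {fqdn}")
    trace.append("tld-com")
    if not any(in_zone(fqdn, z) for z in TLD_COM):
        raise LookupError(f".com has no name server for {fqdn}")
    trace.append("ns1.diagonalhosting.com")
    if fqdn not in AUTHORITATIVE:
        raise LookupError(f"NXDOMAIN {fqdn}")
    return AUTHORITATIVE[fqdn]                     # the AUTHORITATIVE answer (slide 29)

def lookup(fqdn, caches, now):
    """Ask each cache in order; on a full miss recurse, then every hop caches for TTL seconds."""
    trace = []
    for cache in caches:
        trace.append(cache.name)
        addr = cache.get(fqdn, now)
        if addr is not None:
            return addr, trace                     # answered from a cache (slide 32)
    addr, ttl = resolve_iteratively(fqdn, trace)
    for cache in caches:                           # "cache for n seconds!" at every hop (slide 31)
        cache.put(fqdn, addr, ttl, now)
    return addr, trace
```

The returned trace lists which hops were consulted, so the second call within the TTL stops at the browser cache while a call after expiry walks the whole chain again.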
  33. Okay, now we know who to talk to.

  34. Insurance Company Inc. ISP Inc. 159.203.37.70

  35. Insurance Company Inc. ISP Inc. 159.203.37.70

  36. TCP “polite request to chat” Hey buddy can I talk to you for a second? SYN Me? You wanna talk to me? SYN/ACK Yes you! ACK

  37. HTTP GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com

  38. HTTP GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com HTTP/1.1 200 OK <html> <head> <title>Harry’s blog</title> </head> <body> This is a blog. </body> </html>

  39. Let’s see it all in action. # Wireshark!
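The exchange on slides 36 to 39, as an added example that is not the talk's code: a stand-in for Harry's blog served on loopback, and a client that writes the GET line and Host header onto the TCP socket by hand and parses the reply, the same plaintext bytes Wireshark would show. The host name, page body and the 404 for a wrong Host header are constructed for this example.

```python
"""Plaintext HTTP/1.1 over a bare TCP socket (constructed example, not the talk's code).
connect() performs the SYN, SYN/ACK, ACK handshake from slide 36; the request bytes are
exactly the GET line and Host header from slides 37 and 38."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BLOG_HOST = "harryblogs.potter-weasley-family.com"
PAGE = b"<html><head><title>Harry's blog</title></head><body>This is a blog.</body></html>"

class BlogHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        # The Host header is how one address serves many sites; an unknown name gets 404.
        if self.headers.get("Host", "").split(":")[0] != BLOG_HOST:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_blog_server():
    """Bind a free loopback port and serve in a background thread; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), BlogHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def raw_get(port, host):
    """Send the request by hand, read until the server closes, return (status, body)."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request)                  # readable by anyone on the path (slide 51)
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])   # "HTTP/1.1 200 OK" -> 200
    return status, body

if __name__ == "__main__":
    server = start_blog_server()
    print(raw_get(server.server_address[1], BLOG_HOST))
    server.shutdown()
```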

  40. buy this thing! one weird trick wow wow Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable product driven sticky note convergence viral quantitative vs. qualitative. Sticky note affordances responsive parallax prototype thought leader bootstrapping pivot. Like this! Tweet this! You’ll never believe these animal pix! This comments section won’t offend you…. Boring text but there is a Youtube video below! buy my merch! Patreon GitTip Flattr Bitcoin

  41. External content • Ads • JS/CSS CDNs • Image/video hosting CDNs • Analytics like Google Analytics/Mixpanel • Social media counters • Social media buttons • E-commerce buttons (Flattr, Patreon, PayPal)

  42. Let’s try to break it.

  43. Insurance Company Inc. ISP Inc. 159.203.37.70

  44. [A quick and dirty DNS prank] /etc/hosts

  45. Some DNS only resolves locally.
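Slides 44 and 45 turn on /etc/hosts: a name listed there is answered locally and never reaches DNS at all. As an added example (not from the talk), a small parser for hosts-file content that lists every non-loopback name it pins, which is the first thing to check when a site resolves to the wrong place on one machine. The file content below is constructed.

```python
"""Audit hosts-file content (constructed example, not the talk's code): every name
listed here bypasses DNS, so each non-loopback entry needs a reason to exist."""
import ipaddress

# Constructed sample in /etc/hosts format, including a stale "testing" override.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
# added for local testing, never removed
10.0.0.5     harryblogs.potter-weasley-family.com
192.168.1.20 dev.internal.test   # staging box
"""

LOOPBACK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Return (address, name) pairs, ignoring blank lines and # comments.
    Raises ValueError on a malformed address so garbage never passes silently."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)
        pairs.extend((addr, name) for name in names)
    return pairs

def pinned_names(text):
    """Names the OS will resolve locally without asking any DNS server (slide 45),
    excluding the loopback entries every system ships with."""
    flagged = []
    for addr, name in parse_hosts(text):
        if name in LOOPBACK_NAMES or ipaddress.ip_address(addr).is_loopback:
            continue
        flagged.append((name, addr))
    return flagged
```

To audit a real machine, pass the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) to pinned_names.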

  46. browser OS router ISP authoritative nameserver find! insert records

  47. browser OS router ISP authoritative nameserver find! cache poisoning x cache for n seconds! cache for n seconds! cache for n seconds!

  48. Problems • I can see what you’re saying • I can see your passwords • I can fool you into accessing the wrong website through DNS • I can fool you into accessing the wrong website a bunch of other ways too

  49. Solutions?

  50. HTTP HTTP/1.1 200 OK <html> <body> Super secret info about the anti-Death Eater rally! </body> </html>

  51. HTTP :( not so secret now HTTP/1.1 200 OK <html> <body> Super secret info about the anti-Death Eater rally! </body> </html> Voldemort-in-the-middle

  52. HTTPS wow ? AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7 HafGjXMfDdvm2KRd3qXhxOoeTP9vy ddrZ05o4PkE86q54ySQOJA6UwwHt0 NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB

  53. HTTPS not so wow AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7 HafGjXMfDdvm2KRd3qXhxOoeTP9vy ddrZ05o4PkE86q54ySQOJA6UwwHt0 NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB dns wizardry

  54. HTTPS not so wow the rally is at this TOTALLY INCORRECT place dns wizardry

  55. HTTPS not so wow I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info.

  56. HTTPS not so wow I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info. I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info.

  57. Encryption keys are unique!

  58. Certificate: public key + metadata!

  59. Signed Certificates

  60. Signed Certificates

  61. Chain of trust

  62. Chain of trust Root certificate authority certificates are installed on your computer/phone/browser.

  63. Hello, I’d like to talk to Harry’s blog securely Yes this is Harry’s blog, v secure! Hold up, why should I trust that you’re actually Harry? Because Diagon Alley Hosting says so. Hey Diagon Alley Hosting, do you know this guy? Yes, we can vouch for him. But how do I know who you are? Look me up with Gringotts Identities.

  64. [Let’s mess with DNS again.]

  65. Why should I use HTTPS on my websites? • Protects your users from snooping. • Will raise hell if someone pretends to be you.

  66. Why doesn’t everybody do this? • Money. • Pain.

  67. Why doesn’t everybody do this? • Money. • Pain. Bureaucracy + encryption = not cute.

  68. Let’s encrypt! The easiest way to set up HTTPS with Apache ever…

  69. Let’s Encrypt! • nginx https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 • apache https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

  70. None

  71. Shared hosting providers that support Let’s Encrypt https://github.com/letsencrypt/letsencrypt/wiki/Web-Hosting-Supporting-LE

  72. What can I do as a user? • HTTPS everywhere browser extension • https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en • https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/ • Ad and tracker blocking • https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en • https://www.eff.org/privacybadger

  73. More resources • “Server Farm to Table” — http://jenna.is/server-farm-to-table-annotated.pdf • Computerphile “Man in the Middle attacks” — https://www.youtube.com/watch?v=-enHfpHMBo4 • Computerphile “Public key cryptography” — https://www.youtube.com/watch?v=GSIDS_lvRv4 • “Cat DNS” — https://www.youtube.com/watch?v=qDPhW9P44fI • Wireshark — https://www.wireshark.org/