
An intro to web security

FHV
April 25, 2016


Transcript

  1. An intro to web in/security
     1. Some structural things about the web (with focus on DNS)
     2. Some pranks/tools
     3. How HTTPS helps
     4. Using Let’s Encrypt
  2. Why is the internet so insecure?
     • Security is not built in
     • Data sent in the open
  3. Why is the internet so insecure?
     • Security is not built in
     • Data sent in the open
     • Huge and unmaintained
  4. Why is it hard to learn?
     • High level of abstraction in development
  5. Why is it hard to learn?
     • High level of abstraction in development
     • The foundations are ugly.
  6. Why is it hard to learn?
     • High level of abstraction in development
     • The foundations are ugly.
     • Security requires the foundations.
  7. DNS
     “hey root DNS server, do you know about harryblogs.potter-weasley-family.com?”
     “nope, but I know about .com, go ask the .com TLD DNS server”
  8. DNS
     “hey .com DNS server, do you know about harryblogs.potter-weasley-family.com?”
     “nope, but I know where the name servers for potter-weasley-family.com are! ns1.diagonalhosting.com”
  9. [diagram] browser → OS → router → ISP → authoritative nameserver: “find!”, and on the way back “cache for n seconds!” at each of the four hops
  10. TCP, the “polite request to chat”
     “Hey buddy can I talk to you for a second?” (SYN)
     “Me? You wanna talk to me?” (SYN/ACK)
     “Yes you!” (ACK)
  11. HTTP
     GET / HTTP/1.1
     Host: harryblogs.potter-weasley-family.com
     HTTP/1.1 200 OK
     <html> <head> <title>Harry’s blog</title> </head> <body> This is a blog. </body> </html>
  12. buy this thing! one weird trick wow wow Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable product driven sticky note convergence viral quantitative vs. qualitative. Sticky note affordances responsive parallax prototype thought leader bootstrapping pivot. Like this! Tweet this! You’ll never believe these animal pix! This comments section won’t offend you…. Boring text but there is a Youtube video below! buy my merch! Patreon GitTip Flattr Bitcoin
  13. External content
     • Ads
     • JS/CSS CDNs
     • Image/video hosting CDNs
     • Analytics like Google Analytics/Mixpanel
     • Social media counters
     • Social media buttons
     • E-commerce buttons (Flattr, Patreon, PayPal)
  14. [diagram] browser → OS → router → ISP → authoritative nameserver: “find!”, but one hop is marked “cache poisoning x”; the other three hops still “cache for n seconds!”
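An added Go example, not from the deck, that walks the root → TLD → authoritative chain of slides 7 and 8 with the per-hop “cache for n seconds!” of slide 9, and applies the bailiwick check a caching resolver uses against the cache poisoning of slide 14: a record is only cached if the server that sent it is responsible for that name. All server labels, zones and addresses are constructed for the example.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// Reply is one constructed nameserver's answer for a queried name: a final Addr, or a
// referral to the server labelled in ReferTo. Extra holds records the server tacks on
// uninvited (legitimate glue for its own zone, or an attempt to poison our cache).
type Reply struct{ Owner, Addr, ReferTo string; TTL time.Duration; Extra []Reply }
// Server is a constructed nameserver that only knows its own zone ("." is the root).
type Server struct{ Zone string; Answers map[string]Reply }
type cached struct{ addr string; exp time.Time }
// Resolver is the caching resolver in the slides' chain between browser and servers.
type Resolver struct {
	Servers map[string]*Server // keyed by label: "root", "com", "ns1.diagonalhosting.com"
	Cache   map[string]cached  // each entry lives only for the TTL the answer carried
	Now     func() time.Time   // injectable clock so TTL expiry can be tested
}
// inBailiwick is the check behind slide 14's "cache poisoning x": the .com server has
// no business saying where wizardbank.org lives, so such a record is never cached.
func inBailiwick(owner, zone string) bool {
	return zone == "." || owner == zone || strings.HasSuffix(owner, "."+zone)
}
func (r *Resolver) store(rep Reply, zone string) {
	if rep.Addr != "" && inBailiwick(rep.Owner, zone) {
		r.Cache[rep.Owner] = cached{rep.Addr, r.Now().Add(rep.TTL)}
	}
}
// Resolve walks root -> TLD -> authoritative as on slides 7-8, consulting the cache first.
func (r *Resolver) Resolve(name string) (string, error) {
	if c, ok := r.Cache[name]; ok && r.Now().Before(c.exp) {
		return c.addr, nil // "cache for n seconds!": no server is asked at all
	}
	for srv := r.Servers["root"]; srv != nil; srv = r.Servers[srv.Answers[name].ReferTo] {
		rep, ok := srv.Answers[name]
		if !ok || rep.Owner != name || !inBailiwick(name, srv.Zone) {
			return "", errors.New("no trustworthy answer for " + name)
		}
		for _, x := range rep.Extra {
			r.store(x, srv.Zone) // glue inside the server's own zone is kept, the rest dropped
		}
		if rep.Addr != "" {
			r.store(rep, srv.Zone)
			return rep.Addr, nil
		}
	}
	return "", errors.New("dangling referral for " + name)
}
```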
  15. Problems
     • I can see what you’re saying
     • I can see your passwords
     • I can fool you into accessing the wrong website through DNS
     • I can fool you into accessing the wrong website a bunch of other ways too
  16. HTTP
     HTTP/1.1 200 OK
     <html> <body> Super secret info about the anti-Death Eater rally! </body> </html>
  17. HTTP :( not so secret now
     HTTP/1.1 200 OK
     <html> <body> Super secret info about the anti-Death Eater rally! </body> </html>
     Voldemort-in-the-middle
  18. HTTPS not so wow
     “the rally is at this TOTALLY INCORRECT place” (dns wizardry)
  19. HTTPS not so wow
     “I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info.”
  20. HTTPS not so wow
     “I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info.”
     “I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info.”
  21. “Hello, I’d like to talk to Harry’s blog securely”
     “Yes this is Harry’s blog, v secure!”
     “Hold up, why should I trust that you’re actually Harry?”
     “Because Diagon Alley Hosting says so.”
     “Hey Diagon Alley Hosting, do you know this guy?”
     “Yes, we can vouch for him.”
     “But how do I know who you are?”
     “Look me up with Gringotts Identities.”
  22. Why should I use HTTPS on my websites?
     • Protects your users from snooping.
     • Will raise hell if someone pretends to be you.
  23. What can I do as a user?
     • HTTPS Everywhere browser extension
       • https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en
       • https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
     • Ad and tracker blocking
       • https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
       • https://www.eff.org/privacybadger
  24. More resources
     • “Server Farm to Table”: http://jenna.is/server-farm-to-table-annotated.pdf
     • Computerphile “Man in the Middle attacks”: https://www.youtube.com/watch?v=-enHfpHMBo4
     • Computerphile “Public key cryptography”: https://www.youtube.com/watch?v=GSIDS_lvRv4
     • “Cat DNS”: https://www.youtube.com/watch?v=qDPhW9P44fI
     • Wireshark: https://www.wireshark.org/