
Dipping your toes into web security

FHV
September 22, 2016


HTTPS! DNS! The pipes of the internet, in Harry Potter metaphors, suitable for muggles.


Transcript

  1. Dipping your toes into web security, part I: how https helps. Florencia Herra Vega, CTO, Peerio
  2. Why is the internet so insecure?
  3. Why is the internet so insecure? why is learning about security hard?
  4. Why is the internet so insecure? why is learning about security hard? why does learning about security matter?
  5. What happens when you request a webpage in your browser?
  6. What happens when you request a webpage in your browser?
  7. what assumptions do we make about the cloud?
  8. http://harryblogs.potter-weasley-family.com
  9. What happens when you request a webpage in your browser?
  10. What happens when you request a webpage in your browser?
  11. What happens when you request a webpage in your browser?
  12. What happens when you request a webpage in your browser?
  13. http://harryblogs.potter-weasley-family.com wtf?
  14. 104.236.208.232 101.222.28.111 92.32.112.30
  15. Domain Name System: browser? OS? router? ISP? authoritative nameserver: found!
  16. DNS: hey browser, do you know about harryblogs.potter-weasley-family.com? nope
  17. DNS: hey OS, do you know about harryblogs.potter-weasley-family.com? nope
  18. DNS: hey router, do you know about harryblogs.potter-weasley-family.com? nope
  19. DNS: hey ISP, do you know about harryblogs.potter-weasley-family.com? nope
  20. DNS (root): hey root domain name server, do you know about harryblogs.potter-weasley-family.com? nope… but I know about .com, go ask the .com TLD DNS server
  21. DNS (.com): hey .com TLD name server, do you know about harryblogs.potter-weasley-family.com? nope… but I know about potter-weasley-family.com: ns1.diagonalhosting.com
  22. DNS (authoritative nameserver): hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? WHY YES, here is an IP: 159.203.37.70
  23. browser, OS, router, ISP, authoritative nameserver: find! cache for n seconds! (TTL) cache for n seconds! cache for n seconds! cache for n seconds!
  24. DNS: hey ISP, do you know about harryblogs.potter-weasley-family.com? WHY YES, here is an IP: 159.203.37.70
  25. all this for an address…
  26. diagonal hosting, old pc in luna lovegood’s basement, some isp
  27. old pc in luna lovegood’s basement, some isp
  28. TCP: SHALL WE DANCE? Hey buddy can I talk to you for a second? (SYN) Me? You wanna talk to me? (SYN/ACK) Yes you! (ACK)
  29. HTTP: GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com
  30. HTTP: GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com, then HTTP/1.1 200 OK <html> <head> <title>Harry’s blog</title> </head> <body> This is a v political blog. </body> </html>
  31. larger broomsticks & love potions 4 u one weird trick wow wow Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable. Like this! Tweet this! fave wizardvine clips yay comments muggle studies cancelled!? buy my signed quidditch robes Patreon GitTip Flattr Bitcoin
  32. How can we break this perfectly simple and logical system?
  33. diagonal hosting, some isp
  34. A simple prank: > vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com
  35. A simple prank: > vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com
  36. A simple prank: browser, OS, router, ISP, authoritative nameserver: find! cache for n seconds! insert a record
  37. Some DNS only resolves locally.
  38. cache poisoning: insert malicious record. browser, OS, router, ISP, authoritative nameserver: find! cache for n seconds! cache for n seconds! cache for n seconds!
  39. Problems
     • I can see what you’re saying
     • I can see your passwords
     • I can fool you into accessing the wrong website through DNS
     • I can fool you into accessing the wrong website a bunch of other ways too
  40. Defence against the dark arts
  41. Cleartext: I want to volunteer! Here is my personal info
  42. wow math: encrypt all the things!
  43. HTTPS wow: AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7HafG jXMfDdvm2KRd3qXhxOoeTP9vyddrZ05o4 PkE86q54ySQOJA6UwwHt0NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB
  44. HTTPS not so wow: AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7HafGjXMfD dvm2KRd3qXhxOoeTP9vyddrZ05o4PkE86q54yS QOJA6UwwHt0NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/OtxhEHNfhlB
  45. HTTPS not so wow: Thanks! meet me at this totally legit location!
  46. HTTPS not so wow: I want to volunteer! Here is my personal info
  47. math can do better!
  48. symmetrical encryption: let us use this one key for magic math stuff … I will send it to you by carrier pigeon
  49. Asymmetrical encryption: from this secret key i shall derive a public key which I shall publish and you will use it for magic math stuff
  50. your public key is unique!
  51. your public key is unique!
  52. your public key is unique! domain: harryblogs.potter-weasley-family.com owner: harry potter
  53. Signed Certificate: Diagonal Hosting, 1 Diagon Alley, SEAL of APPROVAL
  54. Chain of trust: domain: diagonalhosting.com owner: diagonal Ltd
  55. Chain of trust: GRINGOTTS IDENTITIES, 22 goblin lane, SEAL of APPROVAL, diagonalhosting.com
  56. Chain of trust
  57. Hello, I’d like to talk to Harry’s blog securely. Yes this is Harry’s blog, v secure! Hold up, why should I trust that you’re actually Harry? Because Diagon Alley Hosting says so. Hey Diagon Alley Hosting, do you know this guy? Yes, we can vouch for him. But how do I know who you are? Look me up with Gringotts Identities.
  58. Try your DNS tricks now, Voldy! your connection is not private, attackers may steal etc
  59. Why should I use HTTPS on my websites?
     • Protects your users from snooping.
     • Will raise hell if someone pretends to be you.
  60. Why doesn’t everybody do this?
     • Money.
     • Pain. Bureaucracy + encryption = not cute.
  61. Let’s Encrypt!
     • Certbot — https://certbot.eff.org/
     • nginx guide — https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
     • apache guide — https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
  62. None
  63. Shared hosting providers that support Let’s Encrypt: https://github.com/letsencrypt/letsencrypt/wiki/Web-Hosting-Supporting-LE
  64. What can I do as a user?
     • HTTPS everywhere browser extension
       • https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en
       • https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
     • Ad and tracker blocking
       • https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
       • https://www.eff.org/privacybadger
  65. What can I do as a developer?
     • Learn how to be evil!
     • play with Wireshark https://wireshark.org
     • Books from NoStarch Press: The Tangled Web, Silence on the Wire, Penetration Testing, etc.
     • Learn about the security features in the tools and frameworks you use!
  66. More resources
     • “Server Farm to Table” — http://jenna.is/server-farm-to-table-annotated.pdf
     • Computerphile “Man in the Middle attacks” — https://www.youtube.com/watch?v=-enHfpHMBo4
     • Computerphile “Public key cryptography” — https://www.youtube.com/watch?v=GSIDS_lvRv4
     • “Cat DNS” — https://www.youtube.com/watch?v=qDPhW9P44fI
  67. get in touch! @flohdot
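The DNS walk on slides 15 to 24, as an added example that is not part of the original deck: a toy Go model of the four client-side caches with a TTL, plus the delegation from the root through the .com TLD to ns1.diagonalhosting.com, using the names and the IP from the slides. The cache order, the zone map and the single record are assumptions that mirror the slides, not real DNS.

```go
package main

import "strings"

// Constructed toy model of the lookup chain on the slides, not real DNS code: four
// client-side caches, then the delegation root -> .com TLD -> ns1.diagonalhosting.com.
type entry struct{ ip string; expires int } // expires is a simulated clock value
var hops = []string{"browser", "OS", "router", "ISP"} // cache order, slides 16-19
// Authoritative side: the server for each zone suffix, and the one A record it holds.
var zones = map[string]string{
	"":                          "root",
	"com":                       ".com TLD server",
	"potter-weasley-family.com": "ns1.diagonalhosting.com",
}
var records = map[string]string{"harryblogs.potter-weasley-family.com": "159.203.37.70"}

// walkDelegation descends one label at a time from the root (slides 20-22).
func walkDelegation(name string) (string, []string) {
	labels, server, trace := strings.Split(name, "."), zones[""], []string{}
	for i := len(labels) - 1; i >= 0; i-- {
		zone := strings.Join(labels[i:], ".")
		if next, ok := zones[zone]; ok && next != server {
			trace = append(trace, server+": nope, but I know about "+zone+", ask "+next)
			server = next
		}
	}
	if ip, ok := records[name]; ok {
		return ip, append(trace, server+": WHY YES here is an IP: "+ip)
	}
	return "", append(trace, server+": no such name")
}

// resolve asks each cache in order; a fresh entry answers at once, otherwise the
// delegation is walked and every cache keeps the answer for ttl seconds (slide 23).
func resolve(caches []map[string]entry, name string, now, ttl int) (string, []string) {
	var trace []string
	for i, c := range caches {
		if e, ok := c[name]; ok && e.expires > now {
			return e.ip, append(trace, hops[i]+": found!")
		}
		trace = append(trace, hops[i]+": nope")
	}
	ip, more := walkDelegation(name)
	if ip != "" {
		for _, c := range caches {
			c[name] = entry{ip: ip, expires: now + ttl}
		}
	}
	return ip, append(trace, more...)
}
```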
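The chain of trust on slides 52 to 57 as an added example, not code from the deck: Go's standard crypto/x509 package mints a root (Gringotts Identities), an intermediate (Diagonal Hosting) and a leaf for harryblogs.potter-weasley-family.com, then runs the browser's check from slide 57. The certificate names, validity periods and Ed25519 keys are assumptions; the "not private" rejection on slide 58 is Verify failing for a wrong host name or a root the browser does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Constructed example of the chain of trust on slides 52-57 with Go's standard x509 package:
// Gringotts Identities (root) vouches for Diagonal Hosting (intermediate), which vouches for the blog.
type ca struct{ cert *x509.Certificate; key ed25519.PrivateKey }

// issue signs a certificate for org (plus optional DNS names) with the issuer's key;
// a nil issuer produces a self-signed root. The signature is the slides' SEAL of APPROVAL.
func issue(org string, dns []string, isCA bool, issuer *ca) *ca {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{org}},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may vouch for others
	}
	if issuer == nil {
		issuer = &ca{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, pub, issuer.key)
	if err != nil {
		panic(err) // not expected with these fixed inputs
	}
	cert, _ := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}
}

// trusted is the browser's question on slide 57: does the leaf, via the intermediate the
// server presents, chain up to a root the browser already trusts, for this host name?
func trusted(leaf, inter, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}
```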