Dipping your toes into web security

Transcript

1. Dipping your toes into web security part I: how https

   helps Florencia Herra Vega CTO, Peerio

2. Why is the internet so insecure?

3. Why is the internet so insecure? why is learning about

   security hard?

4. Why is the internet so insecure? why is learning about

   security hard? why does learning about security matter?

5. What happens when you request a webpage in your browser?

6. What happens when you request a webpage in your browser?

7. what assumptions do we make about the cloud?

8. http://harryblogs.potter-weasley-family.com

9. What happens when you request a webpage in your browser?

   0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001

10. What happens when you request a webpage in your browser?

    0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001

11. What happens when you request a webpage in your browser?

12. What happens when you request a webpage in your browser?

13. http://harryblogs.potter-weasley-family.com wtf?

14. 104.236.208.232 101.222.28.111 92.32.112.30

15. Domain Name System browser OS router ISP authoritative nameserver found!

    ? ? ? ?

16. DNS hey browser, do you know about harryblogs.potter-weasley-family.com? nope

17. DNS hey OS, do you know about harryblogs.potter-weasley-family.com? nope

18. DNS hey router, do you know about harryblogs.potter-weasley-family.com? nope

19. DNS hey ISP, do you know about harryblogs.potter-weasley-family.com? nope

20. DNS hey root domain name server, do you know about

    harryblogs.potter-weasley-family.com? nope… but I know about .com go ask the .com TLD DNS server root

21. DNS nope… but I know about potter-weasley- family.com: ns1.diagonalhosting.com .com

    hey .com TLD name server, do you know about harryblogs.potter-weasley-family.com?

22. DNS WHY YES here is an IP: 159.203.37.70 .com hey

    ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? authoritative nameserver

23. browser OS router ISP find! cache for n seconds! TTL

    cache for n seconds! cache for n seconds! cache for n seconds! authoritative nameserver

24. DNS hey ISP, do you know about harryblogs.potter-weasley-family.com? WHY YES

    here is an IP: 159.203.37.70

25. all this for an address…

26. diagonal hosting old pc in luna lovegood’s basement some isp

27. old pc in luna lovegood’s basement some isp

28. TCP: SHALL WE DANCE? Hey buddy can I talk to

    you for a second? SYN Me? You wanna talk to me? SYN/ACK Yes you! ACK

29. HTTP GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com

30. HTTP HTTP/1.1 200 OK <html> <head> <title>Harry’s blog</title> </head> <body>

    This is a v political blog. </body> </html> GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com

31. larger broomsticks & love potions 4 u one weird trick

    wow wow Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable. Like this! Tweet this! fave wizardvine clips yay comments muggle studies cancelled!? buy my signed quidditch robes Patreon GitTip Flattr Bitcoin

32. How can we break this perfectly simple and logical system?

33. diagonal hosting some isp 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001 0110100101000111011011001010101010010101001

34. A simple prank > vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com

35. A simple prank > vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com

36. browser OS router ISP find! cache for n seconds! authoritative

    nameserver insert a record A simple prank

37. Some DNS only resolves locally.

38. insert malicious record browser OS router ISP find! cache for

    n seconds! cache for n seconds! cache for n seconds! authoritative nameserver cache poisoning

39. Problems • I can see what you’re saying • I

    can see your passwords • I can fool you into accessing the wrong website through DNS • I can fool you into accessing the wrong website a bunch of other ways too

40. Defence against the dark arts

41. Cleartext I want to volunteer! Here is my personal info

42. wow math encrypt all the things!

43. HTTPS wow AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7HafG jXMfDdvm2KRd3qXhxOoeTP9vyddrZ05o4 PkE86q54ySQOJA6UwwHt0NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB

44. HTTPS not so wow AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7HafGjXMfD dvm2KRd3qXhxOoeTP9vyddrZ05o4PkE86q54yS QOJA6UwwHt0NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/OtxhEHNfhlB

45. HTTPS not so wow Thanks! meet me at this totally

    legit location!

46. HTTPS not so wow I want to volunteer! Here is

    my personal info

47. math can do better!

48. symmetrical encryption let us use this one key for magic

    math stuff … I will send it to you by carrier pigeon

49. Asymmetrical encryption from this secret key i shall derive a

    public key which I shall publish and you will use it for magic math stuff

50. your public key is unique!

51. your public key is unique!

52. your public key is unique! domain: harryblogs.potter-weasley- family.com owner: harry

    potter

53. Signed Certificate Diagonal Hosting 1 Diagon Alley SEAL of APPROVAL

54. Chain of trust domain: diagonalhosting.com owner: diagonal Ltd

55. Chain of trust GRINGOTTS IDENTITIES 22 goblin lane SEAL of

    APPROVAL diagonalhosting.com

56. Chain of trust

57. Hello, I’d like to talk to Harry’s blog securely Yes

    this is Harry’s blog, v secure! Hold up, why should I trust that you’re actually Harry? Because Diagon Alley Hosting says so. Hey Diagon Alley Hosting, do you know this guy? Yes, we can vouch for him. But how do I know who you are? Look me up with Gringotts Identities.

58. Try your DNS tricks now, Voldy! your connection is not

    private attackers may steal etc

59. Why should I use HTTPS on my websites? • Protects

    your users from snooping. • Will raise hell if someone pretends to be you.

60. Why doesn’t everybody do this? • Money. • Pain. Bureaucracy

    + encryption = not cute.

61. Let’s Encrypt! • Certbot — https://certbot.eff.org/ • nginx guide —

    https://www.digitalocean.com/ community/tutorials/how-to-secure-nginx-with-let-s- encrypt-on-ubuntu-14-04 • apache guide — https://www.digitalocean.com/ community/tutorials/how-to-secure-apache-with-let-s- encrypt-on-ubuntu-14-04
62. None

63. Shared hosting providers that support Let’s Encrypt https://github.com/letsencrypt/letsencrypt/wiki/Web-Hosting- Supporting-LE

64. What can I do as a user? • HTTPS everywhere

    browser extension • https://chrome.google.com/webstore/detail/https- everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en • https://addons.mozilla.org/en-US/firefox/addon/https- everywhere/ • Ad and tracker blocking • https://chrome.google.com/webstore/detail/ublock- origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en • https://www.eff.org/privacybadger

65. What can I do as a developer? • Learn how

    to be evil! • play with Wireshark https://wireshark.org • Books from NoStarch Press: The Tangled Web, Silence on the Wire, Penetration Testing, etc. • Learn about the security features in the tools and frameworks you use!

66. More resources • “Server Farm to Table” — http://jenna.is/ server-farm-to-table-annotated.pdf

    • Computerphile “Man in the Middle attacks” — https://www.youtube.com/watch?v=-enHfpHMBo4 • Computerphile “Public key cryptography” — https://www.youtube.com/watch?v=GSIDS_lvRv4 • “Cat DNS” — https://www.youtube.com/watch? v=qDPhW9P44fI

67. get in touch! @flohdot