Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Intro to web security

FHV
May 19, 2016
Programming
0
63

Intro to web security

Montreal All Girl Hack Night, May 20, 2016.

FHV

May 19, 2016
Tweet

More Decks by FHV

See All by FHV
Electron: From Awesome To Scary And Back Again (ScotlandJS)
flohdot
0
390
Intro to digital security
flohdot
1
76
A Beginner's Toolkit for Securing Web Apps
flohdot
0
63
Dipping your toes into web security
flohdot
0
59
Digital Harm Reduction by Floh & Cleve (Perverscité 2016)
flohdot
0
110
An intro to web security
flohdot
0
190
Intro to Riak at montreal.rb
flohdot
0
81

Other Decks in Programming

See All in Programming
Quine, Polyglot, 良いコード
qnighy
4
640
subpath importsで始めるモック生活
10tera
0
300
Amazon Bedrock Agentsを用いてアプリ開発してみた!
har1101
0
330
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
610
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
4
640
CSC509 Lecture 11
javiergs
PRO
0
180
Macとオーディオ再生 2024/11/02
yusukeito
0
370
距離関数を極める! / SESSIONS 2024
gam0022
0
280
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
130
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
150
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.7k

Featured

See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
860
How GitHub (no longer) Works
holman
310
140k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Building Applications with DynamoDB
mza
90
6.1k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
How STYLIGHT went responsive
nonsquared
95
5.2k

Transcript

  1. An intro to web security Florencia Herra Vega CTO, Peerio

  2. An intro to web in/security 1. Some structural things about

    the web (with focus on DNS) 2. Some ways the web breaks 3. How HTTPS helps

  3. Why is the internet so insecure? • Security is not

    built in

  4. Why is the internet so insecure? • Security is not

    built in • Data sent in the open

  5. Why is the internet so insecure? • Security is not

    built in • Data sent in the open • Huge and unmaintained

  6. Why is it hard to learn? • High level of

    abstraction in development

  7. Why is it hard to learn? • High level of

    abstraction in development • The foundations are ugly.

  8. Why is it hard to learn? • High level of

    abstraction in development • The foundations are ugly. • Security requires the foundations.

  9. Why is it hard to learn? • High level of

    abstraction in development • The foundations are ugly. • Security requires the foundations. • The illusion of state

  10. What happens when you request a webpage in your browser?

    show me that blog text! images!

  11. What happens when you request a webpage in your browser?

    log in! special text! racy images!

  12. What happens when you request a webpage in your browser?

  13. http://harryblogs.potter-weasley-family.com

  14. What happens when you request a webpage in your browser?

  15. What happens when you request a webpage in your browser?

  16. What happens when you request a webpage in your browser?

    hosting ISP ?

  17. What happens when you request a webpage in your browser?

    hosting ISP

  18. http://harryblogs.potter-weasley-family.com

  19. http://harryblogs.potter-weasley-family.com where do I find blog?

  20. 159.203.37.70 149.102.21.10

  21. Domain Name System (DNS)

  22. Domain Name System (DNS) The address book of the internetz.

  23. Domain Name System (DNS) The recursive address books of the

    internetz.

  24. DNS hey browser, do you know about harryblogs.potter-weasley-family.com? nope

  25. DNS hey OS, do you know about harryblogs.potter- weasley-family.com? nope

  26. DNS hey router, do you know about harryblogs.potter- weasley-family.com? nope

  27. DNS hey ISP, do you know about harryblogs.potter- weasley-family.com? nope

  28. DNS hey root DNS server, do you know about harryblogs.potter-weasley-family.com?

    nope, but I know about .com go ask the .com TLD DNS server

  29. DNS hey .com DNS server, do you know about harryblogs.potter-weasley-family.com?

    nope, but I know where the name servers for potter-weasley-family.com are! ns1.diagonalhosting.com

  30. DNS hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? YES 159.203.37.70

  31. DNS hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? YES 159.203.37.70

    AUTHORITATIVE

  32. browser OS router ISP authoritative nameserver find!

  33. browser OS router ISP authoritative nameserver find! cache for n

    seconds! cache for n seconds! cache for n seconds! cache for n seconds!

  34. DNS hey ISP, do you know about harryblogs.potter- weasley-family.com? YES

    159.203.37.70

  35. Okay, now we know who to talk to. #

  36. Insurance Company Inc. ISP Inc. 159.203.37.70

  37. Insurance Company Inc. ISP Inc. 159.203.37.70

  38. TCP “polite request to chat” Hey buddy can I talk

    to you for a second? SYN Me? You wanna talk to me? SYN/ACK Yes you! ACK

  39. HTTP GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com

  40. HTTP GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com HTTP/1.1 200 OK <html>

    <head> <title>Harry’s blog</title> </head> <body> This is a blog. </body> </html>

  41. buy this thing! one weird trick wow wow Entrepreneur piverate

    integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable product driven sticky note convergence viral quantitative vs. qualitative. Sticky note affordances responsive parallax prototype thought leader bootstrapping pivot. Like this! Tweet this! You’ll never believe these animal pix! This comments section won’t offend you…. Boring text but there is a Youtube video below! buy my merch! Patreon GitTip Flattr Bitcoin

  42. External content • Ads • JS/CSS CDNs • Image/video hosting

    CDNs • Analytics like Google Analytics/Mixpanel • Social media counters • Social media buttons • E-commerce buttons (Flattr, Patreon, PayPal)

  43. Insurance Company Inc. ISP Inc. 159.203.37.70

  44. Insurance Company Inc. ISP Inc. 159.203.37.70 I see you.

  45. How can we break this perfectly simple and logical system?

  46. Insurance Company Inc. ISP Inc. 159.203.37.70

  47. A simple prank vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com

  48. A simple prank vi /etc/hosts

  49. A simple prank vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com

  50. browser OS router ISP authoritative nameserver find! insert records

  51. Some DNS only resolves locally.

  52. browser OS router ISP authoritative nameserver find! cache poisoning x

    cache for n seconds! cache for n seconds! cache for n seconds!

  53. Problems • I can see what you’re saying • I

    can see your passwords • I can fool you into accessing the wrong website through DNS • I can fool you into accessing the wrong website a bunch of other ways too

  54. “Voldemort in the middle”

  55. HTTP HTTP/1.1 200 OK <html> <body> Super secret info about

    the anti- Death Eater rally! </body> </html>

  56. HTTP :( not so secret now HTTP/1.1 200 OK <html>

    <body> Super secret info about the anti- Death Eater rally! </body> </html> Voldemort-in-the-middle

  57. HTTPS wow ? AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7 HafGjXMfDdvm2KRd3qXhxOoeTP9vy ddrZ05o4PkE86q54ySQOJA6UwwHt0 NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB

  58. HTTPS not so wow AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7 HafGjXMfDdvm2KRd3qXhxOoeTP9vy ddrZ05o4PkE86q54ySQOJA6UwwHt0 NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/

    OtxhEHNfhlB dns wizardry

  59. HTTPS not so wow the rally is at this TOTALLY

    INCORRECT place dns wizardry

  60. HTTPS not so wow I want to join Dumbledore’s Army

    and this is my name, address, bank account, and other unnecessarily personal info.

  61. HTTPS not so wow I want to join Dumbledore’s Army

    and this is my name, address, bank account, and other unnecessarily personal info. I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info.

  62. Encryption keys are unique!

  63. Certificate: public key + metadata!

  64. Signed Certificates

  65. Signed Certificates

  66. Chain of trust

  67. Chain of trust Root certificate authority certificates are installed on

    your computer/ phone/browser.

  68. Hello, I’d like to talk to Harry’s blog securely Yes

    this is Harry’s blog, v secure! Hold up, why should I trust that you’re actually Harry? Because Diagon Alley Hosting says so. Hey Diagon Alley Hosting, do you know this guy? Yes, we can vouch for him. But how do I know who you are? Look me up with Gringotts Identities.

  69. Try your DNS tricks now, Voldy!

  70. Why should I use HTTPS on my websites? • Protects

    your users from snooping. • Will raise hell if someone pretends to be you.

  71. Why doesn’t everybody do this? • Money. • Pain. Bureaucracy

    + encryption = not cute.

  72. Let’s Encrypt! • nginx https://www.digitalocean.com/community/ tutorials/how-to-secure-nginx-with-let-s-encrypt-on- ubuntu-14-04 • apache https://www.digitalocean.com/community/

    tutorials/how-to-secure-apache-with-let-s-encrypt- on-ubuntu-14-04
  73. None

  74. Shared hosting providers that support Let’s Encrypt https://github.com/letsencrypt/letsencrypt/wiki/Web- Hosting-Supporting-LE

  75. What can I do as a user? • HTTPS everywhere

    browser extension • https://chrome.google.com/webstore/detail/https-everywhere/ gcbommkclmclpchllfjekcdonpmejbdp?hl=en • https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/ • Ad and tracker blocking • https://chrome.google.com/webstore/detail/ublock-origin/ cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en • https://www.eff.org/privacybadger

  76. What can I do as a developer? • Learn how

    to be evil! • Starting with https://wireshark.org • cybrary.it • Books from NoStarch Press: The Tangled Web, Silence on the Wire, Penetration Testing, etc. • Learn about the security features in the tools and frameworks you use!

  77. More resources • “Server Farm to Table” — http://jenna.is/server-farm-to- table-annotated.pdf

    • Computerphile “Man in the Middle attacks” — https:// www.youtube.com/watch?v=-enHfpHMBo4 • Computerphile “Public key cryptography” — https:// www.youtube.com/watch?v=GSIDS_lvRv4 • “Cat DNS” — https://www.youtube.com/watch? v=qDPhW9P44fI • pi-hole.net — connect to your router to block ads