
Intro to web security

FHV
May 19, 2016


Montreal All Girl Hack Night, May 20, 2016.




Transcript

  1. An intro to web security. Florencia Herra Vega, CTO, Peerio

  2. An intro to web in/security: 1. Some structural things about the web (with focus on DNS) 2. Some ways the web breaks 3. How HTTPS helps

  3. Why is the internet so insecure? • Security is not built in

  4. Why is the internet so insecure? • Security is not built in • Data sent in the open

  5. Why is the internet so insecure? • Security is not built in • Data sent in the open • Huge and unmaintained

  6. Why is it hard to learn? • High level of abstraction in development

  7. Why is it hard to learn? • High level of abstraction in development • The foundations are ugly.

  8. Why is it hard to learn? • High level of abstraction in development • The foundations are ugly. • Security requires the foundations.

  9. Why is it hard to learn? • High level of abstraction in development • The foundations are ugly. • Security requires the foundations. • The illusion of state

  10. What happens when you request a webpage in your browser? show me that blog text! images!

  11. What happens when you request a webpage in your browser? log in! special text! racy images!

  12. What happens when you request a webpage in your browser?

  13. http://harryblogs.potter-weasley-family.com

  14. What happens when you request a webpage in your browser?

  15. What happens when you request a webpage in your browser?

  16. What happens when you request a webpage in your browser? hosting ISP ?

  17. What happens when you request a webpage in your browser? hosting ISP

  18. http://harryblogs.potter-weasley-family.com

  19. http://harryblogs.potter-weasley-family.com where do I find blog?

  20. 159.203.37.70 149.102.21.10

  21. Domain Name System (DNS)

  22. Domain Name System (DNS): The address book of the internetz.

  23. Domain Name System (DNS): The recursive address books of the internetz.

  24. DNS: hey browser, do you know about harryblogs.potter-weasley-family.com? nope

  25. DNS: hey OS, do you know about harryblogs.potter-weasley-family.com? nope

  26. DNS: hey router, do you know about harryblogs.potter-weasley-family.com? nope

  27. DNS: hey ISP, do you know about harryblogs.potter-weasley-family.com? nope

  28. DNS: hey root DNS server, do you know about harryblogs.potter-weasley-family.com? nope, but I know about .com, go ask the .com TLD DNS server

  29. DNS: hey .com DNS server, do you know about harryblogs.potter-weasley-family.com? nope, but I know where the name servers for potter-weasley-family.com are! ns1.diagonalhosting.com

  30. DNS: hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? YES, 159.203.37.70

  31. DNS: hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? YES, 159.203.37.70 (AUTHORITATIVE)

  32. browser / OS / router / ISP / authoritative nameserver: find!

  33. browser / OS / router / ISP / authoritative nameserver: find! cache for n seconds! cache for n seconds! cache for n seconds! cache for n seconds!

  34. DNS: hey ISP, do you know about harryblogs.potter-weasley-family.com? YES, 159.203.37.70
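
The walk in slides 24 to 34, as a runnable simulation added here (it is not code from the deck). The zone data, the server name `a.gtld-servers.net.`, the TTLs and the `Resolver` class are all constructed; nothing touches the network. The resolver plays the ISP's role: it starts at the root, follows each referral, stores the authoritative answer for the TTL the authoritative server gave, and serves later lookups from that cache without asking anyone. The `hops` list it returns makes the difference between a cold lookup and a cached one visible, which is exactly the window slides 33 and 52 are about: whatever sits in the cache is believed for n seconds.

```python
"""Simulated iterative DNS resolution with a TTL cache (constructed example)."""
import time

# Constructed zone data, one dict per server. ("A", ip, ttl) is an authoritative
# answer; ("NS", server, ttl) is a referral to the next server to ask.
ROOT = {"com.": ("NS", "a.gtld-servers.net.", 3600)}
COM_TLD = {"potter-weasley-family.com.": ("NS", "ns1.diagonalhosting.com.", 3600)}
AUTHORITATIVE = {"harryblogs.potter-weasley-family.com.": ("A", "159.203.37.70", 300)}

SERVERS = {
    "root.": ROOT,
    "a.gtld-servers.net.": COM_TLD,
    "ns1.diagonalhosting.com.": AUTHORITATIVE,
}


def ask(server, name):
    """Return the most specific record `server` holds for `name`, trying the full
    name first and then each shorter suffix (…com. last). None if it has nothing."""
    zone = SERVERS[server]
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    return None


class Resolver:
    """The 'ISP' resolver from the slides: caches answers and records each hop."""

    def __init__(self, clock=time.time):
        self.cache = {}        # fully qualified name -> (ip, expires_at)
        self.clock = clock     # injectable so tests can move time forward

    def resolve(self, name):
        """Return (ip, hops). hops lists the servers actually asked; an answer
        served from the cache asks nobody and returns an empty list."""
        name = name if name.endswith(".") else name + "."
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], []
        server = "root."
        hops = []
        while True:
            hops.append(server)
            rtype, value, ttl = ask(server, name) or (None, None, None)
            if rtype == "A":
                self.cache[name] = (value, now + ttl)   # trust it for ttl seconds
                return value, hops
            if rtype == "NS":
                server = value                          # referral: ask the next server
                continue
            raise LookupError(f"{server} has no record for {name}")


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("harryblogs.potter-weasley-family.com"))   # three hops
    print(r.resolve("harryblogs.potter-weasley-family.com"))   # cached, no hops
```

Run it twice in a row and the second call returns the same address with no hops at all; advance the clock past 300 seconds and the resolver goes back to the root. The same cache that makes the second lookup fast is what a poisoned record exploits, which is why TTL and the source of a cached answer matter.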
  35. Okay, now we know who to talk to.

  36. Insurance Company Inc. ISP Inc. 159.203.37.70

  37. Insurance Company Inc. ISP Inc. 159.203.37.70

  38. TCP “polite request to chat”: Hey buddy can I talk to you for a second? (SYN) Me? You wanna talk to me? (SYN/ACK) Yes you! (ACK)

  39. HTTP: GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com

  40. HTTP: GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com → HTTP/1.1 200 OK <html> <head> <title>Harry’s blog</title> </head> <body> This is a blog. </body> </html>
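
What slides 39 and 40 put on the wire, as a small HTTP/1.1 builder and parser added here (not code from the deck). It handles just enough of the message format to make the point of slide 4: a start line, header lines, a blank line, then a body, all as plain bytes that every hop between the browser and 159.203.37.70 can read. The request and the response below are constructed from the slide text; the `Content-Length` header is an addition the slide omits.

```python
"""Minimal HTTP/1.1 message builder and parser (constructed example)."""
CRLF = b"\r\n"


def build_request(host, path="/", method="GET"):
    """Serialize the request from slide 39 exactly as it leaves the browser."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close", ""]
    return CRLF.join(line.encode("ascii") for line in lines) + CRLF


def parse_message(raw):
    """Parse a request or a response. Returns {'start': [...], 'headers': {...},
    'body': bytes} with header names lower-cased. Raises ValueError when the
    message is malformed or truncated."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete message: no blank line after the headers")
    start, *header_lines = head.split(CRLF)
    try:
        parts = start.decode("ascii").split(" ", 2)
    except UnicodeDecodeError:
        raise ValueError(f"start line is not ASCII: {start!r}") from None
    if len(parts) != 3:
        raise ValueError(f"bad start line: {start!r}")
    headers = {}
    for line in header_lines:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name.strip():
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(rest) < length:
            raise ValueError("body is shorter than Content-Length")
        body = rest[:length]
    else:
        body = rest   # no length given: the body runs until the connection closes
    return {"start": parts, "headers": headers, "body": body}


def is_request(msg):
    """Requests start with a method; responses start with the protocol version."""
    return not msg["start"][0].startswith("HTTP/")


# Constructed traffic mirroring slides 39 and 40.
REQUEST = build_request("harryblogs.potter-weasley-family.com")
BODY = b"<html><head><title>Harry's blog</title></head><body>This is a blog.</body></html>"
RESPONSE = (b"HTTP/1.1 200 OK" + CRLF
            + b"Content-Type: text/html" + CRLF
            + b"Content-Length: " + str(len(BODY)).encode("ascii") + CRLF
            + CRLF + BODY)

if __name__ == "__main__":
    print(REQUEST.decode("ascii"))
    print(parse_message(RESPONSE)["body"].decode("ascii"))
```

Note that the `Host` header is the only thing in the request that names the site; on plain HTTP nothing binds that name to the server that answers, which is the gap slides 47 to 56 exploit.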
  41. buy this thing! one weird trick wow wow Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable product driven sticky note convergence viral quantitative vs. qualitative. Sticky note affordances responsive parallax prototype thought leader bootstrapping pivot. Like this! Tweet this! You’ll never believe these animal pix! This comments section won’t offend you…. Boring text but there is a Youtube video below! buy my merch! Patreon GitTip Flattr Bitcoin

  42. External content • Ads • JS/CSS CDNs • Image/video hosting CDNs • Analytics like Google Analytics/Mixpanel • Social media counters • Social media buttons • E-commerce buttons (Flattr, Patreon, PayPal)

  43. Insurance Company Inc. ISP Inc. 159.203.37.70

  44. Insurance Company Inc. ISP Inc. 159.203.37.70 I see you.

  45. How can we break this perfectly simple and logical system?

  46. Insurance Company Inc. ISP Inc. 159.203.37.70

  47. A simple prank: vi /etc/hosts and add 104.16.126.167 your-friends-favourite-blog.com

  48. A simple prank: vi /etc/hosts

  49. A simple prank: vi /etc/hosts and add 104.16.126.167 your-friends-favourite-blog.com
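
The prank in slides 47 to 49 works because the OS consults the hosts file before it asks any DNS server, so a line added there silently wins over the whole resolution chain. The check a defender wants is the reverse: read the file and list every name it pins. Below is an audit added here (not from the deck) that parses hosts-file text and reports each entry mapping a dotted name to a non-loopback address; the sample file contents are constructed, and `allow` is an assumed parameter for names you know belong there (a printer on the home network, say).

```python
"""Audit a hosts file for name overrides (constructed example)."""
import ipaddress

# Constructed sample, not a real machine's file.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.20    printer.home         # local device
104.16.126.167  your-friends-favourite-blog.com
10.0.0.5        intranet.example     www.example.com
not-an-ip       garbage.example
"""

# Names every system ships with; never worth reporting.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, [names]) for every data line; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        yield ip, names


def suspicious_overrides(text, allow=()):
    """Return (name, ip) pairs for every dotted name (one that would normally be
    answered by DNS) that the file pins to a non-loopback address, in file order.
    Names in `allow` are skipped; lines with an unparseable address are ignored
    because the resolver ignores them too."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_loopback:
            continue
        for name in names:
            if name in LOCAL_NAMES or name in allow or "." not in name:
                continue
            findings.append((name, ip))
    return findings


if __name__ == "__main__":
    for name, ip in suspicious_overrides(SAMPLE_HOSTS, allow={"printer.home"}):
        print(f"{name} is pinned to {ip}")
```

On a real machine you would feed it the contents of /etc/hosts (or the Windows equivalent) and compare the output against the entries you put there yourself; anything else is a name whose resolution no longer goes through DNS.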

  50. browser / OS / router / ISP / authoritative nameserver: find! insert records

  51. Some DNS only resolves locally.

  52. browser / OS / router / ISP / authoritative nameserver: find! cache poisoning ✗ cache for n seconds! cache for n seconds! cache for n seconds!

  53. Problems • I can see what you’re saying • I can see your passwords • I can fool you into accessing the wrong website through DNS • I can fool you into accessing the wrong website a bunch of other ways too

  54. “Voldemort in the middle”

  55. HTTP: HTTP/1.1 200 OK <html> <body> Super secret info about the anti-Death Eater rally! </body> </html>

  56. HTTP: :( not so secret now. HTTP/1.1 200 OK <html> <body> Super secret info about the anti-Death Eater rally! </body> </html> Voldemort-in-the-middle

  57. HTTPS: wow ? AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7 HafGjXMfDdvm2KRd3qXhxOoeTP9vy ddrZ05o4PkE86q54ySQOJA6UwwHt0 NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB

  58. HTTPS: not so wow. AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7 HafGjXMfDdvm2KRd3qXhxOoeTP9vy ddrZ05o4PkE86q54ySQOJA6UwwHt0 NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB dns wizardry

  59. HTTPS: not so wow. the rally is at this TOTALLY INCORRECT place. dns wizardry

  60. HTTPS: not so wow. I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info.

  61. HTTPS: not so wow. I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info. I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info.

  62. Encryption keys are unique!

  63. Certificate: public key + metadata!

  64. Signed Certificates

  65. Signed Certificates

  66. Chain of trust

  67. Chain of trust: Root certificate authority certificates are installed on your computer/phone/browser.

  68. Hello, I’d like to talk to Harry’s blog securely. Yes, this is Harry’s blog, v secure! Hold up, why should I trust that you’re actually Harry? Because Diagon Alley Hosting says so. Hey Diagon Alley Hosting, do you know this guy? Yes, we can vouch for him. But how do I know who you are? Look me up with Gringotts Identities.

  69. Try your DNS tricks now, Voldy!
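
The conversation in slide 68, and why slide 69 holds, as a worked chain-of-trust check added here (not code from the deck). The certificate format, the actors (Gringotts Identities as the root, Diagon Alley Hosting as the intermediate, Harry's blog as the server, Voldemort as the impostor) and the tiny textbook-RSA keys are all constructed stand-ins; real TLS uses large keys, X.509 encoding and padded signatures. The shape of the decision is the same, though: each certificate is checked against the public key in the certificate above it, and the last issuer's key must already be in the client's trust store (the "installed on your computer/phone/browser" part of slide 67). The forged chain at the bottom shows what DNS tricks buy an attacker who can point the name at his own server but cannot sign with Gringotts' private key.

```python
"""Chain-of-trust verification with a toy RSA signature (constructed example)."""
import hashlib
import math


def next_prime(n):
    """Smallest prime >= n by trial division; fine for the ~1e6 sizes used here."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def keygen(seed):
    """Toy RSA key pair from two primes just above `seed`. Returns (public, private),
    each as (n, exponent). Far too small to be secure; that is not the point."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (65537, 257, 17, 5, 3) if math.gcd(c, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(data, n):
    """SHA-256 of the data, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == digest(data, n)


def tbs(cert):
    """The 'to be signed' bytes: every field of the certificate except the signature."""
    n, e = cert["key"]
    return f"{cert['subject']}|{n}|{e}|{cert['issuer']}".encode()


def issue(subject, subject_pub, issuer, issuer_priv):
    """A certificate is the subject's public key plus metadata, signed by the issuer."""
    cert = {"subject": subject, "key": subject_pub, "issuer": issuer}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert


def verify_chain(chain, trust_store, hostname):
    """chain is [leaf, intermediate, ...]; trust_store maps a root name to its public
    key. Returns (ok, reason) so a caller can log exactly why a chain was rejected."""
    if not chain or chain[0]["subject"] != hostname:
        return False, "leaf certificate is not for the requested host"
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return False, f"{cert['subject']} names an issuer that is not next in the chain"
        if not verify(issuer_cert["key"], tbs(cert), cert["sig"]):
            return False, f"signature on {cert['subject']} does not verify"
    top = chain[-1]
    root_key = trust_store.get(top["issuer"])
    if root_key is None:
        return False, f"{top['issuer']} is not a trusted root"
    if not verify(root_key, tbs(top), top["sig"]):
        return False, f"{top['subject']} was not signed by the trusted {top['issuer']}"
    return True, "ok"


# Constructed actors. Only the root's public key is shipped to the client.
ROOT_PUB, ROOT_PRIV = keygen(1_000_000)
HOSTING_PUB, HOSTING_PRIV = keygen(2_000_000)
HARRY_PUB, HARRY_PRIV = keygen(3_000_000)
VOLDY_PUB, VOLDY_PRIV = keygen(4_000_000)

TRUST_STORE = {"Gringotts Identities": ROOT_PUB}
HOST = "harryblogs.potter-weasley-family.com"

hosting_cert = issue("Diagon Alley Hosting", HOSTING_PUB, "Gringotts Identities", ROOT_PRIV)
harry_cert = issue(HOST, HARRY_PUB, "Diagon Alley Hosting", HOSTING_PRIV)
GOOD_CHAIN = [harry_cert, hosting_cert]

# Voldemort can mint certificates bearing the right names, but every signature
# in his chain is made with his own key, not Gringotts'.
fake_root = issue("Gringotts Identities", VOLDY_PUB, "Gringotts Identities", VOLDY_PRIV)
fake_harry = issue(HOST, VOLDY_PUB, "Gringotts Identities", VOLDY_PRIV)
FORGED_CHAIN = [fake_harry, fake_root]

if __name__ == "__main__":
    print(verify_chain(GOOD_CHAIN, TRUST_STORE, HOST))
    print(verify_chain(FORGED_CHAIN, TRUST_STORE, HOST))
```

The forged chain is internally consistent (the fake leaf really is signed by the fake root) and still fails, because the client compares the top of the chain against the key it already had, not against anything the server sent. That pre-installed root key is the one thing a network-level attacker cannot replace, which is the whole reason the chain of trust survives the DNS tricks from the earlier slides.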

  70. Why should I use HTTPS on my websites? • Protects your users from snooping. • Will raise hell if someone pretends to be you.

  71. Why doesn’t everybody do this? • Money. • Pain. Bureaucracy + encryption = not cute.

  72. Let’s Encrypt! • nginx: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 • apache: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

  73. None

  74. Shared hosting providers that support Let’s Encrypt: https://github.com/letsencrypt/letsencrypt/wiki/Web-Hosting-Supporting-LE

  75. What can I do as a user? • HTTPS Everywhere browser extension: https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en and https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/ • Ad and tracker blocking: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en and https://www.eff.org/privacybadger

  76. What can I do as a developer? • Learn how to be evil! • Starting with https://wireshark.org • cybrary.it • Books from No Starch Press: The Tangled Web, Silence on the Wire, Penetration Testing, etc. • Learn about the security features in the tools and frameworks you use!

  77. More resources • “Server Farm to Table”: http://jenna.is/server-farm-to-table-annotated.pdf • Computerphile “Man in the Middle attacks”: https://www.youtube.com/watch?v=-enHfpHMBo4 • Computerphile “Public key cryptography”: https://www.youtube.com/watch?v=GSIDS_lvRv4 • “Cat DNS”: https://www.youtube.com/watch?v=qDPhW9P44fI • pi-hole.net: connect to your router to block ads