An intro to web security Florencia Herra Vega CTO, Peerio 

An intro to web in/security 1. Some structural things about the web (with focus on DNS) 2. Some ways the web breaks 3. How HTTPS helps 

Why is the internet so insecure? • Security is not built in 

Why is the internet so insecure? • Security is not built in • Data sent in the open 

Why is the internet so insecure? • Security is not built in • Data sent in the open • Huge and unmaintained 

Why is it hard to learn? • High level of abstraction in development 

Why is it hard to learn? • High level of abstraction in development • The foundations are ugly. 

Why is it hard to learn? • High level of abstraction in development • The foundations are ugly. • Security requires the foundations. 

Why is it hard to learn? • High level of abstraction in development • The foundations are ugly. • Security requires the foundations. • The illusion of state 

What happens when you request a webpage in your browser? show me that blog text! images! 

What happens when you request a webpage in your browser? log in! special text! racy images! 

What happens when you request a webpage in your browser? 

http://harryblogs.potter-weasley-family.com 

What happens when you request a webpage in your browser? 

What happens when you request a webpage in your browser? 

What happens when you request a webpage in your browser? hosting ISP ? 

What happens when you request a webpage in your browser? hosting ISP 

http://harryblogs.potter-weasley-family.com 

http://harryblogs.potter-weasley-family.com where do I find blog? 

159.203.37.70 149.102.21.10 

Domain Name System (DNS) 

Domain Name System (DNS) The address book of the internetz. 

Domain Name System (DNS) The recursive address books of the internetz. 

DNS hey browser, do you know about harryblogs.potter-weasley-family.com? nope 

DNS hey OS, do you know about harryblogs.potter- weasley-family.com? nope 

DNS hey router, do you know about harryblogs.potter- weasley-family.com? nope 

DNS hey ISP, do you know about harryblogs.potter- weasley-family.com? nope 

DNS hey root DNS server, do you know about harryblogs.potter-weasley-family.com? nope, but I know about .com go ask the .com TLD DNS server 

DNS hey .com DNS server, do you know about harryblogs.potter-weasley-family.com? nope, but I know where the name servers for potter-weasley-family.com are! ns1.diagonalhosting.com 

DNS hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? YES 159.203.37.70 

DNS hey ns1.diagonalhosting.com, do you know about harryblogs.potter-weasley-family.com? YES 159.203.37.70 AUTHORITATIVE 

browser OS router ISP authoritative nameserver find! 

browser OS router ISP authoritative nameserver find! cache for n seconds! cache for n seconds! cache for n seconds! cache for n seconds! 

DNS hey ISP, do you know about harryblogs.potter- weasley-family.com? YES 159.203.37.70 

Okay, now we know who to talk to. # 

Insurance Company Inc. ISP Inc. 159.203.37.70 

Insurance Company Inc. ISP Inc. 159.203.37.70 

TCP “polite request to chat” Hey buddy can I talk to you for a second? SYN Me? You wanna talk to me? SYN/ACK Yes you! ACK 

HTTP GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com 

HTTP GET / HTTP/1.1 Host: harryblogs.potter-weasley-family.com HTTP/1.1 200 OK Harry’s blog This is a blog. 

buy this thing! one weird trick wow wow Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable product driven sticky note convergence viral quantitative vs. qualitative. Sticky note affordances responsive parallax prototype thought leader bootstrapping pivot. Like this! Tweet this! You’ll never believe these animal pix! This comments section won’t offend you…. Boring text but there is a Youtube video below! buy my merch! Patreon GitTip Flattr Bitcoin 

External content • Ads • JS/CSS CDNs • Image/video hosting CDNs • Analytics like Google Analytics/Mixpanel • Social media counters • Social media buttons • E-commerce buttons (Flattr, Patreon, PayPal) 

Insurance Company Inc. ISP Inc. 159.203.37.70 

Insurance Company Inc. ISP Inc. 159.203.37.70 I see you. 

How can we break this perfectly simple and logical system? 

Insurance Company Inc. ISP Inc. 159.203.37.70 

A simple prank vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com 

A simple prank vi /etc/hosts 

A simple prank vi /etc/hosts 104.16.126.167 your-friends-favourite-blog.com 

browser OS router ISP authoritative nameserver find! insert records 

Some DNS only resolves locally. 

browser OS router ISP authoritative nameserver find! cache poisoning x cache for n seconds! cache for n seconds! cache for n seconds! 

Problems • I can see what you’re saying • I can see your passwords • I can fool you into accessing the wrong website through DNS • I can fool you into accessing the wrong website a bunch of other ways too 

“Voldemort in the middle” 

HTTP HTTP/1.1 200 OK Super secret info about the anti- Death Eater rally! 

HTTP :( not so secret now HTTP/1.1 200 OK Super secret info about the anti- Death Eater rally! Voldemort-in-the-middle 

HTTPS wow ? AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7 HafGjXMfDdvm2KRd3qXhxOoeTP9vy ddrZ05o4PkE86q54ySQOJA6UwwHt0 NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB 

HTTPS not so wow AmfhZQFJ6lBRRWWRyHfOwmLnF4Zi7 HafGjXMfDdvm2KRd3qXhxOoeTP9vy ddrZ05o4PkE86q54ySQOJA6UwwHt0 NxQ+0RO0/ DnRbbPs1phgVX6wrZ93PVRLP xxHPwNBOQZg0qcxvEcl2fixs/ OtxhEHNfhlB dns wizardry 

HTTPS not so wow the rally is at this TOTALLY INCORRECT place dns wizardry 

HTTPS not so wow I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info. 

HTTPS not so wow I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info. I want to join Dumbledore’s Army and this is my name, address, bank account, and other unnecessarily personal info. 

Encryption keys are unique! 

Certificate: public key + metadata! 

Signed Certificates 

Signed Certificates 

Chain of trust 

Chain of trust Root certificate authority certificates are installed on your computer/ phone/browser. 

Hello, I’d like to talk to Harry’s blog securely Yes this is Harry’s blog, v secure! Hold up, why should I trust that you’re actually Harry? Because Diagon Alley Hosting says so. Hey Diagon Alley Hosting, do you know this guy? Yes, we can vouch for him. But how do I know who you are? Look me up with Gringotts Identities. 

Try your DNS tricks now, Voldy! 

Why should I use HTTPS on my websites? • Protects your users from snooping. • Will raise hell if someone pretends to be you. 

Why doesn’t everybody do this? • Money. • Pain. Bureaucracy + encryption = not cute. 

Let’s Encrypt! • nginx https://www.digitalocean.com/community/ tutorials/how-to-secure-nginx-with-let-s-encrypt-on- ubuntu-14-04 • apache https://www.digitalocean.com/community/ tutorials/how-to-secure-apache-with-let-s-encrypt- on-ubuntu-14-04 

No content

Shared hosting providers that support Let’s Encrypt https://github.com/letsencrypt/letsencrypt/wiki/Web- Hosting-Supporting-LE 

What can I do as a user? • HTTPS everywhere browser extension • https://chrome.google.com/webstore/detail/https-everywhere/ gcbommkclmclpchllfjekcdonpmejbdp?hl=en • https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/ • Ad and tracker blocking • https://chrome.google.com/webstore/detail/ublock-origin/ cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en • https://www.eff.org/privacybadger 

What can I do as a developer? • Learn how to be evil! • Starting with https://wireshark.org • cybrary.it • Books from NoStarch Press: The Tangled Web, Silence on the Wire, Penetration Testing, etc. • Learn about the security features in the tools and frameworks you use! 

More resources • “Server Farm to Table” — http://jenna.is/server-farm-to- table-annotated.pdf • Computerphile “Man in the Middle attacks” — https:// www.youtube.com/watch?v=-enHfpHMBo4 • Computerphile “Public key cryptography” — https:// www.youtube.com/watch?v=GSIDS_lvRv4 • “Cat DNS” — https://www.youtube.com/watch? v=qDPhW9P44fI • pi-hole.net — connect to your router to block ads