@PhilippeDeRyck
WHY TRADITIONAL WEB SECURITY TECHNOLOGIES NO LONGER SUFFICE TO KEEP YOU SAFE
Philippe De Ryck, OWASP Belgium, February 2017
https://www.websec.be
WHICH SCENARIO WOULD YOU CONSIDER TO BE SECURE?
(a) Visit website, browse public pages
    Login with username and password
    Consult private information
(b) Visit website, browse public pages
    Login with username and password
    Consult private information
(c) Visit website, browse public pages
    Login with username and password
    Consult private information
ABOUT ME – PHILIPPE DE RYCK
§ My goal is to help you build secure web applications
  − In-house training programs at various companies
  − Hosted web security training courses at DistriNet (KU Leuven)
  − Talks at various developer conferences
  − Slides, videos and blog posts on https://www.websec.be
§ I have a broad security expertise, with a focus on Web Security
  − PhD in client-side web security
  − Main author of the Primer on client-side web security
§ Part of the organizing committee of SecAppDev.org
  − Week-long course focused on practical security
THE WEB USED TO BE SERVER-CENTRIC
http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
WITH A LOT OF SERVER-SIDE PROBLEMS
http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
WITH A LOT OF SERVER-SIDE PROBLEMS
THE WEB HAS BECOME CLIENT-CENTRIC
NETWORKS ARE EVERYWHERE
§ We happily connect to any network we can find
  − Without knowing who has control over the network
§ People know about eavesdropping attacks
  − Sniffing usernames, passwords, session identifiers, …
https://www.flickr.com/photos/djimison/222214205/
http://codebutler.com/firesheep/
THE COMMUNICATION CHANNEL IS INSECURE
§ But we use HTTPS for sensitive data
  − Sufficient to counter passive eavesdropping attacks
  − But what about active network attacks?
Man in the Middle, Man on the Side
3 VARYING LEVELS OF HTTPS
(a) Visit website, browse public pages
    Login with username and password
    Consult private information
(b) Visit website, browse public pages
    Login with username and password
    Consult private information
(c) Visit website, browse public pages
    Login with username and password
    Consult private information
PREVENTING THE TRANSITION FROM HTTP TO HTTPS
some-shop.com
Normal flow:
  Visit http://some-shop.com
  Welcome, please login
  Login as Philippe
  Welcome Philippe
With a network attacker in between:
  Visit http://some-shop.com
  Login as Philippe
  Welcome Philippe
  Attacker: Rewrite HTTPS to HTTP
TIME TO MOVE TOWARDS HTTPS
some-shop.com
  Visit http://some-shop.com
  Welcome, please login
  Login as Philippe
  Welcome Philippe
Over HTTPS:
  Visit https://some-shop.com
  Login as Philippe
  Welcome Philippe
HTTP WEAKENS HTTPS SITES
https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html
SNEAKY SSL STRIPPING ATTACKS PREVENT THE USE OF HTTPS
Browser ↔ network attacker             Network attacker ↔ www.websec.be
GET http://www.websec.be               GET http://…
                                       301 Moved …
                                       GET https://…
200 OK <html>…</html>                  200 OK  (attacker rewrites HTTPS URLs to HTTP)
POST http://www.websec.be              POST https://…
200 OK <html>…</html>                  200 OK  (attacker rewrites HTTPS URLs to HTTP)
STRICT TRANSPORT SECURITY AGAINST SSL STRIPPING
§ Strict Transport Security converts all HTTP requests to HTTPS
§ Modern browsers support HTTP Strict Transport Security (HSTS)
  − HTTP response header to enable Strict Transport Security
  − When enabled, the browser will not send an HTTP request anymore
GET https://www.websec.be
200 OK <html>…</html>
www.websec.be
[Browser support table: supported from version 4 / 4 / 7 / 11 / 4.4.4 / 7.1]
HSTS CAN BE ENABLED WITH A SIMPLE ONE-LINER
§ The policy is controlled by the Strict-Transport-Security header
  − max-age specifies how long the policy should be enforced, in seconds
  − Make sure this is long enough to cover two subsequent visits
  − If necessary, the policy can be disabled by setting max-age to 0
§ The policy can be extended to automatically include subdomains
  − This behavior is controlled by the includeSubDomains flag
  − Before enabling this, carefully analyze the services you are running on your domain
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
HSTS IN ACTION
GET https://websec.be
200 OK  Strict-Transport-Security: max-age=31536000; includeSubDomains
GET https://www.websec.be
200 OK  Strict-Transport-Security: max-age=31536000; includeSubDomains
websec.be
GET https://websec.be
200 OK  Strict-Transport-Security: max-age=31536000; includeSubDomains
www.websec.be
POLICY DETAILS OF HSTS
§ HSTS does not care about TCP ports
  − Policy matches are determined based on the hostname only
  − Port 80 is translated to port 443, but other ports are preserved
§ HSTS policies can only be set over a secure connection
  − The certificate used must be valid
  − HSTS policies set on insecure connections are ignored
§ Disabling HSTS must be done by explicitly setting max-age to 0
  − Omitting an HSTS header from an HSTS-enabled host does nothing
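The policy rules on the last two slides (header parsing with max-age and includeSubDomains, acceptance only over a valid HTTPS connection, hostname-only matching with port 80 mapped to 443, explicit max-age=0 to disable) are easiest to understand by modelling what the browser does with them. The following is an added example, not code from the slides or from any browser; it is a small in-memory HSTS store fed with constructed responses, and the clock is injected so expiry can be simulated offline.

```python
"""Browser-side handling of HSTS policies, as an added example (not code from
the slides). A small in-memory store accepts Strict-Transport-Security headers
the way the slides describe and upgrades later http:// URLs accordingly."""
import re
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when max-age is absent or malformed; a browser then ignores
    the header entirely."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', val.strip())
            if not match:
                return None
            max_age = int(match.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Minimal model of a browser's dynamic HSTS list (dynamic_sts in Chrome)."""

    def __init__(self, clock):
        self._clock = clock       # callable returning the current time in seconds
        self._policies = {}       # hostname -> (expires_at, include_subdomains)

    def process_response(self, url, headers, cert_valid=True):
        """Apply the STS header of a response. Returns True if the store changed."""
        parts = urlsplit(url)
        # A policy is only accepted over HTTPS with a valid certificate.
        if parts.scheme != "https" or not cert_valid or parts.hostname is None:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False          # omitting the header leaves the policy as it is
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname
        if max_age == 0:
            # Only an explicit max-age=0 removes an existing policy.
            return self._policies.pop(host, None) is not None
        self._policies[host] = (self._clock() + max_age, include_sub)
        return True

    def policy_for(self, host):
        """Find a live policy: exact hostname match, or a parent with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self._clock():
                del self._policies[candidate]   # expired policies are forgotten
                continue
            if i == 0 or include_sub:
                return entry
        return None

    def rewrite(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if self.policy_for(parts.hostname) is None:
            return url
        # Matching is by hostname only: port 80 becomes 443 (the HTTPS default),
        # any other explicit port is preserved.
        port = parts.port
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The store deliberately refuses headers that arrive over http:// or with an invalid certificate, and a response without the header leaves the stored policy untouched, which is why a site cannot "undo" HSTS by simply dropping the header.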
ENABLING HSTS IN PRACTICE
§ The step-by-step guide towards enabling HSTS
  − Set up HTTPS correctly
  − Send the Strict-Transport-Security header with a short max-age
  − Test your configuration
  − Increase max-age after successful testing
§ Chrome’s net-internals allow inspection
  − dynamic_sts is the HSTS mechanism
FUN FACT: CHROME HANDLES HSTS AS A REDIRECT
TIME TO GET ON THE HSTS TRAIN
https://trends.builtwith.com/docinfo/HSTS
BUT HOW DO YOU MAKE THE FIRST CONNECTION OVER HTTPS?
GET https://websec.be
200 OK  Strict-Transport-Security: max-age=31536000; includeSubDomains
GET https://www.websec.be
200 OK  Strict-Transport-Security: max-age=31536000; includeSubDomains
websec.be
GET https://www.websec.be
200 OK  Strict-Transport-Security: max-age=31536000; includeSubDomains
www.websec.be
HSTS == TOFU
http://www.bbcgoodfood.com/howto/guide/ingredient-focus-tofu
PRELOADING HSTS INTO THE BROWSER
https://hstspreload.appspot.com/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
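The step-by-step guide (set up HTTPS, send the header with a short max-age, test, then raise max-age) and the preload header above can be turned into a checklist that runs over recorded responses. The following is an added example, not code from the slides or from the preload submission site: it takes constructed (status, headers) pairs for the plain-HTTP and HTTPS front page of a host and reports what is missing. The preload prerequisites it applies (a one-year max-age, includeSubDomains and the preload token) are an assumption of this example, chosen to match the header shown on the slide.

```python
"""Offline check of an HSTS rollout, as an added example (not code from the
slides). It walks the slides' step-by-step guide over recorded responses, so
nothing here touches the network; the responses used in tests are constructed."""
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # the max-age value used in the slides' headers
# Assumed preload prerequisites for this example: a one-year max-age,
# includeSubDomains and the preload token all present.


def sts_parts(value):
    """Extract (max_age, includeSubDomains, preload) from a header value.
    max_age is None when the directive is missing or malformed."""
    match = re.search(r'max-age="?(\d+)"?', value, re.IGNORECASE)
    tokens = {d.strip().lower() for d in value.split(";")}
    return (int(match.group(1)) if match else None,
            "includesubdomains" in tokens, "preload" in tokens)


def check_rollout(host, responses):
    """responses maps a URL to (status, headers) for the plain-HTTP and HTTPS
    front page of host. Returns a list of findings; empty means all checks passed."""
    findings = []
    status, headers = responses.get(f"http://{host}/", (None, {}))
    # Step 1: plain HTTP must hand the browser over to HTTPS immediately. A page
    # served in the clear is exactly what an SSL stripping attacker relies on.
    if status is None:
        findings.append("http: no response recorded")
    elif status in (301, 302, 307, 308):
        target = headers.get("Location", "")
        if urlsplit(target).scheme != "https":
            findings.append(f"http: redirect target is not https ({target!r})")
    else:
        findings.append(f"http: status {status} served in the clear instead of a redirect (SSL stripping surface)")
    if "Strict-Transport-Security" in headers:
        findings.append("http: HSTS header sent over plain HTTP is ignored by browsers")

    status, headers = responses.get(f"https://{host}/", (None, {}))
    if status is None:
        findings.append("https: no response recorded")
        return findings
    value = headers.get("Strict-Transport-Security")
    if value is None:
        findings.append("https: Strict-Transport-Security header missing")
        return findings
    max_age, include_sub, preload = sts_parts(value)
    if max_age is None:
        findings.append(f"https: malformed Strict-Transport-Security value {value!r}")
        return findings
    # Steps 2 and 4: a short max-age is fine while testing; raise it once the
    # configuration is known to work.
    if max_age == 0:
        findings.append("https: max-age=0 disables HSTS")
    elif max_age < ONE_YEAR:
        findings.append(f"https: max-age={max_age} is a testing value; raise it after successful testing")
    if not include_sub:
        findings.append("https: includeSubDomains not set; subdomains stay reachable over HTTP")
    if preload and (max_age < ONE_YEAR or not include_sub):
        findings.append("https: preload token set but policy does not meet the assumed preload prerequisites")
    return findings
```

Feeding it the responses of a site that still serves its front page over plain HTTP, and only sends the header there, produces the two findings that matter most: the clear-text page that an SSL stripping attacker can keep a user on, and an HSTS header that browsers will never store because it did not arrive over HTTPS.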
PRELOADING IS ON THE RISE
https://trends.builtwith.com/docinfo/HSTS
ALL INTERACTIONS SHOULD HAPPEN OVER HTTPS
§ There is a big push for HTTPS on the Web
  − Google uses HTTPS as a ranking signal
  − Active mixed content is blocked in modern desktop browsers
  − The Secure Contexts specification limits use of sensitive features
§ There is plenty of support for easily enabling HTTPS
  − Rate your deployment with the SSL Server Test
  − Get free, automated certificates from Let’s Encrypt
§ HSTS is essential for a modern HTTPS deployment
  − For complex environments, start with subdomains
https://www.ssllabs.com/ssltest/
https://letsencrypt.org/
KNOWLEDGE IS THE KEY TO BUILDING SECURE APPLICATIONS
§ The use of HTTPS and HSTS is only the tip of the iceberg
  − Numerous new security policies have been added in the last 5 years
§ These new technologies require explicit knowledge and action
  − Developers need to know why and how to use them
§ We offer specialized training covering the Web security landscape
  − Hosted training courses and customizable in-house trainings
  − Broad spectrum of topics, such as HTTPS, authentication, authorization, XSS
  − Various Web technologies, including modern MVC frameworks (AngularJS, …)
  − Effective combination of lectures and hands-on sessions
https://essentials.websec.be
Web Security Essentials, April 24 – 25, Leuven, Belgium
Security in 4 key areas
  Secure communication
  Strong authentication
  Avoiding authorization bypasses
  Neutralizing code injection attacks
Up-to-date & actionable advice
  Directly applicable security advice
  Overview of essential best practices
  Strong theoretical foundation
  Practical hands-on experience
Thanks for providing this course packed with very up-to-date information.
I would recommend this training to all web developers and architects
Excellent hand-outs, providing concise but complete information
NOW IT’S UP TO YOU …
Secure / Share / Follow
https://www.websec.be [email protected] /in/philippederyck