COMP1321 Digital Infrastructures
Richard Henson
University of Worcester
April 2013
Week 19 Communications: Securing Web Pages
Objectives:
- Explain how HTTPS/SSL/TLS fits into the OSI seven layer model
- Take the necessary steps to implement an SSL system on a www server that uses EAP/TLS
- Apply PKI principles to produce a workable means of protecting web pages at the client end
Secure Sockets Layer and Secure HTTP
Summary of SSL:
- devised by Netscape
- very successful
- works with HTTP-S to only display the web page in a secure environment
- never been cracked
- further developed by IETF
But how does it all fit together?
Back to the TCP/IP model
[Diagram: TCP/IP layers. Level 7: TELNET, FTP, SMTP, HTTP, http-s. Level 5: session layer protocols, e.g. Unix "sockets", SSL. Level 4: TCP/TLS.]
Zoom in on TCP and the upper layers…
Secure HTTP (https) and the session layer
- All application layer protocols communicate with the TCP layer through unique TCP ports and an (optional) session layer logon
- Security can also be imposed, therefore, by authenticating at the "logon" layer
  » e.g. using Kerberos authentication
  » a username/password is required before data can pass the session layer and be displayed by the browser
Secure Sockets and the Session Layer
- In the early days of Unix, someone devised the concept of a "socket":
  » a protocol between the application and transport layers that TCP could plug in to with the help of a TCP port
  » network authentication could be handled by the "socket"
- The concept continued, and was assimilated into the session layer
- When Windows interfaced with TCP/IP for the first time, the term WINSOCK was introduced
The trouble with HTTP
- General Internet principle of "anyone can go anywhere"
- On a Windows system with www access:
  » TCP can link to HTTP through "Winsock"
  » session layer authentication not invoked
  » HTML data transferred directly to the presentation and application layers for display
- Problem: the data is visible to anyone else on the Internet who may have access to that machine and the data path to it!
Secure HTTP and the user authentication problem
- Makes use of the potential for requiring authentication at the session layer
- SSL protocol can require a username/password combination before data passes through the socket from transport layer to application layer
[Diagram: application layer above transport layer, with "authentication required" at the socket between them]
Computer Authentication
- SSL is able to use the PKI (remember that?)
- When a user first attempts to communicate with a web server over a secure connection:
  » that server will present the web browser with authentication data
  » presented as a server certificate (remember those?)
  » verifies that the server is who and what it claims to be
- Works both ways…
  » protocol: EAP/TLS
  » server may in return request client authentication via username/password
SSL and Encryption
- Authenticating the user & server only helps when the data is at its source or destination
- data also needs to be protected in transit…
- SSL working at level 5/6 also ensures that it is:
  » encrypted before being sent
  » decrypted upon receipt and prior to processing for display
Confidentiality & Integrity
- Encryption of SSL responses can be:
  » either Standard 40 bit RSA: difficult to break (confidentiality)
  » or Secure 128 bit RSA: virtually impossible to "crack"
- Guarantee that the data will not be modified in transit by a third party: integrity therefore also maintained
Is an SSL Digital Certificate Really Necessary?
- Yes:
  » for sites involved in e-commerce and therefore involving digital payment with authentication
  » any other business transaction in which authentication is important
- No:
  » if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection
  » in such cases, a self-signed certificate is sufficient
The Web of Trust (PGP)
- Based on individual trust networks built up between individuals
- Possible to "self sign" a digital certificate
  » if someone trusts you, a self-signature may be all they need
  » OpenPGP identity certificates are designed to be self-signed
Verisign Trust System
- Web of Trust: OK for academics ("good" people?) but "bad" people can do business
- Verisign system presented as an alternative
  » developed so that people could trust strangers in business transactions
  » financial institutions provide the "trust"
General Tips on Running SSL
- Secure websites… designed to be as efficient as securely possible
  » problem: encryption/decryption is computationally expensive from a performance standpoint
- not strictly necessary to run an entire Web application over SSL
  » customary for a developer to decide which pages require a secure connection and which do not
  » and create secure and non-secure folder structures for the respective web pages
When to use SSL
- Whenever web pages require a secure connection with the server, e.g.:
  » login pages
  » personal information pages
  » shopping cart checkouts
  » any pages where credit card information could possibly be transmitted
Running HTTPS
- A client-server service that runs on the Web server (like http, smtp, and ftp)
- uniquely designed so it will not run on a server without an installed and active server certificate
- Once the service has been set up, https will require users to establish an encrypted channel with the server, i.e. https:// rather than http://
- Until the user does use https they will get an error, rather than the pop up that precedes the secure web page
Running HTTPS
- Use of encryption can interfere with access to data… (i.e. availability)
  » an encrypted channel running https requires that the user's Web browser and the Web server BOTH support the same encryption scheme
- For example:
  » IF an IIS Web Server is set to use default secure communication settings
  » THEN the client Web browser must support a session key strength of 40 bits, or greater
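An added illustration, not from the slides, of the same rule using Python's ssl module: the server only enables suites above a minimum session key strength, a check confirms no weaker suite is enabled, and a browser offering none of the enabled suites simply cannot connect. The 128-bit minimum and the cipher list are assumptions for the example, not IIS defaults.

```python
import ssl

def build_server_context(min_bits=128):
    """Server context that only negotiates TLS 1.2 or later with AEAD suites
    that give forward secrecy; a browser supporting none of them cannot
    connect at all (the availability trade-off the slide describes)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax; nothing here has a key shorter than 128 bits.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    weak = weak_ciphers(ctx, min_bits)
    if weak:
        raise ValueError(f"policy still allows weak suites: {weak}")
    return ctx

def weak_ciphers(ctx, min_bits):
    """Names of enabled suites whose session key is shorter than min_bits;
    run this after editing a cipher list so a 40- or 56-bit suite cannot
    creep back in."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]

def can_connect(client_suites, ctx):
    """The slide's 'BOTH must support the same scheme' rule: the handshake
    succeeds only if the client offers a suite the server has enabled."""
    server_suites = {c["name"] for c in ctx.get_ciphers()}
    return bool(server_suites & set(client_suites))

if __name__ == "__main__":
    ctx = build_server_context()
    print("enabled:", [c["name"] for c in ctx.get_ciphers()])
    # A client that only speaks a 40-bit export suite is refused outright.
    print("40-bit export client can connect:", can_connect(["EXP-RC4-MD5"], ctx))
```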
Accessing a Web Page using HTTPS
- If the client is to request a page that needs SSL:
  » in the HTML code that will call that page, prefix the address with https:// instead of http://
  » the system will do the rest…
- Any pages which absolutely require a secure connection need to:
  » check the protocol type associated with the page request
  » take appropriate action if https: is not specified
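An added example, not from the slides, of the check in the last two bullets: a WSGI middleware that inspects the request scheme, redirects plain-http requests for secure pages to https:// without serving the page, and sets Strict-Transport-Security once a page is served securely. The path list and the shop.example host are assumptions.

```python
from wsgiref.util import request_uri, setup_testing_defaults

# Paths the site policy says must only ever be served over HTTPS (assumption).
SECURE_PREFIXES = ("/login", "/account", "/checkout")

def needs_https(path):
    """True if the requested path is one that absolutely requires SSL."""
    return any(path == p or path.startswith(p + "/") for p in SECURE_PREFIXES)

def require_https(app):
    """Wrap a WSGI app so that secure pages are never served over plain HTTP."""
    def middleware(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        path = environ.get("PATH_INFO", "/")
        if scheme != "https" and needs_https(path):
            # Rebuild the URL as https:// on the standard port and redirect;
            # the page body is never sent over the insecure channel.
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
            environ["HTTP_HOST"] = host.split(":")[0]  # assumes a hostname, not an IPv6 literal
            environ["wsgi.url_scheme"] = "https"
            start_response("301 Moved Permanently",
                           [("Location", request_uri(environ)), ("Content-Length", "0")])
            return [b""]
        def hsts_start_response(status, headers, exc_info=None):
            # Once served over HTTPS, tell the browser to keep using https://
            if scheme == "https":
                headers = list(headers) + [("Strict-Transport-Security", "max-age=31536000")]
            return start_response(status, headers, exc_info)
        return app(environ, hsts_start_response)
    return middleware

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"page body"]

def simulate(scheme, path, host="shop.example"):
    """Push one constructed request through the middleware; returns (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "HTTP_HOST": host}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(require_https(demo_app)(environ, start_response))
    return seen["status"], seen["headers"], body
```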
Screen Prompts that a Web Page has been delivered securely using SSL
1. (depending on browser settings) pop up appears…
   » informs the client that they are entering a secure client-server connection
   » must be acknowledged to continue
2. Web page displayed:
   » https:// will appear before the URL
   » "lock" symbol appears on the bottom left of the screen
How secure are your mobile apps?
Possible vulnerabilities:
- MITM attack (capture of code en route)
  » much easier on wireless networks
- SQL injection
  » unprotected data windows
  » needs input validation controls
- DOS & DDOS
  » exploitation that invokes ping
CWE Top 25 faults (1)
Rank  ID       Name
1     CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
2     CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3     CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4     CWE-352  Cross-Site Request Forgery (CSRF)
5     CWE-285  Improper Access Control (Authorization)
6     CWE-807  Reliance on Untrusted Inputs in a Security Decision
7     CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8     CWE-434  Unrestricted Upload of File with Dangerous Type
9     CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10    CWE-311  Missing Encryption of Sensitive Data
11    CWE-798  Use of Hard-coded Credentials
12    CWE-805  Buffer Access with Incorrect Length Value
13    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[TSI/2012/183] © Copyright 2003-2012
CWE Top 25 faults (2)
Rank  ID       Name
14    CWE-129  Improper Validation of Array Index
15    CWE-754  Improper Check for Unusual or Exceptional Conditions
16    CWE-209  Information Exposure Through an Error Message
17    CWE-190  Integer Overflow or Wraparound
18    CWE-131  Incorrect Calculation of Buffer Size
19    CWE-306  Missing Authentication for Critical Function
20    CWE-494  Download of Code Without Integrity Check
21    CWE-732  Incorrect Permission Assignment for Critical Resource
22    CWE-770  Allocation of Resources Without Limits or Throttling
23    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
24    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
25    CWE-362  Race Condition
Thanks for Listening