
COMP1321 Digital Infrastructures Richard Henson University of Worcester April 2013


Week 19 Communications: Securing Web Pages

Objectives:
  Explain how HTTPS/SSL/TLS fits into the OSI seven layer model
  Take the necessary steps to implement an SSL system on a www server that uses EAP/TLS
  Apply PKI principles to produce a workable for protecting web pages at the client end


Secure Sockets Layer and Secure HTTP

Summary of SSL:
  devised by Netscape
  very successful
  works with HTTP-S to only display the web page in a secure environment
  never been cracked
  Further developed by IETF
But how does it all fit together?


Back to the TCP/IP model

Zoom in on TCP and the upper layers…

[Diagram: protocol stack]
  Level 7: TELNET, FTP, SMTP, HTTP, http-s
  Level 5: Session layer protocols: eg Unix “sockets”, SSL
  Level 4: TCP/TLS


Secure HTTP (https) and the session layer

All application layer protocols communicate with TCP layer through unique TCP ports and (optional) session layer logon
Security can also be imposed, therefore, by authenticating at the “logon” layer
  e.g. using Kerberos authentication
  username/password is required before data can pass the session layer and be displayed by the browser


Secure Sockets and the Session Layer

In the early days of Unix, someone devised the concept of a “socket”:
  a protocol between application and transport layers that TCP could plug in to with the help of a TCP port
  network authentication could be handled by the “socket”
The concept continued, and was assimilated into the session layer
When Windows interfaced with TCP/IP for the first time, the term WINSOCK was introduced


The trouble with HTTP

General Internet principle of “anyone can go anywhere”
On a Windows system with www access:
  TCP can link to HTTP through “Winsock”
  session layer authentication not invoked
  HTML data transferred directly to the presentation and application layers for display
Problem:
  the data is visible to anyone else on the Internet who may have access to that machine and the data path to it!


Secure HTTP and the user authentication problem

Makes use of the potential for requiring authentication at the session layer
SSL protocol can require a username/password combination before data passes through the socket from transport layer to application layer

[Diagram: application layer above transport layer, with “authentication required” between them]


Computer Authentication

SSL is able to use the PKI (remember that?)
When a user first attempts to communicate with a web server over a secure connection:
  that server will present the web browser with authentication data
    presented as a server certificate (remember those?)
      » verifies that the server is who and what it claims to be
Works both ways…
  protocol: EAP/TLS
  server may in return request client authentication via username/password


SSL and Encryption

Authenticating the user & server only helps when the data is at its source or destination
  data also needs to be protected in transit…
SSL working at level 5/6 also ensures that it is:
  » encrypted before being sent
  » decrypted upon receipt and prior to processing for display


Confidentiality & Integrity

Encryption of SSL responses can be
  Either Standard 40 bit RSA
    » difficult to break confidentiality
  Or Secure 128 bit RSA
    » virtually impossible to “crack”
Guarantee that the data will not be modified in transit by a third party
  integrity therefore also maintained


Is an SSL Digital Certificate Really Necessary?

Yes:
  for sites involved in e-commerce and therefore involving digital payment with authentication
  any other business transaction in which authentication is important
No:
  if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection
In such cases, a self-signed certificate is sufficient


The Web of Trust (PGP)

Based on individual trust networks built up between individuals
Possible to “self sign” a digital certificate
  if someone trusts you, a self-signature may be all they need
  OpenPGP identity certificates are designed to be self-signed


Verisign Trust System

Web of Trust
  OK for academics (“good” people?)
  but “bad” people can do business
Verisign system presented as an alternative
  developed so that people could trust strangers in business transactions
  financial institutions provide the “trust”


General Tips on Running SSL

Secure websites…
  designed to be as efficient as securely possible
    » problem: encryption/decryption is computationally expensive from a performance standpoint
  not strictly necessary to run an entire Web application over SSL
    » customary for a developer to decide which pages require a secure connection and which do not
    » and create secure and non-secure folder structures for the respective web pages


When to use SSL

Whenever web pages require a secure connection with the server e.g.:
  login pages
  personal information pages
  shopping cart checkouts
  any pages where credit card information could possibly be transmitted


Running HTTPS

A client-server service that runs on the Web server (like http, smtp, and ftp)
  uniquely designed so it will not run on a server without an installed and active server certificate
Once the service has been set up, https will require users to establish an encrypted channel with the server
  i.e. https:// rather than http://
Until the user does use https they will get an error, rather than the pop up that precedes the secure web page


Running HTTPS

Use of encryption can interfere with access to data… (i.e. availability)
  an encrypted channel running https requires that the user's Web browser and the Web server BOTH support the same encryption scheme
For example:
  IF an IIS Web Server is set to use default secure communication settings
  THEN the client Web browser must support a session key strength of 40 bits, or greater


Accessing a Web Page using HTTPS

If the client is to request a page that needs SSL:
  in the HTML code that will call that page, prefix the address with https:// instead of http://
    » the system will do the rest…
Any pages which absolutely require a secure connection need to:
  check the protocol type associated with the page request
  take appropriate action if https: is not specified
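An added example, not part of the original slides: one way a site can check the protocol type of each page request and act when https is not used, written as Python WSGI middleware. The `/secure/` folder, the host `www.example.test` and the names `RequireHTTPS`, `demo_app` and `probe` are assumptions made for illustration, as is the policy of redirecting GET/HEAD requests and refusing everything else.

```python
from urllib.parse import quote
from wsgiref.util import setup_testing_defaults


class RequireHTTPS:
    """WSGI middleware: pages under the secure folders are served over https only."""

    def __init__(self, app, canonical_host, secure_prefixes=("/secure/",)):
        self.app = app
        self.canonical_host = canonical_host  # configured, never taken from the Host header
        self.secure_prefixes = tuple(secure_prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        # Check the protocol type associated with the page request.
        is_https = environ.get("wsgi.url_scheme") == "https"
        if is_https or not path.startswith(self.secure_prefixes):
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
            # No form data was sent: ask the browser to repeat the request over https.
            target = "https://" + self.canonical_host + quote(path)
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        # A POST body has already crossed the network in clear text, so
        # refuse it instead of redirecting and hiding the mistake.
        body = b"This page must be requested over https.\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def demo_app(environ, start_response):
    """Stand-in for the real site (constructed for this example)."""
    body = b"page body\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def probe(scheme, method, path, query=""):
    """Send one constructed request through the middleware; return (status, headers)."""
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "QUERY_STRING": query}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    site = RequireHTTPS(demo_app, canonical_host="www.example.test")
    b"".join(site(environ, start_response))
    return seen["status"], seen["headers"]
```

Calling `probe("http", "GET", "/secure/login.html")` shows the redirect, and the same path requested with `"https"` reaches the page.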


Screen Prompts that a Web Page has been delivered securely using SSL

1. (depending on browser settings) pop up appears…
  informs the client that they are entering a secure client-server connection
  must be acknowledged to continue
2. Web page displayed:
  https:// will appear before the URL
  “lock” symbol appears on the bottom left of the screen


How secure are your mobile apps?

Possible vulnerabilities:
  MITM attack (capture of code en route)
    » Much easier on wireless networks
  SQL injection
    » unprotected data windows
    » needs input validation controls
  DOS & DDOS
    » exploitation that invokes ping


CWE Top 25 faults (1)

Rank  ID       Name
1     CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
2     CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3     CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4     CWE-352  Cross-Site Request Forgery (CSRF)
5     CWE-285  Improper Access Control (Authorization)
6     CWE-807  Reliance on Untrusted Inputs in a Security Decision
7     CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8     CWE-434  Unrestricted Upload of File with Dangerous Type
9     CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10    CWE-311  Missing Encryption of Sensitive Data
11    CWE-798  Use of Hard-coded Credentials
12    CWE-805  Buffer Access with Incorrect Length Value
13    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

[TSI/2012/183] © Copyright 2003-2012


CWE Top 25 faults (2)

Rank  ID       Name
14    CWE-129  Improper Validation of Array Index
15    CWE-754  Improper Check for Unusual or Exceptional Conditions
16    CWE-209  Information Exposure Through an Error Message
17    CWE-190  Integer Overflow or Wraparound
18    CWE-131  Incorrect Calculation of Buffer Size
19    CWE-306  Missing Authentication for Critical Function
20    CWE-494  Download of Code Without Integrity Check
21    CWE-732  Incorrect Permission Assignment for Critical Resource
22    CWE-770  Allocation of Resources Without Limits or Throttling
23    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
24    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
25    CWE-362  Race Condition



Thanks for Listening