Presentation on theme: "HTML5: Risky Business or Hidden Security Tool Chest Johannes B. Ullrich, Ph.D."— Presentation transcript:
HTML5: Risky Business or Hidden Security Tool Chest Johannes B. Ullrich, Ph.D. email@example.com
About Me Hosted by OWASP & the NYC Chapter Dean of Research, SANS Technology Institute Living in Jacksonville FL (aka Southern GA) SANS Internet Storm Center https://isc.sans.edu Created DShield.org Instructor for SANS Past: Physicist, Web Developer
What is this talk about? Ideas to improve security by using HTML5 responsibly What are some of the security challenges that HTML5 addresses well (or doesn’t) What are some of the limitations we have to consider
Authentication Exclusive vs. Inclusive Authentication Methods: – Inclusive: Proof the identity of the user – Exclusive: Disproof the identity of the user
What the Factor? Segway: Multi Factor Authentication Single Factor: Password Two Factor: Password AND (Token|Biometric) 1 ½ Factor: Password and Cookie ½ Factor: Password OR (Token|Biometric)
HTML5 Components Local Storage / Session Storage Canvas Geolocation Media Capture Notifications Accelerometer Encryption
Local Storage: Persistent Cookie Alternative to Flash cookie for “1 ½ Factor” login Part of an “Evercookie” Can be used for good (additional authentication) or evil (more user tracking) Exposed to XSS attacks Similar to cookies in scope and security
Session Storage: Identifying users Can be used to store session token Breaks CSRF (good!) User is logged out when they close the browser window (not entire browser) Multiple users can use the same browser (is this a good thing?) Easier log out, more secure session tracking, can be used alongside cookies.
Can I use it? http://caniuse.com/#feat=namevalue-storage
Canvas Allows drawing in the browser Interactive image applications Can be used for graphical login schemes – CAPTCHAs – Pattern based login
Image Login Display image, user identifies features Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”) Image: Microsoft
“Connect the Dots” Implemented in Android Good user acceptance for mobile login No good studies yet as to how users select patterns Image: Extremetech.com
Demo Demo: “Connect the Dots” for the web http://authonthemove.com See Github for code repository
Can I use it? http://caniuse.com/#feat=canvas
Geolocation for Authentication Only useful on mobile devices Can be used to exclude users, but not to replace traditional authentication Observe sudden changes in location Combine with careful browser fingerprinting techniques
Can I use it?
Media Capture aka getUserMedia/Stream API Limited support (Chrome, Firefox, Blackberry) Some potential for biometrics: – Face recognition – Hand signals / gestures – Fingerprint?
Implementations Face recognition libraries: – http://neave.github.io/face-detection/ http://neave.github.io/face-detection/
Difficulties Hard to acquire sufficient detail So far, in particular on mobile devices, more of a gimmick then a serious authentication feature Possibility to use “finger print”, but current cameras not sufficient to acquire image
Can I use it? http://caniuse.com/#feat=stream
Accelerometer Only useful for mobile devices Move the phone in a pattern to authenticate Detect step/walking pattern Detect if user/phone is at rest or on the move Can be spoofed (but not readily) Not easy to reproduce Adding sensors like compass may help.
Can I use it? http://caniuse.com/#feat=deviceorientation
Notifications Popup Notifications sent by the server to notify the user Initiated by server – Local Notifications: Require browser to be open, widely supported – Push Notifications: Safari Only
Bad stuff happened! Notify the user of security relevant events: – “Someone is trying to log in as you” User needs to accept notifications Notifications no 100% reliable Not “out of band” (can be faked, intercepted) Safari Notifications may be useful for one time passwords (OTP)
Can I use it? http://caniuse.com/#feat=notifications
Encryption Client side encryption Allows encryption of specific sensitive fields (e.g. payment data, passwords) Intermediate services (proxies, web services) don’t need to know the information Upcoming: CryptoAPI (June 2013) http://www.w3.org/TR/WebCryptoAPI/ Until then: https://www.pidder.de/pidcrypt/
Client side password hashing Server sends random “nonce” as part of login form. Client calculates hash from password/nonce Passes hash to server Server verifies hash Advantage: Server never gets to know the “real” password.
Signup Use enters password Client hashes password Password hash transmitted to server Salt: Username? Provided by server? Changing password: Same procedure, salt may change.
Summary Lots of cool and useful tools in HTML5 Use them as appropriate “HTML5” itself isn’t the risk. Bad coding is the risk Understand privacy issues Understand user behavior Share your code an experiences (OWASP!!)
Thanks! ! Thanks ! Questions? firstname.lastname@example.org http://authonthemove.com http://isc.sans.edu Daily Updates * Daily Podcast * Live Data Feeds