
Web Security: Fear, Surprise, and Ruthless Efficiency. Mary Ellen Zurko. © 2010 Cisco and/or its affiliates. All rights reserved.


Slide 1: Web Security: Fear, Surprise, and Ruthless Efficiency (Mary Ellen Zurko)


Slide 3: Authentication and Password/Secret Management
A secret is something you tell to one person at a time
Or: it's not turtles all the way down

Slide 4: Defense in depth matters
Compliance
Passwords: users vs system parts
Web server and files

Slide 5: Security the way Sir Tim intended
Server says: WWW-Authenticate: Basic realm="insert realm"
User prompted for their password
Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
User agent remembers and sends for that domain/realm

Slide 6: Everyone does their own authentication
No Single Sign On
Password proliferation
Password unprotected: encoding is not encrypting
Who's asking you for your password?
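As an added example (not from the slides), the Basic authentication exchange of slides 5 and 6 in Python: the server's challenge, the client's Authorization header, and the plain base64 decode by which anyone holding that header (a proxy, a log, a network tap) recovers the password. The credential from slide 5 is used as the sample; the helper names are my own.

```python
import base64
import re

# Sample header values, constructed to mirror slide 5 of the talk.
CHALLENGE = 'WWW-Authenticate: Basic realm="insert realm"'
CLIENT_HEADER = "Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4="


def build_challenge(realm: str) -> str:
    """Server side: the 401 response header that asks the user agent for credentials."""
    # RFC 7617: realm is a quoted-string, so embedded backslashes and quotes are escaped.
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'WWW-Authenticate: Basic realm="{quoted}"'


def parse_realm(header: str) -> str:
    """Client side: extract the realm so the browser can show it in the password prompt."""
    m = re.match(r'WWW-Authenticate:\s*Basic\s+realm="((?:[^"\\]|\\.)*)"', header)
    if m is None:
        raise ValueError("not a Basic challenge")
    return re.sub(r"\\(.)", r"\1", m.group(1))  # undo quoted-string escaping


def build_authorization(user: str, password: str) -> str:
    """Client side: user-id and password joined by ':' and base64-encoded. No key is involved."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_authorization(header: str) -> tuple[str, str]:
    """Anyone who sees the header recovers the password with this decode: encoding is not encryption."""
    m = re.match(r"Authorization:\s*Basic\s+([A-Za-z0-9+/]+=*)\s*$", header)
    if m is None:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    # Split on the first ':' only; the password itself may contain ':'.
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks the ':' separator")
    return user, password


if __name__ == "__main__":
    print("realm:", parse_realm(CHALLENGE))
    user, password = decode_authorization(CLIENT_HEADER)
    print(f"user={user!r} password={password!r}")  # the slide's credential, in the clear
    print("round trip ok:", build_authorization(user, password) == CLIENT_HEADER)
```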

Slide 7: Who vouches for the information on this web page?
Trust, Trustworthy, and Trust for What?
There's encryption; it's Secure!
What have you been told about detecting or avoiding phishing?

Slide 8:
Citigroup.com
Citibank.com
Cititigroup.com
Citigroup.de
Citibank.co.uk
Citigroup.org
Thisiscitigroup.org
Citibank.info
Citicards.com
Citicreditcards.com
Citibank-cards.us
Citimoney.com
Citigold.net
Citībank.org
Citibānk.org
Citigrøup.org


Slide 10: Early on, there was S-HTTP
Encryption of the HTML document
Headers defined to specify type of encryption, type of key management, nonces
Supports pre-arranged keys, public/private keys, PGP, etc.
Server and client negotiate which enhancements they'll use
Flexible
End to end (resists Man in the Middle)

Slide 11: Encryption! Authentication! Security!
Network protocol that wraps HTTP
Encryption of the tunnel for confidentiality and tamper detection
Authentication of the server using public key certificate
My browser has 182 "System Roots"
Authentication of the client using public key certificate is an option
Phishing for passwords and identities

Slide 12: Who put the D in DHTML?
Data and Code should not mix
Code is dangerous. Data is not.
Speech vs action

Slide 13: Major technical university's web site
Cross Site Scripting (XSS)
  Every link modified to redirect through proxy
  Links to other web sites (e.g. LinkedIn, Facebook)
Insecure Direct Object Reference
  Walk the OS file system

Slide 14: Who vouches for the code on this web site?
Javascript
  Sandbox + same origin policy
Java
  Permissions: "Should this code access your file system, the network?"
Web mail
  Cross site scripting (XSS)
  HTML escaping of any data
  Where are my bold text and dancing pigs?
  Whitelist vs Blacklist
Mobile apps: every game creator is a web browser implementer

Slide 15: Thank you. Mary Ellen Zurko, mzurko@cisco.com. Questions? Comments? Brickbats?
