html5: risky business or hidden security tool chest
DESCRIPTION
HTML5: Risky Business or Hidden Security Tool Chest. Johannes B. Ullrich, Ph.D. [email protected]. About Me. Dean of Research, SANS Technology Institute Living in Jacksonville FL (aka Southern GA) SANS Internet Storm Center https://isc.sans.edu Created DShield.org Instructor for SANS - PowerPoint PPT PresentationTRANSCRIPT
![Page 2: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/2.jpg)
About Me
Hosted by OWASP & the NYC Chapter
• Dean of Research, SANS Technology Institute
• Living in Jacksonville FL (aka Southern GA)
• SANS Internet Storm Centerhttps://isc.sans.edu
• Created DShield.org• Instructor for SANS• Past: Physicist, Web Developer
![Page 3: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/3.jpg)
What is HTML5
• Collection of JavaScript APIs supported by some modern browsers in some ways and sometimes they even work.
• Features to enable modern desktop like applications and support mobile devices
• 5th Revision of the HTML Standard
![Page 4: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/4.jpg)
What is this talk about?
• Ideas to improve security by using HTML5 responsibly
• What are some of the security challenges that HTML5 addresses well (or doesn’t)
• What are some of the limitations we have to consider
![Page 5: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/5.jpg)
Authentication
• Exclusive vs. Inclusive Authentication Methods:– Inclusive:
Proof the identity of the user
– Exclusive: Disproof the identity of the user
![Page 6: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/6.jpg)
What the Factor?
Segway: Multi Factor Authentication• Single Factor: Password• Two Factor: Password AND (Token|Biometric)• 1 ½ Factor: Password and Cookie• ½ Factor: Password
OR (Token|Biometric)
![Page 7: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/7.jpg)
HTML5 Components
• Local Storage / Session Storage• Canvas• Geolocation• Media Capture• Notifications• Accelerometer• Encryption
![Page 8: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/8.jpg)
Local and Session Storage
• New JavaScript API to store data on client• Protected by “same origin”• Local Storage:
– No defined expiration– Accessible by all browser windows
• Session Storage:– Expired when window is closed– Scope limited to current window
![Page 9: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/9.jpg)
Local Storage: Persistent Cookie
• Alternative to Flash cookie for “1 ½ Factor” login
• Part of an “Evercookie”• Can be used for good (additional
authentication) or evil (more user tracking)• Exposed to XSS attacks• Similar to cookies in scope and security
![Page 10: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/10.jpg)
Session Storage: Identifying users
• Can be used to store session token• Breaks CSRF (good!)• User is logged out when they close the
browser window (not entire browser)• Multiple users can use the same browser (is
this a good thing?)• Easier log out, more secure session tracking,
can be used alongside cookies.
![Page 11: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/11.jpg)
Risks
• Risks:Storing too much data on the client!Can’t enforce “secure” transmission over SSLCan’t protect from JavaScript/XSS (no httponly)
Examples:– storing confidential data on mobile devices– Pushing data to the client the client is not
authorized to see.
![Page 12: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/12.jpg)
Can I use it?
http://caniuse.com/#feat=namevalue-storage
![Page 13: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/13.jpg)
Canvas
• Allows drawing in the browser• Interactive image applications• Can be used for graphical login schemes
– CAPTCHAs– Pattern based login
![Page 14: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/14.jpg)
Image Login
• Display image, user identifies features• Done in Windows 8/RT for mobile login
(“Pattern Login”, “Picture Password”)
Image:Microsoft
![Page 15: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/15.jpg)
“Connect the Dots”
• Implemented in Android• Good user acceptance for mobile login• No good studies yet as to how users select
patterns
Image: Extremetech.com
![Page 16: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/16.jpg)
Demo
• Demo: “Connect the Dots” for the web• http://authonthemove.com• See Github for code repository
![Page 17: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/17.jpg)
Can I use it?
http://caniuse.com/#feat=canvas
![Page 18: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/18.jpg)
Geolocation
• JavaScript API provides access to devices built in sensors like GPS
• Can be very accurate• Can also be spoofed easily
Image: Mozilla.org
![Page 19: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/19.jpg)
Geolocation for Authentication
• Only useful on mobile devices• Can be used to exclude users, but not to
replace traditional authentication• Observe sudden changes in location• Combine with careful browser fingerprinting
techniques
![Page 20: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/20.jpg)
Can I use it?
![Page 21: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/21.jpg)
Media Capture
• aka getUserMedia/Stream API• Limited support (Chrome, Firefox, Blackberry)• Some potential for biometrics:
– Face recognition– Hand signals / gestures– Fingerprint?
![Page 22: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/22.jpg)
Implementations
• Face recognition libraries:– http://neave.github.io/face-detection/
![Page 23: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/23.jpg)
Difficulties
• Hard to acquire sufficient detail• So far, in particular on mobile devices, more of
a gimmick then a serious authentication feature
• Possibility to use “finger print”, but current cameras not sufficient to acquire image
![Page 24: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/24.jpg)
Can I use it?
http://caniuse.com/#feat=stream
![Page 25: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/25.jpg)
Accelerometer
• Only useful for mobile devices• Move the phone in a pattern to authenticate• Detect step/walking pattern• Detect if user/phone is at rest or on the move• Can be spoofed (but not readily)• Not easy to reproduce• Adding sensors like compass may help.
![Page 26: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/26.jpg)
Can I use it?
http://caniuse.com/#feat=deviceorientation
![Page 27: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/27.jpg)
Notifications
• Popup Notifications sent by the server to notify the user
• Initiated by server– Local Notifications: Require browser to be open,
widely supported– Push Notifications: Safari Only
![Page 28: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/28.jpg)
Bad stuff happened!
• Notify the user of security relevant events:– “Someone is trying to log in as you”
• User needs to accept notifications• Notifications no 100% reliable• Not “out of band” (can be faked, intercepted)• Safari Notifications may be useful for one time
passwords (OTP)
![Page 29: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/29.jpg)
Can I use it?
http://caniuse.com/#feat=notifications
![Page 30: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/30.jpg)
Encryption
• Client side encryption• Allows encryption of specific sensitive fields
(e.g. payment data, passwords)• Intermediate services (proxies, web services)
don’t need to know the information• Upcoming: CryptoAPI (June 2013)
http://www.w3.org/TR/WebCryptoAPI/• Until then: https://www.pidder.de/pidcrypt/
![Page 31: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/31.jpg)
Client side password hashing
• Server sends random “nonce” as part of login form.
• Client calculates hash from password/nonce• Passes hash to server• Server verifies hash• Advantage: Server never gets to know the
“real” password.
![Page 32: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/32.jpg)
Signup
• Use enters password• Client hashes password• Password hash transmitted to server• Salt: Username? Provided by server?• Changing password: Same procedure, salt may
change.
![Page 33: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/33.jpg)
Summary
• Lots of cool and useful tools in HTML5• Use them as appropriate• “HTML5” itself isn’t the risk. Bad coding is the
risk• Understand privacy issues• Understand user behavior• Share your code an experiences (OWASP!!)
![Page 34: HTML5: Risky Business or Hidden Security Tool Chest](https://reader036.vdocuments.site/reader036/viewer/2022062410/56816625550346895dd97f6c/html5/thumbnails/34.jpg)
Thanks!
! Thanks [email protected]
http://authonthemove.comhttp://isc.sans.edu
Daily Updates * Daily Podcast * Live Data Feeds