Security is Everyone's Responsibility

Posted on 02-Jul-2015

Here are the slides I did for my talk at Beyond Tellerrand in Berlin.

Transcript of Security is Everyone's Responsibility

SECURITY #btsec @MrRio

DIRECTOR/FOUNDER AT

jsPDF JAVASCRIPT PDF GENERATION LIBRARY

SECURITY IS EVERYONE'S RESPONSIBILITY

DEBOOKEE FOR MAC

CRACKING A WIFI PASSWORD IS EASY

HOW DO WE FIX THIS?!

WEBSITE OWNERS –

USE SSL

WEBSITE USERS –

USE VPN

WHAT IS CRYPTOGRAPHY?

SENDING A SECURE MESSAGE (OFFLINE DEMO EDITION)

A CIPHER IS A DIGITAL LOCK

CAESAR CIPHER, USED IN WARS AROUND 50BC

ABCDEFGHIJKLM

XYZABCDEFGHIJ

SHIFT CIPHER

SHIFT VALUE (KEY): 0

INPUT: I LOVE BT

OUTPUT: I LOVE BT

SHIFT CIPHER

SHIFT VALUE (KEY): 1

INPUT: I LOVE BT

OUTPUT: J MPWF CU

SHIFT CIPHER

SHIFT VALUE (KEY): 2

INPUT: I LOVE BT

OUTPUT: K NQXG DV

ONE-TIME PAD

KEY: 1950396

INPUT: ILOVEBT

OUTPUT: JUTVHKZ

STREAM CIPHER

KEY (SEED): 7894

KEY STREAM (PRNG): 1950396

INPUT: ILOVEBT

OUTPUT: JUTVHKZ

HOW TO GET A SHARED SECRET WITH THIS ONE WEIRD TRICK

[Slide sequence: MARC, STEFAN and EVE, with Marc and Stefan exchanging colours to reach a shared secret while Eve watches, animated over several slides]

INSTEAD OF COLOURS WE USE PRIME NUMBERS

EASY: (3^29) % 17 = 12

HARD: (3^??) % 17 = 12

32,416,190,071
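Worked example added here, not code from the slides: the shift cipher, one-time pad and stream cipher slides and the prime-number exchange above, implemented in JavaScript with the deck's own values. The exponent 29 is the one on the slide and is assigned to Marc here; Stefan's secret 7 is made up for the example.

```javascript
// Added example, not from the slides: the shift cipher, one-time pad and
// Diffie-Hellman arithmetic the deck shows, using the deck's own values.
const A = "A".charCodeAt(0);

// Caesar/shift cipher: move each letter `shift` places, wrapping around; other
// characters pass through. Shift 1 turns "I LOVE BT" into "J MPWF CU".
function shiftCipher(text, shift) {
  return text.toUpperCase().replace(/[A-Z]/g, (ch) =>
    String.fromCharCode(A + ((((ch.charCodeAt(0) - A + shift) % 26) + 26) % 26)));
}

// One-time pad as the deck draws it: every letter gets its own shift from a
// digit key ("ILOVEBT" + "1950396" = "JUTVHKZ"). A stream cipher works the
// same way but generates those digits from a short seed with a PRNG.
function oneTimePad(text, keyDigits, decrypt = false) {
  const msg = text.toUpperCase();
  if (keyDigits.length < msg.length) throw new Error("key shorter than message");
  const sign = decrypt ? -1 : 1;
  return msg.split("")
    .map((ch, i) => shiftCipher(ch, sign * Number(keyDigits[i])))
    .join("");
}

// Square-and-multiply modular exponentiation, (base^exp) % mod, using BigInt
// so intermediate products never overflow. This is the "easy" direction on
// the slide: modPow(3, 29, 17) === 12.
function modPow(base, exp, mod) {
  const m = BigInt(mod);
  let result = 1n, b = BigInt(base) % m, e = BigInt(exp);
  while (e > 0n) {
    if (e & 1n) result = (result * b) % m;
    b = (b * b) % m;
    e >>= 1n;
  }
  return Number(result);
}

// Diffie-Hellman with the deck's toy parameters g = 3, p = 17. Marc and Stefan
// each publish g^secret % p; each raises the other's public value to their own
// secret and both land on the same number. Eve, seeing only 3, 17 and the two
// public values, is left with the "hard" direction, (3^??) % 17 = 12. With
// only 17 elements that search is trivial, which is why real deployments use
// primes of 2048 bits or more (or elliptic curves). Stefan's secret is made up.
function diffieHellman(g, p, marcSecret, stefanSecret) {
  const marcPublic = modPow(g, marcSecret, p);
  const stefanPublic = modPow(g, stefanSecret, p);
  const marcShared = modPow(stefanPublic, marcSecret, p);
  const stefanShared = modPow(marcPublic, stefanSecret, p);
  return { marcPublic, stefanPublic, marcShared, stefanShared };
}
```

Calling `diffieHellman(3, 17, 29, 7)` gives Marc's public value 12 (the slide's number), Stefan's 11, and a shared secret of 7 on both sides.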

USE SSL (TLS) TO FIX MITM

HACKING SITES WITH SVG FILTERS

var lastTime = 0;
function loop(time) {
  // time since the previous frame: a slow frame means the page did expensive work
  var delay = time - lastTime;
  var fps = 1000 / delay;
  console.log(delay + ' ms' + ' fps: ' + fps);
  updateAnimation();
  requestAnimationFrame(loop);
  lastTime = time;
}
requestAnimationFrame(loop);

TIMING ATTACK

<filter id="threshold" color-interpolation-filters="sRGB">
  <!-- average the channels to greyscale and subtract an offset -->
  <feColorMatrix type="matrix"
    values="0.333 0.333 0.333 0 -.16
            0.333 0.333 0.333 0 -.16
            0.333 0.333 0.333 0 -.16
            0     0     0     0  1" />
  <!-- discrete two-entry tables snap every pixel to pure white or pure black -->
  <feComponentTransfer>
    <feFuncR type="discrete" tableValues="1 0" />
    <feFuncG type="discrete" tableValues="1 0" />
    <feFuncB type="discrete" tableValues="1 0" />
  </feComponentTransfer>
</filter>

TIMING ATTACK

<iframe src="view-source:http://example.com#line77"></iframe>

Source: http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf

X-FRAME-OPTIONS: SAMEORIGIN

DEMO 2

The non-WiFi version

YOU CAN STRIP SSL EASILY

I BUILT A SCARY APP

sslstrip

arpspoof

css3 3d transforms

node.js

websockets

lasers (spelt the british way)

Strict-Transport-Security: max-age=63072000

response.headers['Strict-Transport-Security'] = 'max-age=63072000'

header("Strict-Transport-Security: max-age=63072000");

HTTP Strict Transport Security (HSTS)

RECAP

PROBLEM: HTTP Sucks

SOLUTION: Use SSL (TLS) or a VPN!

PROBLEM: SSL Sucks!

SOLUTION: Use HSTS headers

PROBLEM: IFRAMES suck

SOLUTION: Use X-FRAME-OPTIONS: SAMEORIGIN

THANK YOU!

@MrRio (ME)

@parallax (MY COMPANY)