Security+
All-In-One Edition
Chapter 15 – Web Components
Brian E. Brzezicki
Web Components (443)
Believe it or not, the web did not exist until about 1993. A few years later (about 1995) the commercialization of the Internet began. Web browsers allow us to access information in a quick, easy and universal way.
The protocol of the web is called HTTP, the Hypertext Transfer Protocol, which transfers HTML documents as well as other file formats.
HTTP
HTTP (TCP port 80) is the protocol for web communications.
Unfortunately there are 2 problems with HTTP:
• No Encryption
• No Authentication of the remote server
There are many useful web applications, for example online banking. Can anyone see why the 2 issues above are VERY problematic?
Enter SSL/TLS (445)
SSL and TLS are a way of securing network communications. They provide 2 important properties:
• Server Authentication
• Encryption
SSL/TLS-protected traffic is called HTTPS and runs on TCP port 443.
How does SSL work (447)
1. Client sends its SSL version and cipher settings
2. Server responds, including its digital certificate
3. Client verifies the server is who it says it is (NOTE: DISCUSS HOW)
4. Client encrypts a seed value with the server's public key
5. Server decrypts the seed value and uses it to generate a master key
6. Client and server use the seed value to generate a master key, which will be used to encrypt the session's traffic
SSL
Once this handshake is completed we have verified that the server is who it says it is AND we have exchanged keys for symmetric encryption. This "handshake" is the CPU-intensive part of SSL communications, NOT the actual encryption.
Digital Certificates
Let's take a quick look around an HTTPS connection.
Go to https://www.redhat.com using Firefox.
Click on the yellow lock, then "View Certificate". What are some of the fields you see here?
Click on "Details" and look at the Certificate Hierarchy. What is this all about?
(more)
Digital Certificates
Go to a site with a bad digital certificate… What happens?
Have you ever seen errors like this before? Do you usually ignore them?
What could be happening if you get an error that a server's certificate is invalid?
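Step 3 of the handshake ("client verifies the server is who it says it is") and the "bad certificate" warning above, as an added example that is not part of the original slides: using only Go's standard library it builds a throw-away root CA and a server certificate, then checks a certificate the way a browser does, against a root it already trusts and against the host name the user typed. The CA name and www.example.test are constructed values for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a cert for cn/dns signed by parent; with parent == nil it signs itself.
func makeCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	if parent == nil { // self-signed: the template is its own issuer (root CA or impostor)
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyServer is the client's step 3: chain to a trusted root, name the intended host, be in date.
func verifyServer(server, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo: a toy hierarchy (root CA -> server cert) plus a self-signed impostor, checked three ways.
func Demo() (good, wrongHost, untrusted error) {
	ca, caKey := makeCert("Example Root CA", nil, true, nil, nil)
	srv, _ := makeCert("www.example.test", []string{"www.example.test"}, false, ca, caKey)
	impostor, _ := makeCert("www.example.test", []string{"www.example.test"}, false, nil, nil)
	return verifyServer(srv, ca, "www.example.test"), // nil: the browser shows the lock
		verifyServer(srv, ca, "other.example.test"), // x509.HostnameError
		verifyServer(impostor, ca, "www.example.test") // x509.UnknownAuthorityError
}
```

Demo() returns nil for the properly issued certificate and an error for the other two cases, which is exactly the distinction between the browser's lock icon and its certificate warning; the impostor carries the right host name but no trusted CA vouches for it.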
SSL thoughts
What is mutual authentication?
Should you provide authentication via a certificate to a web server? Why or why not? What uses could this serve?
SSL closing thoughts
SSL provides encryption and authentication.
SSL uses RC4 and 3DES for symmetric encryption but can use other algorithms.
SSL uses MD5 or SHA for digital signature hashing.
SSL came first and was embraced by the IETF in 1996; TLS v1 was equivalent to SSL v3.
SSL protects against Man-in-the-Middle attacks (however that was just defeated).
[...] your website
Client side software
Cookies
Cookies (462)
What is a cookie? What is it used for? Can cookies give you viruses?
Let's look at a cookie.
Cookie (462)
Open Firefox. Hit Tools -> Options -> Privacy -> Remove Individual Cookies.
Let's look at what you see:
• Name
• Content
• Host
• Expires
(more)
Cookies (462)
The point of cookies is to imply state to a stateless protocol.
Cookies can inform the web [...] the web would be a boring place.
There are two types of cookies (explain):
• First party cookies
• Third party cookies
(more)
Cookies (462)
• Cookies do NOT spread viruses, malware etc.
• Cookies can be used to hold preferences
• Cookies can be used to provide a "session" for a web application
• Cookies can show some type of browsing history if stolen
• You can turn off cookies in your browsers, but most websites [...]
JavaScript
[...] on web browser to help create interactive features
• Code goes between <script> and </script> tags
• Transmit information to the Web server
• Can perform tasks outside user's control
Simple JavaScript code
Example JavaScript
document.writeln("Example");
JavaScript security holes
• Vulnerabilities
– Monitoring Web browsing
– Bugs in browsers
• JavaScript Garbage Collector
– Reading browser preferences – yes, JavaScript can do this
– Reading cookies
• Safeguards
– Patches for browsers
– Disable JavaScript in the browser
ActiveX (459)
• Developed by Microsoft
• Links desktop apps with Web content
• Components triggered by HTML scripts
• Can do anything [...]
• Vulnerabilities
– Potential for harmful code
– Attacker might gain access to passwords or confidential information
– Attacker may do bad things on your computer
• Safeguards
– Patches
– Disable ActiveX scripting
– Configure how ActiveX responds
• Enable
• Disable
• Prompt
Java
Java applets (457)
What is Java, what is the purpose and history of Java?
• Work on most clients
• Typically stored on Web server and downloaded to client
• Can be standalone or web based (applet)
• JAVA and JAVASCRIPT are COMPLETELY different and NOT related (the book on 457 is completely wrong on this)
Signed and unsigned applets (465)
• Downloading code from the Internet to [...]
[...] Microsoft's version of software signing is called "Authenticode"
(more)
Signed and Unsigned Applets (465)
• Unsigned applet
– No way to confirm code source
– No way to know if it was changed
– Sandbox model (Java)
• Signed applet
– Digital signature
– Proves applet was unaltered from source
– Avoids sandbox restrictions (Java)
Signed applets (465)
Should you ever run an unsigned ActiveX control? Are you safe [...]
[...] loads a keystroke logger on my desktop. Will an SSL connection protect my communications with a web site?
Other Network Services
FTP (454)
FTP – File Transfer Protocol, used heavily before HTTP to transfer files around. Still used today, though much less.
Problems
• No encryption
• Anonymous accounts
SFTP (454)
SFTP – a replacement for FTP. Encrypted communications. Recommended if you need to use an FTP-like upload/download [...]