340 likes | 567 Views
HTML5: Risky Business or Hidden Security Tool Chest. Johannes B. Ullrich, Ph.D. jullrich@sans.edu. About Me. Dean of Research, SANS Technology Institute Living in Jacksonville FL (aka Southern GA) SANS Internet Storm Center https://isc.sans.edu Created DShield.org Instructor for SANS
E N D
HTML5: Risky Business or Hidden Security Tool Chest Johannes B. Ullrich, Ph.D. jullrich@sans.edu
About Me • Dean of Research, SANS Technology Institute • Living in Jacksonville FL (aka Southern GA) • SANS Internet Storm Centerhttps://isc.sans.edu • Created DShield.org • Instructor for SANS • Past: Physicist, Web Developer Hosted by OWASP & the NYC Chapter
What is HTML5 • Collection of JavaScript APIs supported by some modern browsers in some ways and sometimes they even work. • Features to enable modern desktop like applications and support mobile devices • 5th Revision of the HTML Standard
What is this talk about? • Ideas to improve security by using HTML5 responsibly • What are some of the security challenges that HTML5 addresses well (or doesn’t) • What are some of the limitations we have to consider
Authentication • Exclusive vs. Inclusive Authentication Methods: • Inclusive: Proof the identity of the user • Exclusive: Disproof the identity of the user
What the Factor? Segway: Multi Factor Authentication • Single Factor: Password • Two Factor: Password AND (Token|Biometric) • 1 ½ Factor: Password and Cookie • ½ Factor: Password OR (Token|Biometric)
HTML5 Components • Local Storage / Session Storage • Canvas • Geolocation • Media Capture • Notifications • Accelerometer • Encryption
Local and Session Storage • New JavaScript API to store data on client • Protected by “same origin” • Local Storage: • No defined expiration • Accessible by all browser windows • Session Storage: • Expired when window is closed • Scope limited to current window
Local Storage: Persistent Cookie • Alternative to Flash cookie for “1 ½ Factor” login • Part of an “Evercookie” • Can be used for good (additional authentication) or evil (more user tracking) • Exposed to XSS attacks • Similar to cookies in scope and security
Session Storage: Identifying users • Can be used to store session token • Breaks CSRF (good!) • User is logged out when they close the browser window (not entire browser) • Multiple users can use the same browser (is this a good thing?) • Easier log out, more secure session tracking, can be used alongside cookies.
Risks • Risks: Storing too much data on the client! Can’t enforce “secure” transmission over SSL Can’t protect from JavaScript/XSS (no httponly) Examples: • storing confidential data on mobile devices • Pushing data to the client the client is not authorized to see.
Can I use it? http://caniuse.com/#feat=namevalue-storage
Canvas • Allows drawing in the browser • Interactive image applications • Can be used for graphical login schemes • CAPTCHAs • Pattern based login
Image Login • Display image, user identifies features • Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”) Image: Microsoft
“Connect the Dots” • Implemented in Android • Good user acceptance for mobile login • No good studies yet as to how users select patterns Image: Extremetech.com
Demo • Demo: “Connect the Dots” for the web • http://authonthemove.com • See Github for code repository
Can I use it? http://caniuse.com/#feat=canvas
Geolocation • JavaScript API provides access to devices built in sensors like GPS • Can be very accurate • Can also be spoofed easily Image: Mozilla.org
Geolocation for Authentication • Only useful on mobile devices • Can be used to exclude users, but not to replace traditional authentication • Observe sudden changes in location • Combine with careful browser fingerprinting techniques
Media Capture • aka getUserMedia/Stream API • Limited support (Chrome, Firefox, Blackberry) • Some potential for biometrics: • Face recognition • Hand signals / gestures • Fingerprint?
Implementations • Face recognition libraries: • http://neave.github.io/face-detection/
Difficulties • Hard to acquire sufficient detail • So far, in particular on mobile devices, more of a gimmick then a serious authentication feature • Possibility to use “finger print”, but current cameras not sufficient to acquire image
Can I use it? http://caniuse.com/#feat=stream
Accelerometer • Only useful for mobile devices • Move the phone in a pattern to authenticate • Detect step/walking pattern • Detect if user/phone is at rest or on the move • Can be spoofed (but not readily) • Not easy to reproduce • Adding sensors like compass may help.
Can I use it? http://caniuse.com/#feat=deviceorientation
Notifications • Popup Notifications sent by the server to notify the user • Initiated by server • Local Notifications: Require browser to be open, widely supported • Push Notifications: Safari Only
Bad stuff happened! • Notify the user of security relevant events: • “Someone is trying to log in as you” • User needs to accept notifications • Notifications no 100% reliable • Not “out of band” (can be faked, intercepted) • Safari Notifications may be useful for one time passwords (OTP)
Can I use it? http://caniuse.com/#feat=notifications
Encryption • Client side encryption • Allows encryption of specific sensitive fields (e.g. payment data, passwords) • Intermediate services (proxies, web services) don’t need to know the information • Upcoming: CryptoAPI (June 2013)http://www.w3.org/TR/WebCryptoAPI/ • Until then: https://www.pidder.de/pidcrypt/
Client side password hashing • Server sends random “nonce” as part of login form. • Client calculates hash from password/nonce • Passes hash to server • Server verifies hash • Advantage: Server never gets to know the “real” password.
Signup • Use enters password • Client hashes password • Password hash transmitted to server • Salt: Username? Provided by server? • Changing password: Same procedure, salt may change.
Summary • Lots of cool and useful tools in HTML5 • Use them as appropriate • “HTML5” itself isn’t the risk. Bad coding is the risk • Understand privacy issues • Understand user behavior • Share your code an experiences (OWASP!!)
Thanks! ! Thanks ! Questions? jullrich@sans.edu http://authonthemove.com http://isc.sans.edu Daily Updates * Daily Podcast * Live Data Feeds