Johannes B. Ullrich, Ph.D.
jullrich@sans.edu
• Dean of Research,
SANS Technology Institute
• Living in Jacksonville FL
(aka Southern GA)
• SANS Internet Storm Center https://isc.sans.edu
• Created DShield.org
• Instructor for SANS
• Past: Physicist, Web Developer
Hosted by OWASP & the NYC Chapter
About Me
What is HTML5
• Collection of JavaScript APIs supported by some modern browsers in some ways and sometimes they even work.
• Features to enable modern desktop like applications and support mobile devices
• 5 th Revision of the HTML Standard
What is this talk about?
• Ideas to improve security by using HTML5 responsibly
• What are some of the security challenges that
HTML5 addresses well (or doesn’t)
• What are some of the limitations we have to consider
Authentication
• Exclusive vs. Inclusive Authentication
Methods:
– Inclusive:
Proof the identity of the user
– Exclusive:
Disproof the identity of the user
What the Factor?
Segway: Multi Factor Authentication
• Single Factor: Password
• Two Factor: Password AND (Token|Biometric)
• 1 ½ Factor: Password and Cookie
• ½ Factor: Password
OR (Token|Biometric)
HTML5 Components
• Local Storage / Session Storage
• Canvas
• Geolocation
• Media Capture
• Notifications
• Accelerometer
• Encryption
Local and Session Storage
• New JavaScript API to store data on client
• Protected by “same origin”
• Local Storage:
– No defined expiration
– Accessible by all browser windows
• Session Storage:
– Expired when window is closed
– Scope limited to current window
Local Storage: Persistent
Cookie
• Alternative to Flash cookie for “1 ½ Factor” login
• Part of an “Evercookie”
• Can be used for good (additional authentication) or evil (more user tracking)
• Exposed to XSS attacks
• Similar to cookies in scope and security
Session Storage: Identifying users
• Can be used to store session token
• Breaks CSRF (good!)
• User is logged out when they close the browser window (not entire browser)
• Multiple users can use the same browser (is this a good thing?)
• Easier log out, more secure session tracking, can be used alongside cookies.
Risks
• Risks:
Storing too much data on the client!
Can’t enforce “secure” transmission over SSL
Can’t protect from JavaScript/XSS (no httponly)
Examples:
– storing confidential data on mobile devices
– Pushing data to the client the client is not authorized to see.
http://caniuse.com/#feat=namevalue-storage
Can I use it?
Canvas
• Allows drawing in the browser
• Interactive image applications
• Can be used for graphical login schemes
– CAPTCHAs
– Pattern based login
Image Login
• Display image, user identifies features
• Done in Windows 8/RT for mobile login
(“Pattern Login”, “Picture Password”)
Image:
Microsoft
“Connect the Dots”
• Implemented in Android
• Good user acceptance for mobile login
• No good studies yet as to how users select patterns
Image:
Extremetech.com
Demo
• Demo: “Connect the Dots” for the web
• http://authonthemove.com
• See Github for code repository
http://caniuse.com/#feat=canvas
Can I use it?
Geolocation
• JavaScript API provides access to devices built in sensors like GPS
• Can be very accurate
• Can also be spoofed easily
Image: Mozilla.org
Geolocation for Authentication
• Only useful on mobile devices
• Can be used to exclude users, but not to replace traditional authentication
• Observe sudden changes in location
• Combine with careful browser fingerprinting techniques
Can I use it?
Media Capture
• aka getUserMedia/Stream API
• Limited support (Chrome, Firefox, Blackberry)
• Some potential for biometrics:
– Face recognition
– Hand signals / gestures
– Fingerprint?
Implementations
• Face recognition libraries:
– http://neave.github.io/face-detection/
Difficulties
• Hard to acquire sufficient detail
• So far, in particular on mobile devices, more of a gimmick then a serious authentication feature
• Possibility to use “finger print”, but current cameras not sufficient to acquire image
http://caniuse.com/#feat=stream
Can I use it?
Accelerometer
• Only useful for mobile devices
• Move the phone in a pattern to authenticate
• Detect step/walking pattern
• Detect if user/phone is at rest or on the move
• Can be spoofed (but not readily)
• Not easy to reproduce
• Adding sensors like compass may help.
Can I use it?
http://caniuse.com/#feat=deviceorientation
Notifications
• Popup Notifications sent by the server to notify the user
• Initiated by server
– Local Notifications: Require browser to be open, widely supported
– Push Notifications: Safari Only
Bad stuff happened!
• Notify the user of security relevant events:
– “Someone is trying to log in as you”
• User needs to accept notifications
• Notifications no 100% reliable
• Not “out of band” (can be faked, intercepted)
• Safari Notifications may be useful for one time passwords (OTP)
http://caniuse.com/#feat=notifications
Can I use it?
Encryption
• Client side encryption
• Allows encryption of specific sensitive fields
(e.g. payment data, passwords)
• Intermediate services (proxies, web services) don’t need to know the information
• Upcoming: CryptoAPI (June 2013) http://www.w3.org/TR/WebCryptoAPI/
• Until then: https://www.pidder.de/pidcrypt/
Client side password hashing
• Server sends random “nonce” as part of login form.
• Client calculates hash from password/nonce
• Passes hash to server
• Server verifies hash
• Advantage: Server never gets to know the
“real” password.
Signup
• Use enters password
• Client hashes password
• Password hash transmitted to server
• Salt: Username? Provided by server?
• Changing password: Same procedure, salt may change.
Summary
• Lots of cool and useful tools in HTML5
• Use them as appropriate
• “HTML5” itself isn’t the risk. Bad coding is the risk
• Understand privacy issues
• Understand user behavior
• Share your code an experiences (OWASP!!)
Thanks!
http://isc.sans.edu
Daily Updates * Daily Podcast * Live Data Feeds