HTML5: Risky Business or Hidden Security Tool Chest?

About Me

Johannes B. Ullrich, Ph.D.

jullrich@sans.edu

• Dean of Research, SANS Technology Institute

• Living in Jacksonville FL (aka Southern GA)

• SANS Internet Storm Center https://isc.sans.edu

• Created DShield.org

• Instructor for SANS

• Past: Physicist, Web Developer

Hosted by OWASP & the NYC Chapter

What is HTML5

• Collection of JavaScript APIs supported by some modern browsers in some ways and sometimes they even work.

• Features to enable modern desktop like applications and support mobile devices

• 5th revision of the HTML standard

What is this talk about?

• Ideas to improve security by using HTML5 responsibly

• What are some of the security challenges that

HTML5 addresses well (or doesn’t)

• What are some of the limitations we have to consider

Authentication

• Exclusive vs. Inclusive Authentication Methods:

– Inclusive: prove the identity of the user (lets the right user in)

– Exclusive: disprove the identity of the user (keeps a wrong user out, but on its own never lets anyone in)

What the Factor?

Segue: Multi Factor Authentication

• Single Factor: Password

• Two Factor: Password AND (Token|Biometric)

• 1 ½ Factor: Password AND Cookie (the cookie only shows that this browser was seen before)

• ½ Factor: Password OR (Token|Biometric)

HTML5 Components

• Local Storage / Session Storage

• Canvas

• Geolocation

• Media Capture

• Notifications

• Accelerometer

• Encryption

Local and Session Storage

• New JavaScript API to store data on client

• Protected by “same origin”

• Local Storage:

– No defined expiration

– Accessible from all browser windows/tabs of the same origin

• Session Storage:

– Expires when the window/tab is closed

– Scope limited to the current window/tab

Local Storage: Persistent Cookie

• Alternative to Flash cookie for “1 ½ Factor” login

• Part of an “Evercookie”

• Can be used for good (additional authentication) or evil (more user tracking)

• Exposed to XSS attacks

• Similar to cookies in scope (same origin), but never sent automatically with requests and without the httponly/secure flags

Session Storage: Identifying users

• Can be used to store session token

• Breaks CSRF (good!): the page’s own script adds the token to each request, so a forged cross-site request does not carry it

• User is logged out when they close the browser window (not entire browser)

• Multiple users can use the same browser (is this a good thing?)

• Easier log out, more secure session tracking, can be used alongside cookies.

Risks

• Storing too much data on the client!

• Can’t enforce “secure” transmission over SSL (no equivalent of the cookie Secure flag; the script decides where the value is sent)

• Can’t protect from JavaScript/XSS (no httponly)

• Examples:

– storing confidential data on mobile devices

– pushing data to the client that the client is not authorized to see

Can I use it? http://caniuse.com/#feat=namevalue-storage

Canvas

• Allows drawing in the browser

• Interactive image applications

• Can be used for graphical login schemes

– CAPTCHAs

– Pattern based login

Image Login

• Display image, user identifies features

• Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”)

Image: Microsoft

“Connect the Dots”

• Implemented in Android

• Good user acceptance for mobile login

• No good studies yet as to how users select patterns

Image: Extremetech.com

Demo

• Demo: “Connect the Dots” for the web

• http://authonthemove.com

• See Github for code repository
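What a web “Connect the Dots” login has to get right before the pattern is ever treated as a secret, added here as an example (it is not the talk’s code and not the authonthemove.com repository): normalising the drawn sequence with the Android rule that an unvisited dot on the straight line between two connected dots is included automatically, rejecting the weakest choices, and mapping a canvas pointer position to a dot. The grid size is a parameter, so the same code covers 3×3 and larger grids; the minimum length, the hit radius and the straight-line rule are assumptions.

```javascript
// Added example, not the talk's or authonthemove.com's code: normalise and
// validate a dot sequence drawn on a canvas grid. Dots are numbered
// row-major, 0 .. gridSize*gridSize-1.
const gcd = (a, b) => (b === 0 ? a : gcd(b, a % b));

function normalizePattern(touched, gridSize = 3) {
  const dots = [];
  const seen = new Set();
  for (const dot of touched) {
    if (!Number.isInteger(dot) || dot < 0 || dot >= gridSize * gridSize) {
      throw new RangeError(`dot ${dot} is outside the ${gridSize}x${gridSize} grid`);
    }
    if (seen.has(dot)) continue;               // re-touching a visited dot changes nothing
    if (dots.length > 0) {
      const prev = dots[dots.length - 1];
      const r0 = Math.floor(prev / gridSize), c0 = prev % gridSize;
      const r1 = Math.floor(dot / gridSize), c1 = dot % gridSize;
      const dr = r1 - r0, dc = c1 - c0;
      // Grid points strictly between prev and dot lie at multiples of (dr, dc)/steps.
      const steps = gcd(Math.abs(dr), Math.abs(dc));
      for (let k = 1; k < steps; k++) {
        const mid = (r0 + (dr / steps) * k) * gridSize + (c0 + (dc / steps) * k);
        if (!seen.has(mid)) { seen.add(mid); dots.push(mid); }   // Android pass-through rule
      }
    }
    seen.add(dot);
    dots.push(dot);
  }
  return dots;
}

// Policy checks before the pattern is sent. Server side it is then salted and
// hashed exactly like a password; the raw sequence is never stored.
function validatePattern(dots, gridSize = 3, minLength = 4) {
  if (dots.length < minLength) throw new Error(`pattern needs at least ${minLength} dots`);
  // A plain line along one row or column is the most common weak choice.
  const rows = new Set(dots.map(d => Math.floor(d / gridSize)));
  const cols = new Set(dots.map(d => d % gridSize));
  if (rows.size === 1 || cols.size === 1) throw new Error('pattern is a single straight line');
  return dots.join('-');   // canonical form; this string is what gets hashed
}

// Canvas hookup (browser only): pointer position -> dot index, or -1 when the
// pointer is between dots. canvasSize is the side length of the square canvas.
function dotAt(x, y, canvasSize, gridSize = 3, hitRadius = 20) {
  const cell = canvasSize / gridSize;
  const col = Math.floor(x / cell), row = Math.floor(y / cell);
  if (col < 0 || row < 0 || col >= gridSize || row >= gridSize) return -1;
  const cx = col * cell + cell / 2, cy = row * cell + cell / 2;
  if (Math.hypot(x - cx, y - cy) > hitRadius) return -1;
  return row * gridSize + col;
}
```

Normalising before hashing matters for the same reason Android does it: `[0, 2]` and `[0, 1, 2]` are the same drawn gesture, and a server that hashes the raw touch list would reject a correct login or, worse, accept two different secrets as distinct when users think of them as one.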

Can I use it? http://caniuse.com/#feat=canvas

Geolocation

• JavaScript API provides access to the device’s built-in sensors like GPS

• Can be very accurate

• Can also be spoofed easily

Image: Mozilla.org

Geolocation for Authentication

• Only useful on mobile devices (desktop positioning via IP or Wi-Fi is far coarser)

• Can be used to exclude users, but not to replace traditional authentication

• Observe sudden changes in location (travel between two logins that is physically impossible in the time elapsed)

• Combine with careful browser fingerprinting techniques
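The “sudden change in location” check as an exclusive authenticator, added here as an example (not code from the talk): the browser side wraps navigator.geolocation and yields null when the API is missing or the user declines; the server side compares the new fix with the last accepted one and can only say “fine” or “challenge”, never approve on its own, because a reported fix is easy to spoof. The speed, distance and accuracy thresholds are assumptions.

```javascript
// Added example, not code from the talk: "impossible travel" between logins.
// A fix is { lat, lon, accuracyM, at } with `at` in milliseconds since epoch.
const EARTH_RADIUS_KM = 6371;

// Great-circle distance (haversine) between two fixes.
function haversineKm(a, b) {
  const rad = deg => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2
          + Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Browser side: resolves to a fix, or to null when there is no API, the user
// denied permission, or the lookup timed out. Null must never block a login.
function currentFix(timeoutMs = 5000) {
  return new Promise(resolve => {
    if (typeof navigator === 'undefined' || !navigator.geolocation) return resolve(null);
    navigator.geolocation.getCurrentPosition(
      p => resolve({ lat: p.coords.latitude, lon: p.coords.longitude,
                     accuracyM: p.coords.accuracy, at: p.timestamp }),
      () => resolve(null),
      { timeout: timeoutMs, maximumAge: 0 });
  });
}

// Server side: `previous` is the last accepted fix for the account, `current`
// the one just reported with this login. Thresholds are assumptions.
function evaluateTravel(previous, current,
                        { maxSpeedKmh = 1000, minDistanceKm = 50, maxAccuracyM = 5000 } = {}) {
  if (!previous || !current) return { decision: 'no-signal', reason: 'missing fix' };
  if (current.accuracyM > maxAccuracyM) return { decision: 'no-signal', reason: 'fix too coarse' };
  const km = haversineKm(previous, current);
  if (km < minDistanceKm) return { decision: 'ok', km };        // within GPS/Wi-Fi jitter
  const hours = (current.at - previous.at) / 3.6e6;
  if (hours <= 0) return { decision: 'challenge', km, reason: 'clock went backwards' };
  const kmh = km / hours;
  if (kmh > maxSpeedKmh) return { decision: 'challenge', km, kmh, reason: 'impossible travel' };
  return { decision: 'ok', km, kmh };
}
```

`challenge` means ask for a second factor, not reject: a legitimate user on a VPN or with a spoofed fix from a privacy extension looks exactly like an attacker here, which is why the slide calls this exclusive, not inclusive, authentication.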

Can I use it?

Media Capture

• aka getUserMedia/Stream API

• Limited support (Chrome, Firefox, Blackberry)

• Some potential for biometrics:

– Face recognition

– Hand signals / gestures

– Fingerprint?

Implementations

• Face recognition libraries:

– http://neave.github.io/face-detection/

Difficulties

• Hard to acquire sufficient detail

• So far, in particular on mobile devices, more of a gimmick than a serious authentication feature

• Possibility to use “finger print”, but current cameras not sufficient to acquire image

Can I use it? http://caniuse.com/#feat=stream

Accelerometer

• Only useful for mobile devices

• Move the phone in a pattern to authenticate

• Detect step/walking pattern

• Detect if user/phone is at rest or on the move

• Can be spoofed (but not readily)

• Not easy to reproduce

• Adding sensors like compass may help.
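Two of the accelerometer ideas above, “at rest or on the move” and “detect step/walking pattern”, worked out in code, added here as an example (not code from the talk): a window of devicemotion samples is classified by the spread of the acceleration magnitude, and while the phone moves, steps are counted as peaks in that magnitude. The sample generators at the end are constructed test input; the thresholds and the 50 Hz sample rate are assumptions.

```javascript
// Added example, not code from the talk: rest/moving classification and step
// counting over devicemotion samples. A sample is { x, y, z, t } from
// event.accelerationIncludingGravity (m/s^2) with t in milliseconds.
function magnitudes(samples) { return samples.map(s => Math.hypot(s.x, s.y, s.z)); }

function stddev(values) {
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  return Math.sqrt(values.reduce((a, v) => a + (v - mean) ** 2, 0) / values.length);
}

// A step is a local peak of |a| more than `threshold` above the window mean,
// at least `minIntervalMs` after the previous step (nobody steps 8 times a second).
function countSteps(samples, threshold = 1.5, minIntervalMs = 250) {
  const mag = magnitudes(samples);
  const mean = mag.reduce((a, b) => a + b, 0) / mag.length;
  let steps = 0, lastStepAt = -Infinity;
  for (let i = 1; i < mag.length - 1; i++) {
    const isPeak = mag[i] > mag[i - 1] && mag[i] >= mag[i + 1];
    if (isPeak && mag[i] - mean > threshold && samples[i].t - lastStepAt >= minIntervalMs) {
      steps++;
      lastStepAt = samples[i].t;
    }
  }
  return steps;
}

// Gravity alone gives a nearly constant |a| of about 9.81; movement shows up
// as spread around that value.
function classifyMotion(samples, restStddev = 0.3) {
  if (samples.length < 3) return { state: 'unknown', steps: 0 };
  const spread = stddev(magnitudes(samples));
  if (spread < restStddev) return { state: 'rest', steps: 0, spread };
  return { state: 'moving', steps: countSteps(samples), spread };
}

// Browser hookup: hands `onWindow` a fresh sample window every `windowMs`.
// Returns a stop function, or null where DeviceMotionEvent is unavailable.
function captureMotion(onWindow, windowMs = 3000) {
  if (typeof window === 'undefined' || !('DeviceMotionEvent' in window)) return null;
  let buffer = [];
  const onMotion = e => {
    const a = e.accelerationIncludingGravity;
    if (a) buffer.push({ x: a.x || 0, y: a.y || 0, z: a.z || 0, t: Date.now() });
  };
  window.addEventListener('devicemotion', onMotion);
  const timer = setInterval(() => { onWindow(buffer); buffer = []; }, windowMs);
  return () => { clearInterval(timer); window.removeEventListener('devicemotion', onMotion); };
}

// Constructed test input: 50 Hz samples of a walk at 2 steps per second
// (one 3 m/s^2 bounce per step) and of a phone lying still.
function syntheticWalk(steps, hz = 50) {
  const out = [];
  for (let i = 0; i < steps * hz / 2; i++) {
    const t = i / hz;
    out.push({ x: 0.5 * Math.cos(2 * Math.PI * 2 * t), y: 0,
               z: 9.81 + 3 * Math.sin(2 * Math.PI * 2 * t), t: t * 1000 });
  }
  return out;
}
function syntheticRest(seconds, hz = 50) {
  const out = [];
  for (let i = 0; i < seconds * hz; i++) {
    out.push({ x: 0.1, y: 0.05, z: 9.81 + 0.05 * Math.sin(i / 7), t: i * 1000 / hz });
  }
  return out;
}
```

Real traces are noisier than the synthetic ones (a phone in a pocket adds rotation, so a compass or gyroscope channel helps, as the last bullet says), which is why the peak detector works on the magnitude rather than on a single axis and why a minimum interval between steps is needed.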

Can I use it? http://caniuse.com/#feat=deviceorientation

Notifications

• Popup Notifications sent by the server to notify the user

• Initiated by server

– Local Notifications: Require browser to be open, widely supported

– Push Notifications: Safari Only

Bad stuff happened!

• Notify the user of security relevant events:

– “Someone is trying to log in as you”

• User needs to accept notifications

• Notifications are not 100% reliable

• Not “out of band” (can be faked, intercepted)

• Safari Notifications may be useful for one time passwords (OTP)

Can I use it? http://caniuse.com/#feat=notifications

Encryption

• Client side encryption

• Allows encryption of specific sensitive fields

(e.g. payment data, passwords)

• Intermediate services (proxies, web services) don’t need to know the information

• Upcoming: Web Cryptography API (W3C working draft, June 2013) http://www.w3.org/TR/WebCryptoAPI/

• Until then: https://www.pidder.de/pidcrypt/

Client side password hashing

• Server sends random “nonce” as part of login form.

• Client calculates hash from password/nonce

• Passes hash to server

• Server verifies hash

• Advantage: Server never gets to know the “real” password, so a breach or a logging mistake on the server does not expose a password the user reuses elsewhere.

• Caveat: the server still stores the client-side hash, and for this site that hash is a password-equivalent. Protect it, and rate limit logins, exactly as you would with a password.

Signup

• User enters password

• Client hashes password

• Password hash transmitted to server

• Salt: Username? Provided by server?

• Changing password: Same procedure, salt may change.

Summary

• Lots of cool and useful tools in HTML5

• Use them as appropriate

• “HTML5” itself isn’t the risk. Bad coding is the risk

• Understand privacy issues

• Understand user behavior

• Share your code and experiences (OWASP!!)

Thanks!

Questions?

jullrich@sans.edu

http://authonthemove.com

http://isc.sans.edu

Daily Updates * Daily Podcast * Live Data Feeds
