How to tell if you're designing an insecure website
A rambling talk about how the same things that comprise effective design are misused to create effective phishing pages. Additionally, the browser UI and security controls focus on things that most people completely ignore.

The idea of the presentation was to plant a seed of an idea that designers might be able to shape and take the lead in designing secure solutions meant for ordinary non-technical users if they start thinking about security as part of their deliverable.

This can even be done by ensuring that security team and designers collaborate on more projects together.

The presentation makes a lot more sense with the accompanying video:

http://hasgeek.tv/metarefresh/2013/497-how-to-tell-if-youre-designing-an-insecure-site

Published in: Technology
  • Talk about the KSRTC person using the computer to go to Google: typed "google" in the address bar, clicked on Google.co.in when the results were displayed, typed "KSRTC" in the google.co.in search box, then clicked on the KSRTC link, which was the 1st search result.
  • Google for TabNabber
  • http://www.trailofbits.com/resources/creating_a_rogue_ca_cert_paper.pdf

    1. HOW TO Tell if you're designing an insecure website. Akash Mahajan at Meta Refresh 2013
    2. Hasgeek doesn't allow how-tos as talks, but I got in!! Does this bother you? :P HOW TO Tell if you're designing an insecure website
    3. Joke
    4. DISCLAIMER: Insecure Websites, Design and UI/UX. This is not a how-to, this is more like a series of thoughts.
    5. Effective Design, UI or UX: Talking About Effective Design
    6. Can we say effective design is something that compels a user to do what the designer wanted?
    7. Gmail: A Great Example of Effective Design
    8. Close Look at our example: Phishing Attack or Effective Design?
    9. Even closer look at our example: 1. Favicon FTW 2. Bookmark link
    10. Phishing with a ph!
    11. Salient features of effective design:
        • Assumptions – maybe based on data like heat maps etc.
        • Call to action – green button = go
        • Visual cues and logos to inspire trust
    12. Salient features of phishing:
        • Most people don't notice what is in the address bar
        • People love to fill login forms
    13. Address bar/URL can look like `scheme://[login[:password]@](host_name|host_address)[:port][/hierarchical/path/to/resource[?search_string][#fragment_id]]` From Browser Security Handbook http://code.google.com/p/browsersec/wiki/Part1
    14. Design Thinking?
    15. Maybe Don't Think == Impulsive. im·pul·sive /imˈpəlsiv/ Adjective: Acting or done without forethought: "young impulsive teenage shoppers".
    16. phish·ing (made up word) is the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
    17. Effective Design/UI/UX is about generating TRUST
    18. People trust big shiny locks
    19. Best piece of advice from a show about aliens
    20. Two examples where this trust collides with effective design and makes the UI/UX bad for the user: 1. Password Reset/Change feature 2. An SSL enabled website
    21. How password reset should work: akashmahajan@gmail.com – Enter email to reset password – YourSuperSecretPassword
    22. What went down behind the scenes:
        • Code loaded in the browser sent that email to the server.
    23. What went down behind the scenes:
        • Server did a bunch of things like check if the email was in the database, generated a password etc.
    24. The difficult part & UI nightmare: How does the server know that it is you who filled in the email and you are the owner of this email address?
    25. So how is it supposed to work?
        • Using out of band communication.
        • Code loaded in the browser sent that email to the server.
    26. And…..?
        • Web server will email you a unique link, hoping that the email address is in your hands.
        • You click on the link and go back to the server.
        • Server confirms the link is proper and allows you to reset the password.
    27. Just FYI, the email address you sent to the server and the password you got back were in CLEARTEXT
    28. People/stuff between you & the server:
        • Wireless Network
        • Helpful IT admin monitoring for "bad traffic"
        • ISP gateway with helpful IT admin "monitoring"
        • Country level gateway with helpful govt. IT admin "monitoring" – Think Tunisia, Egypt, Iran
        • Helpful Server admin "monitoring"
        • And who knows what else is out there.
    29. Just to recap!
        • Effective Design/UI/UX inspires trust.
        • People trust based on strong visual cues.
        • These cues can be faked.
        • So ideally trust no one.
        • If we use a common sense approach to generating a new password we will need to trust multiple intermediaries.
    30. So how do we create secure websites? Finally a problem worthy of philosoraptor
    31. HTTP + SSL/TLS = HTTPS
    32. SSL/TLS: Encrypted Communication – Nobody can see your message hence can't change it. Secure Identification of a Network – Are you talking to the right server?
    33. http://www.trailofbits.com/resources/creating_a_rogue_ca_cert_slides.pdf
    34. Bad Things can Happen: Comodo, an affiliate of a root CA, was hacked. DigiNotar, another affiliate, was hacked. Hundreds of certificates for google, yahoo, mozilla, MS windows update were released.
    35. Rogue SSL Certificate
    36. Secure By Design: Will cover this next year!
    37. I don't have any answers for you
        • I am not a designer. I understand security in systems.
        • I understand that people want to use systems to do things, not get stopped due to security or insecurity.
        • The idea was to get your attention and see if these problems can be solved using design.
    38. @makash Akash Mahajan: That Web Application Security Guy
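The out-of-band reset flow from slides 25 and 26 (email a unique link, user follows it, server confirms the link before accepting a new password), written out as an added example that is not code from the talk. The user store, the reset URL and the 15-minute lifetime are assumptions; the server never returns a password in the response, stores only a hash of the token, and makes each link single-use and expiring.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

# Constructed in-memory user store; a real app would use a database.
USERS = {"user@example.com": {"password_hash": None}}
PENDING_RESETS = {}  # sha256(token) -> (email, expires_at)


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table row cannot be used as a link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Slide 25: browser sends the email, server generates a one-time link.

    Returns the link to be emailed (hypothetical URL), or None if the address
    is unknown. The HTTP response to the browser should be identical either
    way, so the form cannot be used to enumerate registered addresses."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # unguessable; never stored in the clear
    PENDING_RESETS[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    return f"https://example.com/reset?token={token}"


def complete_reset(token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Slide 26: user follows the link; server checks the token before
    accepting the new password. The token is single-use and expires."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(_hash_token(token), None)  # pop: single use
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    # Store a salted, stretched hash of the new password, never the cleartext.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    USERS[email]["password_hash"] = salt.hex() + ":" + digest.hex()
    return True
```

This only addresses slide 24's question (is the requester the mailbox owner?); the cleartext problem of slides 27 and 28 is solved separately by serving the whole flow over HTTPS.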