As developers, we learn far too little about security. What’s worse, what we do learn is usually focused on the what and how, rather than the why of things. This leads to a number of security issues caused by developers acting with the best of intentions, but either not completely hitting the mark or sometimes doing more harm than good. In this talk I seek to address this issue, fill in some gaps, and give some examples on where misunderstandings can lead to problems. Expect answers to questions like “can salts be sequential,” “how do I safely accept encrypted inputs from my users” and “how do I properly do password resets?”
15. 15
Limiting access
● Running everything as the same user
● Not having a separate web server user
● The docker group
● Mounting the docker socket in containers
Examples of unexpected angles:
- SPECTRE/Meltdown
- Heartbleed
- Cryptographic side channel attacks
Secrets in environment variables / dev secrets in .env file (or plaintext in config, nobody cares)
Examples of public secrets: accessible config files, accessible SSH keys, leaks
Everybody’s favorite kind of secret!
NIST recommendations: minimum of 8 characters, maximum of at least 64, allow all characters, no other requirements on complexity
Library recommendation: zxcvbn
Secure algos: SHA-512, bcrypt, PBKDF2
Hashing security does not mean secure for passwords
Rehashing: hash the old hashes
Salts: can be sequential, need to be unpredictable – leaking one salt can leak other sequential salts, so just do random salts
Paypal does security questions
Token generation: CSPRNG – UUID is meant to be unique, not random
Timing attacks on naive string comparisons
Short lifetime on tokens
Who am I vs What am I allowed to do
Better: voters, Symfony firewall
Check access on every request
DO NOT TRUST USER INPUT
IP: X-Forwarded-For
Referer is also just a header
Better: stay authenticated as original user, but make impersonation part of authorization
Example: document authoring – permission check uses impersonated user, ownership is still original user
All of these can give valuable information
It’s not security through obscurity to hide potentially sensitive details
Let’s write arbitrary user input to disk! In the web root! Yay!
Drop validation altogether, prevent code execution in uploads directory entirely
Better yet, separate server/container with files and only static content serving
User sharing on shared hosting is problematic
Regular users need access and possibilities web servers do not
Docker group and docker socket are root-equivalent
Easy to do, hard to do right
NEVER ROLL YOUR OWN – it’s hard as balls, and easy to mess up
Weak algorithms: like RC4 (WEP)
Easily broken keys or IVs: 0 is a common IV
Keys are not unlimited use
Signing: integrity vs protection
Padding oracles allow arbitrary decrypts/encrypts without knowing the key at any point
Other attacks take many shapes – minimal information leakage can compromise entire systems
What it is: relying on obscurity
What it is not: hiding information to enhance security