HTTP Strict Transport Security (HSTS) provides secure transport of data by removing the possibility of HTTPS stripping. HSTS is an HTTP header issued by the server. After receiving such a header, the browser performs internal redirects from http:// to https:// for the given number of seconds.
From unsalted SHA-1 to bcrypt, from generated passwords sent in e-mails to just links, and other stories of securing user passwords at your regular e-commerce site, from a web developer's point of view.
Video of the talk available at http://www.michalspacek.cz/prednasky/the-problem-with-the-real-world-passwords
Integrity protection for third-party JavaScript - Francois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.
Integrity protection for third-party JavaScript - Francois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked-about security policy relating to web applications; it is the constraint within browsers that ideally stops active content from different origins from arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness of the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently from the others, the security posture of the browser is altered. As such, this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
A talk about TCP, UDP, IP, DNS, ISP, GET, URI, URN, URL, SSL, TLS, TTFB, HTTP/2, HTML and DOM, or, in translation, a talk about the internet, how requests travel through the network and how browsers handle the response.
This was originally presented at BrightonSEO - Summer 2021.
This presentation was used at OWASP Taiwan Week 2017 in Taipei and Kaohsiung. It covers what Cross-Site Request Forgery is, the different ways to prevent it, and how it can be mitigated with OWASP CSRF Protector with just two lines of code.
Client-side security course by Tal Be'ery, presented for Verint in late 2013 - presentation 1 out of 3.
Intro to relevant technologies: HTTP, HTML, HTML5, JavaScript, same origin policy.
JS applications need to exchange data with backend APIs running on domains other than your own: understanding the same origin policy, CSP, CORS and postMessage.
Talk held on Grill.js conference in Wroclaw, Poland on 2018-08-18.
.htaccess for SEOs - A presentation by Roxana Stingu
The .htaccess file is famous for helping us set redirects, but it can also help improve our website's loading times as well as help with some crawling and indexing issues that I will cover in a bit. Learn where the file can be found, how it compares to httpd.conf, how it can be used for redirects, how to deal with duplicate content, what performance issues it can encounter, how it can help you create custom 404 pages, how it helps you leverage browser caching and gzip, disable image hotlinking, add canonical tags and robots directives in the HTTP headers, and what tools and resources can help you learn even more.
Client-side security course by Tal Be'ery, presented for Verint in late 2013 - presentation 3 out of 3.
Non-JavaScript attacks: including CSRF, attacks on SSL, CSS history, clickjacking.
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security - Yu-Shuan Hsieh
In this session, we will review basic Web authentication and point out the security risks of these methods.
To address the security issues of user authentication, we will introduce the concept of OTP authentication and how to integrate OTP authentication into your applications.
We also introduce WebAuthn, which is a good way to strengthen an application's security.
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection - Wayne Huang
Given at Black Hat and DEF CON 2010 by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual property and succeeded against more than 30 companies, including Google. Incident response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and the leak of source code to jump points in Taiwan. The US Government was so concerned that it issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes: how easy is it to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and give an overview of commonly used techniques.
We will reveal for the first time, at this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit: a) JavaScript obfuscation based on behavior-based fingerprinting, and b) JavaScript timelock puzzles. We will have live demos to show how these techniques easily defeat both automated AND manual detection.
At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual JavaScript drive-by code contains a secret phrase. We will give out an iPad to whomever from the audience is able to correctly deobfuscate the JavaScript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incident response efforts with organizations hit by Web malware injections, such as Google's Aurora incident. Based in Taiwan, co-speaker Wayne has been personally involved in such incident response efforts since the late 90's.
All source code related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc., as well as the source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminologies.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, SpiderMonkey, Rhino, Burp and Wepawet
4. Realize why drive-by downloads are hard to analyze and detect: why antivirus fails, why behavior-based approaches fail, and why even manual efforts are difficult
5. Learning the Drivesploit framework and how it can be used to develop POC drive-bys
6. Learning two new deadly techniques: behavior-based browser fingerprinting and JavaScript timelock puzzles
7. Learning how to implement the above two using Drivesploit to defeat both automated and manual drive-by analysis
8. Knowledge about the available countermeasures to this threat
How to optimise TTFB - BrightonSEO 2020 - Roxana Stingu
Learn what TTFB is, how to measure it and how to improve it.
Measure using: Chrome developer tools, webpagetest.org, Google Analytics, Sucuri or KeyCDN.
Network timings that go into TTFB measurement:
- Queuing
- Stalled/Blocking
- DNS Lookup
- Initial Connection
- SSL
- Request Sent
- Waiting (TTFB)
- Content Download
Security attacks on web applications, Čtvrtkon 5 - Michal Špaček
There are dozens of attacks on web applications. We'll introduce three basic ones, show how such an attack is carried out and how to secure a web application against it. Finally, we'll show how to store user passwords securely, plus a few gotchas you should steer well clear of.
Website users are facing new and improved threats nowadays. These range from clickjacking and JSON injection to likejacking, among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by application developers, and hence they aren't using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older, insecure versions of Internet Explorer.
In this talk we will walk through what these attacks are, how these various security headers protect web application users, and what the current state of compatibility is.
HTTP Strict Transport Security (HSTS) ensures secure "transport" of information without the possibility of stripping HTTPS (SSL Strip). HSTS is an HTTP header sent by the server. The browser will then internally redirect http:// to https:// for X seconds.
HTTP Security Headers Every Java Developer Must Know - Ayoma Wijethunga
Demonstration-based session on HTTP headers relevant to the security of web applications. The target audience is web developers, and more attention is given to the Java language.
How to secure your web applications with NGINX - Wallarm
Your website is probably vulnerable and is going to be hacked one day. Here are 15 ready-to-use tips on how you can make your web applications more secure: how to protect a web application from hacker attacks and mitigate DDoS with the NGINX web server.
The presentation is about performing cross-domain AJAX requests. Subjects covered include the principles of preflight requests and the limitations of the cross-origin resource sharing (CORS) policy. You will find implementation examples for the frontend (JavaScript, jQuery, AngularJS) and for the backend (.Net, Ruby on Rails). Browser compatibility is covered in the section 'Limitation in IE 8,9', where possible workarounds are shown. Finally, there are a couple of words about Content Security Policy, the latest approach in Web Application Security.
Slides from a workshop I held on cryptography for web developers.
Part 1 is about cryptography in web applications and why you should not mix HTTP and HTTPS.
https://blog.hboeck.de/archives/849-Slides-from-cryptography-workshop-for-web-developers.html
How to Redirect HTTP to HTTPS in htaccess.pdf - Host It Smart
Are you planning to secure your website with an SSL certificate and migrate it to HTTPS? Then keep this blog by your side to understand the minor details.
Many websites use HTTPS in place of HTTP, which has led to questions about the HTTP vs HTTPS difference. Research shows that HTTPS is faster than HTTP for retrieving webpages and, in terms of HTTP vs HTTPS performance, requires less time to load webpages. Here's a blog on the HTTP vs HTTPS difference.
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015) - Guy Podjarny
When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust.
If that's not motivation enough, the web's giants are actively promoting HTTPS, requiring it for features such as HTTP/2 and ServiceWorker, using it for search engine ranking, and more. To make the most of the web, you need to use HTTPS.
This deck reviews what HTTPS is, discusses why you should prioritize using it, and covers some of the easiest (and most cost-effective) steps to get started using HTTPS.
Migrating Your WordPress Site to HTTPS - Getting it right the first time Word... - Paul Thompson
Discover step by step how to migrate your WordPress site to HTTPS successfully. Covers all the changes necessary to ensure all functionality and SEO value is maintained during migration.
Internet Technology Lectures
HTTP & HTTPS
Lecturer: Saman M. Almufti / Kurdistan Region, Nawroz University
facebook: https://www.facebook.com/saman.malmufti
YouTube link: https://youtu.be/I8QOWD_GH5g
QA Fest 2016. Per Thorsheim. Website security 101 - QAFest
I use a lot of online services for personal and business purposes. However, I usually never sign up for anything without checking their security first.
Using a small number of free online tools, I will show you how I check the security and privacy of websites before signing up. This will be a quick introduction to basic website security which every organisation, website and service should have in place.
Defence in depth explained on Cross-Site Scripting - Michal Špaček
How to defend against the notoriously well-known Cross-Site Scripting (XSS) attack using multiple layers of defence. What layers of security exist and when they are used. About browser features and Content Security Policy (CSP).
The Phantom of the Opera, "VPN" and Secure Proxy in Opera - Michal Špaček
How I used a browser to find out that Opera VPN is not a VPN, or what Chrome reveals about itself in chrome://net-internals/ and how you can use it for debugging or examining various gadgets and extensions.
How to improve the security of a quarter of the whole web - Michal Špaček
WordPress is said to power 27% of the web. On the following slides I would like to outline what we could improve in WordPress from a security point of view, because if we do, the security of quite a lot of websites will improve. I know, not everybody updates, but that's for another time.
Would you voluntarily share how your web app stores passwords? Some companies indeed do share, for example Facebook and LastPass to name just a few. Some share involuntarily. Some don't share at all because they feel that it will make them more vulnerable. Here's why you should do that and how.
A few practical demonstrations in which I'll show why you should pay attention to securing e-shops and what happens when you don't bother. And that if you only start dealing with it once something is happening, it may already be too late.
Securitas, res publica.
In the last few years security incidents have been piling up. Here a list of users leaked, here their passwords too, here just their orders. In this talk we'll combine my two favourite sayings: that every website is good enough to be hacked, and that repetition is the mother of wisdom. We'll recap who has already been hacked here, and since that would be an endlessly long talk, we'll rather focus only on the published cases.
Security, a public matter.
… and wanted its attacks back. The Cross-Site Scripting (XSS) attack was first described in 1999 and has been with us ever since. Why is it so dangerous and how to defend against it when developers evidently can't manage it?
As IT professionals you probably already know you should use a password manager, right? But which one, and what are the differences between them? And how does 1Password differ from LastPass, apart from the price?
Operations security (OPSEC) is a term originating in U.S. military jargon. In IT, it says what to do to protect your servers, developers, information, and other resources. Targeting developers, a new trend in computer security, is becoming increasingly common because they usually have access to production servers and other critical infrastructure.
A lightly educational talk about why HTTPS should be absolutely everywhere, not just on the login form. And that encryption isn't only about HTTPS. As usual, we'll also demonstrate a few things.
Web security basics for PR and marketing - Michal Špaček
Better answer questions about password storage only after watching this talk. Why is correct password storage important and what does it actually involve? Don't worry, we won't go into unnecessary technical details. We'll also look at encrypted transmission of login credentials and security questions, and use examples to show bad answers to various tricky questions about the security of some websites. After this talk you should know how to correctly answer questions on social networks, not only mine.
I forgot my password – what a secure password reset needs to have and why - Michal Špaček
Users often forget their passwords, so applications often must have a password reset mechanism. There are several options for how to do it; some of them are good, most of them not so good. Generate a password and send it in an email? No. Security questions? No way. Reset passwords via a phone call? Rather not. This talk presents some really creative examples of botched password reset implementations, as well as a proven method for resetting passwords securely.
Jak vytvářet hesla, co je to password manager a proč ho nutně potřebujete.
Zapomínáte hesla? Já taky ne. Používáte heslo pro přístup k vašemu emailu i pro přístup k jiným službám? Pokud ano, tak to není moc dobrý nápad. Prozradím vám, jak to dělat lépe.
Víte, že nevíte, že já vím, že nevíte? (WebTop100 2014)Michal Špaček
Víte, že nevíte, že já vím, že nevíte?
Po přednášce už budete vědět. Ukážu vám pár chyb, které možná již znáte, jen netušíte, že kvůli nim zrovna váš web opouští data vaše nebo vašich uživatelů. A že budete bezpečnost webu řešit až se něco stane a že se ještě nic nestalo? Jasně, tak hlavně přijďte :-)
HTTP Strict Transport Security (HSTS), English version
1. HTTP Strict Transport Security
Michal Špaček
www.michalspacek.cz @spazef0rze
https://commons.wikimedia.org/wiki/File:Kozovazy,_Muzeum_socialistick%C3%BDch_voz%C5%AF_(13).jpg
HTTP Strict Transport Security (HSTS) provides secure transport of data, by
removing the possibility of HTTPS stripping. (These slides include added
speaker notes. Pictured above is a Czech police car from the communist era.)
2. While writing this talk, I stumbled on this Czech website. It has
a lot of info about the data inbox which citizens use for official
communication with various Czech government departments. The
note at the top was a bit of a surprise for me. It's repeated on the
next slide.
3. It says "to access your data inbox, manually enter the following
HTTPS address into the address bar of your browser". I think this
is what HTML version Zero looked like: HTML sans HT.
HTML version ZERO
6. I guess I was not redirected. Now what? Oh, wait, let's see what it says.
7. "Because of security, the data inbox portal is accessible only by using an
encrypted connection." – Cool! – "You should create a bookmark leading
directly to the secure login page at https://www.mojedatovaschranka."
– Huh, no link? – "You'll be redirected to secure login page in 10 seconds.
If you weren't click here." – Ok, finally, here's a link.
8. Do Not Perform Redirects from
Non-TLS Page to TLS Login Page
It seems this "update your bookmarks" thing comes from this obsolete
OWASP recommendation, which says that you should not perform redirects
from an HTTP page to an HTTPS login page.
9. This recommendation has been
removed.
Yes, it has, already on 2011-10-16. It is now completely
gone from the Transport Layer Protection Cheat Sheet.
10. "You'll be redirected to secure login page in 10 seconds. If you weren't click
here." Even before the recommendation was removed, it said that you should not
perform redirects. Yet this system does eventually redirect the user.
11. As an extra bonus, the message which says "You'll be redirected to secure login
page in 10 seconds" contains a grammatical mistake. I won't go into details;
a free Czech lesson is not included in this slide deck, I'm sorry.
12. SSL STRIP (diagram: Browser, Badguy, Server; HTTP, HTTPS)
The reason for the bookmark recommendation is this. It's called the SSL Strip
attack and it's a Man-in-the-Middle type of attack. The user wants to load a
website, so she types www.example.com without the https:// scheme into the
address bar of her browser. The browser sends an unencrypted request to the server,
which responds with a redirection to https://www.example.com. This initial HTTP
request can be intercepted by a bad guy who re-sends it to the server, so the
server sends the redirection response to the bad guy. He won't relay the response;
instead he sends the HTTPS request himself. The server accepts the HTTPS request and
will now happily send the encrypted page back to the bad guy. He decrypts the page,
changes all the links and form actions from https:// to http://, and eventually
sends it back to the original user. She sees the page she wanted to see, and the domain is
correct, too. She won't notice that the page was not loaded over an encrypted
connection; the chances are that she doesn't even know whether the page should be
loaded over HTTPS. So she puts in her username and password and submits the
form over HTTP. The bad guy sniffs the data and now has her credentials.
14. HSTS
The idea of creating a bookmark to the secure site, or of not performing redirects, is
foolish. There is a better way to do it now: just use HTTP Strict Transport Security
(HSTS). HSTS is supported in Firefox and Chrome, in both since version 4, in
Microsoft Superman/Spartan/Edge, and in IE 11 on Win7 and higher since June
2015. It's also supported in some other browsers.
15. With HSTS, the browser won't ever send the request to the website over HTTP.
Instead, it performs an internal redirection and then sends the request over
HTTPS. This is how it looks in Chrome DevTools. The 307 status code comes
from the browser internally, not from the server. As a user, you won't see much
difference between an HSTS-enabled site and a regular HTTPS site, though the
loading might be a bit faster because the HTTP request is not sent to the server.
16. Strict-Transport-Security: max-age=31536000; includeSubDomains
HSTS is an HTTP header issued by the server. After receiving an HSTS header, the
browser will perform internal redirects (no requests to the server) from http:// to
https:// for the next max-age seconds. The includeSubDomains directive tells the
browser to apply the HSTS policy to all subdomains, too. Don't forget to set the
header for example.com, not just for www.example.com. Also verify that all
subdomains work over HTTPS. A max-age=0 will make the browser forget the
HSTS policy for the host (Firefox-only feature).
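As an added example (not code from the slides or from the author), here is a small Python parser for the Strict-Transport-Security header that follows the directive rules of RFC 6797 (directives separated by semicolons, case-insensitive names, max-age required, a directive allowed only once, unknown directives ignored), plus an audit that encodes the advice from this deck: a max-age of at least a year (so a clock moved forward a year, as described in the NTP section below, cannot expire it) and includeSubDomains. The preload check assumes the preload submission site's current requirement of includeSubDomains plus a max-age of at least one year; that threshold is my assumption about today's rules, not something the slides state.

```python
"""Parse and audit a Strict-Transport-Security header.

Added example, not part of the original slides. Directive handling
follows RFC 6797 section 6.1; the audit thresholds encode the deck's
advice (one-year max-age, includeSubDomains). The preload requirement
(includeSubDomains + max-age >= one year) is an assumption about the
current submission rules, not something stated on the slides.
"""

ONE_YEAR = 31536000  # seconds; the value the slides use for max-age


def parse_hsts(header):
    """Return a policy dict, or None if a browser must ignore the header.

    RFC 6797: a header with no max-age, a non-numeric max-age, or any
    directive repeated more than once is invalid and is ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        value = value.strip().strip('"')  # quoted-string values are allowed
        if name in seen:
            return None  # duplicate directive: whole header is invalid
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age must be a non-negative integer
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is unknown and ignored, as the RFC requires
    if policy["max_age"] is None:
        return None
    return policy


def audit_hsts(header):
    """Return a list of findings a site operator should act on (empty = fine)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header is malformed and browsers will ignore it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age shorter than one year: a clock moved forward "
                        "one year expires the policy")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay strippable")
    if policy["preload"] and (not policy["include_subdomains"]
                              or policy["max_age"] < ONE_YEAR):
        findings.append("preload requires includeSubDomains and a max-age "
                        "of at least one year (assumed submission rule)")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: the slide's value, a test-phase value,
    # and a malformed one.
    for h in ("max-age=31536000; includeSubDomains",
              "max-age=60",
              "max-age=1; max-age=2"):
        print(repr(h), "->", audit_hsts(h) or "OK")
```

Run it against the headers your own server returns (for example the `Strict-Transport-Security` line from a `curl -I https://example.com` response) during the staged rollout the next slides describe: while max-age is still short, the audit will keep reminding you that the policy is not yet at its final strength.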
17. TOFU
Trust-On-First-Use
The HSTS header can be sent from the server only over trusted HTTPS; the
browser must ignore the header if received over HTTP or over an untrusted connection. We
have to trust the network with the first HTTP request and believe that nobody will
strip the HTTP-to-HTTPS redirection. Such a model is called Trust-On-First-Use.
18. https://www.chromium.org/hsts
PRELOAD
The TOFU model leaves the user open to a bootstrap MITM vulnerability when
the user manually enters, or follows, an HTTP link to an unknown HSTS host. To
protect against such a vulnerability, browsers offer a so-called preload list. Once a
site is preloaded into the browser, even the very first HTTP request will be
internally redirected to HTTPS, because the browser knows the HSTS policy for
the host from the moment it is installed.
19. Strict-Transport-Security: max-age=…; includeSubDomains; preload
https://hstspreload.appspot.com/
To make it to the preload list you need to add a preload directive to the HSTS
header issued by your server and then submit your site manually for inclusion in
the preload list. Various versions of the list are used by Chrome, Firefox, IE/Edge,
and Tor Browser. Once preloaded there's no easy way out. You can email the list
maintainer and ask for removal but it takes a while.
20. max-age=60
no preload
So for testing, set your max-age low, just a few minutes, and don't use preload.
Really, I mean it, otherwise somebody will submit the site for you. Verify that the
site is accessible and increase max-age to a day, then a week, then a month, etc.
21. ~3400 domains
68 .cz domains
Right now, on 2015-10-14, there are 68 Czech domains, including some major e-
commerce sites, out of roughly 3400 domains in total in the preload list. I have no
idea what happens once the list grows, but right now it's tiny and will still be tiny for
a few more years. The list had roughly 2000 domains 6 months ago. Once your site is
included in the preload list, it will be preloaded in the browser in one of the
upcoming versions.
22. No Czech bank
There's no Czech bank in the preload list as of 2015-10-14. In the Czech Republic
there are 60 banks, savings banks, and credit unions; 13 use HSTS in their online
banking web app and 7 on their corporate website. None of them are in the preload list.
23. BANK-GRADE ENCRYPTION
TELL ME MORE ABOUT IT
A lot of companies will tell you they provide, or use, bank-grade encryption, while
their HTTPS is actually set up better than what most banks have. Forget about
bank-grade and just do HTTPS properly. That is, better than the majority of banks.
24. NTP Man-in-the-Middle tool
https://github.com/PentesterES/Delorean
There's actually a way to circumvent the HSTS policy. The browser uses the system time
to decide whether it should perform the internal redirect or not. An attacker can attack
the NTP time synchronisation and adjust the system time forward by one year. All
HSTS policies with a max-age of less than a year will then expire, and it will be possible to
strip the HTTP-to-HTTPS redirection again. Regular Windows allows a maximum drift of 15
hours and syncs once a week, so it would take some time. More in Jose Selvi's
DEF CON 23 talk Breaking SSL using time synchronisation attacks (slides, video).
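The following Python model of the browser side of HSTS is an added example, not code from the slides or from any browser. It ties together what slides 15, 17, 18, 20, 24 and 26 describe: the header is honoured only over trusted HTTPS (the TOFU gap), a known host gets an internal http to https upgrade until its max-age expires, includeSubDomains widens the policy to child hosts, preloaded hosts need no first request, max-age=0 makes the browser forget a host, a certificate error on a known host cannot be clicked through, and a system clock moved forward by a year expires any policy shorter than that. Clock values are plain integer seconds supplied by the caller so the clock can be "moved" in a test; the host names are constructed.

```python
"""Browser-side HSTS state as a small model (added example, not code from
the slides or from any real browser). Time is an integer number of seconds
passed in by the caller, so the NTP clock-shift from slide 24 can be
replayed without touching the real clock. Host names are constructed.
"""


class HstsCache:
    def __init__(self, preload=None):
        # preload: {host: include_subdomains}, shipped with the browser,
        # so these hosts are upgraded even on the very first request.
        self.preload = dict(preload or {})
        self.known = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, host, over_https, trusted_cert,
                         max_age, include_subdomains, now):
        """Process a Strict-Transport-Security header from a response.

        Returns True if the header was accepted. RFC 6797 requires the
        browser to ignore it unless it arrived over HTTPS with no
        certificate errors; that is exactly the trust-on-first-use gap.
        """
        if not (over_https and trusted_cert):
            return False
        if max_age == 0:
            self.known.pop(host, None)  # max-age=0: forget the policy
        else:
            self.known[host] = (now + max_age, include_subdomains)
        return True

    def _policy_covers(self, host, now):
        """Check host, then its parent, grandparent, ... for an applicable policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.known.get(candidate)
            if entry is not None:
                expires_at, include_subdomains = entry
                # an expired entry is as good as absent: max-age elapsed
                if expires_at > now and (exact or include_subdomains):
                    return True
        return False

    def must_upgrade(self, host, now):
        """Would the browser rewrite http://host to https://host internally?"""
        return self._policy_covers(host, now)

    def may_click_through_cert_error(self, host, now):
        """Slide 26: on a known HSTS host there is no Proceed button."""
        return not self._policy_covers(host, now)


def clock_shift_scenario(max_age, shift):
    """Slide 24: is http://bank.example still upgraded after the system
    clock jumps forward by `shift` seconds? Returns (before, after)."""
    cache = HstsCache()
    t0 = 1_000_000  # constructed epoch value; any integer works
    cache.observe_response("bank.example", True, True, max_age, False, t0)
    before = cache.must_upgrade("bank.example", t0 + 60)
    after = cache.must_upgrade("bank.example", t0 + 60 + shift)
    return before, after


if __name__ == "__main__":
    year = 365 * 86400
    print("max-age 30 days, clock +1 year:", clock_shift_scenario(30 * 86400, year))
    print("max-age 1 year + 1 hour, clock +1 year:", clock_shift_scenario(year + 3600, year))
```

The two scenario calls at the bottom show the point of the slide in one run: with a thirty-day max-age the upgrade is gone after the clock jump, with a max-age just over a year it survives. The same model also shows why the testing advice on slide 20 works: a short max-age or a max-age=0 response leaves the browser with nothing to enforce once the value has elapsed.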
25. Nope, just 10 weeks!
In Chrome, the preloaded entries are valid only for 10 weeks from the build time,
not forever. Google says this is so that entries can actually be removed when needed.
26. HSTS serves one more important purpose. If there's an issue with the certificate when
connecting to a known HSTS-enabled host, the user cannot just click through the
warning. The two sites above have spoofed self-signed certificates. The site on the
right uses HSTS, so the user is not allowed to visit it, as there's no Proceed button.
27. Michal Špaček
www.michalspacek.cz @spazef0rze
BTW, you can use this browser extension to enforce local HSTS. It has its own,
more extensive list of sites with HTTPS support, and you can even manually add
your own favourite sites, for example your bank. Follow me on Twitter for all things
HTTPS and HSTS.
Editor's Notes
I'll tell you something about HSTS. It ensures secure transport of information. For those of you who were at my talk about HTTP/2, good news: once the whole web is encrypted only, this won't be needed.
When I was preparing the talk, I came across this website. It's the data inbox website, and only yesterday did I notice the sentence at the top. Let me enlarge it for you, like this.
Read it out. This is called HTML version zero. That's HTML without the HT.
So I tried entering the address that was listed there into the browser, and like every normal person I simply left out the https:// at the beginning.
The browser filled it in for me. It filled in only http, not https, but never mind, I'm sure I'll get where I want to go.
Whoa, WTF?
The client portal of the data inbox information system is, for security reasons, accessible exclusively through an encrypted connection. We recommend that you create a bookmark in your browser pointing directly to the secure login page at https://www.mojedatovaschranka.cz.
OK
Within 10 seconds you will be redirected to the secure login page. If that did not happen, click here.
AHA
This invention probably comes from an OWASP recommendation which says: do not redirect from HTTP to a login page on HTTPS.
Well, except that this recommendation was removed anyway, on 16 October 2011.
But even if it had stayed there, it says that you shouldn't redirect. So they have it wrong anyway, because they do redirect the visitor.
And apart from that, this grammatical mistake is a kind of symbolic cherry on top of that rotten cake.
What the bookmark advice is trying to solve is this problem. It's called the SSL strip attack. It works like this. Your browser wants to send a request to the server; you type www into the browser without https://, the browser sends the request to the server, which replies with a redirect to https. That initial request is unencrypted, so a bad guy can intercept it, forward it to the server, the server replies to him, and he returns an unencrypted page to the browser with the links rewritten to http. The user types in a username and password and the browser sends it unencrypted to the server, that is, actually to the bad guy, who encrypts it and sends it on to the server. MITM.
Solving it with a bookmark or by not redirecting is nonsense. The right way is to do it with HSTS. HSTS is supported by Firefox and Chrome since version 4, and by IE from the next version.
HSTS ensures that the browser won't send the request over HTTP at all; instead it generates an internal redirect and goes straight to HTTPS. This is how it looks in Chrome.
HSTS is an HTTP header sent by the server, and the browser will then internally redirect http to https for X seconds; that is max-age. includeSubDomains says that it applies to all subdomains too. Don't forget to set the header for example.com as well, not just for www.example.com.
The HSTS header can only arrive over HTTPS. So we have to trust the first request. That's called TOFU.
So that we don't have to trust even the first request, we can use the so-called preload list. It ships with the browser at installation and ensures that the browser knows from the start that your site is on https, and sends requests straight to https.
To get into the preload list, you have to add preload to the HSTS header and submit your site manually through the form at hstspreload. This preload list is used by Chrome and Firefox, and IE will use it too. But once you get your site in there, there's no way back; watch out for that.
That's why, for testing, set the number of seconds very low, say a few minutes, and don't use preload. Really, don't do it.
The current preload list has about 3300 domains, 67 of them Czech: slevomat, mall, alza, zdrojak. Hard to say how it will be handled once the list bloats a bit, but for now it's fine and it will hold up for a few more years. Browsers have a slightly older preload list.
No bank is in the preload list. We have 60 banks; 10 of them have HSTS in online banking and 3 on their regular website. But none is in the preload list.
That's why claims like this one from Fakturoid are quite funny. No bank has HTTPS done as well as Fakturoid. Stop making these silly claims and just do it well. Not like the majority of banks.
HSTS has one more important task. When an error occurs while connecting to a secured website, it won't let the user continue. Here is an example of a connection where an attacker spoofed a certificate issued by an unknown certificate authority. The site on the right supports HSTS.
By the way, install this extension in your browser; thanks to it, even sites that don't offer HTTPS by default will load over HTTPS, or you can add them yourself. It's a kind of local HSTS.