The document discusses various topics related to web application security including authenticating users, SSL protocol, padlock icons, user interface attacks, and Pretty Good Privacy (PGP). It provides details on cookie-based and token-based authentication, how SSL works to establish encrypted links, different padlock icons and what they indicate, types of user interface attacks like clickjacking and cursorjacking, and how PGP provides authentication, confidentiality, compression and compatibility for securing emails.
4. Authenticating Users
• Authenticating a user is the process of verifying that the user is who they claim to be.
• In web applications this is commonly done in one of two ways:
1. Cookie Based Authentication
2. Token Based Authentication
5. Cookie Based Authentication
• Cookie based authentication is a stateful (server based) authentication method.
• Authentication state is kept on both sides: the server stores the session record, and the client holds a cookie that carries only the session identifier.
• The server keeps the details of every active session in its data store; the cookie set in the browser holds nothing but the opaque session ID that points at that record.
• The session ID is a bearer secret: whoever presents it is treated as the user, so it must be random and unguessable, and the cookie should be set with the HttpOnly, Secure and SameSite attributes so that page scripts cannot read it and other sites cannot send it.
• The main disadvantage of this method is that the server has to store session data for every logged in user, which adds storage and lookup overhead (and needs a shared session store as soon as there is more than one server).
6. Flow of Cookie Based Authentication
1. The user enters login credentials.
2. The server verifies the credentials, creates a session and stores it in its database.
3. A cookie holding the session ID is set in the client (the user's browser).
4. On subsequent requests the browser sends the cookie and the server looks the session ID up in the database.
5. When the user logs out the session is destroyed on both the client and the server.
7. Token Based Authentication
• This is the most widely used method for single page applications, web APIs and IoT devices.
• Token based authentication is stateless: the server keeps no record of who is logged in. After checking the credentials it issues a signed token, and on later requests it is the token's signature and expiry that the server verifies.
• The main advantage is that client and server are decoupled for the authentication mechanism: any server that holds the verification key can serve the request without an uninterrupted session.
• Because no session information is stored, the application can scale by adding machines without caring which one the user logged in on.
• The flip side of keeping no state is that a token cannot be revoked before it expires unless the server keeps a denylist, so token lifetimes should be short.
8. Flow of Token Based Authentication
1. The user provides credentials.
2. The server verifies the credentials and returns a signed token.
3. The token is stored on the client side.
4. Subsequent requests carry the token in the HTTP Authorization header (for example Authorization: Bearer <token>).
5. The server verifies the token (for a JSON Web Token: the signature and the exp claim) and returns the requested data.
6. On logout the client discards the token; since the server kept no state, the token stays valid until it expires.
10. What is SSL?
• SSL (Secure Sockets Layer) is the protocol originally used to establish an encrypted link between a web server and a browser. Its successor, TLS (Transport Layer Security), is what browsers actually negotiate today; every SSL version is deprecated, but the name "SSL" is still commonly used for the certificates and for the technique in general.
• Using SSL/TLS ensures that all data transmitted between the web server and the browser is encrypted in transit, and that the browser has verified which server it is talking to.
11. What is SSL Certificate?
• SSL or TLS (Transport Layer Security) certificates are data files that bind a public key to the identity (the domain name and, for organization validated certificates, the organization's details) of the party holding the matching private key.
• When an SSL/TLS certificate is installed on a web server, it enables a secure connection between the web server and the browsers that connect to it.
• The website's URL is then prefixed with "https" instead of "http" and a padlock is shown in the address bar. Older browsers also showed a green address bar with the organization name for extended validation (EV) certificates; current browsers have removed that indicator and show EV details only in the certificate viewer.
12. What is SSL used for?
• The SSL/TLS protocol is used by millions of online businesses to protect their customers, ensuring that online transactions remain confidential.
• Any page that expects users to submit confidential data, such as personal information, passwords or credit card details, must be served over HTTPS; in practice every page should be, because an unencrypted page can be altered in transit to steal data from the encrypted ones.
• All web browsers can interact with secured sites as long as the site's certificate chains to a CA the browser trusts.
13. How SSL Works?
1. An end user asks their browser to make a secure connection to a website.
2. The browser obtains the IP address of the site from a DNS server and then requests a secure connection to the website.
3. To initiate this secure connection, the browser requests that the server identify itself by sending a copy of its SSL certificate (in practice the whole chain up to, but not including, the root) to the browser.
14. How SSL Works?
4. The browser checks the certificate to ensure:
1. That it is signed by a trusted CA (directly, or through a chain of intermediate certificates ending at a root in the browser's trust store).
2. That it is valid: it has not expired or been revoked.
3. That it conforms to required security standards on key lengths, signature algorithms and other items.
4. That the domain listed on the certificate matches the domain the user requested.
5. When the browser confirms that the website can be trusted, it creates a symmetric session key, encrypts it with the public key in the website's certificate and sends the encrypted session key to the web server.
15. How SSL Works?
6. The web server uses its private key to decrypt the symmetric session key.
7. The server sends back an acknowledgement encrypted with the session key.
8. From now on, all data transmitted between the server and the browser is encrypted and integrity protected under the session key.
• Steps 5 and 6 describe RSA key transport, the exchange used by SSL and by TLS up to version 1.2. TLS 1.3 removed it: the session key is derived from an ephemeral Diffie-Hellman exchange and the certificate's key only signs the handshake, so a later compromise of the server's private key cannot decrypt recorded traffic (forward secrecy).
17. Padlock Icon in browsers
• As part of their security features, web browsers use a small set of symbols in the address bar to tell users about the state of the connection to a website.
• Shown at the left of the address bar, these icons summarize what the browser found when it checked the site's certificate and connection.
18. Decoding the Padlock Icons on Google Chrome
• The different padlocks and icons shown next to the URL bar in Google Chrome tell you whether the site was reached over HTTPS with a valid TLS/SSL certificate and whether the browser found anything wrong with it.
• The icon reflects the browser's own checks (trusted issuer, validity, hostname match); it says nothing about whether the site's content is honest, only about who the encrypted connection was made to.
• The icons described below are those of the Chrome versions current when these slides were written: Green Lock Icon, Yellow Exclamation Point, Blank Page Icon, Lock Icon with Yellow Triangle and Red Padlock Icon. Current Chrome versions no longer use green: HTTPS pages get a neutral grey icon and plain HTTP pages are labelled "Not secure", but the states themselves mean the same thing.
19. Padlock Icons
Green Padlock Icon
• The green padlock indicates that the connection to the web page is secure: the website's identity has been verified by a trusted third party authority and it presented a valid certificate for the URL you are trying to reach.
• Any site served over HTTPS needs a certificate, whether or not it asks for a username and password. An easy way to tell whether a connection is encrypted is to check the URL: encrypted sites (those that use SSL/TLS) begin with https, while unencrypted sites use an http URL.
20. Padlock Icons
Yellow Exclamation Point
• A yellow exclamation mark indicates that the website has not provided the browser with a certificate. This is normal for plain HTTP sites, since a certificate is only presented when the site uses SSL/TLS.
Blank Page Icon
• Ordinary http websites are shown with a blank page icon before the address. Nothing sent to or from such a page, including any password typed into it, is protected in transit.
21. Padlock Icons
Lock Icon with Yellow Triangle
• A lock icon with a yellow triangle indicates that Chrome can see the site's certificate but the connection has weak security, for example an outdated protocol or cipher, or a page that loads some of its resources over plain HTTP (mixed content). Proceed with caution, as the connection may not be private.
Red Padlock Icon
• A red padlock with an x next to a URL indicates a problem with the site's certificate: it may be expired, issued for a different name, or signed by an authority the browser does not trust. Exercise extreme caution and refrain from entering any personal data or sensitive information; someone may be impersonating the requested website in order to capture it.
22. Certificate of a Web Page
• If a web site has a valid certificate, a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser checks the certificate for the following characteristics:
1. the web site address matches a name on the certificate (one of its subject alternative name entries)
2. the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority
3. the certificate is within its validity period and has not been revoked
23. How to check a Certificate
• A secure way to find information about the certificate is to look for the certificate
feature in the menu options. This information may be under the file properties or
the security option within the page information.
1. who issued the certificate - You should make sure that the issuer is a legitimate,
trusted certificate authority (you may see names like VeriSign, thawte, or
Entrust).
2. who the certificate is issued to - The certificate should be issued to the
organization who owns the web site. Do not trust the certificate if the name on
the certificate does not match the name of the organization or person you
expect.
3. expiration date - Most certificates are issued for one or two years. One
exception is the certificate for the certificate authority itself, which, because of
the amount of involvement necessary to distribute the information to all of the
organizations who hold its certificates, may be ten years.
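The three checks on slides 22 and 23 (address match, trusted issuer, validity dates), written out as an added Python example that is not from the lecture: the certificate dictionary, the issuer name and the trust store below are constructed for the example, in the shape that Python's `ssl.getpeercert()` returns; the dates are parsed with `ssl.cert_time_to_seconds` from the standard library.

```python
import ssl
import time

# Constructed trust store: a placeholder issuer name, not a real CA.
TRUSTED_ISSUERS = {"Example Trusted CA"}

# Constructed certificate in the dictionary shape ssl.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}


def dns_match(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # The wildcard may replace exactly one label, so the dot counts must agree.
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def names_on_cert(cert):
    """DNS names from subjectAltName; fall back to commonName only if there is none."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def issuer_org(cert):
    """Organization name of the issuer, or None if the certificate has none."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_certificate(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Run the three checks; return a list of problems (empty means the cert passes).

    `now` may be a POSIX timestamp or a string in certificate time format.
    """
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    problems = []
    # 1. The web site address matches the address on the certificate.
    if not any(dns_match(name, hostname) for name in names_on_cert(cert)):
        problems.append("hostname mismatch: %s not covered by %s" % (hostname, names_on_cert(cert)))
    # 2. The certificate is signed by an authority the browser recognises as trusted.
    if issuer_org(cert) not in trusted_issuers:
        problems.append("untrusted issuer: %r" % issuer_org(cert))
    # 3. Expiration date (the not-before date is checked as well).
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("certificate not valid at this time (expires %s)" % cert["notAfter"])
    return problems
```

Only subjectAltName entries are matched when the certificate has any, which is what current browsers do; the commonName fallback is kept for old certificates that carry no SAN. A wildcard covers one label only, so `*.example.com` matches `shop.example.com` but neither `example.com` nor `deep.shop.example.com`.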
25. User Interface Attacks
• In systems where multiple applications or websites share the same
display, the user can be tricked into interacting with false UI elements.
• For example, a malicious website may be able to draw an overlay over
a button that causes the user to click the button unintentionally.
• Such attacks are called clickjacking or UI redressing.
26. How Clickjacking Works
• Clickjacking is possible because seemingly harmless features of
HTML web pages can be employed to perform unexpected actions.
• A clickjacked page tricks a user into performing undesired actions by
clicking on a concealed link.
• On a clickjacked page, the attackers load another page over it in a
transparent layer.
27. How Clickjacking Works
• The users think that they are clicking visible buttons, while they are
actually performing actions on the invisible page.
• The hidden page may be an authentic page.
• Therefore, the attackers can trick users into performing actions which
the users never intended.
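The overlay described on slides 25 to 27 only works if a browser lets another site load the target page in a frame. The following audit helper, an added Python example that is not from the lecture, reads a page's response headers and reports whether framing is blocked, restricted to the same origin, or allowed; the header sets for the three page names are constructed samples.

```python
# Constructed sample response headers for three pages (not real sites).
SAMPLE_RESPONSES = {
    "bank login": {"X-Frame-Options": "DENY", "Content-Type": "text/html"},
    "intranet app": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "old widget": {"Content-Type": "text/html"},
}


def framing_verdict(headers):
    """Return (verdict, reason) where verdict is 'blocked', 'same-origin' or 'allowed'.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options in
    browsers that understand it, so it is inspected first. Header names are
    matched case-insensitively, as HTTP requires.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "blocked", "CSP frame-ancestors 'none'"
            if sources == ["self"]:
                return "same-origin", "CSP frame-ancestors 'self'"
            return "allowed", "CSP frame-ancestors permits: " + " ".join(sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if xfo:
        # ALLOW-FROM and malformed values are ignored by current browsers.
        return "allowed", "X-Frame-Options value not enforced by browsers: " + xfo
    return "allowed", "no framing restriction header present"


def audit(responses=SAMPLE_RESPONSES):
    """Map each page name to its framing verdict; 'allowed' pages need attention."""
    return {name: framing_verdict(hdrs) for name, hdrs in responses.items()}
```

Pages that carry neither header, like the "old widget" sample, are the ones an attacker's page could load invisibly over its own buttons; sending `Content-Security-Policy: frame-ancestors 'none'` (or `X-Frame-Options: DENY` for older browsers) on any page with sensitive buttons removes that precondition.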
28. Cursorjacking
• Cursorjacking is a variant of the clickjacking attack.
• Cursorjacking is a UI redressing technique that displaces the cursor from the location the user
perceives. It was discovered in 2010 by Eddy Bordi, a researcher at Vulnerability.fr.
• Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario
Heiderich did so by hiding the cursor.
• Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a cursorjacking
vulnerability using Flash, HTML and JavaScript code in Mozilla Firefox (fixed in Firefox
30.0) which can lead to arbitrary code execution and webcam spying.
• A second cursorjacking vulnerability was discovered by Jordi Chancel in Mozilla
Firefox on Mac OS X systems (fixed in Firefox 37.0), again using Flash, HTML and
JavaScript code; it can likewise lead to webcam spying and to the execution of a
malicious add-on that runs malware on the trapped user's computer.
29. Password Manager Attack
• A 2014 paper by a researcher at Carnegie Mellon University discovered this attack.
• He found that while browsers refuse to autofill if the protocol on the current login page is
different from the protocol at the time the password was saved, some password managers
would insecurely fill in passwords for the http version of https-saved passwords.
• Most managers did not protect against iFrame- and redirection-based attacks and exposed
additional passwords where password synchronization had been used between multiple
devices.
31. Pretty Good Privacy (PGP)
• PGP is an open source, freely available software package for E-mail
security.
• PGP has grown very quickly and is now widely used. Reasons for its
growth are:
1. It is freely available worldwide in versions that run on a variety of
platforms. In addition, commercial versions provide vendor support.
2. The package includes RSA, DSS, and Diffie-Hellman for public-key
encryption, CAST-128, IDEA, and 3DES for symmetric encryption, and
SHA-1 for hash coding.
33. Authentication
• This is achieved through the digital signature service provided by PGP:
1. The sender creates a message.
2. SHA-1 is used to generate a 160-bit hash code of the message.
3. The hash code is encrypted with RSA using the sender’s private key, and
the result is prepended to the message.
4. The receiver uses RSA with the sender’s public key to decrypt and
recover the hash code.
5. The receiver generates a new hash code for the message and compares it
with the decrypted hash code. If the two match, the message is accepted
as authentic.
34. Confidentiality
• Another PGP service is confidentiality: encrypting messages for
transmission, or files to be stored locally.
• In both cases, the symmetric encryption algorithm CAST-128 may be
used. Alternatively, IDEA or 3DES may be used. In each case the 64-bit cipher
feedback (CFB) mode is used.
• In PGP, each symmetric key is used only once. The session key is
bound to the message. To protect the key, it is encrypted with the
receiver’s public key.
35. Confidentiality
1. The sender generates a message and a random 128-bit number to be
used as a session key for this message only.
2. The message is encrypted using CAST-128 (or IDEA or 3DES) with
the session key.
3. The session key is encrypted with RSA using the recipient’s public
key and is prepended to the message.
4. The receiver uses RSA with its private key to decrypt and recover
the session key.
5. The session key is used to decrypt the message.
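Slides 33 to 35 carried through as an added Python example, not the lecture's or PGP's own code: it follows the five authentication steps and then the five confidentiality steps using only the standard library. The RSA keys are toy 512-bit keys generated with a small Miller-Rabin test and used without padding (real PGP pads them); the symmetric cipher is a SHA-256 counter-mode keystream standing in for CAST-128 in CFB mode, which the standard library does not provide; the compression step that PGP applies between signing and encrypting is left out here; the message and the key-pair names are constructed.

```python
import hashlib
import os
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (sufficient for a toy key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)). Toy-sized keys for speed; not for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def _i2b(x, n):
    """Fixed-width big-endian encoding of an integer modulo n."""
    return x.to_bytes((n.bit_length() + 7) // 8, "big")


def stream_xor(key, nonce, data):
    """Stand-in for CAST-128/CFB: XOR with a SHA-256(key||nonce||counter) keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def pgp_send(message, sender_priv, recipient_pub):
    """Authentication steps 1-3, then confidentiality steps 1-3."""
    d, n_s = sender_priv
    digest = hashlib.sha1(message).digest()                       # 160-bit hash code
    signature = _i2b(pow(int.from_bytes(digest, "big"), d, n_s), n_s)   # RSA, sender's private key
    signed = signature + message                                  # signature prepended
    e, n_r = recipient_pub
    session_key = os.urandom(16)                                  # random 128-bit key, used once
    nonce = os.urandom(8)
    wrapped = _i2b(pow(int.from_bytes(session_key, "big"), e, n_r), n_r)  # RSA, recipient's public key
    return wrapped + nonce + stream_xor(session_key, nonce, signed)


def pgp_receive(blob, recipient_priv, sender_pub):
    """Confidentiality steps 4-5, then authentication steps 4-5.

    Returns (authentic, message); authentic is False when the hash recovered
    from the signature differs from the hash recomputed over the message.
    """
    d, n_r = recipient_priv
    klen = (n_r.bit_length() + 7) // 8
    session_int = pow(int.from_bytes(blob[:klen], "big"), d, n_r)
    if session_int.bit_length() > 128:          # wrapped key did not unwrap cleanly
        return False, b""
    session_key = session_int.to_bytes(16, "big")
    nonce = blob[klen:klen + 8]
    signed = stream_xor(session_key, nonce, blob[klen + 8:])
    e, n_s = sender_pub
    slen = (n_s.bit_length() + 7) // 8
    signature, message = signed[:slen], signed[slen:]
    recovered = pow(int.from_bytes(signature, "big"), e, n_s)      # RSA, sender's public key
    expected = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return recovered == expected, message


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keygen()
    bob_pub, bob_priv = rsa_keygen()
    print(pgp_receive(pgp_send(b"Meet at noon.", alice_priv, bob_pub), bob_priv, alice_pub))
```

Running the file signs and encrypts a short message from one generated key pair to another and prints the verification result. The first element of the tuple is False whenever any byte of the blob is altered or the wrong private key is used, because the SHA-1 hash recomputed over the decrypted message no longer matches the one recovered from the signature.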
36. Compression
• PGP compresses the message after applying the signature but before
encryption. This has the benefit of saving space both for e-mail
transmission and for file storage.
• The signature is generated before compression for two reasons:
1. It is preferable to sign an uncompressed message so that one can
store only the uncompressed message together with the signature for
future verification.
2. If the signature were generated after compression, the message would
have to be recompressed for verification, and PGP’s compression
algorithm presents a difficulty here: different implementations make
different speed versus ratio trade-offs and so produce different
compressed output.
37. Compression
• Message encryption is applied after compression to strengthen
cryptographic security: the compressed message has less redundancy than
the original plaintext, so cryptanalysis is more difficult.
• The compression algorithm used here is the ZIP algorithm.
38. E-Mail Compatibility
• The resulting message block consists of a stream of arbitrary 8-bit
octets.
• However, many electronic mail systems only permit the use of blocks
consisting of ASCII text.
• To accommodate this restriction, PGP provides the service of
converting the raw 8-bit binary stream to a stream of printable ASCII
characters.
• The scheme used for this purpose is radix-64 conversion. Each group
of three octets of binary data is mapped into four ASCII characters.
This format also appends a CRC to detect transmission errors.
39. E-Mail Compatibility
• The use of radix-64 expands a message by 33%. Fortunately, the
session key and signature portions of the message are relatively
compact, and the plaintext message has been compressed.
• In fact, the compression should be more than enough to compensate
for the radix-64 expansion.
40. Segmentation and Reassembly
• E-mail facilities often are restricted to a maximum length. To
accommodate this, PGP automatically subdivides a message that is
too large into segments that are small enough to send via e-mail.
• The segmentation is done after all of the other processing, including
the radix-64 conversion.
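The post-signature steps on slides 36 to 40 (ZIP compression, radix-64 conversion with a CRC, segmentation and reassembly) as an added Python example that is not part of the lecture or of PGP itself. It uses zlib as a stand-in for PGP's ZIP algorithm, the 24-bit CRC that OpenPGP's ASCII armor appends (RFC 4880, section 6.1), an arbitrary 32-character segment length standing in for a mail system's size limit, and a constructed message. The encryption step is omitted because CFB-mode ciphertext has the same length as its input, so it would not change the size figures the example reports.

```python
import base64
import zlib

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # OpenPGP armor CRC parameters


def crc24(data):
    """OpenPGP armor checksum (RFC 4880 section 6.1), bit-serial form."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(raw):
    """Radix-64: each 3 octets -> 4 printable chars, then an '=' checksum line."""
    body = base64.b64encode(raw).decode("ascii")
    check = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode("ascii")
    return body + "\n=" + check + "\n"


def dearmor(text):
    """Reverse radix-64 and verify the CRC; raise if transmission damaged the data."""
    body, check = text.strip().rsplit("\n=", 1)
    raw = base64.b64decode(body)
    if base64.b64decode(check) != crc24(raw).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: armored data was corrupted")
    return raw


def segment(text, max_len):
    """Segmentation is the last step, after radix-64 conversion."""
    return [text[i:i + max_len] for i in range(0, len(text), max_len)]


def reassemble(segments):
    return "".join(segments)


# Constructed plaintext standing in for the signed message body.
SAMPLE_MESSAGE = b"Quarterly report: revenue up, costs flat. " * 50


def pipeline(message=SAMPLE_MESSAGE, max_len=32):
    """Compress, armor, segment, then undo it all; return sizes and the result."""
    compressed = zlib.compress(message)          # ZIP stand-in, applied before encryption
    armored = armor(compressed)                  # 8-bit octets -> printable ASCII + CRC
    segments = segment(armored, max_len)         # fit each piece under the mail limit
    recovered = zlib.decompress(dearmor(reassemble(segments)))
    return {
        "original": len(message),
        "compressed": len(compressed),
        "armored": len(armored),
        "segments": len(segments),
        "recovered": recovered,
    }


def damaged_in_transit(armored):
    """Change one armored character; True if the CRC catches the damage."""
    body, rest = armored.split("\n=", 1)
    body = ("B" if body[0] != "B" else "C") + body[1:]
    try:
        dearmor(body + "\n=" + rest)
        return False
    except ValueError:
        return True
```

The size figures returned by `pipeline()` show the two claims on slide 39 directly: the armored text is at least four thirds of the compressed input, yet still smaller than the original message because compression removed far more than the 33% that radix-64 adds back. The CRC is a transmission-error check only; it detects a flipped character but, unlike the signature, offers no protection against deliberate modification.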
41. Summary of PGP Services
| Function | Algorithm Used | Description |
| Digital signature | DSS/SHA or RSA/SHA | A hash code of the message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message. |
| Message encryption | CAST or IDEA or three-key triple DES, with Diffie-Hellman or RSA | A message is encrypted using CAST-128, IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message. |
| Compression | ZIP | A message may be compressed for storage or transmission using ZIP. |
| E-mail compatibility | Radix-64 conversion | To provide transparency for e-mail applications, an encrypted message may be converted to an ASCII string using radix-64 conversion. |