|
Ø Definition:
“Applications frequently fail to authenticate,
encrypt, and protect the confidentiality and integrity of sensitive network
traffic. When they do, they sometimes support weak algorithms, use expired or
invalid certificates, or do not use them correctly.”
|
Ø HTTPS, SSL
and TLS are essential staples of website security.
Ø SSL is Secure
Sockets Layer which is the term we used to use to describe the
cryptographic protocol used for communicating over the web. SSL provides an
asymmetric encryption scheme which both client and server can use to encrypt
and then decrypt messages sent in either direction.
Ø TLS is Transport
Layer Security and the successor to SSL. You’ll frequently see TLS version
numbers alongside SSL equivalent; TLS 1.0 is SSL 3.1, TLS 1.1 is SSL 3.2, etc.
These days, you’ll usually see secure connections expressed as TLS versions:
Ø HTTPS is Hypertext Transport Protocol Secure and
is the implementation of TLS over HTTP. HTTPS is also the URI scheme
of website addresses implementing SSL, that is it’s the prefix of an address
such as https://www.americanexpress.com and
implies the site will be loaded over an encrypted connection with a certificate
that can usually be inspected in the browser.
Ø Example:
·
The iPad is an innocent user of the ASafaWeb
website and logged in as an administrator and as such I have the highlighted
menu items below:
·
The laptop is the attacker and it has no more
rights than any public, non-authenticated user would. Consequently, it’s
missing the administrative menu items the iPad had.
·
I’ve taken a ride down to the local
McDonald’s which offers free wifi. Both the laptop and the iPad are taking
advantage of the service, as are many other customers scattered throughout the
restaurant.
·
I had a browse around the ASafaWeb website on
the iPad.After letting the process run for a few minutes, I’ve opened up the
capture file in “Wireshark” which is a packet capture and analysis tool
frequently used for monitoring and inspecting network traffic.
·
Let’s filter those packets further so that
only those originating from my iPad are shown:
·
By right clicking on the first packet and
following the TCP stream, we can see the entire request:
·
Each request any browser makes to a website
includes any cookies the website has set. The request above contains a number
of cookies, including one called “.ASPXAUTH”
·
But that’s easily rectified simply by adding
a new cookie with the same name and value as we’ve just observed from the iPad.
·
Refresh the page:
·
Finally, insufficient transport layer
protection has just allowed us to hijack the session and become an
administrator.
Ø Don’t mix TLS and non-TLS
content
·
Loading a page over TLS then including
non-TLS content actually causes some fairly major issues.
·
By striking out the padlock icon and the
HTTPS scheme in the URL, the browser is sending a very clear warning to the
user.
Ø Prevention:
·
Providing proper transport layer protection
can affect the site design. It's easiest to require SSL for the entire site.
For performance reasons, some sites use SSL only on private pages. Others use
SSL only on 'critical' pages, but this can expose session IDs and other
sensitive data. At a minimum, do all of the following:
·
Require SSL for all sensitive pages. Non-SSL
requests to these pages should be redirected to the SSL page.
·
Set the 'secure' flag on all sensitive
cookies.
·
Configure your SSL provider to only support
strong algorithms.
·
Ensure your certificate is valid, not
expired, not revoked, and matches all domains used by the site.
·
Backend and other connections should also use
SSL or other encryption technologies.
Thanks for the valuable document by K S Sivanath Contact mail:Sivanathks@hotmail.com
No comments :
Post a Comment