TLS Training London – day 1

Written on 6 September 2018, 08:55pm


Some notes after the first day of the TLS training session with Scott Helme

——

  • the core protocols powering the Internet were not designed with security in mind
  • you pwn the cookie, you pwn the user
  • the server should not encrypt the cookie contents because there is nothing to hide from the browser
  • the submarine cable map is amazing, but the landing sites are possible points of failure when it comes to your privacy
  • we’ve reached the HTTPS tipping point – meaning that more than 50% of the Internet traffic is encrypted, but 90% of the sites are still on plain, old HTTP
  • the goal of encryption: to encrypt the data for just as long as it’s needed
  • when checking into a hotel, we would rather go without running water than without wi-fi 🙂
  • SSL was initially Netscape’s baby, but it was renamed to TLS under pressure from Microsoft
  • TLS 1.3 was officially adopted as a standard, and it comes with major performance improvements as well as mandatory forward secrecy. But it will take a couple of years until it is implemented at large scale by the hardware manufacturers
  • TLS 1.3 should really have been named TLS 2.0, were it not for some poorly coded but widely used hardware
  • the significant impact of the Snowden revelations on how people look at their privacy and web security is becoming more and more clear (example: Lavabit and forward secrecy)
  • the recommended lifespan of a certificate is about 12 months
  • common domain validation methods: email challenge, DNS text record or a random HTTP path
  • client clock skew: you can change your device time to cheat on Candy Crush, but this can lead to invalid HTTPS certificates for your device only
  • if you are a big organisation, you better have a backup CA (or at least one that is ready to issue a new certificate in a matter of minutes, not days)
  • cipher suite format: TLS_KX_AUTH_CIPHER_HASH. 
    • Key Exchange (KX): just use ECDHE, or if not supported, DHE. But never use RSA for key exchange because of the lack of forward secrecy
    • Authentication: RSA is still good enough
    • Symmetric key encryption (used because it’s faster than asymmetric): AES 128 is good enough; AES 256 better but slower
  • sometimes, good security practices are followed not because of the security advantages, but because of the performance improvements: ChaCha20
  • don’t create a system that relies on the human factor for security (ex. don’t ask the regular user to type https:// in their browser)
  • good: HTTPS, better: HTTPS + HSTS, best: HTTPS + HSTS + preload. But having all the browsers load a static list of websites is not a scalable solution
  • BTW – seeing my own domain in the source code of all the modern browsers used by billions of people is cool: transport_security_state_static.json (warning – 6Mb file!) 
  • HSTS is a one-way street: you can’t easily go back from HTTPS to HTTP
  • people are terrified about changing the cookies standards / specifications
  • it looks like the attackers can overwrite your cookies even when using secure cookies over HTTPS. Cookie prefixes are a dirty, but effective solution: you just need to add __Secure- to your cookie name:
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com


“The __Secure- prefix makes a cookie accessible from HTTPS sites only. A HTTP site can not read or update a cookie if the name starts with __Secure-.”
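
An added example (not part of the original notes or the training material) that models the browser-side rule behind the cookie prefix bullet: a plain-HTTP response can still set an unprefixed ID cookie, but not one named __Secure-ID. It goes slightly beyond the notes by also covering the stricter __Host- prefix; the function names and sample headers are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attributes); attribute keys lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def browser_accepts(header, origin_scheme):
    """Return (accepted, reason) for a Set-Cookie header seen on http or https."""
    name, attrs = parse_set_cookie(header)
    has_secure = "secure" in attrs
    # Browsers refuse the Secure attribute on cookies set over plain HTTP.
    if has_secure and origin_scheme != "https":
        return False, "Secure attribute from an insecure origin"
    if name.startswith("__Secure-") and not has_secure:
        return False, "__Secure- name without the Secure attribute"
    if name.startswith("__Host-"):
        if not has_secure:
            return False, "__Host- name without the Secure attribute"
        if "domain" in attrs or attrs.get("path") != "/":
            return False, "__Host- needs Path=/ and no Domain"
    return True, "accepted"


# Constructed sample headers; example.com and the ID cookie come from the note above.
SAMPLES = [
    ("http", "ID=overwritten; Domain=example.com"),
    ("http", "__Secure-ID=overwritten; Domain=example.com"),
    ("http", "__Secure-ID=overwritten; Secure; Domain=example.com"),
    ("https", "__Secure-ID=123; Secure; Domain=example.com"),
    ("https", "__Host-ID=123; Secure; Path=/"),
]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(scheme, header, "->", browser_accepts(header, scheme))
```
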
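
An added example (not from the original notes) for the cipher suite bullet above: it splits suite names into the KX, AUTH, CIPHER and HASH parts and keeps only the forward-secret ones in the order the notes recommend. Registered suite names put WITH between AUTH and CIPHER, and TLS 1.3 names carry only CIPHER and HASH; the function names and the sample list are constructed for illustration.

```python
# Preference from the notes: ECDHE first, DHE as fallback, never RSA key exchange.
# None stands for TLS 1.3 names, where forward secrecy is mandatory.
KX_ORDER = {None: 0, "ECDHE": 1, "DHE": 2}


def parse_suite(name):
    """Split a suite name into its kx, auth, cipher and hash parts."""
    if not name.startswith("TLS_"):
        raise ValueError("not a TLS cipher suite name: " + name)
    body = name[len("TLS_"):]
    if "_WITH_" not in body:
        # TLS 1.3 style, e.g. TLS_AES_128_GCM_SHA256
        cipher, _, mac = body.rpartition("_")
        return {"kx": None, "auth": None, "cipher": cipher, "hash": mac}
    left, right = body.split("_WITH_", 1)
    kx, _, auth = left.partition("_")
    cipher, _, mac = right.rpartition("_")
    # TLS_RSA_WITH_... names a single algorithm used for both kx and auth.
    return {"kx": kx, "auth": auth or kx, "cipher": cipher, "hash": mac}


def forward_secret(name):
    """True when the key exchange is ephemeral (or the suite is TLS 1.3)."""
    return parse_suite(name)["kx"] in KX_ORDER


def preferred(suites):
    """Drop suites without forward secrecy and order the rest per KX_ORDER."""
    kept = [s for s in suites if forward_secret(s)]
    return sorted(kept, key=lambda s: KX_ORDER[parse_suite(s)["kx"]])


# Constructed sample of suites a server might offer.
OFFERED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in OFFERED:
        print(suite, parse_suite(suite), "FS" if forward_secret(suite) else "no FS")
    print(preferred(OFFERED))
```
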

10 things that I liked in 2017

Written on 24 December 2017, 12:01am


Time to look back at 2017 and put together a few things that I enjoyed.
You can read the rest of this post while playing the song below, one of the things that will remind me of 2017:

1. A book: Sapiens: A brief history of humankind, by Yuval Harari.
If you want to explain to an alien who we are and what’s our story on Earth, this is probably your handbook. A lot of insightful ideas and explanations, but one that stuck in my mind was how evolution doesn’t care about the individual:

The Agricultural Revolution left farmers with lives generally more difficult and less satisfying than those of foragers. Hunter-gatherers spent their time in more stimulating and varied ways, and were less in danger of starvation and disease. The Agricultural Revolution certainly enlarged the sum total of food at the disposal of humankind, but the extra food did not translate into a better diet or more leisure. The average farmer worked harder than the average forager, and got a worse diet in return. The Agricultural Revolution was history’s biggest fraud.
The evolutionary success of a species is measured by the number of copies of its DNA. If a species boasts many DNA copies, it is a success, and the species flourishes. From such a perspective, 1000 copies are always better than a hundred copies. This is the essence of the Agricultural Revolution: the ability to keep more people alive under worse conditions.
Quote from the book on goodreads.com

2. A photo editing tool: Photolemur. It promises to edit all your photos in one click, with the help of artificial intelligence. I like taking pictures, but I was never really into photo editing. So I am happy to leave this part to AI 🙂
And the results are not bad:


3. A place: Tuscany. One of the most amazing places in Italy, which is in turn one of the most amazing places in Europe. I spent a full week there last summer and I enjoyed every day of it!


4. A game: Really Bad Chess. One of the very few games I play; really smart and so addictive that I’m playing it daily. The classic rules of chess apply, but you play with random pieces (ex. you can start with 3 queens and 4 towers).

5. A movie. I did not watch too many movies in 2017. But I watched again (after 8 years) Inglourious Basterds, and I believe that the way Christoph Waltz plays the German detective is a masterpiece. I could watch it over and over again:

6. A learning tool. I am trying to constantly learn new things. Learning how to learn is one of them. Brainscape helps me create flash cards on my laptop and study them on my phone, whenever I have a few minutes free. Highly motivating.

7. A blog: waitbutwhy.com. Even though I have known it for a couple of years, it was in 2017 that I spent lots of time reading it. The series of posts about Elon Musk is really entertaining, but you have to see the posts as small novels instead of blog posts. Tim Urban (the author) has a funny way of zooming out and showing you things from a higher perspective.

8. An event: In 2017 I was lucky to attend a number of interesting sports events. I went to Anfield for the first time to watch Liverpool play in the Champions League, I saw Ronnie O’Sullivan winning the Snooker Masters in London, and was present at the amazing comeback of Simona Halep in the quarter finals of Roland Garros.
But the live event that I enjoyed the most was no doubt the summer Coldplay concert in Brussels. Sports events have their own way of making you feel the moment, but once it’s over there’s not too much left. But a music concert is different. The way the songs make their way into your mind turns the entire experience into something close to magic and creates long-lasting memories.

9. Writing. In line with one of the resolutions for 2017, I tried to write a bit more. I had a few guest posts about snooker, football and analytics on anglofil.ro and doubled the number of posts on this blog. Turns out, writing is one of the experiences that I enjoy 🙂

10. A picture: Romanian protests in Bucharest, February 2017. To be continued in 2018…

Security concepts #2

Written on 29 January 2017, 09:40pm


Functional requirements – what a system must do.
Non-functional requirements – how the system must behave. On top of performance, usability, maintainability -> security.
CIA – Confidentiality (Privacy), Integrity, Availability + non-repudiation

Attacker levels

kid-level: unskilled, opportunistic, bragging rights
malware/ransomware: automated, opportunistic, financial gain
professional attacker: highly skilled, resources, persistent, adapt to their targets
nation state level: best skills available, big resources, goals – aligned with the country’s military/geo-strategic objectives

Vulnerability / exposure / security incident

Vulnerability types: bugs and flaws. Bugs – defects in the development process; could be detected by automated tools. Flaws – defects in the design process; could not be detected by automated tools.
A vulnerability does not necessarily cause an impact. It needs 2 more steps:
Exposure: if the vulnerability becomes known to an attacker
Security incident: if the attacker takes advantage of the exposure to perform an attack

Vulnerability assessment: black box vs white box testing
Black box – no access to the source code, hosting environment, etc
White box – full access to the source code, hosting, etc

Some principles:

– minimize the attack area
– secure defaults (coding and configuration)
– fail securely (defensive coding)
– give least privilege (need to know)
– multiple layers (ex. encrypted USB key, in a locked safe)
– no security by obscurity
– keep the design simple

Identification, Authentication, Authorization

Identification – who are you?
Authentication – how can you prove who you are?
Authorization – what can you do once authenticated?

Some specifics

– don’t say why the authentication failed (‘wrong username’ -> enumeration, ‘wrong password’ -> brute force attack)
– do not change data on the server via an HTTP GET request
– allow pasting passwords
– do not make the “Log out” option difficult to find
– just use HTTPS
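
An added example (not from the original notes) for the first item in the list above: a login check whose message reveals which field was wrong, next to one that returns the same message for every failure. It goes one step beyond the note by doing the same hashing work for unknown usernames, so the response time does not reveal what the message hides; the user store, names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password"


def hash_password(password, salt):
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user store (a real one lives in a database).
USERS = {"alice": make_record("correct horse battery staple")}
# Record checked when the username is unknown, so both paths cost the same.
_DUMMY = make_record("placeholder for unknown users")


def login_leaky(username, password):
    """Before: the message tells the caller which field was wrong."""
    user = USERS.get(username)
    if user is None:
        return False, "wrong username"   # confirms which accounts exist
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return False, "wrong password"   # confirms the account is worth guessing at
    return True, "ok"


def login(username, password):
    """After: one message for every failure, same work on every path."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    candidate = hash_password(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])
    if user is not None and matches:
        return True, "ok"
    return False, GENERIC_ERROR


if __name__ == "__main__":
    for name, pw in [("bob", "x"), ("alice", "x"), ("alice", "correct horse battery staple")]:
        print(name, login_leaky(name, pw), login(name, pw))
```
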