Posts Tagged ‘Web Security’

Tuesday, December 5th, 2017

Web Authentication Working Draft rev 7 (WD-07) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20171205/

NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (so this presently yields WD-07)

Please also note that this spec is a _Working DRAFT_ and will change, possibly in “breaking” ways.

WebAuthn WD-07 features many changes from the prior version, here’s a selected list (for details, see the diffs linked-to below):

Updated terminology to match and leverage the Credential Management spec.
Matching recent changes to Credential Management, the WebAuthn API may be utilized from non-top-level documents if and only if it is same-origin with its ancestors.
Updated [[Create]] and [[DiscoverFromExternalSource]] internal methods to match arguments with those supplied by Credential Management. Note: Credman PR w3c/webappsec-credential-management#100 is related and not completed at this time.
Updated [[Create]] and [[DiscoverFromExternalSource]] underlying algorithms in various ways:
- Explicitly facilitate roaming/external authenticator “hot-plugging” during registration and authentication operations.
- Further refined RP ID handling.
- added a type field to CollectedClientData to avoid potential signature confusion issues.
- added abort signal processing.
- refined `requireResidentKey` handling.
- added notion of “effective user verification requirement for assertion“
- added notion of RP-asserted “Attestation Conveyance Preference“.
- added “user handle” notion. The “user handle” is “plumbed-through” from the RP, to the authenticator, and back to the RP. This is useful for some RP use cases.
- Facilitate discovery of “Availability of User-Verifying Platform Authenticators“. This is useful for some RP use cases.

authenticator operations clarifications/polishing:
- added or refined various features to match those listed above, e.g., requiring resident private key, user presence test, and user verification requirement.
- added detailed signature counter considerations.
Clarified attestation object generation.
Refined relying party operations.
Refined signing procedures for Packed Attestation Statement Format and FIDO U2F Attestation Statement Format.

Diffs of WebAuthn WD-07 from WD-06:

WD-07 Release Page at github

Average Rating: 5 out of 5 based on 266 user reviews.

[ | | | from fda approved pharmacy | ]

Tags:Authentication, W3C, Web Security
Posted in Security, W3C, Web Security | No Comments »

Wednesday, November 21st, 2012

RFC6797 “HTTP Strict Transport Security (HSTS)” is now available.

It’s been a long haul to get to this point, and I thank all the folks who have contributed along the way, i.e. Collin Jackson and Adam Barth who had the original idea [ForceHTTPS] and co-authored the spec, and all the other folks who contributed to its gestation (from the Acknowledgements appendix):

The authors thank Devdatta Akhawe, Michael Barrett, Ben Campbell,
Tobias Gondrom, Paul Hoffman, Murray Kucherawy, Barry Leiba, James
Manger, Alexey Melnikov, Haevard Molland, Yoav Nir, Yngve N.
Pettersen, Laksh Raghavan, Marsh Ray, Julian Reschke, Eric Rescorla,
Tom Ritter, Peter Saint-Andre, Brian Smith, Robert Sparks, Maciej
Stachowiak, Sid Stamm, Andy Steingrubl, Brandon Sterne, Martin
Thomson, Daniel Veditz, and Jan Wrobel, as well as all the websec
working group participants and others for their various reviews and
helpful contributions.

Thanks to Julian Reschke for his elegant rewriting of the effective
request URI text, which he did when incorporating the ERU notion into
the updates to HTTP/1.1 [HTTP1_1-UPD]. Subsequently, the ERU text in
this spec was lifted from Julian’s work in the updated HTTP/1.1
(part 1) specification and adapted to the [RFC2616] ABNF.

See also the Wikipedia HSTS article for various other information about HSTS and deploying it.

=JeffH sez check it out 🙂

Average Rating: 4.8 out of 5 based on 230 user reviews.

[ | | | from fda approved pharmacy | ]

Tags:HSTS, HTTPS, Security Policy, SSL, TLS, TLS/SSL, Web Security
Posted in IETF, Protocols, Security, Web Security | No Comments »

Tuesday, October 2nd, 2012

As I’d noted back in July, the draft HSTS spec was in IETF-wide last call, from which we exited in August with various helpful comments. We applied summore elbow grease to the ol’spec and shipped it to the IESG (Internet Engineering Steering Group) for further inspection, received more good comments, subsequently applied more tweaks and polish, and voila(!), this morning we have this little missive in our email…

[websec] Protocol Action: ‘HTTP Strict Transport Security (HSTS)’ to Proposed Standard (draft-ietf-websec-strict-transport-sec-14.txt)

At this point, the draft HSTS spec will be placed on the RFC Editor’s queue (which is fairly large & diverse) and will emerge in several weeks as an RFC with a proper RFC number and all.

Many thanks to all who’ve contributed, especially to Collin Jackson & Adam Barth for originally inventing this approach (which they dubbed “ForceHTTPS“).

=JeffH

PS: The Wikipedia HSTS entry has a consolidated specification history as well as information regarding implementation and deployment.

Average Rating: 5 out of 5 based on 296 user reviews.

[ | | | from fda approved pharmacy | ]

Tags:Browser Security, IETF, Security, Security Policy, Web Security
Posted in Draft Specs, IETF, Protocols, Security, Web Security | No Comments »

Friday, October 29th, 2010

Firesheep, released earlier this week, is a Firefox add-on that enables one to easily capture HTTP application session cookies from other users communications with specific popular sites. The problem it exploits is that many sites protect the initial reusable shared password-based authentication with TLS/SSL, but then revert further communication to unsecured HTTP. This exposes any application session cookies employed by the site, and returned by users’ browsers to the site on every request, to capture and replay by an attacker. This enables one to hang out on a local network, your favorite coffee shop for instance, and hijack others’ interactions with various social networking sites and retailers, for example.

This particular class of typical website vulnerability has been known for ages, as well as techniques for addressing it. For example, websites can simply offer their entire site over TLS/SSL (i.e. via “HTTPS“), as PayPal does. Some sites do so, but for whatever reason still revert users communications to unsecured HTTP by default, or some portion of their communications remain unsecured. However, if one can configure one’s browser to only securely interact with some given site (i.e. domain), and if the site supports this, then Problem Largely Solved. See, for example, Collin Jackson and Adam Barth‘s paper, ForceHTTPS: Protecting High-Security Web Sites from Network Attacks, for a description of this class of vulnerabilities, attacks, and remediation approaches.

I’ve been working with Collin and Adam on standardizing ForceHTTPS — their paper was the inspiration for the HTTP Strict Transport Security (HSTS) work and the present Internet-Draft specification thereof, and thus the HSTS implementations presently available in Firefox 3.x (via the Force-TLS and NoScript plugins), natively in Firefox 4 beta 6 and later, and natively in Chrome 4 and later. There’s also the HTTPS-Everywhere extension from the EFF that comes pre-loaded with a list of sites to use only via HTTPS, and is configurable such that one can add more (unfortunately it doesn’t support HSTS apparently)..

Now, HSTS is a website security policy that in typical cases, sites will explicitly signal to browsers (via an HTTP request header field), as PayPal presently does. However, this week, Sid Stamm, who authored the Firefox v3 HSTS add-on (Force-TLS) and native implementation, conzed-up a new Firefox v4 add-on, STS UI (Strict Transport Security User Interface), that allows one to configure one’s browser to regard given sites as HSTS sites, even if they don’t signal it. This also addresses the Bootstrap MITM Vulnerability noted in the HSTS draft spec.

Note that Chrome features “Preloaded HSTS sites”, and that NoScript (FF v3 & v4), HTTPS-Everywhere (FFv3), and Force-TLS (FFv3) all facilitate user configuration of HTTPS-only sites.

We’ll be working in the new IETF WebSec working group to finish the HSTS draft spec and get it published as an RFC, hopefully before too much of 2011 is gone. I’ll try to keep you all updated on that.

In the meantime, =JeffH sez be careful with your web logins 🙂

updated 31-Oct-2010: Added NoScript and HTTPS-Everywhere. Apologies to Giorgio and the EFF for not including them straight away.

Average Rating: 4.9 out of 5 based on 287 user reviews.

[ | | | from fda approved pharmacy | ]

Tags:Browser Security, firesheep, Security, Web Security
Posted in Security, Tools, Web Security | 1 Comment »

Monday, December 14th, 2009

The Browser Security Handbook, brought to us by Michal Zalewski (of Google) is a quite useful document (droll understatement). It documents various security facets of the leading web browsers and provides succinct tabular comparisons of behaviors. It is available here..

Browser Security Handbook (BSH)
http://code.google.com/p/browsersec/wiki/Main

Michal has also created various test scripts and their source code is available from this page:

http ://code.google.com/p/browsersec/

The BSH is created and maintained on the Google Code wiki, and thus isn’t available if you’re offline (like on a plane). The wiki doesn’t provide for a clean download with link fixups and all, so I turned to wget and use the below command to cache a local copy (I’m on Ubuntu GNU/Linux)..

wget -E -H -p --convert-links -nH -nd -N -P/PATH/TO/WHERE/YOU/WANT/IT/TO/LOCALLY/LIVE http://code.google.com/p/browsersec/wiki/Main http://code.google.com/p/browsersec/wiki/Part1 http://code.google.com/p/browsersec/wiki/Part2 http://code.google.com/p/browsersec/wiki/Part3

I alias the above gnarly command line to the simple “getbrowsersec” command name (via my .cshrc file), and so whenever I’m online and want to ensure I’ve got the latest revision, I just type “getbrowsersec” and I’m all set. If you live in the Windows world, I’m not sure how you’d do the above natively. I’d install Cygwin, and then one has wget, and can just use the above command.

Average Rating: 4.9 out of 5 based on 257 user reviews.

[ | | | from fda approved pharmacy | ]

Tags:browsers, Security, Web Security
Posted in Tools, Web Security | No Comments »

Posts Tagged ‘Web Security’

Pages

Archives

Categories