Transport Layer and Browser Security - GitHub Pages
THE CHINESE UNIVERSITY OF HONG KONG
IERG4210 Web Programming and Security
Course Website:
Live FB Feedback Group:
Transport Layer and Browser Security
Lecture 10
Dr. Adonis Fung
phfung@ie.cuhk.edu.hk
Information Engineering, CUHK
Product Security Engineering, Yahoo!
CUHK - IERG4210 Web Programming and Security (2015 Spring)
Copyright. All Rights Reserved.
1
Agenda
• HTTPS and Browsers
  – Man-In-The-Middle attacks
  – Brief revision on public key cryptography
  – A high-level overview of SSL/TLS
  – Certificate Validity
• Threats and Mitigations
  – Common SSL Configuration Problems
  – A Side-channel Attack
  – SSL Stripping Attacks
  – Phishing
  – OWASP Top 10: A6-Sensitive Data Exposure, A5-Security Misconfigurations, A9-Using Components with Known Vulnerabilities
Revision on Public Key Cryptography
• A server generates 2 keys:
  – A public key – announced to the public
  – A private key – kept secret in the server
  – Using the RSA algorithm (or ECC, etc.), the two keys have the properties:
    • Encryption: Encrypt_public-key(m) = c; Decrypt_private-key(c) = m
    • Signature: Encrypt_private-key(m) = c; Decrypt_public-key(c) = m
Hence, a message encrypted with the recipient's public key (private key) can ONLY be decrypted with the recipient's private key (public key).
In contrast, for Symmetric Key Crypto, only one shared key is used. Algorithms: AES, 3DES, etc.
Reference:
Overview of SSL/TLS
• SSL (or TLS) is a protocol to:
  – Mitigate MitM attacks
  – secure a data connection between server and client
  – using both public key and shared key cryptography
  – over an insecure network including the Internet
• Developed by Netscape in 1994
  – Latest version: v3, and later "rebranded" as TLS
  – Latest TLS version: v1.2
• Some Recent Attacks
  – HEARTBLEED
  – POODLE
Reference:
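The two properties on the "Revision on Public Key Cryptography" slide (encrypt with the public key / decrypt with the private key, and sign with the private key / verify with the public key) and the "both public key and shared key cryptography" point of this slide, worked through in one added Python example. This is not code from the lecture: it uses the textbook toy RSA parameters p = 61, q = 53, e = 17 (far too small to be secure, chosen so the arithmetic is readable), a SHA-256 counter keystream as a stand-in for a real symmetric cipher such as AES, and constructed sample messages. Function names such as `rsa_encrypt` and `hybrid_exchange` are my own.

```python
"""Toy illustration of the public-key properties from the slide and of the
hybrid (public key + shared key) idea that SSL/TLS is built on.
Textbook RSA with tiny primes: for teaching only, NOT secure."""
import hashlib
import os

# Textbook RSA parameters (the classic p=61, q=53 example). Real keys are
# 2048-bit or larger; these are small so every step can be checked by hand.
P, Q = 61, 53
N = P * Q                 # modulus 3233, part of the public key
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent
D = pow(E, -1, PHI)       # private exponent, 2753 (needs Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def rsa_encrypt(public_key, data: bytes) -> list:
    """Encrypt_public-key(m) = c, applied per byte because each m must be < N."""
    n, e = public_key
    return [pow(b, e, n) for b in data]


def rsa_decrypt(private_key, blocks: list) -> bytes:
    """Decrypt_private-key(c) = m: only the holder of D can invert rsa_encrypt."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself. The hash is
    # reduced mod N only because this toy modulus is far smaller than SHA-256.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private_key, message: bytes) -> int:
    """Signature: Encrypt_private-key(h) = s, with h = hash(message)."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    """Decrypt_public-key(s) must equal hash(message); anyone holding the
    public key can run this check, but only the private key could produce s."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher (AES, 3DES, ...) used once both sides
    share a key: a SHA-256 counter keystream XORed into the data. Because XOR
    is its own inverse, the same call both encrypts and decrypts."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def hybrid_exchange(plaintext: bytes, session_key: bytes = None) -> tuple:
    """Sketch of the SSL/TLS idea: slow public-key crypto protects a fresh
    shared key, the cheap shared-key cipher then protects the bulk data.
    Returns (key the server recovered, ciphertext on the wire, client's plaintext)."""
    if session_key is None:
        session_key = os.urandom(16)
    # Client: pick a random session key and send it under the server's public key.
    wrapped_key = rsa_encrypt(PUBLIC_KEY, session_key)
    # Server: only its private key can unwrap the session key.
    server_key = rsa_decrypt(PRIVATE_KEY, wrapped_key)
    # Both sides now use the symmetric cipher for the actual payload.
    ciphertext = stream_xor(server_key, plaintext)
    recovered = stream_xor(session_key, ciphertext)
    return server_key, ciphertext, recovered


if __name__ == "__main__":
    msg = b"IERG4210 lecture 10"  # constructed sample message
    print(rsa_decrypt(PRIVATE_KEY, rsa_encrypt(PUBLIC_KEY, msg)) == msg)
    sig = rsa_sign(PRIVATE_KEY, msg)
    print(rsa_verify(PUBLIC_KEY, msg, sig), rsa_verify(PUBLIC_KEY, msg + b"!", sig))
    server_key, wire, recovered = hybrid_exchange(msg)
    print(recovered == msg, wire != msg)
```

Note what the toy leaves out and a real TLS stack must add: the client has no way here to know that `PUBLIC_KEY` really belongs to the server it meant to reach, which is exactly the gap certificates (a CA's signature over the server's public key) close and the reason the MitM slide that follows says certificate warnings must appear.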
Man-In-The-Middle (MitM) attack
• Instead of talking directly to the server,
• Note: this is an active attacker, as he tampers with content
  – If no SSL is used, MitM can be launched stealthily
  – SSL is designed to mitigate MitM. Certificate warnings should appear to warn users
Diagram from
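Browsers surface the certificate warning described above; a script or backend client only gets the same MitM protection if its TLS library is told to validate the server. The following added Python example (mine, not from the lecture) shows the verifying configuration next to the "disable verification" anti-pattern that silently reintroduces MitM, plus a small review check for it. It only builds `ssl.SSLContext` objects from the standard library and opens no connection, so it runs offline; the connection sketch in the comment assumes a hostname placeholder.

```python
"""Added example: how a non-browser TLS client keeps (or loses) the MitM
protection that certificate validation provides."""
import ssl


def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """Return a client-side TLS context.

    verify=True is what a browser effectively does: the server certificate
    must chain to a trusted CA and match the requested hostname, otherwise
    the handshake fails (the programmatic equivalent of a certificate warning).
    verify=False is the common anti-pattern that accepts any certificate,
    so an active attacker on the path can present his own key unnoticed.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    # Refuse SSLv3/TLS 1.0/1.1; TLS 1.2 is the latest version named on the slide.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # Order matters: hostname checking must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_mitigates_mitm(ctx: ssl.SSLContext) -> bool:
    """Review check: does this context actually validate the peer?
    All three conditions must hold; dropping any one of them is what makes
    certificate warnings (and their programmatic equivalent) disappear."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("verifying context ok:", context_mitigates_mitm(make_client_context(True)))
    print("no-verify context ok:", context_mitigates_mitm(make_client_context(False)))
    # To use the safe context for a real connection (HOST is a placeholder):
    #   import socket
    #   with socket.create_connection((HOST, 443)) as sock, \
    #        make_client_context().wrap_socket(sock, server_hostname=HOST) as tls:
    #       print(tls.version(), tls.getpeercert()["subject"])
    # With verify=False the same code would complete the handshake against
    # any certificate, including one presented by a MitM.
```

The `server_hostname` argument in the sketch is what `check_hostname` compares the certificate against; omitting it on a verifying context raises an error rather than silently skipping the check.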