RTC-Web Security Considerations



Similar documents
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

RTCWEB Generic Identity Service

Relax Everybody: HTML5 Is Securer Than You Think

IETF Security Architecture Update

RTCWeb Security Considerations

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

Web Application Firewall

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Chapter 17. Transport-Level Security

Web Same-Origin-Policy Exploration Lab

CS5008: Internet Computing


Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Hack Proof Your Webapps

Web Application Security

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

WebRTC: Why and How? FRAFOS GmbH. FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

A Scalable Multi-Server Cluster VoIP System

Next Generation Clickjacking

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Password Managers: Attacks and Defenses

OAuth Web Authorization Protocol Barry Leiba

Best Practices for Controlling Skype within the Enterprise. Whitepaper

Web application security

What is Web Security? Motivation

WebRTC: Why You Should Care and How Avaya Can Help You. Joel Ezell Lead Architect, Collaboration Environment R&D

An Evaluation of the Google Chrome Extension Security Architecture

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Quick Start Guide. Installation and Setup

Configuring the Avaya B179 SIP Conference Phone with Avaya Aura Communication Manager and Avaya Aura Session Manager Issue 1.0

A Comparative Study of Signalling Protocols Used In VoIP

App Isolation: Get the Security of Multiple Browsers with Just One

Web Tracking for You. Gregory Fleischer

ECE458 Winter Web Security. Slides from John Mitchell and Vitaly Shmatikov (Modified by Vijay Ganesh)

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Ethical Hacking as a Professional Penetration Testing Technique

Project 2: Web Security Pitfalls

Chapter 3 Restricting Access From Your Network

Web Application Firewall on SonicWALL SSL VPN

Chrome Extensions: Threat Analysis and Countermeasures

Introduction to Computer Security Benoit Donnet Academic Year

DNS REBINDING DENIS BARANOV, POSITIVE TECHNOLOGIES

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

HTML5. Eoin Keary CTO BCC Risk Advisory.

Infor Xtreme Browser References

Proxies. Chapter 4. Network & Security Gildas Avoine

INSTANT MESSAGING SECURITY

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Principles of Network Applications. Dr. Philip Cannata

SIP and VoIP 1 / 44. SIP and VoIP

Phishing by data URI

The Dark Side of Ajax. Jacob West Fortify Software

Cryptography for Software and Web Developers

NEFSIS DEDICATED SERVER

Guidance Regarding Skype and Other P2P VoIP Solutions

Gateway Apps - Security Summary SECURITY SUMMARY

Note Google and YouTube may change the appearance of their sites from time to time, so the buttons or links may not always appear in the same place.

A Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

CONTENT of this CHAPTER

ing from The E2 Shop System address Server Name Server Port, Encryption Protocol, Encryption Type, SMTP User ID SMTP Password

User-ID Features. PAN-OS New Features Guide Version 6.0. Copyright Palo Alto Networks

LifeSize Transit Deployment Guide June 2011

Peer-to-Peer Systems and Security

Breaking the Myths of Extended Validation SSL Certificates

Building WebRTC Solutions with the Avaya WebRTC Collaboration Environment Snap-in. Joel Ezell Lead Architect, Collaboration Environment R&D

SAMSUNG SMARTTV: HOW-TO TO CREATING INSECURE DEVICE IN TODAY S WORLD. Sergey Belov

Network Security Essentials Chapter 5

Analysis of Browser Defenses against XSS Attack Vectors

Examining Proxies to Mitigate Pervasive Surveillance

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

TECHNICAL CHALLENGES OF VoIP BYPASS

Web Application Firewall on SonicWALL SRA

Transport Layer Security Protocols

Firewalls, IDS and IPS

Where every interaction matters.

Survey on JavaScript Security Policies and their Enforcement Mechanisms in a Web Browser

Firewalls P+S Linux Router & Firewall 2013

DoS/DDoS Attacks and Protection on VoIP/UC

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

Cross-Site Scripting

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

SonicOS 5.9 One Touch Configuration Guide

The Web s Security Model. Who am I?

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

ExtraHop and AppDynamics Deployment Guide

Client Side Filter Enhancement using Web Proxy

elearning for Secure Application Development

Chapter 4 Restricting Access From Your Network

The Benefits of SSL Content Inspection ABSTRACT

Web Browser Security

Streaming Media System Requirements and Troubleshooting Assistance

Transcription:

RTC-Web Security Considerations IETF 80 Eric Rescorla ekr@rtfm.com IETF 80 RTC-Web Security Issues 1

The Browser Threat Model Core Web Security Guarantee: users can safely visit arbitrary web sites and execute scripts provided by those sites. [HCB + 10] This includes sites which are hosting malicious scripts! Basic Web security technique is isolation/sandboxing Protect your computer from malicious scripts Protect content from site A from content hosted at site B Protect site A from content hosted at site B In this case we re primarily concerned with JavaScript running in the browser The browser acts as a trusted computing base for the site IETF 80 RTC-Web Security Issues 2

List of Issues to Consider Consent to communications Access to local devices Communications security IETF 80 RTC-Web Security Issues 3

In an alternate universe: Cross-Site Requests Victim Gmail Attacker Login w/ Password Cookie=XXX... GET /malicious.js <script>xmlhttprequest("https://gmail.com/")... GET w/ XXX Mail data Mail data Obviously this is bad... and it s a problem even w/o cookies IETF 80 RTC-Web Security Issues 4

The Same Origin Policy (SOP) A page s security properties are determined by its origin This includes: protocol (HTTP or HTTPS), host, and port All these must match for two pages to be from the same origin Each origin is associated with its own security contet Scripts in origin A have only very limited access to resources in origin B Important: the origin is associated with the page, not where the script came from Scripts loaded via <script src=""> tags are associated with the origin of the page, not the URL for the script! IETF 80 RTC-Web Security Issues 5

The Same Origin Policy for Page Data Scripts can only access page data from their own origin Contents of the DOM JavaScript variables Cookies Important exception: JavaScript pointer leakage [BWS09] Scripts can access any other page data from their origin Includes other windows and IFRAMEs Frame can navigate their own children This is used for cross-site communication (e.g., FaceBook Connect) IETF 80 RTC-Web Security Issues 6

The Same Origin Policy for HTTP Requests JavaScript can be used to make fairly controllable HTTP requests with XMLHttpRequest() API But only to the same origin Origin A can make partly controllable requests to origin B via HTML forms But cannot read the response Cross-Site Request Forgery (CSRF) defenses depend on this Origin A can read scripts from origin B But they run in A s context This is done all the time (e.g., Google analytics) IETF 80 RTC-Web Security Issues 7

What does all this mean for RTC? IETF 80 RTC-Web Security Issues 8

Consent for real-time peer-to-peer communication Need to able to send data between two browsers Unless you want to relay everything But this is unsafe (and violates SOP) Not OK to let browsers send TCP and UDP to arbitrary locations General principle: verify consent Before sending traffic from a script to recipient, verify recipient wants to receive it from the sender Familiar paradigm from CORS [vk10] and WebSockets[Fet11] IETF 80 RTC-Web Security Issues 9

How to verify consent for RTC-Web Can t trust the server (see above) Needs to be enforced by the browser Browser does a handshake with target peer to verify connectivity Alice Server Bob Connect to Bob Connect to Alice Handshake Media traffic This should look familiar from ICE [Ros10] Restricts communication with that endpoint until handshake complete (new) IETF 80 RTC-Web Security Issues 10

Access to Local Devices Making phone (and video) calls requires that your voice be transmitted to other side But the other side is controlled by some site you visit What if you visit http://bugmyphone.example.com? Somehow we need to get the user s consent But to what? And when? Users routinely click through warning dialogs when presenting in-flow What is the scope of consent? By origin? What about mash-ups? IETF 80 RTC-Web Security Issues 11

What about communications security? We ve already addressed this in the context of SIP Things aren t that different here all the usual protocols work Open question: where is the keying material stored? On the server? In localstorage? In the browser but isolated from the JavaScript? (probably best) IETF 80 RTC-Web Security Issues 12

References [BWS09] [Fet11] Adam Barth, Joel Weinberger, and Dawn Song. Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense. In Fabian Montrose, editor, In Proc. of the 18th USENIX Security Symposium (USENIX Security 2009), August 2009. Ian Fette. The WebSocket protocol. draft-ietf-hybi-thewebsocketprotocol-06.txt, February 2011. [HCB + 10] Lin-Shung Huang, Eric Y. Chen, Adam Barth, Eric Rescorla, and Collin Jackson. Transparent Proxies: Threat or Menace, 2010. In submission. [Ros10] [vk10] J. Rosenberg. Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols. RFC 5245, 2010. Anne van Kesteren. Cross-Origin Resource Sharing. http://www.w3.org/tr/access-control/, 2010. IETF 80 RTC-Web Security Issues 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information