Scribd Logo
Upload

Welcome to Scribd!

  • Module 5.5: Security User Interface

    Uploaded by

    Harpreet Singh
    9 views11 pages
    This document discusses security issues related to user interfaces and mixed content loading. It notes that passwords should only be typed on pages loaded over HTTPS, and that loading non-HTTPS content on HTTPS pages allows network attackers to hijack sessions. Finally, it discusses limitations of security indicators like lock icons and the status bar which can be spoofed.

    Original Description:

    Original Title

    Module5.5.pptx

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses security issues related to user interfaces and mixed content loading. It notes that passwords should only be typed on pages loaded over HTTPS, and that loading non-HTTPS content on HTTPS pages allows network attackers to hijack sessions. Finally, it discusses limitations of security indicators like lock icons and the status bar which can be spoofed.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    9 views11 pages

    Module 5.5: Security User Interface

    Uploaded by

    Harpreet Singh
    This document discusses security issues related to user interfaces and mixed content loading. It notes that passwords should only be typed on pages loaded over HTTPS, and that loading non-HTTPS content on HTTPS pages allows network attackers to hijack sessions. Finally, it discusses limitations of security indicators like lock icons and the status bar which can be spoofed.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 11

    Module 5.

    5: Security User
    Interface
    When is it safe to type my password?

    SECURITY USER
    INTERFACE
    Safe to type your password?

    3
    Safe to type your password?

    4
    Safe to type your password?

    5
    Safe to type your password?
    ???

    ??? 6
    Safe to type your password?

    7
    Mixed Content: HTTP and
    HTTPS
    Problem
    Page loads over HTTPS, but has HTTP content
    Network attacker can control page
    IE: displays mixed-content dialog to user
    Flash files over HTTP loaded with no warning (!)
    Note: Flash can script the embedding page
    Firefox: red slash over lock icon (no dialog)
    Flash files over HTTP do not trigger the slash
    Safari: does not detect mixed content
    Mixed content and network attacks
    banks: after login all content over HTTPS
    Developer error: Somewhere on bank site
    write<script src=http://www.site.com/script.js>
    </script>
    Active network attacker can now hijack any session
    Better way to include content:
    <script src=//www.site.com/script.js> </script>
    served over the same protocol as embedding page
    Lock Icon 2.0
    Extended validation (EV) certs

    Prominent security indicator for EV certificates

    note: EV site loading content from non-EV site does


    Finally: the status Bar

    Trivially spoofable
    <a href=http://www.paypal.com/
    onclick=this.href = http://www.evil.com/;>
    PayPal</a>

    You might also like