Lecture 7: Web Security
Web Security
HTTPS is a protocol running on top of HTTP that encrypts traffic.
Key Exchange protocol:
- Key exchange
- encrypt
- HTTP - base layer
HTTPS messages are sent over TLS, but HTTP goes over TCP not TLS .. no encryption, sent over the clear.
Threat Models:
Man in the Middle:
Alice ============Eve===========Bob
Eve can see, interfere, modify, full control of messages sent between Alice and Bob.
Off-Path Attacker:
Attacker is not man in the middle, is remote server connected to the internet. Server cannot see messages or eves, only send them. If system is susceptible to this then system is very vulnerable
On-Path Attacker
The attacker can eavesdrop but not modify or drop Alice to Bob traffic. But because it’s connected to the internet, it can also send messages.
HTTPS Request: What happens when you visit a web page – information is leaked, can be used to fingerprint users. You could find out type of browser, OS, where user came from (referer).
Security Issue: Pixel Tracking: embed small images in page that no human can see, when page loaded browser has to also fetch image without user permissions.
Generally, servers don’t keep state. A server doesn’t know the user from one request to another. But to make things easier, cookies do keep state on the user’s machine. Because cookies contain sensitive information about the user they should not be sent over HTTP.