It’s surprising to many developers how easy it is to interfere with the experience they’re providing to their users, particularly in an increasingly mobile environment, where phones connect to dubious free WiFi networks. Your users are almost certainly vulnerable in one way or another. Mike North explores a series of common web app security pitfalls, first demonstrating how to exploit the vulnerability and then recommending a pragmatic and effective defense against the attack. Buckle up, because Mike’s about to take some things you love and depend on and smash them to bits.
Mike begins with DNS. Most devices are set up to use and trust a public WiFi’s DNS responses. Phones are set up this way because, in many cases, free public WiFi relies on spoofing DNS to get you to agree to its terms of use. Using his own WiFi network (which you may voluntarily join), Mike shows how easy it is to manipulate traffic with a DNS server, redirecting all plain HTTP traffic bound for the Fluent Conference website to a different domain.
Mike then takes an SSL certificate he bought for a lookalike domain. Your browser will throw up a big scary warning screen, but studies have shown that up to 40% of users will click through these warnings and proceed anyway. Mike demonstrates how easily a domain-validated certificate can be obtained for this lookalike domain, which then appears and behaves exactly like the real website (except that malicious code can be inserted along the way).
Mike then picks on a common CDN, even one that provides built-in SSL like CloudFront, showing how we can interfere with DNS and send our own identically named payloads over the wire. Because CloudFront uses a wildcard certificate, we can set up our own subdomain, and the app is none the wiser. To defend against this attack, Mike introduces the concept of subresource integrity, where remotely hosted static assets can be hashed at build time and verified before the browser uses them.
Mike concludes by employing HSTS headers to inform browsers that they are prohibited from connecting to the domain at all over plain HTTP. Now, when there’s a certificate error, there’s no easy way for the user to proceed and ignore the problem. Mike also discusses how HSTS handles subdomains and ultimately tightens your security even further by ensuring that everything required for your app is brought in over HSTS-protected domains.
Mike North is a staff software engineer at LinkedIn. Mike is a product and modern web tech leader with a broad range of experience working with startups and Fortune 500 companies alike. Previously, he was the CTO of Levanto Financial and UI architect for Yahoo’s Ads & Data division. Mike has a passion for teaching and has produced several popular JavaScript video courses for Front End Masters, with Pluralsight courses on the way. He is an avid open source contributor and has landed thousands of commits into the JavaScript and Erlang ecosystems. As a “product guy who codes,” Mike believes in putting prototypes in the hands of users as quickly as possible.
Comments
Didn’t attend this meeting, but I’m very curious about what damage a wildcard certificate could cause. Could I get the slides or some more information about this?