Building a Better Web
June 19–20, 2017: Training
June 20–22, 2017: Tutorials & Conference
San Jose, CA

Locking it down: A security primer for web developers

Mike North (LinkedIn)
9:00am–9:40am Wednesday, June 21, 2017
Modern Web Essentials
Location: 210 BF Level: Beginner
Secondary topics:  Privacy, Progressive web apps, Security
Average rating: ****.
(4.20, 10 ratings)

Who is this presentation for?

  • Managers, aspiring architects, and web developers whose experience is limited to big tech companies

Prerequisite knowledge

  • A basic understanding of how requests work and how modern web applications are typically set up in a production-grade environment

What you'll learn

  • Understand why security cannot be an afterthought and how easy it is to get between an app and its users.

Description

It’s surprising to many developers how easy it is to interfere with the experience they’re providing to their users, particularly in an increasingly mobile environment, where phones connect to dubious free WiFi networks. Your users are almost certainly vulnerable in one way or another. Mike North explores a series of common web app security pitfalls, first demonstrating how to exploit the vulnerability and then recommending a pragmatic and effective defense against the attack. Buckle up, because Mike’s about to take some things you love and depend on and smash them to bits.

Mike begins with DNS. Most devices are set up to use and trust a public WiFi’s DNS responses. The incentive to set your phone up this way is because, in many cases, free public WiFi relies on spoofing DNS to get you to agree to terms of use. Using his own WiFi network (which you may voluntarily join), Mike shows how it’s very easy to manipulate traffic with a DNS server by redirecting all plain HTTP traffic to the Fluent Conference website to a different domain.

Mike then takes an SSL certificate he bought for a lookalike domain. Your browser will throw up a big scary warning screen, but studies have shown that up to 40% of users will click through these warnings and proceed anyway. Mike demonstrates how we can easily have domain validated for this lookalike domain, which appears and behaves exactly like another website (except we can insert some malicious code along the way).

Mike then picks on a common CDN, even one that provides built-in SSL like CloudFront, showing how we can interfere with DNS and send our own identically named payloads over the wire. Because CloudFront uses a wildcard certificate, we can set up our own subdomain, and the app is none the wiser. To defend against this attack, Mike introduces the concept of subresource integrity, where remotely hosted static assets can be hashed at build time and verified before the browser uses them.

Mike concludes by employing HSTS headers to inform browsers that they are prohibited from connecting to the domain at all over plain HTTP. Now, when there’s a certificate error, there’s no easy way for the user to proceed and ignore the problem. Mike also discusses how HSTS handles subdomains and ultimately tightens your security even further by ensuring that everything required for your app is brought in over HSTS-protected domains.

Photo of Mike North

Mike North

LinkedIn

Mike North is a staff software engineer at LinkedIn. Mike is a product and modern web tech leader with a broad range of experience working with startups and Fortune 500 companies alike. Previously, he was the CTO of Levanto Financial and UI architect for Yahoo’s Ads & Data division. Mike has a passion for teaching and has produced several popular JavaScript video courses for Front End Masters, with Pluralsight courses on the way. He is an avid open source contributor and has landed thousands of commits into the JavaScript and Erlang ecosystems. As a “product guy who codes,” Mike believes in putting prototypes in the hands of users as quickly as possible.

Comments on this page are now closed.

Comments

何方石 | WEB DEVELOPER
06/21/2017 10:14am PDT

Didn’t attend this meeting, but I’m very curios about what’s damage should wildcard certificate course, could I got a slides or some more information about this?