session juggler
play

Session Juggler Elie Bursztein, Chinmay Soman, Dan Boneh, John - PowerPoint PPT Presentation

Jan 13, 2024 •632 likes •916 views

Session Juggler Elie Bursztein, Chinmay Soman, Dan Boneh, John Michell Stanford University / Google 1 About this presentation Date: 19 April 2012 Conference: WWW 2012 Feel free to contact me URL: http://ly.tl/p23 if you have any question

  1. Session Juggler Elie Bursztein, Chinmay Soman, Dan Boneh, John Michell Stanford University / Google 1

  2. About this presentation Date: 19 April 2012 Conference: WWW 2012 Feel free to contact me URL: http://ly.tl/p23 if you have any question Elie Bursztein Slide deck 2010 http://ly.tl/t1

  3. Elie Bursztein Slide deck 2010 http://ly.tl/t1

  4. Elie Bursztein Slide deck 2010 http://ly.tl/t1

  5. Elie Bursztein Slide deck 2010 http://ly.tl/t1

  6. Elie Bursztein Slide deck 2010 http://ly.tl/t1

  7. \ Afraid of the Dark ? Elie Bursztein Slide deck 2010 http://ly.tl/t1

  8. \ Afraid of the Dark ? Elie Bursztein Slide deck 2010 http://ly.tl/t1

  9. Looking for something ? Elie Bursztein http://elie.im Session Juggler WWW 2012

  10. Looking for something ? Elie Bursztein http://elie.im Session Juggler WWW 2012

  11. HTTPS adoption % of sites using HTTPS to log users 90% 80% 70% % of site using HTTPS 60% 50% 40% 30% 20% 10% 0% 10 2 10 3 10 4 10 5 Number of sites (logarithmic) Elie Bursztein http://elie.im Session Juggler WWW 2012

  12. Ephemeral login • Can’t trust the client at all • Work for every browser every site • Use a secure device / secure channel (phone) Elie Bursztein http://elie.im Session Juggler WWW 2012

  13. Not that easy [5] [24] [29] [21] [12] [28] [31] year 1999 2004 2006 2007 2008 2008 2009 Trusted device Palm Pilot PDA Phone Phone Phone Phone Phone Requires server-side changes X X X X X Requires client-side changes X X X X X X X Connection type USB USB Net USB/BT USB Net NFC Hardware needed TPM TPM/NFC Elie Bursztein http://elie.im Session Juggler WWW 2012

  14. Ephemeral login vs OTP • Site specific password list proliferation • Logout issue how to be sure ? Elie Bursztein Slide deck 2010 http://ly.tl/t1

  15. Sometime bad guys make the best good guys Elie Bursztein http://elie.im Session Juggler WWW 2012

  16. Let’s steal a session (demo) Elie Bursztein Slide deck 2010 http://ly.tl/t1

  17. In case the demo failed :) Do you want to be logged to www.facebook.com Discard Log me in Elie Bursztein http://elie.im Session Juggler WWW 2012

  18. Flow view Phone Blackboard Unsecure terminal Target website 1. QR code exchange 2. Login 3. {Session data} k 4. {Session data} k 5. Resume session Out of band exchange HTTP(S) traffic Encrypted data Elie Bursztein http://elie.im Session Juggler WWW 2012

  19. Flow view Phone Blackboard Unsecure terminal Target website 1. QR code exchange 2. Login 3. {Session data} k 4. {Session data} k 5. Resume session Out of band exchange HTTP(S) traffic Encrypted data Elie Bursztein http://elie.im Session Juggler WWW 2012

  20. Flow view Phone Blackboard Unsecure terminal Target website 1. QR code exchange 2. Login 3. {Session data} k 4. {Session data} k 5. Resume session Out of band exchange HTTP(S) traffic Encrypted data Elie Bursztein http://elie.im Session Juggler WWW 2012

  21. Flow view Phone Blackboard Unsecure terminal Target website 1. QR code exchange 2. Login 3. {Session data} k 4. {Session data} k 5. Resume session Out of band exchange HTTP(S) traffic Encrypted data Elie Bursztein http://elie.im Session Juggler WWW 2012

  22. Flow view Phone Blackboard Unsecure terminal Target website 1. QR code exchange 2. Login 3. {Session data} k 4. {Session data} k 5. Resume session Out of band exchange HTTP(S) traffic Encrypted data Elie Bursztein http://elie.im Session Juggler WWW 2012

  23. Hijacking defense Defense % of Alexa100 Login over HTTPS 83% Using secure cookies 52% Seperating mobile and desktop sessions 6% Binding session to IP address 8% Checking local time 1% Binding session to user-agent header 0% Binding session to local language 0% Logout over HTTPS 1% Elie Bursztein http://elie.im Session Juggler WWW 2012

  24. Experimental results • Works on 98% of the Alexa top 100 • Can be extended to work against arbitrary defense Elie Bursztein http://elie.im Session Juggler WWW 2012

  25. Conclusion • Steal http session to provide a temporary login • No server side or client modification Elie Bursztein http://elie.im Session Juggler WWW 2012

  26. Thank you Thank you ! Questions ? Follow-me ! Google+ / Twitter: @elie More research: http://elie.im/ Elie Bursztein http://elie.im Session Juggler WWW 2012

  27. Alternative architecture 6) {Session data} 7) {Session data} 2) {Request} 3) {Request} 1) key 4) Get password 5) Login Resume session Elie Bursztein http://elie.im Session Juggler WWW 2012

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Oral Presentation Program Thursday Oct 3, 11:00-12:35 Session 1 Session 2 Session 3 Session 4

Oral Presentation Program Thursday Oct 3, 11:00-12:35 Session 1 Session 2 Session 3 Session 4

Oral Presentation Program Thursday Oct 3, 11:00-12:35 Session 1 Session 2 Session 3 Session 4 Session 5 Session 6 Session 7 Workshop Novel methods in mental Recovery - different Issues in psychiatric Competence and Theme Recovery

74 views • 5 slides
Bobby & moi Juggling, Magic and Music Bobby and the juggling poet a lovely musicality

Bobby & moi Juggling, Magic and Music Bobby and the juggling poet a lovely musicality

Bobby & moi Juggling, Magic and Music Bobby and the juggling poet a lovely musicality and rythm. Charente Libre 2013 30 minutes with the virtuoso of the vocal art Bobby McFerrin and a magic juggler He juggles with notes, melon

292 views • 6 slides
Session 2 : Numerical Python and plotting Session 2 In this session: Session 1 exercise

Session 2 : Numerical Python and plotting Session 2 In this session: Session 1 exercise

An introduction to scientific programming with Session 2 : Numerical Python and plotting Session 2 In this session: Session 1 exercise solutions Proper numerical arrays Plotting with matplotlib Other plotting options

706 views • 33 slides
SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This

SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This

CYFDs Mandated Foster Parent Training: Promoting Successful Placements and Child-Well Being SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This session builds on earlier content, emphasizing that many

1.05k views • 51 slides
SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This

SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This

CYFDs Mandated Foster Parent Training: Promoting Successful Placements and Child-Well Being SESSION TWO LOGISTICS Session Two: Understanding Behavior Duration: 2 hours Session Goals: This session builds on earlier content, emphasizing that many

935 views • 50 slides
Python CPD (1) Session 1, 9:30-11:00 (Background and Sequence). Session 2, 11:30-13:00

Python CPD (1) Session 1, 9:30-11:00 (Background and Sequence). Session 2, 11:30-13:00

17/06/2013 Content Python CPD (1) Session 1, 9:30-11:00 (Background and Sequence). Session 2, 11:30-13:00 (Selection, Lists, Frans Coenen Dictionaries and File Handling). Department of Computer Science Session 3, 13:40-15:00

886 views • 10 slides
ENGR/CS 101 CS Session Lecture 1 CS session webpage

ENGR/CS 101 CS Session Lecture 1 CS session webpage

ENGR/CS 101 CS Session Lecture 1 CS session webpage http://csserver.evansville.edu/~hwang/f13-courses/cs101.html Introduction sheet, turn in at the end of class The CS session constitutes 1/3 of the final course grade for ENGR/CS

357 views • 11 slides
SESSION SIX LOGISTICS Session Six: Endings and Beginnings Duration: 1.5 hours Session Goals: The

SESSION SIX LOGISTICS Session Six: Endings and Beginnings Duration: 1.5 hours Session Goals: The

CYFDs Mandated Foster Parent Training: Promoting Successful Placements and Child-Well Being SESSION SIX LOGISTICS Session Six: Endings and Beginnings Duration: 1.5 hours Session Goals: The final meeting addresses a key challenge: managing a

652 views • 39 slides
End-to-End SIP Session-ID at IETF88 dra%-ie)-insipid-session-id-02

End-to-End SIP Session-ID at IETF88 dra%-ie)-insipid-session-id-02

End-to-End SIP Session-ID at IETF88 dra%-ie)-insipid-session-id-02 4 November, 2013 James Polk, Paul Jones Gonzalo Salgueiro, Chris Pearce Why an

670 views • 13 slides
SESSION FOUR LOGISTICS Session Four: Regulation Duration: 2 hours Session Goals: Managing emotions

SESSION FOUR LOGISTICS Session Four: Regulation Duration: 2 hours Session Goals: Managing emotions

CYFDs Mandated Foster Parent Training: Promoting Successful Placements and Child-Well Being SESSION FOUR LOGISTICS Session Four: Regulation Duration: 2 hours Session Goals: Managing emotions and behavior can be difficult for children and teens

705 views • 69 slides
1. A Knowledge Sharing ePoster Session (or ePoster Session) is a session where the Author/Speaker

1. A Knowledge Sharing ePoster Session (or ePoster Session) is a session where the Author/Speaker

SPE/IATMI Asia Pacific Oil & Gas Conference and Exhibition (APOGCE) 11- 13 August 2015 Nusa Dua Convention Center, Bali, Indonesia KNOWLEDGE SHARING ePOSTER SESSION PRESENTATION GUIDELINES PART A: Session Format and Presentation Style 1.

424 views • 5 slides
DAY 1 Monday-(March 05, 2018-Afternoon Session) Track 1: Advanced Computing Evening Session

DAY 1 Monday-(March 05, 2018-Afternoon Session) Track 1: Advanced Computing Evening Session

DAY 1 Monday-(March 05, 2018-Afternoon Session) Track 1: Advanced Computing Evening Session (03:00 PM-04:00 PM) Student Committee Members: Session: Parallel Technical Session-I Ms. Vishalika Venue: Committee Room Mr. Atul Kumar Session

129 views • 10 slides
14/12 Thursday 14.00 - 15.45 Parallel Sessions Session 1 Session 2 Session 3 Economy

14/12 Thursday 14.00 - 15.45 Parallel Sessions Session 1 Session 2 Session 3 Economy

14/12 Thursday 14.00 - 15.45 Parallel Sessions Session 1 Session 2 Session 3 Economy Informality Spatial Models (AIT_G01) (AIT_G02) (AIT_G03) Moderator/Respondent: Moderator/Respondent: Moderator/Respondent: Nuno Soares / Tran Anh

249 views • 4 slides
CSc 337 LECTURE 28: SESSIONS AND WRAPPING UP What is a session? session : an abstract concept

CSc 337 LECTURE 28: SESSIONS AND WRAPPING UP What is a session? session : an abstract concept

CSc 337 LECTURE 28: SESSIONS AND WRAPPING UP What is a session? session : an abstract concept to represent a series of HTTP requests and responses between a specific Web browser and server HTTP doesn't support the notion of a session, but

707 views • 29 slides
Capital Improvement Plan (CIP) Work Session #2 (new work session added on May 26 to CIP

Capital Improvement Plan (CIP) Work Session #2 (new work session added on May 26 to CIP

Capital Improvement Plan (CIP) Work Session #2 (new work session added on May 26 to CIP schedule) School Board Work Session May 28, 2020 Community Information for the CIP Process APS Engage Website The 2019 AFSAP report, appendices,

540 views • 27 slides
BUSINESS ESSENTIALS Session 01- Introduction Session Outline What is business essentials

BUSINESS ESSENTIALS Session 01- Introduction Session Outline What is business essentials

BUSINESS ESSENTIALS Session 01- Introduction Session Outline What is business essentials (BE)? Importance of learning BE Key areas of BE Overview of the session plan Assessment strategy Important dates Mock Question

149 views • 12 slides
uProxy: a Social Proxy for your Browser Raymond Cheng, Will Scott, Aaron Gallant, Tom Anderson,

uProxy: a Social Proxy for your Browser Raymond Cheng, Will Scott, Aaron Gallant, Tom Anderson,

uProxy: a Social Proxy for your Browser Raymond Cheng, Will Scott, Aaron Gallant, Tom Anderson, Arvind Krishnamurthy University of Washington Seattle, WA, USA with help from our friends at Google Ideas 1/19 Takeaways Users need more

563 views • 24 slides
Who Am I?

Who Am I?

2/23/2012 HTML5 Top 10 Threats Stealth Attacks and Silent Exploits Shreeraj Shah

681 views • 46 slides
Announcements Schedule Web security part 1 today, part

Announcements Schedule Web security part 1 today, part

Announcements Schedule Web security part 1 today, part 2 in two weeks Next week: guest lecture by David Parter on Oct 15

749 views • 36 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
Cracking the Perimeter with SharpShooter Dominic Chell June 2019 # whoami Dominic Chell:

Cracking the Perimeter with SharpShooter Dominic Chell June 2019 # whoami Dominic Chell:

Cracking the Perimeter with SharpShooter Dominic Chell June 2019 # whoami Dominic Chell: Offensive Security @ MDSec Responsible for *BEST, STAR and TIBER services Twitter : @domchell Projects: SharpShooter LyncSniper

802 views • 46 slides
Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project

Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project

Network Measurements Censorship and Digital Rights in Southeast Asia Khairil Yusof, Sinar Project This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. History 13th General Elections HTTP was

612 views • 34 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT Software Ltd. WAFERs: Overview An application model for HTML + JavaScript content Requires no changes to an existing HTML document Only

233 views • 7 slides

More recommend