Sunday, March 18, 2012

Bad, Bad Browsing

DUE DATE EXTENDED TO MONDAY AT 11 PM.
Most users access the Internet through a web browser. But we have learned that even if we are using the HTTPS protocol, it cannot protect us from lots of bad, bad browser-based stuff. For this week's blog we will wrap up our unit on web application security by looking at browser-based vulnerabilities.
My article is about the BEAST (Browser Exploit Against SSL/TLS) and how it exploits a weakness in the SSL 3.0/TLS 1.0 protocols to break the encryption on your session. The scientists who proved the vulnerability have published the info AND they have shown that TLS 1.1 or 1.2 would be effective encryption. However, most web browsers and web servers have not shifted to the safer protocols because the expense and trouble are significant. There is a graph in the article that shows exactly how little TLS 1.1 / 1.2 are being used. I tried implementing TLS 1.1 on my computer for IE9, Chrome and Firefox - only IE9 even lets you make that change, but when I tried to access HTTPS sites with TLS 1.1 set, the sites gave me an error message. The article advises to practice safe surfing, but I'm not sure that helps when you are talking about ecommerce.
http://www.pcworld.com/businesscenter/article/240933/hackers_crack_internet_encryption_should_you_be_worried.html

You need to find a news article about a web browser vulnerability. Write several sentences to explain the vulnerability, how it was or can be used in an attack, and whether there is any solution. Make sure you understand the article and summarize it in simple terms.
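As an added example (not from the article or this post), here is a Python script that does what the post describes trying by hand in the browser, but from the server side of the problem: it checks which SSL/TLS versions a server you operate still accepts, and flags whether one of the BEAST-affected versions is among them. The host name and port are assumptions; run it only against servers you administer.

```python
"""Probe which SSL/TLS versions a server negotiates (added audit example,
not from the article). Assumes Python 3.7+ on OpenSSL 1.1.0+; host names
are assumptions, e.g. audit("www.example.com") for a server you operate."""
import socket
import ssl

# Oldest to newest; versions your OpenSSL lacks come back 'unsupported_locally'.
PROBE_VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                  ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2,
                  ssl.TLSVersion.TLSv1_3]
# BEAST targets these: their CBC records reuse the previous record's last
# ciphertext block as the IV, while TLS 1.1+ sends a fresh explicit IV.
BEAST_AFFECTED = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1}


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'unsupported_locally'."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ctx.maximum_version = version  # pin one version
    except (ValueError, ssl.SSLError):
        return "unsupported_locally"
    try:  # let legacy versions past the local OpenSSL security policy, if possible
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLCertVerificationError:
        return "accepted"  # version negotiated; only the certificate failed
    except ssl.SSLError:
        return "rejected"  # refused by the server, or by local policy
    except OSError:
        return "unreachable"


def assess(results):
    """Summarise a {version: outcome} map from probe_version()."""
    accepted = {v for v, r in results.items() if r == "accepted"}
    return {"accepted": sorted(v.name for v in accepted),
            "beast_exposed": bool(accepted & BEAST_AFFECTED),
            "safe_versions_only": bool(accepted) and not (accepted & BEAST_AFFECTED)}


def audit(host, port=443):
    """Probe every version and summarise; run against servers you administer."""
    return assess({v: probe_version(host, port, v) for v in PROBE_VERSIONS})
```

A "rejected" result can mean the server refused the version or that your local OpenSSL policy did, which is the same wall the post ran into when trying to force TLS 1.1 in the browser.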

Thursday, March 1, 2012

What a Tangled Web!

We have just started a unit on hardening Web applications.  You will need to learn how to identify what the vulnerabilities are and how to remember the difference between them. So to get a start on this topic, the assignment this week is to find a website that gives a good explanation on one of these topics:
  • Buffer Overflow
  • CGI Script
  • Java applets
  • JavaScript
  • ActiveX
  • Cross-site Scripting
You can post a link to a text article OR a video - as long as it really helps our understanding of the topic. Write a three-sentence summary of the content in your link.
My post for this week is on Buffer Overflows. The Wired website has a cool cartoon animation of how good code should accept limited input and then discard any extra. It then shows what happens when bad code allows for a buffer overflow that corrupts operating code.  http://www.wired.com/threatlevel/2009/03/conficker-how-a/
Enjoy!