This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "User talk:Mohammed ALDOUB"
Line 71: | Line 71: | ||
2- [https://www.owasp.org/images/4/4b/OWASP_defending-MITMA_APAC2012.pdf Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs, by Tobias Gondrom] | 2- [https://www.owasp.org/images/4/4b/OWASP_defending-MITMA_APAC2012.pdf Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and and Pinning of Certs, by Tobias Gondrom] | ||
+ | |||
+ | |||
+ | == Panic Modes == | ||
+ | |||
+ | A panic mode is a mode that threatened users can refer to when they fall under direct threat to disclose account credentials. Many times such threats around the world are accompanied by violence, blackmail or even imprisonment. | ||
+ | |||
+ | Giving users the ability to create a panic mode can help them survive these threats, especially in tumultuous regions around the world. Unfortunately many users around the world are subject to types of threats that most web developers do not know of or take into account. | ||
+ | |||
+ | Examples of panic modes are modes where distressed users can delete their data upon threat, log into fake inboxes/accounts/systems, or triggers to backup/upload/hide sensitive data. | ||
+ | |||
+ | The appropriate panic mode to implement differs depending on the application type. A disk encryption software such as TrueCrypt might implement a panic mode that starts up a fake system partition if the user entered his distressed password. | ||
+ | |||
+ | E-mail providers might implement a panic mode that hides predefined sensitive emails or contacts, and allow reading innocent e-mail messages only, usually as defined by the user, while preventing the panic mode from overtaking the actual account. | ||
+ | |||
+ | An important note about panic modes is that they must not be discoverable. An adversary inside a victim's panic mode must not have any way, or as little possibilities as possible, of finding out the truth. This means that once inside a panic mode, most non-sensitive normal operations must be allowed to continue (such as sending or receiving email), and that further panic modes must be possible to create from inside the original panic mode (If the adversary tried to create a panic mode on a victim's panic mode and failed, the adversary would know he/she was already inside a panic mode, and might attempt to hurt the victim). | ||
+ | |||
+ | Another solution would be to prevent panic modes from being generated from the user account, and instead making it a bit harder to spoof by adversaries. For example it could be only created Out Of Band, and adversaries must have no way to know a panic mode already exists for that particular account. | ||
+ | |||
+ | The implementation of a panic mode must always aim to confuse adversaries and prevent them from figuring out the truth about victim accounts and data, as well as the existence of panic modes for a particular account. | ||
+ | |||
+ | For more details regarding TrueCrypt's hidden operating system mode, please refer to: | ||
+ | |||
+ | 1- [http://www.truecrypt.org/docs/?s=hidden-operating-system TrueCrypt Hidden Operating System] | ||
+ | |||
+ | == Remote Session Invalidation == | ||
+ | |||
+ | In case user equipment is lost, stolen or confiscated, or under suspicion of cookie theft; it might be very beneficial for users to able to see their current online sessions and disconnect/invalidate any suspicious lingering sessions, especially ones that belong to stolen or confiscated devices. Remote session invalidation can also help if a user suspects his session details were stolen in a Man-in-the-Middle attack. | ||
+ | |||
+ | For details regarding session management, please refer to: | ||
+ | 1- [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet OWASP Session Management Cheat Sheet] |
Revision as of 21:02, 12 August 2012
User Legal and Political Protection Cheat Sheet
Introduction
The political and legal impact of online activities has been rising significantly over the years, with users now able to take down entire governments and change legislation using online services and social networking. This fact puts into focus the grave danger users are getting introduced to by using these online services, especially in oppressive regions around the world.
This OWASP Cheat Sheet introduces risks and mitigations that web developers need to realize in order to protect their users from a vast array of potential aggressors, including oppressive governments and organized crime rings around the world.
Scope of Threats
An array of potential threats surrounds online users, and this cheat sheet focuses on political and legal threats that users might face by using these online services, especially social networking and communication platforms. The various reports of imprisonments and even execution for users in some parts of the world simply for using online services must be taken seriously by web developers.
Guidelines
1- Strong Cryptography:
Any online platform that handles user identities, private information or communications must be secured with the use of strong cryptography. User communications must be encrypted in transit and storage. User secrets such as passwords must also be protected using strong, collision-resistant hashing algorithms with increasing work factors, in order to greatly mitigate the risks of exposed credentials as well as proper integrity control.
To protect data in transit, developers must use and adhere to TSL/SSL best practices such as verified certificates, adequately protected private keys, usage of strong ciphers only, informative and clear warnings to users, as well as sufficient key lengths.
Private data must be encrypted in storage as well, using keys with sufficient lengths and under strict access conditions, both technical and procedural. User credentials must be hashed regardless of whether or not they are encrypted in storage.
For detailed guides about strong cryptography and best practices, read the following OWASP references:
1- Cryptographic Storage Cheat Sheet
3- Transport Layer Protection Cheat Sheet
Support HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is an HTTP header set by the server indicating to the user agent that only secure (HTTPS) connections are accepted, prompting the user agent to change all insecure HTTP links to secure HTTPS ones, and also forcing the compliant user agent to fail-safe by refusing any TLS/SSL connection that is not trusted by the user.
HSTS has average support on popular user agent, such as Mozilla Firefox and Google Chrome. Nevertheless, it remains very useful for users who are in consistent fear of spying and Man in the Middle Attacks.
If it is impractical to force HSTS on all users, web developers should at least give users the choice to enable it if they wish to make use of it.
For more details regarding HSTS, please visit:
1- HTTP Strict Transport Security in Wikipedia
Digital Certificate Pinning
Certificate Pinning is the practice of hardcoding or storing a pre-defined set of hashes for digital certificates/public keys in the user agent (be it web browser, mobile app or browser plugin) such that only the predefined certificates are used for secured communication, and any other certificate will fail, even if the user trusted (implicitly or explicitly) the other certificates.
Some advantages for certificate pinning are:
- In the event of CA compromise, in which a compromised CA trusted by a user can issue certificates for any domain, allowing evil perpetrators to eavesdrop on users.
- In environments where users are forced to accept a potentially-malicious root CA, such as corporate environments or national PKI schemes.
- In applications where the target demographic may not understand certificate warnings, and is likely to just allow any invalid certificate.
For details regarding certificate pinning, please refer to the following:
1- Public Key Pinning Extension for HTTP draft-ietf-websec-key-pinning-02
Panic Modes
A panic mode is a mode that threatened users can refer to when they fall under direct threat to disclose account credentials. Many times such threats around the world are accompanied by violence, blackmail or even imprisonment.
Giving users the ability to create a panic mode can help them survive these threats, especially in tumultuous regions around the world. Unfortunately many users around the world are subject to types of threats that most web developers do not know of or take into account.
Examples of panic modes are modes where distressed users can delete their data upon threat, log into fake inboxes/accounts/systems, or triggers to backup/upload/hide sensitive data.
The appropriate panic mode to implement differs depending on the application type. A disk encryption software such as TrueCrypt might implement a panic mode that starts up a fake system partition if the user entered his distressed password.
E-mail providers might implement a panic mode that hides predefined sensitive emails or contacts, and allow reading innocent e-mail messages only, usually as defined by the user, while preventing the panic mode from overtaking the actual account.
An important note about panic modes is that they must not be discoverable. An adversary inside a victim's panic mode must not have any way, or as little possibilities as possible, of finding out the truth. This means that once inside a panic mode, most non-sensitive normal operations must be allowed to continue (such as sending or receiving email), and that further panic modes must be possible to create from inside the original panic mode (If the adversary tried to create a panic mode on a victim's panic mode and failed, the adversary would know he/she was already inside a panic mode, and might attempt to hurt the victim).
Another solution would be to prevent panic modes from being generated from the user account, and instead making it a bit harder to spoof by adversaries. For example it could be only created Out Of Band, and adversaries must have no way to know a panic mode already exists for that particular account.
The implementation of a panic mode must always aim to confuse adversaries and prevent them from figuring out the truth about victim accounts and data, as well as the existence of panic modes for a particular account.
For more details regarding TrueCrypt's hidden operating system mode, please refer to:
1- TrueCrypt Hidden Operating System
Remote Session Invalidation
In case user equipment is lost, stolen or confiscated, or under suspicion of cookie theft; it might be very beneficial for users to able to see their current online sessions and disconnect/invalidate any suspicious lingering sessions, especially ones that belong to stolen or confiscated devices. Remote session invalidation can also help if a user suspects his session details were stolen in a Man-in-the-Middle attack.
For details regarding session management, please refer to: 1- OWASP Session Management Cheat Sheet