Web Security Basics
Web Authentication API
WebAuthn uses public key cryptography (asymmetric) instead of passwords or SMS texts for registration, authentication and 2FA.
- Protection against phishing: webauthn signatures changes with the origin, so it won’t work on “similar” webpages (with different domain name).
- Reduced impact of data breaches: it does not really matter if the public key is stolen.
- Invulnerable to password attacks: much harder to crack it by “brute force” than passwords.
Matrix
- 2019, https://matrix.org/
- not the movie, but the “matrixed communication”
- open standard: spec
- non-profit Matrix.org Foundation
- decentralized
- end-to-end encryption
- olm, megolm
- based on Signal’s double ratchet
- extended to support encrypted rooms
- messaging (IM, rooms, bots, even IoT devices)
- signaling (for WebRTC, VoiP, video calls)
- bridging to other IM networks (XMPP, Slack, IRC, Discord, Facebook, …)
- HTTPS+JSON based by default, but a much lighter UDP based demo was already created for ~100bps (!) networks
Rate limiting
Why?
- DoS - Denial of Service attacks
- Brute Force attacks
- collect customer email addresses (signup)
- reveal username/password pairs (login)
- send emails (contact us, gift card)
Cross-Site Request Forgery
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
Cross Site Scripting (XSS)
Data (from untrusted source) gets into the application, then this data is later displayed in the website without being properly validated/sanitized/escaped.
Cross-Origin Resource Sharing
Modern browsers apply the same-origin policy to some resources, meaning they refuse to load or restrict access to resources coming from other origins than the loaded website. Servers can implement CORS to describe which origins are permitted to load their resources.
For some HTTP requests, browsers issue a “preflight” request (HTTP OPTIONS) to check whether the resource is available for the given origin.