html5 security features at app sec usa

November 20th, 2013 by Jeanne Boyarsky

speaker: Johannes Ullrich

HTML 5 risky business or security toolchest at app sec usa

HTML 5 is

  • Collection of JavaScript APIs
  • Features to enable modern desktop like applications or support mobile devices
  • Your browser supports HTML 5 even if you don’t use it [well, pieces of it]

Authentication

  • Inclusive authentication – proof of identity of the user
  • Exclusive authentication – disprove the identity of the user – for example, an IP address isn’t for authentication but can be a second level, such as making sure the user is still in the network after log in. Similarly can use GPS
  • Half factor – password or token – attacker goes after whichever is weaker

[I missed the part about local storage because I was focused on trying to connect to the internet – remember humans can’t really multi-task]

Login with touch

  • Circle part of an image. Don’t circle faces. Everyone does that.
  • Android has connect the dots where you pick the pattern. Most people pick a common pattern like the letter C

Biometrics

  • Can do videoconferencing with just HTML5
  • Could use faces, hand signals/gestures or fingerprint
  • Not there yet. Hard to use when there is insufficient light
  • Can only recognize about 100 different patterns right now for faces
  • Apple not giving access to the fingerprint reader yet
  • Ok as second factor, but not ready for primary use. More of a gimmick than an authentication feature right now

Accelerometer

  • Can detect camera moving
  • Too much noise for authentication. Too hard to make same pattern repeatedly
  • Better for detecting whether walking or if on phone

Notifications

  • Only Safari has push notifications with browser closed
  • Local notifications widely supported. Good for finding out if have mail
  • Could use like SMS messages for security. “Someone else logged in as you”. Proactively notify users of security events.
  • Often have to accept account sharing. Let the user decide what to do
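The “someone else logged in as you” notification above, as an added example that is not from the talk or this post: a local notification built on the browser Notification API. The helper names, the shape of the login event and the sample data are this example’s own assumptions.

```javascript
// Added example (not from the talk or the post): proactively notify the user of a
// security event, here a sign-in from a device they have not approved, using the
// browser Notification API. Event shape and helper names are assumptions.

// Build the notification text from a login event. Keep it short and leave out
// secrets (session ids, full IP addresses): the text may appear on a lock screen.
function formatLoginAlert(event) {
  const where = event.city ? ` from ${event.city}` : "";
  return {
    title: "New sign-in to your account",
    body: `Someone signed in as ${event.user}${where} on ${event.device}. ` +
          "If this wasn't you, change your password.",
    tag: `login-${event.id}`, // same tag replaces an earlier copy instead of stacking
  };
}

// Decide whether the event warrants interrupting the user: only sign-ins from a
// device that is not already on the user's approved list.
function shouldAlert(event, knownDevices) {
  return !knownDevices.includes(event.device);
}

// Ask for permission (browsers generally require this to follow a user gesture)
// and show the notification. The returned status lets the caller fall back to
// e-mail or SMS when the browser cannot show anything.
async function notifySecurityEvent(event, knownDevices) {
  if (!shouldAlert(event, knownDevices)) return "skipped";
  if (typeof Notification === "undefined") return "unsupported";
  let permission = Notification.permission;
  if (permission === "default") permission = await Notification.requestPermission();
  if (permission !== "granted") return "denied";
  const { title, body, tag } = formatLoginAlert(event);
  new Notification(title, { body, tag });
  return "shown";
}

// Constructed sample event, as a server might push to the page over a WebSocket.
const sampleEvent = { id: 42, user: "jeanne", device: "Android phone", city: "Denver" };
```

Call `notifySecurityEvent(sampleEvent, approvedDevices)` from a click handler so the permission prompt is allowed; outside a browser it reports "unsupported" rather than throwing.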

URLs:
caniuse.com – which browsers support which features
authonthemove.com – has demo

My take
The client side hash is really interesting. It would be nice if browsers would help with/encourage that.
