security.html

<!doctype html>
<html lang="en">

    <head>
        <meta charset="utf-8">

        <title>Web Archive Security</title>

        <meta name="description" content="Web Archives Security">
        <meta name="author" content="Jack Cushman, Ilya Kreymer">

        <meta name="apple-mobile-web-app-capable" content="yes">
        <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">

        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">

        <link rel="stylesheet" href="css/reveal.css">
        <link rel="stylesheet" href="css/theme/white_styled.css" id="theme">
        <link href="https://fonts.googleapis.com/css?family=Roboto:300,400,500" rel="stylesheet">

        <!-- Code syntax highlighting -->
        <link rel="stylesheet" href="lib/css/zenburn.css">

                <!-- CUSTOM STYLE -->
                <link rel="stylesheet" href="css/theme/white_styled.css" id="theme">
                <link href="https://fonts.googleapis.com/css?family=Roboto:300,400,500" rel="stylesheet">
        <!-- Printing and PDF exports -->
        <script>
            var link = document.createElement( 'link' );
            link.rel = 'stylesheet';
            link.type = 'text/css';
            link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';
            document.getElementsByTagName( 'head' )[0].appendChild( link );
        </script>

        <style>
            ul {
                text-align: left !important;
                display: block !important;
            }
            .clear-both {
                clear: both;
            }
            .footer-links {
                display: inline-block;
                margin-left: 20px;
                vertical-align: middle;
                line-height: 1.5em;
                font-family: sans-serif;
                font-weight: bold;
            }
            .scale-diag {
                width: 45%;
                height: 45%
            }

            .tbl td {
                text-align: center !important;
                font-size: 80%;
            }
            .reveal pre {
                line-height: 0.9em;
                box-shadow: none;
            }
            .threat {
                /*text-transform: uppercase;*/
                text-align: left;
                color: crimson !important;
            }
            .concern {
                /*text-transform: uppercase;*/
                text-align: left;
                color: orange;
            }
            .miti {
                /*text-transform: uppercase;*/
                text-align: left;
                color: green;
            }
            .caps-label{
              text-transform:uppercase!important;
              font-size: 50%!important;
              font-weight: 500!important;
              display: block;
              margin-bottom: -0.4em!important;
            }
            .url {
              font-family: courier, monospace !important;
              font-size: 90%;
              color: darkBlue;
            }
            .extra-pad {
                margin-bottom: 30px !important;
            }
            .extra-extra-pad {
                margin-bottom: 60px !important;
            }
             .footer-text {
                font-size: 28px;
                margin-left: 50px;
                font-family: sans-serif;
                display: inline;
            }
        </style>

        <!--[if lt IE 9]>
<script src="lib/js/html5shiv.js"></script>
<![endif]-->
    </head>

    <body>

        <div class="reveal">

            <!-- Any section element inside of this container is displayed as a slide -->
            <div class="slides">
                <section>
                    <h4 style="padding-top: 12%; margin-bottom: 0.01rem">Thinking like a hacker<span style="margin-left:4px">:</span></h4>
                    <h3>Security Considerations for<br/>High-Fidelity Web Archives</h3>
                    <p>Jack Cushman, Perma.cc</p>
                    <p>Ilya Kreymer, Webrecorder</p>
                </section>

                <section>
                    <h3>Why is security a concern in a web archive?</h3>
                    <ul>
                        <li class="fragment strike">Web Archives just collection of old pages</li>
                        <li class="fragment extra-extra-pad"><b>High-Fidelity web archives run untrusted web software</b></li>
                        <li class="fragment strike">Live site is "safe", so nothing to worry about</li>
                        <li class="fragment extra-extra-pad"><b>Web archive replay can pose new security risks</b></li>
                        <li class="fragment strike">Pages in web archives are always reliable</li>
                        <li class="fragment"><b>Replay issues side, page loaded from an archive could intentionally deceive</b></li>
                    </ul>
                </section>

                <section>
                    <h3>So our challenge:</h3>
					<p><img src="img/dinosaur.jpg" style="width: 50%"></p>
                </section>

                <section>
                    <h3>Possible security threats</h3>
                    <ol class="fragment">
						<li>Archiving local server files</li>
						<li>Hacking the headless browser</li>
						<li>Stealing user secrets during capture</li>
						<li>Cross site scripting to steal archive logins</li>
						<li>Live web leakage on playback</li>
						<li>Show different page contents when archived</li>
						<li>Banner spoofing</li>
                    </ol>
                </section>

				<!-- UNAUTHORIZED CAPTURE -->

                <section>
                    <p class="threat"><span class="caps-label">Threat:</span> Archiving local content</p>
                    <ul>
                        <li class="fragment">Capture system could have privileged access:</li>
                            <ul>
                            <li class="fragment">Local ports: <i class="url">http://localhost:8080/</i></li>
                            <li class="fragment">Network server: <i class="url">http://private-server/</i></li>
                            <li class="fragment">Local files: <i class="url">file:///etc/passwd</i></li>
                            </ul>
                         <li class="fragment">Could capture private resources, into a public archive</li>
                   </ul>
                    <p class="miti fragment"><span class="caps-label">Mitigation:</span>Network Filtering + Sandboxing</p>
                    <ul>
                        <li class="fragment">Don't allow capture of local ip ranges</li>
                        <li class="fragment">Restrict to http(s) protocol</li>
                        <li class="fragment">Run capture in isolated container/VM</li>
                    </ul>
                </section>
                <section>
                    <p class="threat"><span class="caps-label">Threat:</span>Hacking the headless browser</p>
                    <ul>
                        <li class="fragment">Modern captures may use PhantomJS or other browsers on the server</li>
                        <li class="fragment">Most browsers have known exploits</li>
					</ul>
                    <p class="miti fragment"><span class="caps-label">Mitigation:</span> Sandboxing</p>
                    <ul>
                        <li class="fragment">Run capture system in isolated virtual machine</li>
                        <li class="fragment">Keep VM up to date</li>
                    </ul>
                </section>

				<!-- PASSWORD-PROTECTED CAPTURE -->

                <section>
                    <p class="threat"><span class="caps-label">Threat:</span>Stealing user secrets during capture</p>
                    <ul>
                        <li class="fragment">Normal web flow:</li>
                            <ul>
                            <li class="fragment"><i class="url">https://twitter.com/login</i></li>
                            <li class="fragment"><i class="url">https://doubleclick.com/evil-ad</i></li>
                            </ul>
                        </li>
                        <li class="fragment extra-pad">During Webrecorder interactive capture:
                            <ul>
                            <li class="fragment"><i class="url">https://webrecorder.io/record/<b>https://twitter.com/login</b></i></li>
                            <li class="fragment"><i class="url">https://webrecorder.io/record/<b>https://doubleclick.com/evil-ad</b></i></li>
                            </ul>
                        </li>
                        <li class="fragment">Standard cross-domain protections do not apply!</li>
                    </ul>
                </section>
                <section data-transition="none">
                    <p class="threat"><span class="caps-label">Threat:</span>Stealing user secrets during capture</p>
                    <p class="concern fragment"><span class="caps-label">Partial Mitigation:</span> Rewriting</p>
                    <ul>
                        <li class="fragment">Rewrite cookies to exact path only</li>
                        <li class="fragment">Rewrite JS to intercept cookie access</li>
                    </ul>
                    <p class="concern fragment"><span class="caps-label">Mitigation:</span> Separate Recording Sessions</p>
                    <ul>
                        <li class="fragment">For Webrecorder, use separate recording sessions when recording credentialed content</li>
                    </ul>
                    <p class="miti fragment"><span class="caps-label">Mitigation:</span> Remote browser</p>
                    <ul>
                        <li class="fragment">Record in containerized/proxy mode browser</li>
                    </ul>
                </section>

				<!-- HOSTING REPLAYS AND LOGINS ON SAME SITE -->

                <section>
                    <p class="threat"><span class="caps-label">Threat:</span>Cross site scripting to steal archive logins</p>
                    <ul>
                        <li class="fragment"><i class="url">http://myarchive.com/<b>login</b></i> is the main institution login page</li>
                        <li class="fragment"><i class="url">http://myarchive.com/<b>web/http://evil.com</b></i> is a web archive</li>
                        <li class="fragment">safe?</li>
                    </ul>
                    <p class="fragment threat">No!</p>
                    <ul>
                        <li class="fragment">Cross-site scripting (XSS): an admin who visits <i class="url">http://myarchive.com/web/http://evil.com</i> has their account taken over</li>
                    </ul>
                </section>
                <section>
                    <p class="threat"><span class="caps-label">Threat:</span>Cross site scripting to steal archive logins<br>...across subdomains</p>
                    <ul>
                        <li class="fragment"><i class="url">http://myarchive.com/<b>login</b></i> is the main institution login page</li>
                        <li class="fragment"><i class="url">http://<b>web</b>.myarchive.com/http://evil.com</i> is a web archive</li>
                        <li class="fragment">safe?</li>
                    </ul>
                    <p class="fragment concern">Still no ...</p>
                    <ul>
						<li class="fragment">In <a href="https://stackoverflow.com/a/17371607/307769">IE10</a>, evil.com might steal login cookie</li>
						<li class="fragment">In <b>all</b> browsers, evil.com can wipe and replace cookies</li>
                    </ul>
                </section>
                <section>
                    <p class="miti"><span class="caps-label">Mitigation:</span> Run web archive on separate domain</p>
                    <ul>
                        <li class="fragment">Use iframes to isolate web archive content</li>
                        <li class="fragment">Load web archive app from <i>app domain</i></li>
                        <li class="fragment">Load iframe content from <i>content domain</i></li>
                        <li class="fragment extra-pad">Webrecorder example:
                            <ul>
                            <li><i class="url">https://webrecorder.io/</i> -- app domain</li>
                            <li><i class="url">https://wbrc.io/</i> -- content domain</li>
                            </ul>
                        </li>
                        <li class="fragment extra-pad">Perma.cc example:
                            <ul>
                            <li><i class="url">https://perma.cc/</i> -- app domain</li>
                            <li><i class="url">https://perma-archives.org/</i> -- content domain</li>
                            </ul>
                        </li>
                    </ul>
                </section>

				<!-- CONTENT-BASED SHENANIGANS -->

				<section>
                    <p class="threat"><span class="caps-label">Threat:</span>Live web leakage on playback</p>
                    <ul>
                        <li class="fragment">Javascript can send messages to evil.com and fetch new content</li>
                        <li class="fragment">... to mislead, track users, or rewrite history</li>
						<li class="fragment">(<b>Bonus</b> for private archives -- any of your captures could export any of your other captures)</li>
                    </ul>
                    <p class="miti fragment"><span class="caps-label">Mitigation:</span>Content-Security-Policy header can limit access to web archive domain</p>
                </section>
				<section>
                    <p class="threat"><span class="caps-label">Threat:</span>Show different page contents when archived</p>
                    <ul>
                        <li class="fragment">Pages can tell they're in an archive and act differently</li>
                    </ul>
                    <p class="miti fragment"><span class="caps-label">Mitigation:</span> Run archive in containerized/proxy mode browser</p>
                </section>
				<section>
                    <p class="threat"><span class="caps-label">Threat:</span>Banner spoofing</p>
                    <ul>
                        <li class="fragment">Pages can dynamically edit the archive's banner</li>
                    </ul>
					<p class="fragment"><img src="img/perma_fake.png"></p>
				</section>
				<section>
                    <p class="miti"><span class="caps-label">Mitigation:</span>Use iframes for replay</p>
                    <ul>
                        <li class="fragment">Don't inject banner into replay frame</li>
                        <li class="fragment">Use <span class="url">X-Frame-Options</span> header to limit embedding</li>
                        <li class="fragment">Serve from separate content domain</li>
                        <li class="fragment">Use iframe sandbox (more restrictive)</li>
                    </ul>
                    <p class="miti fragment"><span class="caps-label">Mitigation:</span> Run archive in containerized/proxy mode browser</p>
                    <p class="miti fragment"><span class="caps-label">Mitigation:</span> Display rendered DOM and strip javascript (archive.is)</p>
				</section>
                <section>
                    <h3 style="margin-top:12%">What's next?</h3>
                    <ul>
                        <li class="fragment">Build tools for web archive security research</li>
                        <li class="fragment">Challenge researchers to find security issues</li>
                        <li class="fragment"><h3>Introducing: <a href="http://warc.games">http://warc.games/</a></h3></li>
                    </ul>
                </section>
                <section>
                    <h3 style="margin-top:15%">Thank you!</h3>
                    <br/>
                    <h4>Questions?</h4>
                </section>
            </div>
        </div>

    <!-- Footer -->
    <div style="position:absolute; bottom:1%; left:2%; width:100%; vertical-align: middle">
        <a href="https://webrecorder.io/"><img style="vertical-align: middle; width: auto; height: 60px" src="img/Webrecorder_logo_text-shaded.png"></a>
        <!-- <img style="vertical-align: middle" width="18%" src="img/wr-text.png"> -->
        <!--<span class="footer-links">
            <a href="https://webrecorder.io/" target="_blank">webrecorder.io</a><br/>
            <a href="http://rhizome.org/" target="_blank">rhizome.org</a>
        </span>-->
        <a href="https://perma.cc/"><img style="vertical-align: middle; width: auto; height: 60px" src="img/Perma-cc_412px.png"/></a>
        <!--<p class="footer-text">Web Archive Security</p>-->
        <!--<span class="footer-links">
            <a href="https://perma.cc/" target="_blank">Perma.cc</a>
        </span>-->
    </div>

    <script src="lib/js/head.min.js"></script>
    <script src="js/reveal.js"></script>

    <script>

        // Full list of configuration options available at:
        // https://github.com/hakimel/reveal.js#configuration
        Reveal.initialize({
            controls: true,
            progress: true,
            history: true,
            center: false,
            margin: 0.05,

            transition: 'slide', // none/fade/slide/convex/concave/zoom

            // Optional reveal.js plugins
            dependencies: [
                { src: 'lib/js/classList.js', condition: function() { return !document.body.classList; } },
                { src: 'plugin/markdown/marked.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
                { src: 'plugin/markdown/markdown.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
                { src: 'plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } },
                { src: 'plugin/zoom-js/zoom.js', async: true },
                { src: 'plugin/notes/notes.js', async: true }
            ]
        });

    </script>

    </body>
</html>
g