speaker: Johannes Ullrich
HTML 5: risky business or security toolchest, at AppSec USA
HTML 5 is
- Collection of JavaScript APIs
- Features to enable modern desktop like applications or support mobile devices
- Your browser supports HTML 5 even if you don’t use it [well, pieces of it]
Authentication
- Inclusive authentication – proof of identity of the user
- Exclusive authentication – disprove the identity of the user – for example, an IP address isn't for authentication but can be a second-level check, such as making sure the user is still on the same network after login. Similarly can use GPS
- Half factor – password or token – attack whichever is weaker
[I missed the part about local storage because I was focused on trying to connect to the internet – remember humans can’t really multi-task]
Login with touch
- Circle part of an image. Don't circle faces. Everyone does that.
- Android has connect-the-dots where you pick the pattern. Most people pick a common pattern like the letter C
Biometrics
- Can do videoconferencing with just HTML5
- Could use faces, hand signals/gestures or fingerprint
- Not there yet. Hard to use when there is insufficient light
- Can only recognize about 100 different patterns right now for faces
- Apple not giving access to the fingerprint reader yet
- Ok as second factor, but not ready for primary use. More of a gimmick than an authentication feature right now
Accelerometer
- Can detect camera moving
- Too much noise for authentication. Too hard to make same pattern repeatedly
- Better for detecting whether walking or if on phone
Notifications
- Only Safari has push notifications with browser closed
- Local notifications widely supported. Good for finding out if have mail
- Could be used like SMS messages for security: “Someone else logged in as you”. Proactively notify users of security events.
- Often have to accept account sharing. Let the user decide what to do
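An added example (not from the talk) of the “someone else logged in as you” idea: a page maps security events to browser notifications via the standard Notification API. The event list is constructed here, and the Notification constructor is injected so the decision logic can also run outside a browser.

```javascript
// Constructed sample of security events, as a server might push to the page.
const SAMPLE_EVENTS = [
  { type: "login", user: "alice", ip: "203.0.113.7", ua: "Firefox", knownDevice: false },
  { type: "login", user: "alice", ip: "192.0.2.10", ua: "Chrome", knownDevice: true },
  { type: "password_change", user: "alice", ip: "203.0.113.7", ua: "Firefox", knownDevice: false },
];

// Decide which events deserve a notification and how to phrase it.
// Pure function: no browser globals, so it is easy to test.
function describeSecurityEvent(ev) {
  if (ev.type === "login" && !ev.knownDevice) {
    return {
      title: "New sign-in to your account",
      body: `Someone logged in as ${ev.user} from ${ev.ip} (${ev.ua}). ` +
            "If this wasn't you, review your active sessions.",
    };
  }
  if (ev.type === "password_change") {
    return {
      title: "Your password was changed",
      body: `Changed from ${ev.ip} (${ev.ua}). If this wasn't you, contact support.`,
    };
  }
  return null; // routine login from a known device: don't spam the user
}

// Show notifications for the events that matter. NotificationCtor defaults to the
// browser's Notification; an injected fake lets the flow run without a browser.
// Returns the notification objects that were actually shown.
async function notifySecurityEvents(events, NotificationCtor = globalThis.Notification) {
  if (!NotificationCtor) return []; // not running in a browser
  let permission = NotificationCtor.permission;
  if (permission === "default") permission = await NotificationCtor.requestPermission();
  if (permission !== "granted") return []; // user declined: fall back to in-page messaging
  const shown = [];
  for (const ev of events) {
    const msg = describeSecurityEvent(ev);
    if (!msg) continue;
    // tag collapses repeated alerts for the same kind of event from the same address
    shown.push(new NotificationCtor(msg.title, { body: msg.body, tag: `sec-${ev.type}-${ev.ip}` }));
  }
  return shown;
}
```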
URLs:
caniuse.com – which browsers support which features
authonthemove.com – has demo
My take
The client side hash is really interesting. It would be nice if browsers would help with/encourage that.