Hi, Billy Rios here, I was recently invited to speak at Hack in the Box (HITB) in Dubai. While at HITB, I participated in two different talks, but I’m going to focus on the talk Chris Evans and I co-presented: “Cross Domain Leakiness.” Chris Evans is a security lead for Google’s Core Security team. Some may find it strange to see a Microsoft and a Google employee sharing the same stage, but regardless of the corporate logos we wear on our t-shirts, it is refreshing to have collaboration between passionate engineers on security issues.
We divided the talk into two central themes. First, we presented some browser bugs we had discovered over the last year. For the second piece, we focused on the browser and Web application scenario where a user joins an untrusted network, more commonly known as the “Starbucks scenario.” In this scenario, the attacker has control over the network utilized by the user. As Internet access becomes more ubiquitous, the scenario in which a user joins an untrusted network is becoming more and more common. Many businesses offer Wi-Fi access to their customers as a convenience, and there are even some cities that have “gone online,” offering their residents free Wi-Fi access in city parks and business centers. All of these circumstances fall within the “Starbucks scenario.”
While most of the threats in a “Starbucks scenario” can be mitigated by simply using Secure Sockets Layer (SSL) encryption, certain Web application designs and browser behaviors can weaken the protection provided by SSL. Chris and I talked about some of these designs and behaviors and provided some examples on how various browsers handle mixed content, the ability of non-SSL pages to write Secure cookies, and how browser plug-ins can complicate matters. If you’re interested in reading about some of the items we spoke about at HITB, you can find the materials here. Protecting an application in a hostile environment is difficult. It requires a solid understanding of what can be trusted (not much) and what cannot be trusted. It is vital that today’s applications consider the “Starbucks scenario” in their threat models and design reviews. Administrators of such networks must understand where the trust boundaries end; otherwise they may find users losing their data before their first cup of coffee!
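Two of the SSL-weakening designs mentioned above, mixed content and cookies set without the Secure attribute, can be checked for from the application side. The following is an added example, not code from the talk or its materials, that scans an https page's HTML for http:// resource references and audits Set-Cookie headers for missing Secure flags; the sample HTML and cookie headers are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose http:// references on an https page constitute mixed content.
# Scripts, frames, stylesheets and plug-in objects are active content (they
# can run code in the page's origin); images and media are passive.
ACTIVE = {"script": ("src",), "iframe": ("src",), "object": ("data",),
          "embed": ("src",), "link": ("href",)}
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src",)}


class MixedContentFinder(HTMLParser):
    """Collect http:// resource references found in an https page."""

    def __init__(self):
        super().__init__()
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, bucket in ((ACTIVE, self.active), (PASSIVE, self.passive)):
            for name in table.get(tag, ()):
                url = attrs.get(name) or ""
                if url.lower().startswith("http://"):
                    bucket.append((tag, url))


def find_mixed_content(html):
    """Return active and passive mixed-content references, in document order."""
    parser = MixedContentFinder()
    parser.feed(html)
    return {"active": parser.active, "passive": parser.passive}


def audit_set_cookie(headers):
    """Return names of cookies whose Set-Cookie header lacks the Secure attribute."""
    insecure = []
    for header in headers:
        name = header.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in header.split(";")[1:]]
        if "secure" not in attrs:
            insecure.append(name)
    return insecure


# Constructed sample input: an https page with mixed content and a cookie set
# without Secure (the hostnames are placeholders, not real sites).
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
</head><body>
<img src="http://img.example.test/logo.png">
<object data="http://plugins.example.test/viewer.swf"></object>
</body></html>"""
SAMPLE_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly", "prefs=dark; Path=/"]
```

On the sample above, the script and the plug-in object are reported as active mixed content, the image as passive, and only the prefs cookie is flagged as lacking Secure.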
After the conference, it was time for some “Dune Busting”. A few of us loaded up into air-conditioned 4x4 Toyota Land Cruisers and hit the dunes of Dubai. It was loads of fun blasting through the sand dunes, racing through the desert, nearly tipping the vehicle over several times as we egged our driver on over the dunes. Dubai is a marvelous city, full of amazing sights and attractions. HITB was loads of fun. Thanks to Dhillon K for inviting me out!
-Billy Rios
[Editor’s note: check out the MSRC Ecosystem Strategy Blog for another Microsoft perspective on HITB-Dubai]