ICS

« March 2009 | Main | May 2009 »

April 2009

April 24, 2009

Ruminations on the Recent OAuth Security Issue

You may have heard about the recent OAuth security hole that left Twitter vulnerable to cross-site scripting attacks. The first response someone looking at the details of the attack and its high media coverage might be to throw up their hands and give up on OAuth altogether.

This is to the wrong way to look at these recent events. The OAuth specification is a great one. Like all great standards, it is easy to read and simple to implement. For example, one of the developers here at the Institute for Cyber Security wrote a robust Java implementation of it in three days from his first look at the specification; there just are not many specs that do something so useful but can be put into practice so easily.

What needs to be understood is that this is exactly how the crypto protocols process works. Any standard worth its salt takes years and years to mature. As an example, SSL was first developed in 1993; people far smarter than I are still improving it a decade and a half later! Yet no one would argue that SSL is not a secure or well-thought-out spec. The fact that this attack even detected shows OAuth is under scrutiny and is gaining traction, which is really a good thing for OAuth. Would you rather use a spec which smart people are trying to break, or a no name spec that only the "wrong smart people" know how to break.

In the end, we do not know what OAuth's fix to this vulnerability will be, but if developers want a quick solution, they may want to consider using the MashSSL protocol that ICS developed with SafeMashups. SafeMashups is our most mature company in incubation, and integrates with OAuth. as well as other popular Web 2.0 standards.

MashSSL a multi-party version of SSL running in the application layer, and from an OAuth-centric standpoint, MashSSL first runs between the Consumer and the Service Provider through the user's browser (using standard SSL certificates for each server; no certificate on the browser is needed or expected). We then set the OAuth credential type to "PLAINTEXT", but all the OAuth messages are encrypted with the SSL "master secret" (the session key the two parties share at end of any SSL session). Except for the first go-round which involves public key operations, all subsequent sessions use the SSL abbreviated handshake, which is very efficient and only uses symmetric key crypto. The session fixation attack will not work as the Service Provider won't operate with a site with which it cannot establish or share an SSL session. So when the "good" URL is moved to "bad" site (as in this OAuth vulnerability), the attack is detected and stopped.

More info on how OAuth can interoperate with MashSSL can be found here. Additionally, a video on MashSSL/OAuth interoperation can be found on the SafeMashups YouTube channel. and in the the education center on the SafeMashups site.

Disclaimers:

  1. MashSSL is moving towards becoming an open standard, but is not there yet (and I suppose that there is an infinitely small but non-zero probability that it may not, although the more people that cloamor for it, the sooner that will occur).
  2. The software though is available under a perpetual royalty free license so you do not have to pay anything to use it.
  3. At the moment it only works with certs from VeriSign (and our own free CA which we absolutely do NOT recommend you use except for testing).

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Image is a graph of SSL's growth over time. Just as SSL was improved via a battery of tests over time, new cryptographic protocols like OAuth can certainly persevere to become ubiquitous standards.

Posted at 07:31 AM in Cryptography, MashSSL, Mashups, OAuth, SafeMashups, Security, SSL/TLS, Startups, Threat Modeling | | Comments (2) | TrackBack (0)

April 21, 2009

ICS Startup SafeMashups Inc. Covered in the News at RSA


SafeMashups, Inc., the latest startup from the Institute for Cyber Security, spoke at the RSA conference Innovator's Sandbox (where the team was selected as a finalist in the "Most Innovative Company at RSA Conference 2009" contest) and at the RSA WhisperSuite. Some press covered the event, and staff from ICS was interviewed on the MashSSL innovation.

Help Net Security, a, covered SafeMashups at the event in an online article and podcast, where I was interviewed. In the article, Berislav Kucan discusses how SafeMashups is a San Antonio-based application authentication pioneer, and how the MashSSL protocol which provides a standardized way for web applications to securely identify each other when mashing through a potentially untrusted browser.

O'Reilly Media (well known for their famous software animal books), covered the event as well, and Ben Lorica interviewed me on the MashSSL protocol at a high level, and how it brings a trust infrastructure to mashups.

Tech Pulse 360 also covered the Innovator's Sandbox in an online article describing how SafeMashups hopes to make it easier for businesses to take advantage of Internet mashups that link their sites to others, quoting founder Ravi Ganesan, stating how companies "have no standard, secure way of knowing who is on the other end".

LeMagIT covered SafeMashups across the pond in France in a fastastic writeup (see it here in Google-translated English) that described SafeMashups as a company specializing in the security of interlinking web applications for the collection of information, particularly in the context of the management of access rights. They also discuss the free MashSSL web toolkit and the free SafeMashups Community Service.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 03:06 PM in Browsers, Cyber Security, Events, MashSSL, Mashups, News, SafeMashups, SSL/TLS, Startups, Web/Tech | | Comments (0) | TrackBack (0)

April 17, 2009

Windows Azure Hello World Tutorial Online

Cloud computing has become a larger reality in web development in the last few years. Units such as Amazon's EC2 Service and Google's App Engine let web developers write web applications that do not reside on a dedicated server, but may move from one physical machine to another (for load balancing purposes) or be "spread" across multiple physical servers (or both). At the Institute for Cyber Security, some of the companies under incubation make use of such services due to cost and ease of use.

Not to be left out, Microsoft has its own cloud computing service it is hoping to deliver to customers in the coming months called Windows Azure. Still in beta, Microsoft offers an SDK and tools for Visual Studio. To some degree, getting an application up and running on Windows Azure is fairly straightforward. Check out the Windows Azure Hello World tutorial online.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 07:16 AM in Browsers, Cloud Computing, Programming, Tutorials, Web/Tech | | Comments (3) | TrackBack (0)

April 15, 2009

ICS Startup SafeMashups Inc. Covered in the News


As covered previously, SafeMashups, Inc., the latest startup from the Institute for Cyber Security, will be speaking at the RSA conference Innovator's Sandbox and has been selected as a finalist in the "Most Innovative Company at RSA Conference 2009" contest they are hosting.

BusinessWire caught the initial press release that discusses each of the ten companies and SafeMashups in specific. From the article:

SafeMashups Inc. is an application authentication pioneer that has developed the MashSSL protocol  which provides a standardized way for web applications to securely identify each other when mashing through a potentially untrusted user or browser. MashSSL allows web applications running emerging Web 2.0 protocols like OAuth, XHR, OpenAJAX, OpenID, etc. to authenticate each other securely using their existing SSL credentials.

SearchSecurity also covered SafeMashups in an article describing how security budget issues may resonate at the RSA Conference, and how vendors that address application security issues are beginning to gain more attention, such as SafeMashups, where its software tools help developers build Web applications more securely. The aricle also mentions the free MashSSL Web Toolkit and free SafeMashups Community Service.

Nemertes Research also highlighed the need for enterprise mashups security in a brief on SafeMashups. In their study, they found 42% of participants are already using mashups, but that for the enterprise, they must implement strong security controls to protect internal mashup applications from insider threats. To this end, SafeMashups has the opportunity to boost enterprise mashup platforms.

More news to come in the following week. Stay tuned!

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 03:41 PM in Contests, Cyber Security, Events, MashSSL, Mashups, OAuth, OpenID, Presentation, SafeMashups, Security, Single Sign-on, SSL/TLS, Startups, Web/Tech | | Comments (0) | TrackBack (0)

April 13, 2009

ICS Startup SafeMashups Inc. Entry into RSA

Folks from the Institute for Cyber Security will be attending the RSA Conference next week, showcasing the  ICS's Incubation program in particular and SafeMashups, the first and most mature startup in incubation, in specific. The SafeMashups entry was nominated as a finalist in this year's "Most Innovative Company at RSA® Conference 2009"! Only ten out of a couple hundred entries made it to the final round, and both the staff at ICS and SafeMashups are very excited.

Part of the submission included a thirty-second video explaining at a high level the MashSSL protocol, using OAuth as an example. The video is available on the SafeMashups YouTube channel. and in the the education center, on the SafeMashups site.

Enjoy!

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 08:46 AM in Contests, Events, MashSSL, Mashups, OAuth, SafeMashups, Security, SSL/TLS, Startups, Web/Tech | | Comments (0) | TrackBack (0)

April 10, 2009

ICS Startup SafeMashups Inc. Adobe Flash Demo Tutorial Online

SafeMashups, Inc., the latest startup from the Institute for Cyber Security to go live, has released a new tutorial on mashing Adobe Flash applications with MashSSL on its YouTube channel. Other demos on mashing MashSSL with OpenAJAX, Kerberos, OAuth, and Cross-Domain XHR, and more can be found there, too.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 05:42 PM in Browsers, Cryptography, Cyber Security, Flash/Flex, Kerberos, MashSSL, Mashups, SafeMashups, Security, SSL/TLS, Startups, Tutorials, Web/Tech | | Comments (0) | TrackBack (0)

April 08, 2009

MySpace now Supports OpenID

Yesterday, the OpenID group announced  that MySpace had fully implemented an OpenID Provider to their sngle-signon mechanism, MySpaceID. This might breathe some new life into the OpenID program, as they have a shared competitor in both of their respective scapes: Facebook is the largest competitor to MySpace, just as Facebook Connect is the largest competitor to OpenID.

From the announcement: OpenID aligned perfectly with MySpaceID as an authentication technology. As a social portal, we already embraced the notion of representing identity with a URL. An overwhelming number of our users have setup vanity URL’s (i.e. myspace.com/pixelelated) and so we knew that OpenID would align well with our users.

This might be the most compelling argument for MySpace bringing OpenID into larger use. Other ID providers to have implemented OpenID, such as Google, AOL, and Yahoo!, can lay claim to being identity hosts for a user, but all of those are email addresses, which is a shift in vision from OpenID's paradigm, which is identity-as-URI, a structure that MySpace's "vanity URLs" fill nicely.

Erhan J. Kartaltepe
erhan.kartaltepe-at-utsa.edu

Posted at 10:50 AM in OAuth, OpenID, Single Sign-on, Web/Tech | | Comments (1) | TrackBack (0)

April 06, 2009

ICS Startup SafeMashups Inc. a Finalist as Most Innovative Company at RSA Conference


For folks who are attending The RSA Conference is the likely the largest and most prestigious cyber security event of the year, the Institute for Cyber Security will be speaking Monday April 20th about ICS's Incubation program in particular and SafeMashups, the first and most mature startup in incubation, in specific.

As it turns out, this year RSA is holding an Innovation Sandbox Monday afternoon, showcasing this year's promising startups. Nearly two hundred entries were submitted as the "Most Innovative Company at RSA® Conference 2009", and of those, only ten were selected as a finalist, one of which was us!

Definitely swing by our booth and listen to our talk as we will cover how server-side and client-side mashup security currently works and how to use two-party protocols such as TLS in a multi-party environment.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 08:03 AM in Browsers, Contests, Events, MashSSL, Mashups, Presentation, SafeMashups, Security, SSL/TLS, Startups, Web/Tech | | Comments (0) | TrackBack (0)

April 03, 2009

Interoperability Testing Workshop Slide Deck Online

The MIT Kerberos Consortium held its first Interoperability Testing Workshop this week, hosted by Microsoft Corporation on their Redmond, Washington campus. Representatives from MIT, Microsoft, Sun, Cornell, and the Institute for Cyber Security were in attendance, with a lot of folks interested in Kerberos and trust security participating. The slide deck from our talk at the is now up online.

ICS was there with its first startup, SafeMashups, Inc., to introduce MashSSL and how the protocol can seamlessly work with Kerberos. Our talk discusses MashSSL as a new standard for establishing trust in mashups and how it can provide application-level trust for Kerberized web applications, and non-Kerberized applications that want to make use of a KDC.

Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu

Posted at 07:02 AM in Cryptography, Events, Kerberos, MashSSL, Mashups, SafeMashups, SSL/TLS | | Comments (0) | TrackBack (0)