Lesson 11 / Topic 11B - Implement Secure Application Protocols
Explain the flow of information aided by HTTP.
A client connects to the HTTP server using an appropriate TCP port (the default is port 80) and submits a request for a resource using a uniform resource locator (URL). The response and request formats are defined in an HTTP header. The HTTP payload is usually used to serve HTML web pages, which are plaintext files with coded tags (HyperText Markup Language) describing how the page should be formatted. A web browser can interpret the tags and display the text and other resources associated with the page.
Voice over IP (VoIP)
A generic name for protocols that carry voice traffic over data networks. The protocols are designed to support real-time services, including session control, data transport, and quality of service.
Application Programming Interface (API)
A library of programming utilities used, for example, to enable software developers to access TCP/IP network stack functions under a particular operating system.
Post Office Protocol v3 (POP3)
A mailbox protocol designed to store the messages delivered by SMTP on a server. When the client connects to the mailbox, POP3 downloads the messages to the recipient's email client. Communication is on port 110. POP3S is the secured version of the protocol, operating over TCP port 995 by default.
Internet Message Access Protocol v4 (IMAP4)
A mailbox protocol that supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage mail folders on the server. Clients connect to IMAP over TCP port 143. They authenticate themselves then retrieve messages from the designated folders. As with other email protocols, the connection can be secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993.
Implicit TLS (FTPS)
A means of securing FTP requiring the negotiation of an SSL/TLS tunnel before the exchange of any FTP commands. This mode uses the secure port 990 for the control connection. FTPS is tricky to configure when there are firewalls between the client and server. Consequently, FTPES is usually the preferred method.
Explicit TLS (FTPES)
A means of securing FTP using the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials. The data connection for the actual file transfers can also be encrypted (using the PROT command).
SMTPS
A method of securing SMTP using TLS requiring an established secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS. Communication is on port 465.
STARTTLS
A method of securing SMTP using TLS where a command upgrades an existing unsecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS. The STARTTLS method is generally more widely implemented than SMTPS. Communication is on port 587.
File Transfer Protocol (FTP)
A protocol used to transfer files between network hosts. Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES) and T(rivial)FTP. FTP utilizes ports 20 and 21. Most HTTP servers also function as FTP servers, and FTP services, accounts, and directories may be installed and enabled by default when you install a web server. FTP is more efficient than file attachments or HTTP file transfer but has no security mechanisms. All authentication and data transfer are communicated as plaintext, meaning that credentials can easily be picked out of any intercepted FTP traffic.
SSH FTP (SFTP)
A secure version of the File Transfer Protocol that uses a Secure Shell (SSH) tunnel as an encryption method to transfer, access, and manage files.
Transport Layer Security (TLS)
A security protocol that uses certificates for authentication and encryption to protect web communication. This protocol is used with the HTTP application (referred to as HTTPS or HTTP Secure) but can also be used to secure other application protocols and as a virtual private networking (VPN) solution.
How could a threat actor exploit voice and video communications?
A threat actor could exploit unencrypted voice and video communications to try to intercept passwords, credit card details, and so on. Without strong mutual authentication, connections are also vulnerable to man-in-the-middle attacks.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications. To use S/MIME, the user is issued a digital certificate containing his or her public key, signed by a CA to establish its validity. The public key is paired with a private key kept secret by the user. To establish the exchange of secure emails, both users must be using S/MIME and exchange certificates.
XML Injection
Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.
How are subscription services used and what attack vector should be considered?
Employees may require access to all kinds of subscription services. It may be necessary to provision authentication mechanisms for enterprise single sign-on (SSO) access to the services. Another use of subscriptions is a web feed, where updated articles or news items are pushed to the client or browser. Web feeds are based on either the Really Simple Syndication (RSS) or Atom formats, both of which use XML to mark up each document supplied by the feed. It is possible that such feeds may be vulnerable to XML injection style attacks, allowing an attacker to show malicious links or even interact with the file system.
Discuss how increased flexibility and interactivity of HTTP exposes the potential for more vulnerabilities.
HTTP is nominally a stateless protocol; this means that the server preserves no information about the client during a session. The basic functionality of HTTP servers is often extended by support for scripting and programmable features (web applications). Servers can also set text file cookies to preserve session information. These coding features, plus database integration, increase flexibility and interactivity, but they also increase the attack surface and expose more vulnerabilities. Many argue that HTTP is a stateful protocol. Version 2 of HTTP adds more state-preserving features.
Real-Time Transport Protocol (RTP)
Opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping). While SIP provides session management features, the actual delivery of real-time data uses different protocols - principally RTP.
Explain ways to secure an API.
Use of APIs is authorized via a token or secret key. Effective management of these API secrets is a key consideration in modern networks, as they have been widely used to perpetrate various breaches and data thefts. For example, putting the key in the URL carries a severe risk of exposure. APIs can use more secure authentication and authorization methods, such as SAML and OAuth, but these still come with secrets management requirements. Another API consideration is that usage should be monitored to ensure only authorized endpoints are making transactions.
Session Initiation Protocol (SIP)
Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination. SIP endpoints are the end-user devices (also known as user-agents), such as IP-enabled handsets or client and server web conference software. Unencrypted SIP typically runs over TCP port 5060, whereas SIPS uses TCP port 5061.
Discuss which SSL/TLS versions are safe, what versions are susceptible to a downgrade attack, and why TLS 1.3 could have improved performance.
While the acronym SSL is still used, the Transport Layer Security versions are the only ones that are safe to use. A server can provide support for legacy clients, but obviously this is less secure. For example, a TLS 1.2 server could be configured to allow clients to downgrade to TLS 1.1 or 1.0 or even SSL 3.0 if they do not support TLS 1.2. A downgrade attack is where a man-in-the-middle tries to force the use of a weak cipher suite and SSL/TLS version. TLS version 1.3 was approved in 2018. One of the main features of TLS 1.3 is the removal of the ability to perform downgrade attacks by preventing the use of unsecure features and algorithms from previous versions. There are also changes to the handshake protocol to reduce the number of messages and speed up connections.
Simple Mail Transfer Protocol (SMTP)
The Internet standard protocol for transferring e-mail messages from one computer to another. Communication is on port 25.
Cipher Suite
The algorithms supported by both the client and server to perform the different encryption and hashing operations required by the protocol.
Hypertext Transfer Protocol (HTTP)
The protocol used to provide web content to browsers. HTTP uses port 80. HTTPS (secure) provides for encrypted transfers using SSL/TLS and port 443.
Secure RTP
The secure connection established by SIPS can also be used to generate a master key to use with the secure versions of the transport protocol (SRTP). SRTP provides confidentiality for the actual call data.
Explain how you would implement TLS.
To implement TLS, a server is assigned a digital certificate signed by some trusted certificate authority (CA). The certificate proves the server's identity (assuming that the client trusts the CA) and validates the server's public/private key pair. The server uses its key pair and the TLS protocol to agree mutually supported ciphers with the client and negotiate an encrypted communications session. Installing a certificate on the client is also possible so the server can trust the client. This is not often used on the web but is a feature of VPNs and enterprise networks that require mutual authentication.