Sharing Slides Securely with 10,000 People in Real-Time: Socket.IO and Node.JS in Production
Aleksandr Yampolskiy and Danny Gershman
Who Are We?
• Aleksandr Yampolskiy, CTO @ayampolskiy (alexyampolskiy@cinchcast.com)
• Previously head of security and compliance for Gilt Groupe companies, in charge of securing IT infrastructure, secure architecture, PCI/SOX compliance, etc.
• Various leadership roles in Goldman Sachs, Oracle, Microsoft building scalable, enterprise software for IDM, SSO, AuthN/AuthZ.
• Ph.D. in Distributed Computing
• Hobbies: chess, Edward Hopper, Ray Bradbury, martial arts, lately foosball and coffee.
• Danny Gershman @dannygnj, Principal Engineer (dannygershman@cinchcast.com)
• He has over 16 years of experience developing software and is now focusing on R&D.
• Worked with various technologies such as .NET, SQL Server, Redis, NodeJS, Socket.IO, jwPlayer, Liquid Office, Teleform, Ascent Capture, Classic ASP, and GWBASIC and DOS
• Paintballer, DJ, Cat-Lover, and from New Jersey (hold the applause please)
Cinchcast, Inc.
Cinchcast, an enterprise technology company, provides a cloud-based solution for conference calls and webcasts. BlogTalkRadio, a consumer media company, is the largest online radio network in the world.
Patented, Cloud-Based Platform
Cinchcast Connect
Use cases: Marketing Events, Earnings/Analyst Calls, Executive Communications, Employee Townhalls, Team Meetings, Training, All-Hands Meetings
Enhancing internal and external corporate communications while significantly reducing associated costs
DEMO TIME
Challenge
• Security for sensitive conversations
• Real-time update of slides and analytics
• 10,000s or more participants on various devices, including older browsers
• No browser plugins + Minimal bandwidth (12 MB/hr)
How Does It All Work?
[Architecture diagram: NodeJS server cluster; Cinchcast SaaS]
What Do We Use Node.JS+Socket.IO for?
• Keeping track of real-time listeners on the permalink page
• Pushing the slide notifications to thousands of viewers in real-time!
Node.JS
• Node.JS = Javascript on your server.
• Asynchronous event loop.
NodeJS Security Issues
• Perennial input validation issues
– Rule #1 – validate thy input
– Never assume the input is well-formed. Think like a hacker!
• JSON eval
– JSON.parse(str) vs eval(str)
– var queryData = url.parse(req.url, true).query;
– eval("console.log('" + queryData.log + "')");
– what if I call http://127.0.0.1/?log=1');var sys=require('sys'); var exec=require('child_process').exec;function puts=….
• An unhandled exception can crash your server
Example - XSS
Socket.IO
• Socket.IO = Persistent client-server connection, cross-browser compatible.
[Handshake diagram: client sends handshake; server replies with handshake accepted, transports, connection id, config]
Socket.IO Security Issues
• Communication in ws:// protocol is unencrypted.
• Don’t trust the client! All origins are allowed by default.
• Have to build your own authentication/authorization (https://github.com/LearnBoost/socket.io/wiki/Authorizing)
Example – Origin
• Malicious client by Krzysztof Kotowicz (https://github.com/koto/socket_io_client)
• It can handshake with a socket.io server, ignore origin restrictions, handle heartbeats, fuzz messages
What’s Different About Node.JS+Socket.IO Security?
• More code and complexity in Node.JS/Socket.IO apps.
• We now need to review client-side and server-side code.
• Dynamic, agile development approach results in code that’s not thoroughly tested
• Complicated UI frameworks may contain their own subtle security bugs
• New security attacks
What’s Different About Web 2.0 Security?
• Web 2.0 has completely new app security threats
– Malicious AJAX code execution
– WSDL scanning and enumeration
– RSS injection
– XML poisoning
– CSRF attacks
Relax, it’s not that bad!
Web 2.0 Security Reality
• Fundamentals are still the same, for Web 1.0 and Web 2.0, and for node.js+socket.io apps.
• Multilayered “onion security”.
• None of the “new” attacks appear on OWASP top 10 list of security bugs.
• In fact, Verizon 2009 data breach report lists top data breach causes as
– Weak or default passwords
– SQL injection attacks
– Improper access rights
– XSS attacks
Our Approach
• Security decisions are based on risk, not just threats and vulnerabilities (risk = threat*vulnerability*cost).
• Don’t chase hot vulnerabilities of the day. Instead, mitigate top risks.
• AAA and least privilege principle.
• Heavily based on policy and user education.
• “Onion security” – multiple protections at each layer.
• Achieve “essential”, then worry about “excellent”.
• Be a “how team” instead of a “no team”.
• Build security into the software development lifecycle.
What Do We Do To Protect?
HMAC-SHA1 digest authentication based on rooms and user type. ACLs are applied once authenticated.
What Do We Do To Protect?
• Secure Web-sockets
Multi-core
Multi-server
• Wait…how will we share data?
Session Data in Socket.IO
Of Course
The Greatest Session Store of All Time Is…
Sharing Session
Redis Store for Socket.IO
Storing / Retrieving Data in Session with
Redis
This can start getting out of hand
Matryoshka Code
Async (https://github.com/caolan/async)
Eventing Across Nodes (Pub-Sub)
Multi-server
Each process gets its own port, then is individually exposed via a load balancer with a virtual IP. Uses Layer 4 level proxying, and the SSL certificate is on the load balancer.
[Diagram: hosts 192.168.1.100 and 192.168.1.101 each run processes on ports 3001, 3002, 3003, 3004; Load Balancer at 129.186.73.100]
Time Sync
Failback with Upstart and Monit
Gotchas
Conclusion
• Security problems may be new but old principles apply
• Validate thy input
• HMAC-SHA1 digest authentication
• Know the gotchas for multitasking (time sync, ulimits, data sharing, etc.)
• We will tweet the slides link.
• Talk to us @ayampolskiy or @dannygnj
PITCH: Use Us For Large-Scale Conference Calls
Contact us at http://cinchcast.com/contact/
