Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security and Privacy on the Web in 2015

Francois Marier
September 21, 2015
Programming
0
240

Security and Privacy on the Web in 2015

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity).

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking.

Francois Marier

September 21, 2015
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
280
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
260
Hardening Firefox for Privacy and Security
fmarier
0
980
Security and Privacy on the Web in 2016
fmarier
0
200
Privacy and Tracking Protection in Firefox
fmarier
0
270
Security and Privacy on the Web in 2015
fmarier
0
180
Integrity protection for third-party JavaScript
fmarier
1
760
URL to HTML
fmarier
1
270
Integrity protection for third-party JavaScript
fmarier
2
570

Other Decks in Programming

See All in Programming
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
440
OpenTelemetryでRailsのパフォーマンス分析を始めてみよう(KoR2024)
ymtdzzz
4
1.6k
WEBエンジニア向けAI活用入門
sutetotanuki
0
300
Golang と Erlang
taiyow
8
1.9k
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
150
2万ページのSSG運用における工夫と注意点 / Vue Fes Japan 2024
chinen
3
1.4k
Honoの来た道とこれから
yusukebe
19
3k
破壊せよ!データ破壊駆動で考えるドメインモデリング / data-destroy-driven
minodriven
16
4.1k
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
140
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
7
2.8k
推し活の ハイトラフィックに立ち向かう Railsとアーキテクチャ - Kaigi on Rails 2024
falcon8823
6
2.2k
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k

Featured

See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
The Cult of Friendly URLs
andyhume
78
6k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
GraphQLとの向き合い方2022年版
quramy
43
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Ruby is Unlike a Banana
tanoku
96
11k
Building Adaptive Systems
keathley
38
2.2k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
The Invisible Side of Design
smashingmag
297
50k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Designing the Hi-DPI Web
ddemaree
280
34k

Transcript

  1. Security and Privacy on the Web in 2015 François Marier

    @fmarier mozilla

  2. Firefox Security & Privacy

  3. overview of what we work on

  4. overview of what we work on interrupt me!

  5. security privacy &

  6. ??????????????? ??????????????? security privacy &

  7. security

  8. security for users

  9. Safe Browsing

  10. None

  11. pre-downloaded URL hash prefixes

  12. pre-downloaded URL hash prefixes list updated every 30 minutes

  13. pre-downloaded URL hash prefixes list updated every 30 minutes server

    completions on prefix hit (with noise entries)

  14. pre-downloaded URL hash prefixes list updated every 30 minutes server

    completions on prefix hit (with noise entries) separate cookie jar

  15. pre-downloaded URL hash prefixes list updated every 30 minutes server

    completions on prefix hit (with noise entries) separate cookie jar list entries expire after 45 minutes

  16. about:config browser.safebrowsing.enabled (phishing) browser.safebrowsing.malware.enabled (malware)

  17. Application Reputation

  18. None

  19. is it on the pre-downloaded list of dangerous hosts?

  20. is it on the pre-downloaded list of dangerous hosts? is

    it signed by a known good software provider?

  21. is it on the pre-downloaded list of dangerous hosts? is

    it signed by a known good software provider? is it an executable file (.exe, .com, .pif, .dmg, etc.)?

  22. is it on the pre-downloaded list of dangerous hosts? is

    it signed by a known good software provider? is it an executable file (.exe, .com, .pif, .dmg, etc.)? what does the apprep server think about it?

  23. about:config browser.safebrowsing.downloads.remote.enabled

  24. security for developers

  25. Content Security Policy aka CSP mechanism for preventing XSS

  26. telling the browser what external content is allowed to load

  27. Hi you<script> alert('p0wned'); </script>! Tweet! What's on your mind?

  28. without CSP

  29. Hi you! John Doe - just moments ago p0wned Ok

  30. with CSP

  31. Hi you! John Doe - just moments ago

  32. Content-Security-Policy: script-src 'self' https://cdn.example.com

  33. script-src object-src style-src img-src media-src frame-src font-src connect-src

  34. Strict Transport Security aka HSTS mechanism for preventing HTTPS to

    HTTP downgrades

  35. telling the browser that your site should never be reached

    over HTTP
  36. None

  37. GET bank.ca 301 → GET https://bank.ca 200 → no HSTS,

    no sslstrip

  38. GET bank.ca → 200 no HSTS, with sslstrip

  39. what does HSTS look like?

  40. $ curl -i https://example.com HTTP/1.1 200 OK Cache-Control: private Content-Type:

    text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 ...

  41. with HSTS, with sslstrip GET https://bank.ca 200 →

  42. no HTTP traffic for sslstrip to tamper with

  43. None
  44. None
  45. None

  46. https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js

  47. what would happen if that server were compromised?

  48. None

  49. Bad Things™ steal sessions leak confidential data redirect to phishing

    sites enlist DDoS zombies

  50. simple solution

  51. instead of this: <script src=”https://ajax.googleapis.com...”>

  52. <script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”> do this:

  53. guarantee: script won't change or it'll be blocked

  54. security for sysadmins

  55. HTTPS

  56. if you're not using it, now is the time to

    start :)
  57. None
  58. None

  59. mass surveillance of all Internet traffic is no longer theoretical

  60. strong encryption of all Internet traffic is no longer optional

  61. “If we only use encryption when we're working with important

    data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” -Bruce Schneier

  62. ps://gigaom.com/2015/02/19/dont-let-att-mislead-you-about-its-29-privacy-fee/

  63. None

  64. $ apt-get install letsencrypt $ letsencrypt example.com

  65. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

  66. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

  67. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

  68. HTTPS is not enough you need to do it properly

  69. RC4

  70. SHA-1 RC4

  71. SHA-1 1024-bit certificates RC4

  72. SHA-1 1024-bit certificates RC4 weak DH parameters

  73. None
  74. None
  75. None
  76. None

  77. https://people.mozilla.org/~fmarier/mixed-content.html <html> <head> <script src="http://people.mozilla.org/~fmarier/mixed-content.js"> </script> </head> <body> <img src="http://fmarier.org/img/francois_marier.jpg">

    </body> </html>
  78. None

  79. turn on full mixed-content blocking in development

  80. privacy

  81. privacy for users

  82. None
  83. None
  84. None

  85. Tracking Protection

  86. Tracking Protection in Private Browsing mode

  87. based on Safe Browsing pre-downloaded list of full hashes (no

    server lookups)

  88. is this resource coming from a third-party server? is it

    on Disconnect's list of trackers? is it actually a third-party or does it belong to the same org?

  89. Q: What does it do? A: It blocks network loads!

  90. No cookies No fingerprinting No wasted bandwidth No performance hit

  91. about:config privacy.trackingprotection.pbmode.enabled

  92. about:config privacy.trackingprotection.enabled

  93. privacy for developers

  94. None
  95. None

  96. http://example.com/search?q=serious+medical+condition Click here for the cheapest insurance around! Bla bla

    bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
  97. None

  98. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  99. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  100. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  101. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  102. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  103. Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">

  104. Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">

  105. Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">

  106. recommendations for users

  107. Use the non-corporate browser primarily network.cookie.cookieBehavior = 3 network.http.referer.spoofSource =

    true privacy.trackingprotection.enabled = true Install the EFF's HTTPS Everywhere add-on

  108. recommendations for developers

  109. Use SRI for your external scripts Set a more restrictive

    Referrer policy Consider enabling CSP Watch out for mixed content Test your site with Tracking Protection

  110. recommendations for sysadmins

  111. Enable HTTPS and HSTS on all your sites Use our

    recommended TLS config Test your site periodically using SSL Labs

  112. Questions? feedback: [email protected] mozilla.dev.security [email protected] © 2015 François Marier <[email protected]>

    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

  113. photo credits: tinfoil: https://www.flickr.com/photos/laurelrusswurm/15129449047 explosion: https://www.flickr.com/photos/-cavin-/2313239884/ snowden: https://www.flickr.com/photos/gageskidmore/16526354372