
Security and Privacy on the Web in 2015

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity).

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. In addition, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend them against tracking.

Francois Marier

September 21, 2015

Transcript

  1-3. Safe Browsing lookup (built up over three slides):
     pre-downloaded list of URL hash prefixes, updated every 30 minutes
     server completions requested on a prefix hit (with noise entries)
     separate cookie jar
     list entries expire after 45 minutes
  4-6. Download protection (built up over three slides):
     is it on the pre-downloaded list of dangerous hosts?
     is it signed by a known good software provider?
     is it an executable file (.exe, .com, .pif, .dmg, etc.)?
     what does the apprep server think about it?
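The four download checks above in the order the slides present them, as an added example that is not Firefox's download-protection code. Local decisions (dangerous host, trusted signer, non-executable type) are made before anything is sent to the application-reputation ("apprep") server, so the remote lookup only happens for executables the local lists did not settle. The host blocklist, signer allowlist, extension list, `signer` field (assumed to be an already-verified signer identity) and the stubbed server verdicts are all constructed.

```javascript
// Added example (not Firefox's implementation): the download-protection checks from the
// slides, applied to a constructed download record {url, signer, sha256}.
const DANGEROUS_HOSTS = new Set(['malware.example']);                 // constructed local blocklist
const TRUSTED_SIGNERS = new Set(['CN=Good Software Ltd']);            // constructed signer allowlist
const EXECUTABLE_EXTENSIONS = new Set(['exe', 'com', 'pif', 'dmg', 'msi', 'scr', 'bat']); // constructed; real list is longer

function fileExtension(url) {
  // Extension of the last path segment; query string and fragment are not part of the name.
  const name = new URL(url).pathname.split('/').pop();
  const dot = name.lastIndexOf('.');
  return dot === -1 ? '' : name.slice(dot + 1).toLowerCase();
}
function isExecutable(url) { return EXECUTABLE_EXTENSIONS.has(fileExtension(url)); }

// Stand-in for the remote reputation service, keyed on a constructed file hash.
const APPREP_VERDICTS = { deadbeef: 'malicious' };
function queryAppRepServer(download) { return APPREP_VERDICTS[download.sha256] || 'unknown'; }

function classifyDownload(download) {
  const host = new URL(download.url).hostname;
  if (DANGEROUS_HOSTS.has(host)) {
    return { verdict: 'block', reason: 'dangerous host', remote: false };
  }
  // `signer` is assumed to be the verified identity from a valid code signature.
  if (download.signer && TRUSTED_SIGNERS.has(download.signer)) {
    return { verdict: 'allow', reason: 'trusted signer', remote: false };
  }
  if (!isExecutable(download.url)) {
    return { verdict: 'allow', reason: 'not executable', remote: false };
  }
  const reputation = queryAppRepServer(download);          // only reached for unsigned executables
  if (reputation === 'malicious') {
    return { verdict: 'block', reason: 'apprep: malicious', remote: true };
  }
  return { verdict: 'allow', reason: 'apprep: ' + reputation, remote: true };
}

// Constructed walk-through.
console.log(classifyDownload({ url: 'https://vendor.example/Setup.EXE?download=1', signer: 'CN=Good Software Ltd', sha256: '00' }));
console.log(classifyDownload({ url: 'https://files.example/tool.exe', sha256: 'deadbeef' }));
```

The `remote` flag is the point of the ordering: a PDF, or an installer from a trusted signer, never causes a reputation request, while an unsigned `.exe` from an unlisted host always does.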
  7. $ curl -i https://example.com
     HTTP/1.1 200 OK
     Cache-Control: private
     Content-Type: text/html; charset=utf-8
     Strict-Transport-Security: max-age=31536000
     ...
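What a browser does with the `Strict-Transport-Security` header shown above, as an added example that is not Firefox code: the header is parsed (`max-age` is required; `includeSubDomains` and `preload` are flags; unknown directives are ignored), it is only honoured when received over HTTPS, and until `max-age` seconds have passed any plain-http navigation to that host, or to its subdomains when `includeSubDomains` is set, is rewritten to https. Hostnames, timestamps and header values in the walk-through are constructed.

```javascript
// Added example (not Firefox code): RFC 6797 header parsing and the in-memory HSTS store
// a browser keeps. Times are milliseconds since an arbitrary epoch, passed in explicitly.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val] = directive.split('=').map(s => s.trim());
    switch (name.toLowerCase()) {
      case 'max-age':
        if (!/^"?\d+"?$/.test(val || '')) return null;   // malformed max-age: ignore the whole header
        policy.maxAge = parseInt(val.replace(/"/g, ''), 10);
        break;
      case 'includesubdomains': policy.includeSubDomains = true; break;
      case 'preload': policy.preload = true; break;
      default: break;                                     // unknown directives are ignored
    }
  }
  return policy.maxAge === null ? null : policy;         // max-age is mandatory
}

class HstsStore {
  constructor() { this.entries = new Map(); }            // host -> { expires, includeSubDomains }

  // Called for every response; returns true when the header was accepted.
  observe(responseUrl, headerValue, now) {
    const u = new URL(responseUrl);
    if (u.protocol !== 'https:') return false;           // HSTS over plain HTTP is ignored
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) {                           // max-age=0 tells the browser to forget the host
      this.entries.delete(u.hostname);
      return true;
    }
    this.entries.set(u.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Rewrite an http:// URL to https:// if a live policy covers its host.
  rewrite(url, now) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return url;
    const labels = u.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {            // exact host first, then parent domains
      const host = labels.slice(i).join('.');
      const entry = this.entries.get(host);
      if (!entry) continue;
      if (now >= entry.expires) { this.entries.delete(host); continue; }
      if (i === 0 || entry.includeSubDomains) {
        u.protocol = 'https:';
        return u.href;
      }
    }
    return url;
  }
}

// Constructed walk-through using the header value from the curl output above.
const store = new HstsStore();
store.observe('https://example.com/', 'max-age=31536000', 0);
console.log(store.rewrite('http://example.com/login', 5000));   // https://example.com/login
console.log(store.rewrite('http://www.example.com/', 5000));    // http://www.example.com/ (no includeSubDomains)
```

Two things worth checking on a real site are that the header is emitted only on the HTTPS responses (it is discarded otherwise, so there is no harm in sending it on the redirect target as well) and that `includeSubDomains` is set deliberately, since it commits every subdomain, including ones that do not yet serve TLS.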
  8. “If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” - Bruce Schneier
  9. RC4

  10. Tracking Protection:
     is this resource coming from a third-party server?
     is it on Disconnect's list of trackers?
     is it actually a third-party, or does it belong to the same org?
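The three questions above as a decision function, added here as an example rather than Firefox's Tracking Protection code. The tracker list and the organisation map are constructed stand-ins for Disconnect's data, and the registrable domain is approximated by the last two labels of the hostname; real code uses the Public Suffix List for that.

```javascript
// Added example (not Firefox's Tracking Protection): block a resource load only when it is
// third-party, on the tracker list, and not operated by the same organisation as the page.
const TRACKER_DOMAINS = new Set(['tracker.example', 'shop-analytics.example']);   // constructed, stands in for Disconnect's list
const ORGANISATION_OF = {                                                          // constructed entity map
  'shop.example': 'ShopCo',
  'shop-analytics.example': 'ShopCo',
  'tracker.example': 'TrackCo',
};

// Approximation: last two labels. Real implementations consult the Public Suffix List
// so that e.g. "foo.co.uk" is handled correctly.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function shouldBlock(pageUrl, resourceUrl) {
  const page = registrableDomain(new URL(pageUrl).hostname);
  const resource = registrableDomain(new URL(resourceUrl).hostname);
  if (page === resource) {
    return { block: false, reason: 'first-party' };
  }
  if (!TRACKER_DOMAINS.has(resource)) {
    return { block: false, reason: 'third-party but not a known tracker' };
  }
  if (ORGANISATION_OF[page] && ORGANISATION_OF[page] === ORGANISATION_OF[resource]) {
    return { block: false, reason: 'listed tracker, but same organisation as the page' };
  }
  return { block: true, reason: 'third-party tracker' };
}

// Constructed walk-through.
console.log(shouldBlock('https://www.shop.example/cart', 'https://cdn.tracker.example/pixel.gif'));      // block
console.log(shouldBlock('https://www.shop.example/cart', 'https://shop-analytics.example/collect'));     // allow, same org
```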
  11. Mock-up of a page at http://example.com/search?q=serious+medical+condition, with a third-party ad ("Click here for the cheapest insurance around!") embedded beside the filler body text. The search query in the URL is what leaks to the ad's server through the Referer header.
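How much of that URL reaches the third party depends on the referrer policy in force, and on Firefox's `network.http.referer.spoofSource` pref when the user sets it. The function below, an added example rather than anything from the talk or from Firefox, computes the `Referer` value a browser sends from one URL to another under each policy of the Referrer Policy specification (using the current policy names; the 2015 draft used `none` and `none-when-downgrade` for the first two), plus the spoof-source behaviour, which sends the destination URL as its own referrer. The ad URL is constructed.

```javascript
// Added example (not browser code): the Referer header value for a request from `fromUrl`
// to `toUrl` under a given referrer policy.
function stripReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = ''; u.password = ''; u.hash = '';        // credentials and fragment are never sent
  return originOnly ? u.origin + '/' : u.href;
}
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol !== 'https:';
}

// Returns the Referer value, or null when no header is sent.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':                  // the default in 2015 browsers
      return isDowngrade(from, to) ? null : stripReferrer(fromUrl, false);
    case 'origin':
      return stripReferrer(fromUrl, true);
    case 'origin-when-cross-origin':
      return stripReferrer(fromUrl, !sameOrigin);
    case 'same-origin':
      return sameOrigin ? stripReferrer(fromUrl, false) : null;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : stripReferrer(fromUrl, true);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripReferrer(fromUrl, false);
      return isDowngrade(from, to) ? null : stripReferrer(fromUrl, true);
    case 'unsafe-url':
      return stripReferrer(fromUrl, false);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Firefox pref network.http.referer.spoofSource = true: the destination URL is sent as the referrer,
// so the page the user came from is never revealed.
function spoofSourceReferer(toUrl) {
  return stripReferrer(toUrl, false);
}

// Constructed walk-through with the slide's URL and a constructed ad server.
const PAGE = 'http://example.com/search?q=serious+medical+condition';
const AD = 'http://ads.example/click';
console.log(refererFor('no-referrer-when-downgrade', PAGE, AD));   // full URL, query included
console.log(refererFor('origin', PAGE, AD));                       // http://example.com/
console.log(spoofSourceReferer(AD));                               // http://ads.example/click
```

Under the default policy the plain-http page on the slide sends its entire URL, query string included, to the ad server; the site-side fix is a policy such as `origin` or `strict-origin-when-cross-origin`, and the user-side fix is the pref above. Note that moving the page to HTTPS alone only helps while the ad is fetched over plain HTTP (the downgrade case); once the ad server also uses HTTPS the full URL leaks again under the default policy.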
  12. For users: use the non-corporate browser primarily, and set
     network.cookie.cookieBehavior = 3 (accept third-party cookies only from sites already visited as first party)
     network.http.referer.spoofSource = true (send the destination URL as the Referer instead of the originating page)
     privacy.trackingprotection.enabled = true
     Install the EFF's HTTPS Everywhere add-on
  13. For developers:
     Use SRI for your external scripts
     Set a more restrictive Referrer policy
     Consider enabling CSP
     Watch out for mixed content
     Test your site with Tracking Protection
  14. Enable HTTPS and HSTS on all your sites
     Use our recommended TLS config
     Test your site periodically using SSL Labs
  15. Questions?
     feedback: [email protected]
     mozilla.dev.security
     [email protected]
     © 2015 François Marier <[email protected]>
     This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.