Security and Privacy on the Web in 2015

Transcript

1. Security and Privacy on the Web in 2015 François Marier

   @fmarier mozilla

2. Firefox Security & Privacy

3. Web Platform

4. Web Platform

5. Content Security Policy aka CSP

6. Content Security Policy aka CSP mechanism for preventing XSS

7. telling the browser what external content is allowed to load

8. Hi you<script> alert('p0wned'); </script>! Tweet! What's on your mind?

9. without CSP

10. Hi you! John Doe - just moments ago p0wned Ok

11. with CSP

12. Hi you! John Doe - just moments ago

13. Content-Security-Policy: script-src 'self' https://cdn.example.com

14. inline scripts are blocked unless unsafe-inline is specified

15. script-src object-src style-src img-src media-src frame-src font-src connect-src

16. $ curl --head https://twitter.com HTTP/1.1 200 OK content-length: 58347 content-security-policy:

    … report-uri https://twitter.com/csp_report violation reports:

17. "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src

    'self'", "effective-directive": "img-src", "original-policy": "default-src 'self'; report-uri http://example.org/..." }
18. None

19. support for inline scripts Content-Security-Policy: script-src 'sha256-YWIzOW...'

20. None

21. Strict Transport Security aka HSTS

22. Strict Transport Security aka HSTS mechanism for preventing HTTPS to

    HTTP downgrades

23. telling the browser that your site should never be reached

    over HTTP
24. None

25. GET banque.fr 301 → GET https://banque.fr 200 → no HSTS,

    no sslstrip

26. GET banque.fr → 200 no HSTS, with sslstrip

27. what does HSTS look like?

28. $ curl -i https://example.com HTTP/1.1 200 OK Cache-Control: private Content-Type:

    text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 ...

29. with HSTS, with sslstrip GET https://banque.fr 200 →

30. silent client-side redirects HTTP → HTTPS

31. no HTTP traffic for sslstrip to tamper with

32. except for the very first connection

33. https://hstspreload.appspot.com/

34. None

35. coming up in 2015

36. None
37. None
38. None

39. https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js

40. how common is this?

41. None

42. what would happen if that server were compromised?

43. None

44. Bad Things™ steal sessions leak confidential data redirect to phishing

    sites enlist DDoS zombies

45. simple solution

46. instead of this: <script src=”https://ajax.googleapis.com...”>

47. <script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...”> do this:

48. guarantee: script won't change or it'll be blocked

49. limitation: won't work for scripts that change all the time

50. https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js

51. there's a little something missing...

52. <script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”> complete example:

53. None

54. “a web browser permits scripts contained in a first web

    page to access data in a second web page, but only if both web pages have the same origin” same-origin policy

55. example.com/index.html

56. example.com/index.html example.com/data.js: var secret = 42;

57. example.com/index.html example.com/data.js: var secret = 42; evil.net/widget.js: exfiltrate(secret);

58. example.com/index.html example.com/data.js: var secret = 42; evil.net/widget.js: exfiltrate(secret);

59. on the server: Access-Control-Allow-Origin: *

60. on the server: Access-Control-Allow-Origin: * on the client: crossorigin=”anonymous”

61. <script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”> complete example:

62. <link rel="stylesheet" href="style.css" integrity="sha256-PgMdguwx/O..." crossorigin=”anonymous”> complete example:

63. SRIhash.org

64. None
65. None
66. None

67. http://example.com/search?q=serious+medical+condition Click here for the cheapest insurance around! Bla bla

    bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
68. None

69. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

70. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

71. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

72. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

73. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

74. Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">

75. Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">

76. Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">

77. (initial implementations)

78. HTTPS

79. if you're not using it, now is the time to

    start :)
80. None
81. None

82. mass surveillance of all Internet traffic is no longer theoretical

83. strong encryption of all Internet traffic is no longer optional

84. “If we only use encryption when we're working with important

    data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” -Bruce Schneier

85. ps://gigaom.com/2015/02/19/dont-let-att-mislead-you-about-its-29-privacy-fee/

86. None

87. $ apt-get install letsencrypt $ letsencrypt example.com

88. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

89. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

90. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

91. HTTPS is not enough you need to do it properly

92. RC4

93. SHA-1 RC4

94. SHA-1 1024-bit certificates RC4

95. SHA-1 1024-bit certificates RC4 weak DH parameters

96. None
97. None
98. None
99. None

100. https://people.mozilla.org/~fmarier/mixed-content.html <html> <head> <script src="http://people.mozilla.org/~fmarier/mixed-content.js"> </script> </head> <body> <img src="http://fmarier.org/img/francois_marier.jpg">

     </body> </html>
101. None

102. turn on full mixed-content blocking in development

103. Start by enabling HTTPS and HSTS Use SRI for your

     external scripts Set a more restrictive Referrer policy Consider enabling CSP Watch out for mixed content

104. Questions? feedback: [email protected] mozilla.dev.security [email protected] © 2015 François Marier <[email protected]>

     This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

105. photo credits: tinfoil: https://www.flickr.com/photos/laurelrusswurm/15129449047 explosion: https://www.flickr.com/photos/-cavin-/2313239884/ snowden: https://www.flickr.com/photos/gageskidmore/16526354372