
Security and Privacy on the Web in 2015


In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages.

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications.

https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en

Francois Marier

July 07, 2015


Transcript

  1. $ curl --head https://twitter.com
     HTTP/1.1 200 OK
     content-length: 58347
     content-security-policy: … report-uri https://twitter.com/csp_report   (violation reports)

  2. $ curl -i https://example.com
     HTTP/1.1 200 OK
     Cache-Control: private
     Content-Type: text/html; charset=utf-8
     Strict-Transport-Security: max-age=31536000
     ...

  3. same-origin policy: “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin”

  4. http://example.com/search?q=serious+medical+condition
     Click here for the cheapest insurance around!
     Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.

  5. “If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” - Bruce Schneier

  6. RC4

  7. Start by enabling HTTPS and HSTS
     Use SRI for your external scripts
     Set a more restrictive Referrer policy
     Consider enabling CSP
     Watch out for mixed content

  8. Questions?
     feedback: [email protected]
     mozilla.dev.security
     [email protected]
     © 2015 François Marier <[email protected]>
     This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
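The five recommendations on slide 7 (HTTPS and HSTS, SRI on external scripts, a restrictive referrer policy, CSP, and no mixed content) can be turned into a small self-check a developer runs against their own responses. The checker below is an added example and is not code from the talk or from Mozilla; the response headers, page URL, HTML snippet, hostnames and the sha384 digest are constructed placeholders chosen so that each check has something to report. It reads headers like the ones shown with curl on slides 1 and 2 and flags the referrer leak scenario of slide 4 when no Referrer-Policy is set.

```python
import re
from urllib.parse import urlparse

# Constructed sample data (not from the talk). The hostnames, digest and
# policy strings are placeholders chosen to exercise each check once.
PAGE_URL = "https://www.example.com/account"

SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.net; "
        "report-uri /csp_report"
    ),
    # Referrer-Policy deliberately omitted: the default of the time sends the
    # full URL (including ?q=...) to any cross-origin HTTPS link, as on slide 4.
}

SAMPLE_HTML = """
<script src="/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<img src="http://static.example.net/logo.png">
"""

MIN_HSTS_AGE = 180 * 24 * 3600  # six months; a shorter max-age is a weak commitment
RESTRICTIVE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if the header is absent or unparsable."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _tags(html, name):
    """Yield the attribute string of every <name ...> tag (a deliberately simple scan)."""
    for m in re.finditer(r"<%s\b([^>]*)>" % name, html, re.IGNORECASE):
        yield m.group(1)


def _attr(attrs, name):
    m = re.search(r'\b%s\s*=\s*["\']([^"\']*)["\']' % name, attrs, re.IGNORECASE)
    return m.group(1) if m else None


def audit(headers, html, page_url):
    """Return a list of findings, one per violated recommendation from slide 7."""
    findings = []
    page = urlparse(page_url)

    # 1. HTTPS and HSTS
    if page.scheme != "https":
        findings.append("page not served over HTTPS")
    age = hsts_max_age(headers)
    if age is None:
        findings.append("HSTS header missing")
    elif age < MIN_HSTS_AGE:
        findings.append("HSTS max-age is only %d seconds" % age)

    # 2. SRI: every cross-origin script needs an integrity attribute
    for attrs in _tags(html, "script"):
        src = _attr(attrs, "src")
        if not src:
            continue
        target = urlparse(src)
        cross_origin = bool(target.netloc) and \
            (target.scheme, target.netloc) != (page.scheme, page.netloc)
        if cross_origin and not _attr(attrs, "integrity"):
            findings.append("external script without integrity attribute: %s" % src)

    # 3. Referrer policy: absent or permissive means the full URL leaks cross-origin
    rp = headers.get("Referrer-Policy", "").strip().lower()
    if rp not in RESTRICTIVE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or permissive: %r" % rp)

    # 4. CSP: present, no inline/wildcard scripts, and reporting enabled
    csp_value = headers.get("Content-Security-Policy")
    if csp_value is None:
        findings.append("CSP header missing")
    else:
        csp = parse_csp(csp_value)
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP allows inline or wildcard scripts")
        if "report-uri" not in csp and "report-to" not in csp:
            findings.append("CSP has no report-uri, violations will go unnoticed")

    # 5. Mixed content: an http:// subresource (src attributes only) inside an HTTPS page
    if page.scheme == "https":
        for m in re.finditer(r'\bsrc\s*=\s*["\'](http://[^"\']+)', html, re.IGNORECASE):
            findings.append("mixed content: %s" % m.group(1))

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_HTML, PAGE_URL):
        print("-", finding)
```

On the constructed sample this reports three findings: the analytics script lacks an integrity attribute, no Referrer-Policy is set, and the logo is loaded over plain HTTP. Adding `Referrer-Policy: strict-origin-when-cross-origin`, an `integrity` attribute on the second script, and an https:// image URL brings the list to empty. The HTML scan is regex-based on purpose, to keep the example dependency-free; for real pages an HTML parser is the safer choice.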