
Security and Privacy on the Web in 2016

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up (e.g. Referrer Policy, Subresource Integrity).

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2016. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking.

This talk will introduce developers to the security features of the web platform they can use today and show end-users how they can harden their Firefox browser.

https://www.linuxfestnorthwest.org/2016/sessions/security-and-privacy-web-2016

Francois Marier

April 24, 2016

Transcript

  1-3. Safe Browsing lookups (built up over three slides):
       pre-downloaded list of URL hash prefixes, updated every 30 minutes
       server completions requested on a prefix hit (with noise entries)
       separate cookie jar
       list entries expire after 45 minutes
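The lookup flow on slides 1-3, modelled end to end as an added example (not Mozilla's or Google's code). It assumes a simplified canonicalisation (lowercase host plus path; the real protocol derives several host/path expressions per URL), a constructed stand-in for the completion server, and the two intervals quoted on the slides; the sample URLs and list contents are constructed. The point it shows that the slides only state: a prefix hit is not a verdict, it only triggers a padded completion request, and the answer is cached for 45 minutes.

```python
import hashlib
import random
import time
from urllib.parse import urlsplit

PREFIX_LEN = 4            # bytes of the SHA-256 digest kept in the local list
COMPLETION_TTL = 45 * 60  # slide 3: completions expire after 45 minutes
NOISE_PREFIXES = 2        # extra prefixes sent with the real one (the slides' "noise entries")


def canonical_expression(url):
    """Lowercase host plus path, without query or fragment. Simplified: the real
    protocol derives several host/path expressions per URL and checks each."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "") + (parts.path or "/")


def full_hash(url):
    return hashlib.sha256(canonical_expression(url).encode()).digest()


def prefix_of(url):
    return full_hash(url)[:PREFIX_LEN]


class FakeCompletionServer:
    """Constructed stand-in for the Safe Browsing server: given a set of prefixes,
    returns every full hash it knows that starts with one of them."""

    def __init__(self, bad_urls):
        self.full_hashes = {full_hash(u) for u in bad_urls}
        self.requests = []  # recorded so the example can show what the server learns

    def complete(self, prefixes):
        self.requests.append(set(prefixes))
        return {h for h in self.full_hashes if h[:PREFIX_LEN] in prefixes}


class SafeBrowsingClient:
    def __init__(self, server, local_prefixes, clock=time.time):
        self.server = server
        self.prefixes = set(local_prefixes)  # pre-downloaded list (slide 1: refreshed every 30 minutes)
        self.cache = {}                      # prefix -> (expiry time, full hashes returned for it)
        self.clock = clock

    def _completions(self, prefix):
        now = self.clock()
        entry = self.cache.get(prefix)
        if entry is not None and entry[0] > now:
            return entry[1]
        # Pad the request with other prefixes from the local list so the server
        # cannot tell which one was actually visited.
        others = list(self.prefixes - {prefix})
        noise = random.sample(others, min(NOISE_PREFIXES, len(others)))
        answer = self.server.complete({prefix, *noise})
        hashes = {h for h in answer if h.startswith(prefix)}
        self.cache[prefix] = (now + COMPLETION_TTL, hashes)
        return hashes

    def is_dangerous(self, url):
        h = full_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.prefixes:
            return False  # common case: answered locally, nothing leaves the machine
        # Prefix hit: only a full-hash match from the completion server is a verdict.
        return h in self._completions(prefix)


# Constructed sample data. BENIGN_PREFIX_HIT is placed on the local list by prefix
# only, to show that a prefix hit causes a lookup but is not itself a block.
BAD_URLS = ["http://malware.example/payload.exe", "http://phish.example/login"]
BENIGN_PREFIX_HIT = "http://news.example/"


def build_demo(clock=time.time):
    server = FakeCompletionServer(BAD_URLS)
    local_list = [prefix_of(u) for u in BAD_URLS + [BENIGN_PREFIX_HIT]]
    return server, SafeBrowsingClient(server, local_list, clock)


if __name__ == "__main__":
    server, client = build_demo()
    for url in BAD_URLS + [BENIGN_PREFIX_HIT, "http://example.org/"]:
        print(url, "->", "BLOCK" if client.is_dangerous(url) else "allow")
    print("completion requests sent:", len(server.requests))
```

Passing a fake clock into build_demo makes the 45-minute expiry testable without waiting; the separate cookie jar from slide 2 is outside this model, since it concerns the HTTP client used for the completion request rather than the lookup logic.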
  4-6. Download protection checks (built up over three slides):
       is it on the pre-downloaded list of dangerous hosts?
       is it signed by a known good software provider?
       is it an executable file (.exe, .com, .pif, .dmg, etc.)?
       what does the apprep (application reputation) server think about it?
  7. $ curl -i https://bank.com
     HTTP/1.1 200 OK
     Cache-Control: private
     Content-Type: text/html; charset=utf-8
     Strict-Transport-Security: max-age=31536000
     ...
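A small checker for the header shown on slide 7, added here as an example (not from the talk or from Mozilla). It parses a `curl -i` transcript, reads the Strict-Transport-Security directives defined in RFC 6797, and reports what the slide's header does and does not give you: a one-year max-age, but no includeSubDomains and no preload. The function names and the reproduced response are constructed for this example.

```python
ONE_YEAR = 365 * 24 * 3600  # 31536000, the max-age value on the slide


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            # RFC 6797 allows each directive at most once in a header field
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"')
    return directives


def headers_from_curl_output(text):
    """Turn the raw output of `curl -i` (status line, then headers) into a dict
    keyed by lowercase header name. Stops at the blank line before the body."""
    headers = {}
    lines = text.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def assess_hsts(headers):
    """Return (enforced_for_a_year, findings) for lowercase-keyed response headers."""
    value = headers.get("strict-transport-security")
    if value is None:
        return False, ["no Strict-Transport-Security header: browsers keep accepting http://"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return False, [f"invalid header ({exc}): browsers ignore it"]
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        return False, ["max-age missing or not a number: browsers ignore the header"]
    age = int(max_age)
    findings = []
    if age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif age < ONE_YEAR:
        findings.append(f"max-age={age} is shorter than the one year (31536000) shown on the slide")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains are still reachable over plain HTTP")
    if "preload" not in d:
        findings.append("preload absent: the very first visit is unprotected until the header has been seen")
    return age >= ONE_YEAR, findings


# The response from the slide, reproduced here as constructed sample input.
SLIDE_OUTPUT = """HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
"""

if __name__ == "__main__":
    ok, findings = assess_hsts(headers_from_curl_output(SLIDE_OUTPUT))
    print("HSTS enforced for a year:", ok)
    for finding in findings:
        print(" -", finding)
```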
  8. “If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” -Bruce Schneier
  9. RC4

  10. Tracking Protection decision:
      1. is this resource coming from a third-party server?
      2. is it on Disconnect's list of trackers?
      3. is it actually a third-party or does it belong to the same org?
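The three questions on slide 10 as a decision function, added as an example (not Firefox's implementation). The blocklist and the entity map that says which domains belong to one organisation are constructed stand-ins for Disconnect's published data, and the registrable-domain rule is a naive last-two-labels version of what a real implementation does with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for the two data sources the decision needs: a tracker
# blocklist (Disconnect publishes the real one) and an entity map that says
# which domains belong to the same organisation.
TRACKER_DOMAINS = {"tracker.example", "ads.example", "socialnet-static.example"}
ENTITY_MAP = {
    "SocialNet Inc": {"socialnet.example", "socialnet-static.example"},
}


def base_domain(host):
    """Naive registrable domain (last two labels). A real implementation consults
    the Public Suffix List so that e.g. hosts under .co.uk are handled correctly."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def matches(host, domain):
    """True when host is domain itself or any subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def owner_of(host):
    for org, domains in ENTITY_MAP.items():
        if any(matches(host, d) for d in domains):
            return org
    return None


def should_block(page_url, resource_url):
    """Apply the slide's three questions in order; returns (block?, reason)."""
    page_host = urlsplit(page_url).hostname or ""
    res_host = urlsplit(resource_url).hostname or ""
    # 1. Is the resource coming from a third-party server?
    if base_domain(page_host) == base_domain(res_host):
        return False, "first-party"
    # 2. Is it on the tracker list?
    if not any(matches(res_host, d) for d in TRACKER_DOMAINS):
        return False, "not on the tracker list"
    # 3. Is it really third-party, or does it belong to the same organisation?
    page_org, res_org = owner_of(page_host), owner_of(res_host)
    if page_org is not None and page_org == res_org:
        return False, f"same organisation ({page_org})"
    return True, "third-party tracker"


if __name__ == "__main__":
    page = "http://news.example/story"
    for res in ["http://static.news.example/app.js",
                "http://tracker.example/pixel.gif",
                "http://socialnet-static.example/like.js",
                "http://fonts.example/a.woff"]:
        print(res, "->", should_block(page, res))
    print(should_block("http://socialnet.example/feed", "http://socialnet-static.example/like.js"))
```

The third question is the one that keeps the heuristic usable: the same resource is blocked on an unrelated news site but allowed on the organisation's own site, where it is not tracking anyone across sites.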
  11. http://example.com/search?q=serious+medical+condition
      Click here for the cheapest insurance around!
      (the rest of the slide is placeholder body text)
  12. Firefox about:config settings:
      network.cookie.lifetimePolicy = 3
      network.cookie.lifetime.days = 5
      network.cookie.thirdparty.sessionOnly = true
      network.http.referer.spoofSource = true
      privacy.trackingprotection.enabled = true
      security.pki.sha1_enforcement_level = 2
      security.ssl.errorReporting.automatic = true
      Install the EFF's HTTPS Everywhere add-on
  13. Use SRI for your external scripts
      Set a more restrictive Referrer policy
      Consider enabling CSP
      Watch out for mixed content
      Test your site with Tracking Protection
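For the first item on slide 13, an added example (not the talk's code) of what "use SRI" means in practice on both sides: generating the integrity attribute for a script you embed, and the browser-side rule for checking it, where the strongest listed algorithm wins and any matching token of that algorithm is enough. The script body and the function names are constructed for the example.

```python
import base64
import hashlib

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the algorithms SRI defines


def sri_integrity(data, algorithm="sha384"):
    """Integrity token for a script or stylesheet body: '<alg>-<base64 digest>'."""
    if algorithm not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, data, algorithm="sha384"):
    """The tag to publish. crossorigin is required for cross-origin scripts so
    the browser is allowed to read the response it is about to hash."""
    return (f'<script src="{src}" integrity="{sri_integrity(data, algorithm)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(data, integrity):
    """Model of the browser-side check: keep the tokens that use the strongest
    recognised algorithm, and the fetched body must match any one of them.
    Tokens with unknown algorithms are ignored; if nothing recognisable is
    left, the SRI spec treats the resource as matching."""
    tokens = []
    for tok in integrity.split():
        alg, _, rest = tok.partition("-")
        alg = alg.lower()
        if alg in STRENGTH:
            tokens.append((alg, rest.split("?", 1)[0]))  # drop any option string
    if not tokens:
        return True
    strongest = max(STRENGTH[a] for a, _ in tokens)
    alg = next(a for a, s in STRENGTH.items() if s == strongest)
    actual = sri_integrity(data, alg).split("-", 1)[1]
    return any(b == actual for a, b in tokens if a == alg)


# Constructed sample: a script body as served by a CDN, and a modified copy.
SCRIPT = b"window.greet = function () { return 'hello'; };\n"
TAMPERED = SCRIPT.replace(b"hello", b"hullo")

if __name__ == "__main__":
    print(script_tag("https://cdn.example/app.js", SCRIPT))
    tok = sri_integrity(SCRIPT)
    print("served body verifies:", verify_sri(SCRIPT, tok))
    print("modified body verifies:", verify_sri(TAMPERED, tok))
```

Regenerate the token whenever the file changes; an integrity value that no longer matches makes the browser refuse to execute the script, which is the point, but it also means the attribute has to be part of your deployment pipeline rather than set by hand once.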
  14. Enable HTTPS and HSTS on all your sites
      Use our recommended TLS config
      Test your site periodically using SSL Labs
  15. Questions?
      feedback: [email protected]  mozilla.dev.security  [email protected]
      © 2016 François Marier <[email protected]>
      This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.