Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening the Web Platform - AppSec EU, 2016

Mike West
PRO
July 01, 2016
Technology
5
1.4k

Hardening the Web Platform - AppSec EU, 2016

Like every large software project, browsers are accidentally broken. But put these unintentional bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren’t safe, because from a security perspective the internet is in many ways broken by design.

Let’s talk about how we’re beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down even further.

Mike West
PRO

July 01, 2016
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
100
Isolation by Default
mikewest
PRO
0
1.8k
The Web We Can Ship
mikewest
PRO
0
450
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.8k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
160
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
410
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
110
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
900
BSides Munich
mikewest
PRO
0
320

Other Decks in Technology

See All in Technology
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
180
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
150
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
130
複雑なState管理からの脱却
sansantech
PRO
1
150
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
170
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
180
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1.3k
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
160

Featured

See All Featured
Building an army of robots
kneath
302
43k
Why Our Code Smells
bkeepers
PRO
334
57k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
What's in a price? How to price your products and services
michaelherold
243
12k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
The Language of Interfaces
destraynor
154
24k
RailsConf 2023
tenderlove
29
900
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Become a Pro
speakerdeck
PRO
25
5k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
97

Transcript

  1. Mike West, @mikewest, [email protected] https://goo.gl/YyrmXp Hardening the Web Platform

  2. None
  3. None
  4. None
  5. None

  6. https://goo.gl/MycPb7

  7. "Sharpening", https://flic.kr/p/sbo18H

  8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  10. None

  11. https://letsencrypt.org/

  12. https://goo.gl/1r7oNF https://goo.gl/nzbqQo

  13. Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us

  14. Content-Security-Policy: upgrade-insecure-requests https://goo.gl/hcin3m

  15. https://goo.gl/rStTGz

  16. AppCache getUserMedia crypto.subtle.* ServiceWorker navigator.credentials navigator.geolocation PaymentRequest EME https://goo.gl/rStTGz

  17. https://goo.gl/gF2clJ

  18. https://goo.gl/Kd2eMQ

  19. https://goo.gl/Wwpnjw https://goo.gl/fzVgNt

  20. 127.0.0.1 192.168.1.1 192.220.74.179 https://goo.gl/Wwpnjw

  21. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  22. https://goo.gl/Wamh7S

  23. "Making CSP Great Again", https://goo.gl/74D8i5 default-src 'none'; base-uri 'self'; block-all-mixed-content;

    child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status. github.com api.github.com www.google-analytics.com github-cloud.s3. amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form- action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *. gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script- src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

  24. https://goo.gl/lJq6jj https://goo.gl/GXob6d

  25. https://srihash.org/

  26. https://goo.gl/yxEJiO https://goo.gl/IrPX7b

  27. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

  28. ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/ ✘ Set-Cookie: __Host-SID=12345 ✘ Set-Cookie:

    __Host-SID=12345; Secure ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/ ✘ Set-Cookie: __Host-SID=12345; Domain=example.com ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/ ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/ ✘ Set-Cookie: __Secure-SID=12345; Secure; ✘ Set-Cookie: __Secure-SID=12345

  29. https://goo.gl/FHAeAm

  30. Credential Management API @ I/O: https://goo.gl/FbrO5x navigator.credentials.get({ "password": true, "unmediated":

    true }) .then(c => { if (!c) return; // Hooray, we have a credential! signInToYourApplication(c); });

  31. Credential Management API @ I/O: https://goo.gl/FbrO5x function signInToYourApplication(c) { fetch("/signin",

    { "method": "POST", "credentials": c }) .then(r => { if (r.status == 200) { renderSignedInExperience(r); // or: window.location = "/signedin"; } else { renderUsefulErrorMessage(); } }); }

  32. https://goo.gl/M5yVrc

  33. https://goo.gl/eZ9SKg

  34. scheme://host:port

  35. scheme://host:port scheme://sub1_host:port scheme://sub2_host:port

  36. None

  37. Thank you! https://goo.gl/YyrmXp @mikewest [email protected]