Browser security — ROOTS
Lightning speech on Browser security at the ROOTS conference 2012

    Presentation Transcript

    • Slide 1: The browser - your best friend and worst enemy. Roots Conference, Bergen, 23 May 2011. André N. Klingsheim, IT security specialist, PhD
    • Slide 2: Lightning overview
      – How important is browser security?
      – Security challenges
      – Modern security features
    • Slide 3: Why the web «works»
      – Same-origin policy: isolates websites. It is the reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser. We have to fully trust the browser to enforce this.
      – SSL/TLS: secure communication (website authentication, generating secure keys, choosing crypto, ...)
    • Slide 4: The browser is your enemy: MODERN SECURITY CHALLENGES
    • Slide 5: Man-in-the-browser
      – Malicious code running in the browser: the friendly browser suddenly becomes evil
      – How did the man get in the browser?!? See http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
    • Slide 6: The browser is your friend: MODERN SECURITY FEATURES
    • Slide 7: Working alone
      – Google Chrome sandboxing: the rendering process is sandboxed; sandboxing underway for the Flash and PDF plugins
      – Internet Explorer 9 tab isolation: pinned sites load in an isolated process
      – Goal: minimize the damage caused by a compromise
    • Slide 8: Working for the website
      – Special treatment for cookies: secure, httpOnly
      – A website can include «security» headers in the HTTP response; these trigger security features in the browser and are «invisible» to the user
      – Headers coming up!
    • Slide 9: STS HTTP header
    • Slide 10: X-Frame-Options HTTP header
    • Slide 11: Compensating for website security bugs: security features designed to detect and/or prevent webapp security holes
    • Slide 12: X-Content-Type-Options HTTP header
    • Slide 13: X-XSS-Protection HTTP header
    • Slide 14: X-Content-Security-Policy HTTP header
      – Firefox Content Security Policy: blocks inline scripts on the webpage, blocks code creation from strings (eval()), prevents XSS
    • Slide 15: References
      – http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
      – https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
      – Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
      – https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
      – X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
      – Not a complete list, so remember: Google is your friend
    • Slide 16: Thank you!
      – Find me online: andre.klingsheim (at) skandiabanken (dot) no; blog: www.dotnetnoob.com; Twitter: @klingsen
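An added example, not from the talk: a small Python audit that parses a constructed HTTP response and reports which of the protections named on slides 8 to 14 are missing or weakened (HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, the secure/httpOnly cookie flags, and a CSP that still permits inline scripts or eval()). The response text and the finding messages are constructed for illustration.

```python
# Constructed sample (not from a real site): the prefs cookie lacks HttpOnly and the CSP allows inline script.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Secure\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw: str) -> tuple[dict[str, str], list[str]]:
    """Lower-cased header map plus every Set-Cookie value (that header may repeat)."""
    headers, cookies = {}, []
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookies.append(value.strip())
        else:
            headers[name.strip().lower()] = value.strip()
    return headers, cookies

def audit(raw: str) -> list[str]:
    """One finding per missing or weak browser-side protection; [] means all checks passed."""
    h, cookies = parse_headers(raw)
    findings: list[str] = []
    if "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security header (HSTS); assumes an HTTPS site")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (page can be framed)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff (MIME sniffing allowed)")
    if "x-xss-protection" not in h:
        findings.append("no X-XSS-Protection header (legacy IE filter)")
    csp = h.get("content-security-policy", h.get("x-content-security-policy"))
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:  # the deck's point: CSP should block inline scripts and eval()
        src = {d.split()[0]: d for d in (x.strip() for x in csp.split(";")) if d}
        script = src.get("script-src", src.get("default-src", ""))
        findings += [f"CSP allows {k} for scripts" for k in ("'unsafe-inline'", "'unsafe-eval'") if k in script]
    for c in cookies:  # every cookie should carry both flags from slide 8
        flags = {p.strip().lower() for p in c.split(";")[1:]}
        findings += [f"cookie {c.split('=', 1)[0]!r} lacks {flag}" for flag in ("secure", "httponly") if flag not in flags]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RESPONSE)) or "all checks passed")
```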