Browser security — ROOTS

Published on

Lightning speech on Browser security at the ROOTS conference 2012

Published in: Technology

Transcript

  • 1. The browser - your best friend and worst enemy
    Roots Conference Bergen, 23 May 2011
    André N. Klingsheim, IT security specialist, PhD
  • 2. Lightning overview
    • How important is browser security?
    • Security challenges
    • Modern security features
  • 3. Why the web «works»
    • Same-origin policy
      – Isolates websites
      – The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser
      – We have to fully trust the browser to enforce this
    • SSL/TLS
      – Secure communication: website authentication, generate secure keys, choose crypto...
  • 4. The browser is your enemy: MODERN SECURITY CHALLENGES
  • 5. Man-in-the-browser
    How did the man get in the browser?!?
    • Malicious code running in browser
      – The friendly browser suddenly becomes evil
    http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
  • 6. The browser is your friend: MODERN SECURITY FEATURES
  • 7. Working alone
    • Google Chrome sandboxing
      – Rendering process
      – Sandboxing underway for Flash and PDF plugins
    • Internet Explorer 9 tab isolation
      – Pinned sites load in isolated process
    • Minimize damage caused by a compromise
  • 8. Working for the website
    • Special treatment for cookies: secure, httpOnly
    • Website can include «security» headers in HTTP response
    • Triggers security features in browser
    • «Invisible» to user
    • Headers coming up!
  • 9. STS HTTP header
  • 10. X-Frame-Options HTTP header
  • 11. Compensating for website security bugs
    • Security features designed to detect and/or prevent webapp security holes
  • 12. X-Content-Type-Options HTTP header
  • 13. X-XSS-Protection HTTP header
  • 14. X-Content-Security-Policy HTTP header
    • Firefox Content Security Policy
      – Block inline scripts on webpage
      – Block code creation from strings (eval())
      – Prevents XSS
  • 15. References
    • http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
    • https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
    • Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
    • https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
    • X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
    • Not a complete list so remember: Google is your friend
  • 16. Thank you!
    • Find me online:
      – andre.klingsheim (at) skandiabanken (dot) no
      – Blog: www.dotnetnoob.com
      – Twitter: @klingsen
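Slides 8 through 14 list the response headers and cookie attributes a website can send to switch on these browser-side features. The following Python script is an added example, not code from the slides or from the speaker: it audits a captured set of response headers for Strict-Transport-Security (a positive max-age), X-Frame-Options, X-Content-Type-Options, the legacy X-XSS-Protection, a Content Security Policy whose script sources do not re-enable inline scripts or eval(), and Secure/HttpOnly on every Set-Cookie. It accepts the standard Content-Security-Policy header name as well as the Firefox-era X-Content-Security-Policy named on slide 14; both sample responses are constructed.

```python
"""Audit HTTP response headers for the browser security features the talk
lists. Added example, not from the slides; sample responses are constructed."""
from typing import Dict, List, Tuple

# Set-Cookie may repeat, so a response is modelled as (name, value) pairs.
Headers = List[Tuple[str, str]]


def _values(headers: Headers, name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _directives(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def _csp_directives(value: str) -> Dict[str, List[str]]:
    """\"default-src 'self'; script-src 'self' cdn\" -> directive name -> source list."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: Headers) -> List[str]:
    """Return findings for missing or weak headers; [] means nothing to report."""
    findings: List[str] = []

    # STS: browser enforces HTTPS for max-age seconds; needs a positive max-age.
    hsts = _values(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = _directives(hsts[0]).get("max-age", "0")
        if not max_age.isdigit() or int(max_age) <= 0:
            findings.append("Strict-Transport-Security has no positive max-age")

    # X-Frame-Options: stops the page being framed by other sites (clickjacking).
    xfo = _values(headers, "X-Frame-Options")
    if not xfo:
        findings.append("missing X-Frame-Options (clickjacking)")
    elif xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo[0]!r}")

    # X-Content-Type-Options: nosniff stops the browser second-guessing Content-Type.
    xcto = _values(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing)")

    # X-XSS-Protection: IE8-era reflected-XSS filter; current browsers ignore it.
    if not _values(headers, "X-XSS-Protection"):
        findings.append("missing X-XSS-Protection (legacy filter)")

    # CSP: the talk names Firefox's X-Content-Security-Policy; the standard
    # header is Content-Security-Policy. Accept either, then check that the
    # effective script source list does not re-enable inline scripts or eval().
    csp = _values(headers, "Content-Security-Policy") or _values(headers, "X-Content-Security-Policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        policy = _csp_directives(csp[0])
        script = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:
                findings.append(f"script-src allows {weak}")

    # Cookies: Secure keeps them off plain HTTP, HttpOnly keeps them from script.
    for cookie in _values(headers, "Set-Cookie"):
        attrs = _directives(cookie)
        name = cookie.split("=", 1)[0].strip()
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly (readable by script)")
    return findings


# Constructed sample: no protective headers, a permissive CSP, a bare cookie.
WEAK_RESPONSE: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Content-Security-Policy", "default-src 'self' 'unsafe-inline'"),
]

# Constructed sample: the same response with the talk's features switched on.
HARDENED_RESPONSE: Headers = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or ["ok"])
```

Running the script reports seven findings for the weak response and none for the hardened one. The CSP check falls back to default-src when script-src is absent, which is the fallback a browser applies, so a permissive default-src is caught even when no script-src is declared.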
