Browser security — ROOTS

The browser -your best friend and worst enemyRoots Conference Bergen 23. May 2011André N.KlingsheimIT security specialist, PhD

Lightning overview• How important is browser security?• Security challenges• Modern security features 2

Why the web «works»• Same-origin policy – Isolates websites – The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser – We have to fully trust the browser to enforce this• SSL/TLS – Secure communication: website authentication, generate secure keys, choose crypto... 3

The browser is your enemy:MODERN SECURITYCHALLENGES 4

Man-in-the browserHow did the man get in the • Malicious code running inbrowser?!? browserhttp://googlechromereleases.blogspot.com/2011/04/stable-channel- – The friendly browserupdate.html suddenly becomes evil 5

The browser is your friend:MODERN SECURITY FEATURES 6

Working alone• Google Chrome sandboxing – Rendering process – Sandboxing underway for Flash and PDF plugins• Internet Explorer 9 tab isolation – Pinned sites load in isolated process• Minimize damage caused by a compromize 7

Working for the website• Special treatment for cookies: secure, httpOnly• Website can include «security» headers in HTTP response• Triggers security features in browser• «Invisible» to user• Headers coming up! 8

STS HTTP-header 9

X-Frame-Options HTTP header 10

Compensating for website security bugs• Security features designed to detect and/or prevent webapp security holes 11

X-Content-Type-Options HTTP header 12

X-XSS-Protection HTTP header 13

X-Content-Security-Policy HTTP header• Firefox Content Security Policy – Block inline scripts on webpage – Block code creation for strings (eval()) – Prevents XSS 14

References• http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html• https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet• Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx• https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior• X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace• Not a complete list so remember: Google is your friend 15

Thank you!• Find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: www.dotnetnoob.com – Twitter: @klingsen 16

Browser security — ROOTS

by Andre N. Klingsheim

Accessibility

Categories

Upload Details

Usage Rights

Statistics