Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security and Privacy on the Web in 2016

494 views

Published on

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up (e.g. Referrer Policy, Subresource Integrity).

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2016. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking.

This talk will introduce developers to the security features of the web platform they can use today and show end-users how they can harden their Firefox browser.

https://www.linuxfestnorthwest.org/2016/sessions/security-and-privacy-web-2016

Published in: Internet
  • Be the first to comment

Security and Privacy on the Web in 2016

  1. 1. Security and Privacy on the Web in 2016 François Marier @fmarier mozilla
  2. 2. Security and Privacy for users, sysadmins and developers
  3. 3. security
  4. 4. security for users
  5. 5. Safe Browsing
  6. 6. pre-downloaded URL hash prefixes
  7. 7. pre-downloaded URL hash prefixes list updated every 30 minutes
  8. 8. pre-downloaded URL hash prefixes list updated every 30 minutes server completions on prefix hit (with noise entries)
  9. 9. pre-downloaded URL hash prefixes list updated every 30 minutes server completions on prefix hit (with noise entries) separate cookie jar
  10. 10. pre-downloaded URL hash prefixes list updated every 30 minutes server completions on prefix hit (with noise entries) separate cookie jar list entries expire after 45 minutes
  11. 11. about:config browser.safebrowsing.enabled (phishing) browser.safebrowsing.malware.enabled (malware)
  12. 12. Download Protection
  13. 13. is it on the pre-downloaded list of dangerous hosts?
  14. 14. is it on the pre-downloaded list of dangerous hosts? is it signed by a known good software provider?
  15. 15. is it on the pre-downloaded list of dangerous hosts? is it signed by a known good software provider? is it an executable file (.exe, .com, .pif, .dmg, etc.)?
  16. 16. is it on the pre-downloaded list of dangerous hosts? is it signed by a known good software provider? is it an executable file (.exe, .com, .pif, .dmg, etc.)? what does the apprep server think about it?
  17. 17. about:config browser.safebrowsing.downloads.remote.enabled browser.safebrowsing.downloads.remote.block_potentially_unwanted browser.safebrowsing.downloads.remote.block_uncommon
  18. 18. https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
  19. 19. security for developers
  20. 20. Content Security Policy aka CSP mechanism for preventing XSS
  21. 21. telling the browser what external content is allowed to load
  22. 22. Hi y'all<script> alert('p0wned'); </script>! Tweet! What's on your mind?
  23. 23. without CSP
  24. 24. Hi y'all! John Doe - just moments ago p0wned Ok
  25. 25. with CSP
  26. 26. Hi y'all! John Doe - just moments ago
  27. 27. Content-Security-Policy: script-src 'self' https://cdn.example.com
  28. 28. script-src object-src style-src img-src media-src frame-src font-src connect-src
  29. 29. Strict Transport Security aka HSTS mechanism for preventing HTTPS to HTTP downgrades
  30. 30. telling the browser that your site should never be reached over HTTP
  31. 31. GET bank.com 301→ GET https://bank.com 200→ no HSTS, no sslstrip
  32. 32. GET bank.com → 200 no HSTS, with sslstrip
  33. 33. what does HSTS look like?
  34. 34. $ curl -i https://bank.com HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 ...
  35. 35. with HSTS, with sslstrip GET https://bank.com 200→
  36. 36. no HTTP traffic for sslstrip to tamper with
  37. 37. https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js
  38. 38. what would happen if that server were compromised?
  39. 39. Bad Things™ steal sessions leak confidential data redirect to phishing sites enlist DDoS zombies
  40. 40. simple solution
  41. 41. instead of this: <script src=”https://ajax.googleapis.com...”>
  42. 42. <script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”> do this:
  43. 43. guarantee: script won't change or it'll be blocked
  44. 44. security for sysadmins
  45. 45. HTTPS
  46. 46. if you're not using it, now is the time to start :)
  47. 47. mass surveillance of all Internet traffic is no longer theoretical
  48. 48. strong encryption of all Internet traffic is no longer optional
  49. 49. “If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” -Bruce Schneier
  50. 50. $ apt-get install letsencrypt $ letsencrypt example.com
  51. 51. automatically prove domain ownership download a free-as-in-beer certificate monitor and renew it before it expires
  52. 52. automatically prove domain ownership download a free-as-in-beer certificate monitor and renew it before it expires
  53. 53. automatically prove domain ownership download a free-as-in-beer certificate monitor and renew it before it expires
  54. 54. HTTPS is not enough you need to do it properly
  55. 55. RC4
  56. 56. SHA-1 RC4
  57. 57. SHA-11024-bit certificates RC4
  58. 58. SHA-11024-bit certificates RC4 weak DH parameters
  59. 59. https://people.mozilla.org/~fmarier/mixed-content.html <html> <head> <script src="http://people.mozilla.org/~fmarier/mixed-content.js"> </script> </head> <body> <img src="http://fmarier.org/img/francois_marier.jpg"> </body> </html>
  60. 60. turn on full mixed-content blocking in development
  61. 61. privacy
  62. 62. privacy for users
  63. 63. about:config network.cookie.lifetimePolicy = 3 network.cookie.lifetime.days = 5 network.cookie.thirdparty.sessionOnly = true
  64. 64. https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
  65. 65. Tracking Protection
  66. 66. based on Safe Browsing pre-downloaded list of full hashes (no server lookups)
  67. 67. 1. is this resource coming from a third-party server? 2. is it on Disconnect's list of trackers? 3. is it actually a third-party or does it belong to the same org?
  68. 68. Q: What does it do? A: It blocks network loads!
  69. 69. No cookies No fingerprinting No wasted bandwidth No performance hit
  70. 70. about:config privacy.trackingprotection.pbmode.enabled
  71. 71. about:config privacy.trackingprotection.enabled
  72. 72. https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
  73. 73. privacy for developers
  74. 74. http://example.com/search?q=serious+medical+condition Click here for the cheapest insurance around! Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
  75. 75. No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
  76. 76. No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
  77. 77. No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
  78. 78. No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
  79. 79. No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
  80. 80. Referrer-Policy: origin <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">
  81. 81. Referrer-Policy: origin <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">
  82. 82. Referrer-Policy: origin <meta name="referrer" content="origin"> <a href="http://example.com" referrerPolicy="origin">
  83. 83. recommendations for users
  84. 84. network.cookie.lifetimePolicy = 3 network.cookie.lifetime.days = 5 network.cookie.thirdparty.sessionOnly = true network.http.referer.spoofSource = true privacy.trackingprotection.enabled = true security.pki.sha1_enforcement_level = 2 security.ssl.errorReporting.automatic = true Install the EFF's HTTPS Everywhere add-on
  85. 85. https://github.com/pyllyukko/user.js
  86. 86. recommendations for developers
  87. 87. Use SRI for your external scripts Set a more restrictive Referrer policy Consider enabling CSP Watch out for mixed content Test your site with Tracking Protection
  88. 88. recommendations for sysadmins
  89. 89. Enable HTTPS and HSTS on all your sites Use our recommended TLS config Test your site periodically using SSL Labs
  90. 90. Questions? feedback: francois@mozilla.com mozilla.dev.security public-webappsec@w3.org © 2016 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
  91. 91. photo credits: cookie: https://secure.flickr.com/photos/jamisonjudd/4810986199/ explosion: https://www.flickr.com/photos/-cavin-/2313239884/ snowden: https://www.flickr.com/photos/gageskidmore/16526354372

×