Browser security — ROOTS

  1. The browser - your best friend and worst enemy
     Roots Conference Bergen, 23 May 2011
     André N. Klingsheim, IT security specialist, PhD
  2. Lightning overview
     • How important is browser security?
     • Security challenges
     • Modern security features
  3. Why the web «works»
     • Same-origin policy
       – Isolates websites
       – The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser
       – We have to fully trust the browser to enforce this
     • SSL/TLS
       – Secure communication: website authentication, generate secure keys, choose crypto...
  4. The browser is your enemy: MODERN SECURITY CHALLENGES
  5. Man-in-the-browser
     • Malicious code running in the browser
       – The friendly browser suddenly becomes evil
     How did the man get in the browser?!? http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
  6. The browser is your friend: MODERN SECURITY FEATURES
  7. Working alone
     • Google Chrome sandboxing
       – Rendering process
       – Sandboxing underway for Flash and PDF plugins
     • Internet Explorer 9 tab isolation
       – Pinned sites load in an isolated process
     • Minimize damage caused by a compromise
  8. Working for the website
     • Special treatment for cookies: secure, httpOnly
     • Website can include «security» headers in the HTTP response
     • Triggers security features in the browser
     • «Invisible» to the user
     • Headers coming up!
  9. STS HTTP header
  10. X-Frame-Options HTTP header
  11. Compensating for website security bugs
     • Security features designed to detect and/or prevent webapp security holes
  12. X-Content-Type-Options HTTP header
  13. X-XSS-Protection HTTP header
  14. X-Content-Security-Policy HTTP header
     • Firefox Content Security Policy
       – Block inline scripts on the webpage
       – Block code creation from strings (eval())
       – Prevents XSS
  15. References
     • http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
     • https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
     • Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
     • https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
     • X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
     • Not a complete list, so remember: Google is your friend
  16. Thank you!
     • Find me online:
       – andre.klingsheim (at) skandiabanken (dot) no
       – Blog: www.dotnetnoob.com
       – Twitter: @klingsen
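The cookie flags and response headers from slides 8 to 14 can be checked mechanically on a server's responses. The audit function below is an added example, not code from the talk; the headers it inspects are a constructed sample with deliberate weaknesses, and the pass criteria it applies (a non-zero STS max-age, X-Frame-Options DENY or SAMEORIGIN, nosniff, an enabled XSS filter, a CSP without 'unsafe-inline' or 'unsafe-eval', Secure and HttpOnly on every cookie) are my assumptions rather than anything the slides prescribe.

```python
import re
from typing import Dict, List, Union

# Constructed sample response (not captured from any real site): several of the
# headers from the slides are present but weakly configured, so the audit has
# something to report.
SAMPLE_RESPONSE: Dict[str, Union[str, List[str]]] = {
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1",
    "X-Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Set-Cookie": ["session=abc; Path=/; HttpOnly", "pref=1; Path=/"],
}


def audit_headers(headers: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Return one finding per weak or missing browser-security header.
    Header names are matched case-insensitively; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("STS: header missing, browser will not insist on HTTPS")
    else:  # max-age=0 tells the browser to forget the policy, so treat it as absent
        m = re.search(r"max-age=(\d+)", str(sts), re.I)
        if not m or int(m.group(1)) == 0:
            findings.append("STS: max-age is 0 or absent, policy is not retained")

    if str(h.get("x-frame-options", "")).strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: not DENY/SAMEORIGIN, page can be framed")

    if str(h.get("x-content-type-options", "")).strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set, MIME sniffing allowed")

    if not str(h.get("x-xss-protection", "")).strip().startswith("1"):
        findings.append("X-XSS-Protection: filter disabled or not set")

    # Accept the standard name as well as the Firefox prefix used on slide 14.
    csp = h.get("content-security-policy") or h.get("x-content-security-policy")
    if csp is None:
        findings.append("CSP: no policy, inline scripts and eval() are allowed")
    else:
        for bad in ("'unsafe-inline'", "'unsafe-eval'"):
            if bad in str(csp):
                findings.append(f"CSP: {bad} re-enables what the policy should block")

    cookies = h.get("set-cookie", [])
    for c in ([cookies] if isinstance(cookies, str) else cookies):
        name, attrs = c.split("=", 1)[0], c.lower()
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"Cookie {name}: missing {flag} flag")
    return findings
```

Running `audit_headers(SAMPLE_RESPONSE)` yields six findings for the constructed sample; a response with a long max-age, DENY, nosniff, `1; mode=block`, a CSP without unsafe directives and fully flagged cookies yields none.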
