The browser -
your best friend and worst enemy
Roots Conference, Bergen, 23 May 2011
André N. Klingsheim
IT security specialist, PhD
Lightning overview
• How important is browser security?
• Security challenges
• Modern security features
Why the web «works»
• Same-origin policy
– Isolates websites
– The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser
– We have to fully trust the browser to enforce this
• SSL/TLS
– Secure communication: website authentication, generate secure keys, choose crypto...
Man-in-the-browser
• Malicious code running in the browser
– The friendly browser suddenly becomes evil
• How did the man get in the browser?!?
– http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
Working alone
• Google Chrome sandboxing
– Rendering process
– Sandboxing underway for Flash and PDF plugins
• Internet Explorer 9 tab isolation
– Pinned sites load in isolated process
• Minimize the damage caused by a compromise
Working for the website
• Special treatment for cookies: secure, httpOnly
• Website can include «security» headers in the HTTP response
• Triggers security features in browser
• «Invisible» to user
• Headers coming up!
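The cookie flags and response headers this slide refers to can be checked mechanically. The following is an added example, not from the slides: a small audit that parses Set-Cookie headers for the Secure and HttpOnly flags and looks for the security headers named in the references (Content-Security-Policy and X-XSS-Protection). The sample responses are constructed; the header list is an assumption of this example, not a complete hardening checklist.

```python
"""Audit a response for the browser-side protections the slides mention:
cookie flags (Secure, HttpOnly) and security headers. Added example,
not code from the talk; sample responses below are constructed."""

# Headers the slide references point to. Assumption: a real audit would
# carry a longer list; this example checks only these two.
EXPECTED_HEADERS = ("Content-Security-Policy", "X-XSS-Protection")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercased flags)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attributes may be bare (Secure) or key=value (Path=/); keep the key only.
    flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, flags


def audit_response(headers):
    """headers: list of (name, value) tuples as a response carries them
    (Set-Cookie may repeat). Returns a list of finding strings, empty if OK."""
    findings = []
    present = {n.lower() for n, _ in headers}
    for h in EXPECTED_HEADERS:
        if h.lower() not in present:
            findings.append(f"missing header: {h}")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, flags = parse_set_cookie(v)
        if "secure" not in flags:
            findings.append(f"cookie {cookie} lacks Secure (also sent over plain HTTP)")
        if "httponly" not in flags:
            findings.append(f"cookie {cookie} lacks HttpOnly (readable by page scripts)")
    return findings


# Constructed sample responses: the weak setting beside the corrected one.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-XSS-Protection", "1; mode=block"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp) or ["ok"])
```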
References
• Chrome stable channel update: http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
• Chromium security brag sheet: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
• Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
• CSP specification: https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
• X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
• Not a complete list so remember: Google is your friend
Thank you!
• Find me online:
– andre.klingsheim (at) skandiabanken (dot) no
– Blog: www.dotnetnoob.com
– Twitter: @klingsen