1.
The browser -
your best friend and worst enemy
Roots Conference, Bergen, 23 May 2011
André N. Klingsheim
IT security specialist, PhD
2.
Lightning overview
• How important is browser security?
• Security challenges
• Modern security features
3.
Why the web «works»
• Same-origin policy
– Isolates websites
– The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser
– We have to fully trust the browser to enforce this
• SSL/TLS
– Secure communication: website authentication, generate secure keys, choose crypto...
4.
The browser is your enemy:
MODERN SECURITY
CHALLENGES
5.
Man-in-the-browser
• Malicious code running in browser
– The friendly browser suddenly becomes evil
How did the man get in the browser?!?
http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
6.
The browser is your friend:
MODERN SECURITY FEATURES
7.
Working alone
• Google Chrome sandboxing
– Rendering process
– Sandboxing underway for Flash and PDF plugins
• Internet Explorer 9 tab isolation
– Pinned sites load in isolated process
• Minimize damage caused by a compromise
8.
Working for the website
• Special treatment for cookies: secure, httpOnly
• Website can include «security» headers in HTTP response
• Triggers security features in browser
• «Invisible» to user
• Headers coming up!
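Added example, not from the original slides: a small audit of a raw HTTP response for the features this slide lists (Secure/HttpOnly cookie flags and the security headers the deck's references point at). The sample response is constructed for illustration.

```python
# Added example, not from the slides: audit a raw HTTP response for slide 8's features.

def parse_response_head(raw):
    """Split a raw HTTP response into its status line and a list of
    (lowercase-name, value) header pairs; repeated headers are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_flags_missing(set_cookie_value):
    """Return (cookie name, missing attributes) for one Set-Cookie value.
    Attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, [a for a in ("secure", "httponly") if a not in attrs]


# Response headers the deck's references point at (CSP spec, X-XSS-Protection).
# X-XSS-Protection has since been dropped by modern browsers; CSP remains.
EXPECTED_HEADERS = ("content-security-policy", "x-xss-protection")


def audit_response(raw):
    """Report cookies lacking Secure/HttpOnly and security headers absent."""
    _, headers = parse_response_head(raw)
    present = {n for n, _ in headers}
    report = {"cookies": {}}
    for n, v in headers:
        if n == "set-cookie":
            cname, missing = cookie_flags_missing(v)
            report["cookies"][cname] = missing
    report["missing_headers"] = [h for h in EXPECTED_HEADERS if h not in present]
    return report


# Constructed sample response: one hardened cookie, one without flags, no CSP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)
```

Running `audit_response(SAMPLE_RESPONSE)` flags the `prefs` cookie as missing both attributes and reports Content-Security-Policy as absent.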
15.
References
• Chrome stable channel update (April 2011): http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
• Chromium security brag sheet: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
• Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
• CSP specification (user agent behavior): https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
• X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
• Not a complete list, so remember: Google is your friend
16.
Thank you!
• Find me online:
– andre.klingsheim (at) skandiabanken (dot) no
– Blog: www.dotnetnoob.com
– Twitter: @klingsen