Successfully reported this slideshow.

Browser security — ROOTS

2

Share

Apr. 24, 2012
2 likes 4,556 views
Upcoming SlideShare
Browser Security
Browser Security
Loading in …3
×
1 of 16
1 of 16

Browser security — ROOTS

Apr. 24, 2012
2 likes 4,556 views

2

Share

Download to read offline

Technology

Lightning speach on Browser security at the ROOTS conference 2012

Lightning speach on Browser security at the ROOTS conference 2012

Technology

Recommended

More Related Content

Viewers also liked

Intrusion tolerance
samuelrajueda
Googlechrome ppt
abshah37
Network Security
VIKAS SINGH BHADOURIA
Network Security
Manoj Singh
TOR NETWORK
Rishikese MR
FOR SCREEN BY ANURAG SINGH (8318130325)
anurag singh anu
E ball ppt
Mukesh Kumar
Web browser
Hardik Kakadiya
Blue Eyes Technology
Colloquium
Blue eye technology
krishnadeepika01
Compiler Design
Mir Majid
Smart Glass Technology by Kiran
Kiran
E-BALL TECHNOLOGY SEMINAR REPORT
Vikas Kumar

Similar to Browser security — ROOTS

Jinx - Malware 2.0
Itzik Kotler
ruxc0n 2012
mimeframe
PHP {in}security
Michael Clark
Browser Horror Stories
EC-Council
Tuenti: Web Application Security
Tuenti
Advanced Chrome extension exploitation
Krzysztof Kotowicz
Hardening Enterprise Apache
guestd9aa5
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
Attacking Web Proxies
InMobi Technology
Hacking intranet websites
shehab najjar
Evolving web security model v1.1 - Portland OWASP May 29 2014
imelven
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
Content Security Policies: Let's Break Stuff
Matt Brunt
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
WordPress Security 101 - Meetup Nairobi March 2020
stk_jj
W3C Content Security Policy
Markus Wichmann
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
Top 10 Web Hacks 2013
Matt Johansen
DEF CON 27 - ZHANG XIANGQIAN AND LIU HULMING - your secret files are mine
Felipe Prado

More from Andre N. Klingsheim

Federated and fabulous identity
Andre N. Klingsheim
Security "for free" through HTTP headers
Andre N. Klingsheim
Securing your web application through HTTP headers
Andre N. Klingsheim
Getting authentication right
Andre N. Klingsheim
Online banking trojans
Andre N. Klingsheim

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Island of the Lost: An Extraordinary Story of Survival at the Edge of the World Joan Druett
(4/5)
Free
Carrying the Fire: 50th Anniversary Edition Michael Collins
(4.5/5)
Free
Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate Rose George
(4/5)
Free
How to Lie with Maps, Third Edition Mark Monmonier
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free

Browser security — ROOTS

  1. 1. The browser - your best friend and worst enemy Roots Conference Bergen 23. May 2011 André N.Klingsheim IT security specialist, PhD
  2. 2. Lightning overview • How important is browser security? • Security challenges • Modern security features 2
  3. 3. Why the web «works» • Same-origin policy – Isolates websites – The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser – We have to fully trust the browser to enforce this • SSL/TLS – Secure communication: website authentication, generate secure keys, choose crypto... 3
  4. 4. The browser is your enemy: MODERN SECURITY CHALLENGES 4
  5. 5. Man-in-the browser How did the man get in the • Malicious code running in browser?!? browser http://googlechromereleases.blogspot. com/2011/04/stable-channel- – The friendly browser update.html suddenly becomes evil 5
  6. 6. The browser is your friend: MODERN SECURITY FEATURES 6
  7. 7. Working alone • Google Chrome sandboxing – Rendering process – Sandboxing underway for Flash and PDF plugins • Internet Explorer 9 tab isolation – Pinned sites load in isolated process • Minimize damage caused by a compromize 7
  8. 8. Working for the website • Special treatment for cookies: secure, httpOnly • Website can include «security» headers in HTTP response • Triggers security features in browser • «Invisible» to user • Headers coming up! 8
  9. 9. STS HTTP-header 9
  10. 10. X-Frame-Options HTTP header 10
  11. 11. Compensating for website security bugs • Security features designed to detect and/or prevent webapp security holes 11
  12. 12. X-Content-Type-Options HTTP header 12
  13. 13. X-XSS-Protection HTTP header 13
  14. 14. X-Content-Security-Policy HTTP header • Firefox Content Security Policy – Block inline scripts on webpage – Block code creation for strings (eval()) – Prevents XSS 14
  15. 15. References • http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html • https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet • Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx • https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior • X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace • Not a complete list so remember: Google is your friend 15
  16. 16. Thank you! • Find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: www.dotnetnoob.com – Twitter: @klingsen 16

×