Browser security — ROOTS

Lightning speech on Browser security at the ROOTS conference 2012

  1. The browser - your best friend and worst enemy
     Roots Conference Bergen, 23 May 2011
     André N. Klingsheim, IT security specialist, PhD
  2. Lightning overview
     • How important is browser security?
     • Security challenges
     • Modern security features
  3. Why the web «works»
     • Same-origin policy
       – Isolates websites
       – The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser
       – We have to fully trust the browser to enforce this
     • SSL/TLS
       – Secure communication: website authentication, generate secure keys, choose crypto...
  4. The browser is your enemy: MODERN SECURITY CHALLENGES
  5. Man-in-the-browser
     • How did the man get in the browser?!?
       http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
     • Malicious code running in browser
       – The friendly browser suddenly becomes evil
  6. The browser is your friend: MODERN SECURITY FEATURES
  7. Working alone
     • Google Chrome sandboxing
       – Rendering process
       – Sandboxing underway for Flash and PDF plugins
     • Internet Explorer 9 tab isolation
       – Pinned sites load in isolated process
     • Minimize damage caused by a compromise
  8. Working for the website
     • Special treatment for cookies: secure, httpOnly
     • Website can include «security» headers in HTTP response
     • Triggers security features in browser
     • «Invisible» to user
     • Headers coming up!
  9. STS HTTP header
  10. X-Frame-Options HTTP header
  11. Compensating for website security bugs
     • Security features designed to detect and/or prevent webapp security holes
  12. X-Content-Type-Options HTTP header
  13. X-XSS-Protection HTTP header
  14. X-Content-Security-Policy HTTP header
     • Firefox Content Security Policy
       – Block inline scripts on webpage
       – Block code creation from strings (eval())
       – Prevents XSS
  15. References
     • http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
     • https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
     • Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
     • https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
     • X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
     • Not a complete list so remember: Google is your friend
  16. Thank you!
     • Find me online:
       – andre.klingsheim (at) skandiabanken (dot) no
       – Blog: www.dotnetnoob.com
       – Twitter: @klingsen
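The cookie flags and response headers on slides 8 to 14 are only useful if the website actually sends them with sane values. The audit function below is an added example, not part of the talk, that checks a response's header list for each protection the slides name; the sample headers are constructed, and the second cookie deliberately lacks its flags so that a finding is produced.

```python
import re

# Constructed sample response headers (not from the slides); the second
# cookie deliberately lacks the Secure and HttpOnly flags.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]


def audit_headers(headers):
    """Return a list of problems; empty means every protection is present."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    def first(name):
        return by_name.get(name, [""])[0]

    problems = []
    # STS: the browser only honours the header with a positive max-age.
    m = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    if not m or int(m.group(1)) == 0:
        problems.append("Strict-Transport-Security missing or max-age=0")
    # Clickjacking defence: only DENY and SAMEORIGIN are accepted as safe here.
    if first("x-frame-options").upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options not DENY/SAMEORIGIN")
    # MIME sniffing: nosniff is the only defined value.
    if first("x-content-type-options").lower() != "nosniff":
        problems.append("X-Content-Type-Options is not nosniff")
    # Reflected-XSS filter: '0' disables it, '1; mode=block' is the strict form.
    if first("x-xss-protection").replace(" ", "").lower() != "1;mode=block":
        problems.append("X-XSS-Protection is not '1; mode=block'")
    # CSP: accept the standard name or Firefox's X- prefixed one from the slides.
    if not (first("content-security-policy") or first("x-content-security-policy")):
        problems.append("no Content-Security-Policy header")
    # Cookies: every Set-Cookie should carry both Secure and HttpOnly.
    for cookie in by_name.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            problems.append(f"cookie {cookie.split('=', 1)[0]!r} lacks {', '.join(missing)}")
    return problems
```

Run against the captured headers of a real deployment, the returned list is the to-do list for the web server configuration.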