
Browser security — ROOTS


Lightning speech on Browser security at the ROOTS conference 2012


  1. The browser - your best friend and worst enemy
     Roots Conference Bergen, 23. May 2011
     André N. Klingsheim, IT security specialist, PhD
  2. Lightning overview
     • How important is browser security?
     • Security challenges
     • Modern security features
  3. Why the web «works»
     • Same-origin policy
       – Isolates websites
       – The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser
       – We have to fully trust the browser to enforce this
     • SSL/TLS
       – Secure communication: website authentication, generate secure keys, choose crypto...
  4. The browser is your enemy: MODERN SECURITY CHALLENGES
  5. Man-in-the-browser
     • How did the man get in the browser?!?
       http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
     • Malicious code running in browser
       – The friendly browser suddenly becomes evil
  6. The browser is your friend: MODERN SECURITY FEATURES
  7. Working alone
     • Google Chrome sandboxing
       – Rendering process
       – Sandboxing underway for Flash and PDF plugins
     • Internet Explorer 9 tab isolation
       – Pinned sites load in isolated process
     • Minimize damage caused by a compromise
  8. Working for the website
     • Special treatment for cookies: secure, httpOnly
     • Website can include «security» headers in HTTP response
     • Triggers security features in browser
     • «Invisible» to user
     • Headers coming up!
  9. STS HTTP header
  10. X-Frame-Options HTTP header
  11. Compensating for website security bugs
     • Security features designed to detect and/or prevent webapp security holes
  12. X-Content-Type-Options HTTP header
  13. X-XSS-Protection HTTP header
  14. X-Content-Security-Policy HTTP header
     • Firefox Content Security Policy
       – Block inline scripts on webpage
       – Block code creation from strings (eval())
       – Prevents XSS
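Slides 8 to 14 list the response headers and cookie attributes a website can set to switch on browser-side protections. The following audit script is an added example, not part of the talk or any project it cites: it parses a raw HTTP response head and reports which of those headers are missing or set to values the browser would ignore, whether a Content-Security-Policy (checked under both the standard name and the X-Content-Security-Policy name from slide 14) still re-allows inline scripts or eval(), and whether each Set-Cookie carries the Secure and HttpOnly flags from slide 8. The two sample responses are constructed, and the "effective value" rules (a positive max-age for STS, DENY/SAMEORIGIN for X-Frame-Options, nosniff, a leading "1" for X-XSS-Protection) are the author's own minimum bar, not a normative list.

```python
"""Audit an HTTP response head for the browser security features named in the talk.

Added example; the sample responses are constructed, not captured from any real site.
"""
from typing import Callable, Dict, List, Tuple


def _sts_ok(value: str) -> bool:
    """Strict-Transport-Security only does anything with a positive max-age."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit() and int(val) > 0:
            return True
    return False


# header name -> (label for the report, predicate saying whether the value is effective)
CHECKS: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "strict-transport-security": ("STS", _sts_ok),
    "x-frame-options": ("X-Frame-Options",
                        lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"}),
    "x-content-type-options": ("X-Content-Type-Options",
                               lambda v: v.strip().lower() == "nosniff"),
    "x-xss-protection": ("X-XSS-Protection", lambda v: v.strip().startswith("1")),
}
CSP_NAMES = ("content-security-policy", "x-content-security-policy")


def parse_response_head(raw: str) -> List[Tuple[str, str]]:
    """Return (lowercased name, value) pairs; repeated headers such as Set-Cookie are kept."""
    headers: List[Tuple[str, str]] = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def _csp_problems(policy: str) -> List[str]:
    """Slide 14: CSP should block inline scripts and eval(); these keywords re-allow them."""
    directives: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    if "script-src" not in directives and "default-src" not in directives:
        return ["CSP sets neither script-src nor default-src, so scripts are unrestricted"]
    sources = directives.get("script-src", directives.get("default-src", []))
    problems = []
    if "unsafe-inline" in sources:
        problems.append("CSP re-allows inline scripts ('unsafe-inline')")
    if "unsafe-eval" in sources:
        problems.append("CSP re-allows eval() ('unsafe-eval')")
    return problems


def _cookie_problems(set_cookie: str) -> Tuple[str, List[str]]:
    """Slide 8: each cookie should carry the Secure and HttpOnly attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure (also sent over plain HTTP)")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly (readable from script)")
    return name, problems


def audit(raw: str) -> Dict[str, object]:
    """Summarise missing headers, ineffective values and under-protected cookies."""
    by_name: Dict[str, List[str]] = {}
    for name, value in parse_response_head(raw):
        by_name.setdefault(name, []).append(value)
    missing, weak = [], []
    for name, (label, ok) in CHECKS.items():
        if name not in by_name:
            missing.append(name)
        elif not all(ok(v) for v in by_name[name]):
            weak.append(f"{label} present but ineffective: {by_name[name][0]!r}")
    csp_values = [v for n in CSP_NAMES for v in by_name.get(n, [])]
    if not csp_values:
        missing.append("content-security-policy")
    for policy in csp_values:
        weak.extend(_csp_problems(policy))
    cookies: Dict[str, List[str]] = {}
    for set_cookie in by_name.get("set-cookie", []):
        name, problems = _cookie_problems(set_cookie)
        if problems:
            cookies[name] = problems
    return {"missing": missing, "weak": weak, "cookies": cookies}


# Constructed samples. The weak one misspells SAMEORIGIN, a value browsers ignore.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
X-Frame-Options: SAME-ORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self'; script-src 'self'
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

The checker deliberately treats an unrecognised X-Frame-Options value as a finding rather than passing it through: browsers ignore values they do not understand, so a misspelling silently leaves the page frameable, which is exactly the "invisible to the user" property slide 8 points out.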
  15. References
     • http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
     • https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
     • Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
     • https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
     • X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
     • Not a complete list, so remember: Google is your friend
  16. Thank you!
     • Find me online:
       – andre.klingsheim (at) skandiabanken (dot) no
       – Blog: www.dotnetnoob.com
       – Twitter: @klingsen
