The document summarizes browser security challenges and modern security features. It discusses how the browser enforces the same-origin policy to isolate websites, but how malicious code could turn the browser evil. It then outlines security features like sandboxing, tab isolation, and security headers that browsers implement to minimize damage from compromises and strengthen website security. These features help compensate for website vulnerabilities and block attacks like cross-site scripting.

1. The browser -
your best friend and worst enemy
Roots Conference Bergen 23. May 2011
André N.Klingsheim
IT security specialist, PhD

2. Lightning overview
• How important is browser security?
• Security challenges
• Modern security features
2

3. Why the web «works»
• Same-origin policy
– Isolates websites
– The reason you can safely visit rootsconf.no and
skandiabanken.no simultaneously in the browser
– We have to fully trust the browser to enforce this
• SSL/TLS
– Secure communication: website authentication,
generate secure keys, choose crypto...
3

4. The browser is your enemy:
MODERN SECURITY
CHALLENGES
4

5. Man-in-the browser
How did the man get in the
• Malicious code running in
browser?!?
browser
http://googlechromereleases.blogspot.
com/2011/04/stable-channel-
– The friendly browser
update.html
suddenly becomes evil
5

6. The browser is your friend:
MODERN SECURITY FEATURES
6

7. Working alone
• Google Chrome sandboxing
– Rendering process
– Sandboxing underway for Flash and PDF plugins
• Internet Explorer 9 tab isolation
– Pinned sites load in isolated process
• Minimize damage caused by a compromize
7

8. Working for the website
• Special treatment for cookies: secure, httpOnly
• Website can include «security» headers in HTTP
response
• Triggers security features in browser
• «Invisible» to user
• Headers coming up!
8

9. STS HTTP-header
9

10. X-Frame-Options HTTP header
10

11. Compensating for website security bugs
• Security features designed to detect and/or prevent
webapp security holes
11

12. X-Content-Type-Options HTTP header
12

13. X-XSS-Protection HTTP header
13

14. X-Content-Security-Policy HTTP header
• Firefox Content Security Policy
– Block inline scripts on webpage
– Block code creation for strings (eval())
– Prevents XSS
14

15. References
• http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
• https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
• Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
• https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
• X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
• Not a complete list so remember: Google is your friend
15

16. Thank you!
• Find me online:
– andre.klingsheim (at) skandiabanken (dot) no
– Blog: www.dotnetnoob.com
– Twitter: @klingsen
16