The browser -
your best friend and worst enemy

Roots Conference Bergen 23. May 2011

André N.Klingsheim
IT security specialist, PhD
Lightning overview
• How important is browser security?
• Security challenges
• Modern security features

Why the web «works»
• Same-origin policy
   – Isolates websites
   – The reason you can safely visit rootsconf.no and
     skandiabanken.no simultaneously in the browser
   – We have to fully trust the browser to enforce this
• SSL/TLS
   – Secure communication: website authentication,
     generate secure keys, choose crypto...
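The same-origin policy in code, as an added example that is not part of the original slides: an origin is the (scheme, host, port) triple, and two documents may touch each other's DOM, cookies or storage only when all three match exactly. The hostnames rootsconf.no and skandiabanken.no are the slide's own; the remaining URLs are constructed for the demo, and the scheme list is limited to http/https for simplicity.

```python
"""Same-origin policy, worked example (added here; not code from the slides).

origin() reduces a URL to the (scheme, host, port) triple the browser
compares; same_origin() is the exact-match test the browser enforces.
A different scheme, a different port, or a different host (even a
subdomain) is a different origin and therefore isolated.
"""
from urllib.parse import urlsplit

# Default ports that apply when the URL does not name one explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """Return the (scheme, host, port) origin of an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    # An explicit port wins; otherwise the scheme's default port applies,
    # so https://host/ and https://host:443/ are the same origin.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def same_origin(a: str, b: str) -> bool:
    """True only when scheme, host and port all match exactly."""
    return origin(a) == origin(b)


if __name__ == "__main__":
    # Constructed URL pairs; path and query never take part in the comparison.
    pairs = [
        ("https://skandiabanken.no/login", "https://skandiabanken.no/accounts"),
        ("https://skandiabanken.no/", "http://skandiabanken.no/"),
        ("https://skandiabanken.no/", "https://skandiabanken.no:8443/"),
        ("https://www.skandiabanken.no/", "https://skandiabanken.no/"),
        ("https://rootsconf.no/", "https://skandiabanken.no/"),
    ]
    for a, b in pairs:
        print(f"{a} vs {b}: same origin = {same_origin(a, b)}")
```

Only the first pair is same-origin: the others differ in scheme, port, subdomain or host, which is exactly why a banking tab and a conference tab can coexist in one browser, provided the browser enforces the check correctly.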

The browser is your enemy:

MODERN SECURITY
CHALLENGES

Man-in-the-browser
• Malicious code running in the browser
   – The friendly browser suddenly becomes evil
• How did the man get in the browser?!?
   – http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html

The browser is your friend:

MODERN SECURITY FEATURES

Working alone
• Google Chrome sandboxing
   – Rendering process
   – Sandboxing underway for Flash and PDF plugins
• Internet Explorer 9 tab isolation
   – Pinned sites load in isolated process
• Minimize damage caused by a compromise

Working for the website
• Special treatment for cookies: secure, httpOnly
• Website can include «security» headers in HTTP
  response
• Triggers security features in browser
• «Invisible» to user
• Headers coming up!

STS (Strict-Transport-Security) HTTP header

X-Frame-Options HTTP header

Compensating for website security bugs
• Security features designed to detect and/or prevent
  webapp security holes

X-Content-Type-Options HTTP header

X-XSS-Protection HTTP header

X-Content-Security-Policy HTTP header
• Firefox Content Security Policy
   – Block inline scripts on webpage
   – Block code creation from strings (eval())
   – Prevents XSS
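The "Working for the website" slide and the header slides that follow it (STS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, X-Content-Security-Policy, plus the secure and httpOnly cookie flags) are brought together in one added example below; this is not code from the original slides. The header values are this example's choices: the X-Content-Security-Policy value uses the pre-standard Mozilla syntax (`allow` as the default source list, inline script and eval() refused unless re-enabled), and the audit also accepts the later standardized Content-Security-Policy name, which the deck does not mention. Both sample responses are constructed, and the session id is a placeholder.

```python
"""Security headers and cookie flags, worked example (added here; not code from the slides).

build_security_headers() emits the headers the deck lists, with values browsers
of the time understood; audit_response() checks a captured response for missing
or weakened ones, in the spirit of the "invisible to the user" point: only the
server and the browser ever see these, so they are easy to forget or break.
"""
from __future__ import annotations

import re

HEADER_VALUES = {
    # STS: the browser refuses plain-HTTP connections to this host for max-age seconds
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    # The page may not be placed in a frame by another site (clickjacking)
    "X-Frame-Options": "DENY",
    # The browser must honour the declared Content-Type instead of sniffing it
    "X-Content-Type-Options": "nosniff",
    # Reflected-XSS filter on, blocking the page rather than rewriting it
    "X-XSS-Protection": "1; mode=block",
    # Pre-standard Mozilla CSP syntax: 'allow' is the default source list;
    # inline <script> and eval() are refused unless re-enabled via 'options'
    "X-Content-Security-Policy": "allow 'self'",
}


def build_security_headers() -> list[tuple[str, str]]:
    """Return (name, value) pairs to append to an HTTPS response."""
    headers = list(HEADER_VALUES.items())
    # Secure: only sent over TLS. HttpOnly: invisible to script, so XSS cannot read it.
    headers.append(("Set-Cookie", "session=PLACEHOLDER_SESSION_ID; Path=/; Secure; HttpOnly"))
    return headers


def _cookie_attrs(set_cookie: str) -> set[str]:
    """Lower-cased attribute names of a Set-Cookie value (everything after name=value)."""
    return {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for a captured response; an empty list means every check passed."""
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    def first(name: str):
        values = by_name.get(name.lower())
        return values[0] if values else None

    findings: list[str] = []

    sts = first("Strict-Transport-Security")
    max_age = re.search(r"max-age=(\d+)", sts or "", re.I)
    if sts is None:
        findings.append("STS missing: browser will still talk plain HTTP to this host")
    elif not max_age or int(max_age.group(1)) == 0:
        findings.append("STS max-age missing or zero: policy is not retained")

    xfo = first("X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    if (first("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browser may sniff content types")

    xss = first("X-XSS-Protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: relying on the browser default")
    elif xss.startswith("0"):
        findings.append("X-XSS-Protection disabled by the site")

    if first("X-Content-Security-Policy") is None and first("Content-Security-Policy") is None:
        findings.append("No Content Security Policy: inline script and eval() are allowed")

    for cookie in by_name.get("set-cookie", []):
        cname = cookie.split("=", 1)[0]
        attrs = _cookie_attrs(cookie)
        if "secure" not in attrs:
            findings.append(f"cookie {cname!r} lacks Secure: also sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname!r} lacks HttpOnly: readable from script")
    return findings


# Constructed sample: a response from a site that set none of this and turned the XSS filter off.
SAMPLE_WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-XSS-Protection", "0"),
    ("Set-Cookie", "session=PLACEHOLDER_SESSION_ID; Path=/"),
]

if __name__ == "__main__":
    for line in audit_response(SAMPLE_WEAK_RESPONSE):
        print("weak:", line)
    print("hardened findings:", audit_response(build_security_headers()))
```

Run against the constructed weak response the audit reports seven findings; run against the output of build_security_headers() it reports none. The same function can be pointed at headers captured from a real deployment to confirm that a proxy or load balancer in front of the application has not dropped them.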

References
•   http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
•   https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
•   Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
•   https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
•   X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
•   Not a complete list so remember: Google is your friend

Thank you!
• Find me online:
   – andre.klingsheim (at) skandiabanken (dot) no
   – Blog: www.dotnetnoob.com
   – Twitter: @klingsen
