We're struggling to keep up (archive.hack.lu/2014/merely_keeping_up_hacklu.pdf)
TRANSCRIPT
![Page 1: We're struggling to keep up](https://reader033.vdocuments.us/reader033/viewer/2022060416/5f13a7fccc67cc303e72c823/html5/thumbnails/1.jpg)
We're struggling to keep up: A brief history of Browser Security Features
about:frederik
Frederik Braun
FluxFingers Team Member
Security Engineer at Mozilla
https://frederik-braun.com
@freddyb
Table Of Contents
Introduction
The Past
The Present
The Future
Conclusion
Introduction
The Web and the Browser
The Web is the platform
The Evolution of the Web
Timeline from http://www.evolutionoftheweb.com/
XSS is the new Buffer Overflow
Browsers are Everywhere
Screenshot from a http://techadvisor.co.uk BMW Video
The Past
“Web browsers' access control policies have evolved piecemeal in an ad-hoc fashion with the
introduction of new browser features. This has resulted in numerous incoherencies“
Kapil Singh, Alexander Moshchuk, Helen J. Wang, and Wenke Lee. On the Incoherencies in Web Browser Access Control Policies. IEEE Symposium on Security and Privacy (SP), 2010.
Piecemeal or “Whac a Mole”
Picture from “Bob B. Brown” on Flickr - https://secure.flickr.com/photos/beleaveme/
The Past (in a nutshell)
| Problem | Band Aid |
| --- | --- |
| HTTP is stateless | Cookies (1994) |
| Cookies are plain-text | HTTPS (1994) |
| HTTPS is opt-in | Strict Transport Security (HSTS), 2009 |
| HSTS needs a first contact | Browser preloads HSTS, 2012 |
Summarizing
The Present
Secure Hosting of Uploaded Content
Fixing Cross-Site Scripting
How to include potentially untrusted content
Give frames access only to the things that are really necessary
The Principle of not-so-much Authority
Iframe Sandbox
<iframe src="http://example.com" sandbox></iframe>
(An empty sandbox attribute applies every restriction: no scripts, unique origin, no forms, no top-level navigation, no plugins.)
Iframe Sandbox
<iframe src="http://example.com" sandbox="allow-scripts"></iframe>
(Re-enable only what the content needs. Granting allow-scripts together with allow-same-origin lets framed same-origin content remove its own sandbox, so avoid that combination for untrusted content.)
XSS is still hard to fix
My name is <script>alert(1)</script>
Fixing XSS once and for all?
Content Security Policy (CSP)!
Applying CSP
Move inline scripts into external files:
<script>
// fancy animation
</script>
➡
<script src="fancy_animation.js"></script>
Using CSP
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com/; object-src 'none'
(Directive names are followed by a space, not a colon; directives are separated by semicolons.)
CSP 2.0: Nonces for Dynamic Inline Scripts
script-src 'nonce-blahblahblah'
&
<script nonce="blahblahblah">// dynamically generated JavaScript…
</script>
(The nonce must be unpredictable and freshly generated for every response; a reused or guessable nonce is no protection.)
CSP 2.0: Hashes for static third-party Scripts
script-src 'sha256-blahblahblah'
&
<script>// static, third-party JavaScript…
</script>
(The value is the base64-encoded SHA-256 of the exact script contents between the tags, whitespace included.)
Free CSP Introduction & Development Tools!
The Future
HTTPS Public Key Pinning
Fixing DOM-Based Cross-Site Scripting
Untrusted, but oh so fast CDNs
The Situation with Certificate Authorities is not great
This is a request to add the CA root certificate for Honest Achmed's Used Cars and Certificates. The requested information as per the CA information checklist is as follows:
Name: Honest Achmed's Used Cars and Certificates
Website URL: www.honestachmed.dyndns.org
Organizational type: Individual (Achmed, and possibly his cousin Mustafa, who knows a bit about computers).
Primary market / customer base: Absolutely anyone who'll give us money.
Impact to Mozilla Users: Achmed's business plan is to sell a sufficiently large number of certificates as quickly as possible in order to become too big to fail (see "regulatory capture"), at which point most of the rest of this application will become irrelevant.
Request: Add Honest Achmed's root certificate
Why do we allow every CA out there to create a valid certificate for all domains?
HTTPS Public Key Pinning (HPKP)
Public-Key-Pins: pin-sha256="…"; max-age=15768000; includeSubDomains
(Each pin-sha256 is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, and the specification requires at least one additional backup pin. HPKP has since been deprecated and removed from major browsers, largely because a wrong or lost pin locks users out of the site for the whole max-age.)
Wait a moment, we can fix XSS with Content Security Policy, but what about DOM-based XSS?
DOM Based XSS
// vulnerable on purpose: the URL parameter lands unescaped inside an attribute value
el.innerHTML = "<input type='text' value='" + searchFromURLParams() + "' />"
ECMAScript6 Template Strings: Interpolation
var x = 1;
var y = 2;
`${ x } + ${ y } = ${ x + y }` // "1 + 2 = 3"
Examples from the ESWiki at tc39wiki.calculist.org
ECMAScript6 Template Strings: Multiline
var s = `a
 b
 c`;
assert(s == 'a\n b\n c');
Examples from the ESWiki at tc39wiki.calculist.org
ECMAScript6 Template Strings: Tagging
function tag(strings, ...values) {
  assert(strings[0] == 'a');
  assert(strings[1] == 'b');
  assert(values[0] == '42');
  return 'whatever';
}
tag `a${ 42 }b` // "whatever"
Examples from the ESWiki at tc39wiki.calculist.org
This gives us an array of all interpolated values!
DEMO
Let's look at this JS REPL for the DEMO
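The REPL demo itself is not on the page. What the tagging slides build up to is that a tag function sees the developer-written literal parts and the interpolated values separately, so it can escape the values and leave the markup alone. The following is an added example, not the talk's demo code: an `html` tag that HTML-escapes every interpolation, shown next to the vulnerable innerHTML line from the DOM-XSS slide. The attacker string, the helper names and the `safe`/`vulnerable` wrappers are constructed for the illustration.

```javascript
// Added example (not the talk's demo): an escaping template tag against DOM XSS.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or a quoted
// attribute value. Everything else is passed through untouched.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Tag function: `strings` holds the literal parts written by the developer
// (trusted markup), `values` holds the interpolations (untrusted by default).
// Only the values are escaped; the literal parts are emitted as written.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// Constructed attacker input, as it could arrive through a URL parameter:
// closes the value attribute and adds an event handler that fires on focus.
const ATTACK = "' onfocus='alert(1)' autofocus='";

// The slide's vulnerable concatenation: the payload becomes live markup.
function vulnerable(search) {
  return "<input type='text' value='" + search + "' />";
}

// The same markup through the tag: the payload stays an inert attribute value.
function safe(search) {
  return html`<input type='text' value='${search}' />`;
}
```

The tag only knows HTML escaping; a value that ends up inside a URL, a `<script>` block or a CSS rule needs the escaping rules of that context, so the practical discipline is to keep interpolations in element content and quoted attribute values, which is where this tag is correct.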
Speed trumps Security
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
Locking it down with Subresource Integrity
<script src="//code.jquery.com/jquery-1.11.0.min.js"
        integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript"></script>
Subresource Integrity and Fallbacks
<script src="/static/lib/jquery-1.11.0.min.js"
        noncanonical-src="//code.jquery.com/jquery-1.11.0.min.js"
        integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript"></script>
(This is the 2014 draft syntax. The SRI specification that shipped in browsers uses integrity="sha256-<base64 digest>" (or sha384/sha512) together with crossorigin="anonymous" for cross-origin resources, and the noncanonical-src fallback attribute was dropped.)
Conclusion
The Browser can aid the Website
The Evolution of Web Security
Thank you for listening!
Frederik Braun
@freddyb
#security on irc.mozilla.org
Obligatory Red Panda photo by Wikipedia user Aconcagua, CC-BY-SA-3.0
Further reading and Thanks
● Mike West and Brad Hill have given presentations about browser security features in the past.
● Stefan Arentz explained Web Security 101.
● Mark Goodwin talked about how to make Content Security Policy (CSP) work for you at SteelCon in Sheffield.
● Devdatta Akhawe et al. wrote about Privilege Separation for HTML5 Applications
● Mario Heiderich's research & white papers
● My Blog post on X-Frame-Options (joint work with Mario Heiderich)
● This presentation also borrows from my diploma thesis which itself builds on great research as listed in its Reference section (p. 67).
● Thanks to Pascal “Pepo” Szewczyk, Tim Taubert, Romain Gauthier, and Christian Heilmann for reviewing.
● Sequence Diagrams made with https://bramp.github.io/js-sequence-diagrams/