Security and Privacy on the Web in 2015

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity).

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking.

Francois Marier

September 21, 2015

Transcript

  1. Security and Privacy on the Web in 2015 François Marier

    @fmarier mozilla
  2. Firefox Security & Privacy

  3. overview of what we work on

  4. overview of what we work on interrupt me!

  5. security & privacy

  6. security & privacy

  7. security

  8. security for users

  9. Safe Browsing

  10. None
  11-15. pre-downloaded URL hash prefixes
    list updated every 30 minutes
    server completions on prefix hit (with noise entries)
    separate cookie jar
    list entries expire after 45 minutes
  16. about:config browser.safebrowsing.enabled (phishing) browser.safebrowsing.malware.enabled (malware)
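The prefix-then-completion flow from slides 11-15, as an added example (not Firefox or Google code): the client only holds short hash prefixes, and contacts the server only on a prefix hit, sending the prefix rather than the URL. The blocklist, the 4-byte prefix length and the simplified host/path expansion are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumption: 4-byte prefixes, the common Safe Browsing prefix size

# Constructed stand-in for the blocklist held by the server (not a real list).
BAD_EXPRESSIONS = ["evil.example/phish/login", "malware.example/"]

def full_hash(expr):
    return hashlib.sha256(expr.encode("utf-8")).digest()

def lookup_expressions(url):
    """Host/path combinations a client checks for one URL (simplified:
    the exact host plus its parent domains, each with the full path and "/")."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    exprs = []
    for h in hosts:
        exprs.append(h + path)
        if path != "/":
            exprs.append(h + "/")
    return exprs

def build_prefix_list(bad_expressions=BAD_EXPRESSIONS):
    """What the browser downloads ahead of time: only the short prefixes."""
    return {full_hash(e)[:PREFIX_LEN] for e in bad_expressions}

def server_completions(prefix, bad_expressions=BAD_EXPRESSIONS):
    """Simulated completion server: every full hash sharing the prefix is
    returned, so the server learns a prefix, never the exact URL, and the
    extra matches play the role of the slide's noise entries."""
    return {full_hash(e) for e in bad_expressions if full_hash(e)[:PREFIX_LEN] == prefix}

def is_unsafe(url, prefixes):
    """Local prefix check first; a network lookup happens only on a prefix hit."""
    for expr in lookup_expressions(url):
        h = full_hash(expr)
        if h[:PREFIX_LEN] in prefixes and h in server_completions(h[:PREFIX_LEN]):
            return True
    return False
```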

  17. Application Reputation

  18. None
  19-22. is it on the pre-downloaded list of dangerous hosts?
    is it signed by a known good software provider?
    is it an executable file (.exe, .com, .pif, .dmg, etc.)?
    what does the apprep server think about it?
  23. about:config browser.safebrowsing.downloads.remote.enabled

  24. security for developers

  25. Content Security Policy aka CSP mechanism for preventing XSS

  26. telling the browser what external content is allowed to load

  27. Hi you<script> alert('p0wned'); </script>! Tweet! What's on your mind?

  28. without CSP

  29. Hi you! John Doe - just moments ago p0wned Ok

  30. with CSP

  31. Hi you! John Doe - just moments ago

  32. Content-Security-Policy: script-src 'self' https://cdn.example.com

  33. script-src object-src style-src img-src media-src frame-src font-src connect-src

  34. Strict Transport Security aka HSTS: mechanism for preventing HTTPS to HTTP downgrades

  35. telling the browser that your site should never be reached over HTTP
  36. None
  37. no HSTS, no sslstrip: GET bank.ca → 301 → GET https://bank.ca → 200

  38. no HSTS, with sslstrip: GET bank.ca → 200

  39. what does HSTS look like?

  40. $ curl -i https://example.com
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Strict-Transport-Security: max-age=31536000
    ...
  41. with HSTS, with sslstrip: GET https://bank.ca → 200

  42. no HTTP traffic for sslstrip to tamper with
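What the browser does with the header shown on slide 40, as an added example (toy model, not Firefox's implementation): the policy is recorded only when it arrives over HTTPS, and later http:// navigations to that host are rewritten to https:// before any request leaves the machine, which is why sslstrip sees nothing on slide 42. Header names and hosts are constructed.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    """Toy model of a browser's HSTS store (example code, not Firefox's)."""

    def __init__(self):
        self.entries = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def process_response(self, url, headers, now=None):
        """Remember a policy only if it arrived over HTTPS: a header seen on
        plain HTTP could have been injected by whoever sits on the path."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
        if not m:
            return False
        host = parts.hostname.lower()
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the policy
            return True
        include_sub = re.search(r"includeSubDomains", value, re.IGNORECASE) is not None
        self.entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        now = time.time() if now is None else now
        host = host.lower()
        for known, (expiry, include_sub) in self.entries.items():
            if now < expiry and (host == known or (include_sub and host.endswith("." + known))):
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite http:// to https:// for known hosts before any request is sent,
        which is what leaves sslstrip no plaintext request to tamper with."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```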

  43. None
  44. None
  45. None
  46. https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

  47. what would happen if that server were compromised?

  48. None
  49. Bad Things™: steal sessions, leak confidential data, redirect to phishing sites, enlist DDoS zombies
  50. simple solution

  51. instead of this: <script src="https://ajax.googleapis.com...">

  52. do this: <script src="https://ajax.googleapis.com..." integrity="sha256-1z4uG/+cVbhShP..." crossorigin="anonymous">

  53. guarantee: script won't change or it'll be blocked
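How the integrity value on slide 52 is produced and checked, as an added example (not code from the talk): the developer hashes the exact bytes of the script and publishes the base64 digest; the browser hashes what it actually downloaded and refuses to run it on mismatch. The script body and tag layout here are constructed stand-ins, not the real jQuery file.

```python
import base64
import hashlib

# Constructed stand-in for the script body hosted on the CDN (not real jQuery).
SCRIPT_BODY = b"window.jQuery = function () { return 'constructed stand-in'; };\n"
SCRIPT_URL = "https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js"

def sri_integrity(body, algo="sha256"):
    """Integrity attribute value: '<algo>-<base64 of the digest of the raw bytes>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI accepts only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")

def script_tag(src, body):
    """Tag a developer would publish; crossorigin="anonymous" makes the browser
    fetch the script with CORS so it is allowed to read the bytes it hashes."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_integrity(body)))

def browser_accepts(integrity, fetched_body):
    """The browser's side: hash what actually arrived and compare with the
    attribute; a changed script (compromised CDN, tampering) is not executed."""
    algo = integrity.split("-", 1)[0]
    return sri_integrity(fetched_body, algo) == integrity
```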

  54. security for sysadmins

  55. HTTPS

  56. if you're not using it, now is the time to start :)
  57. None
  58. None
  59. mass surveillance of all Internet traffic is no longer theoretical

  60. strong encryption of all Internet traffic is no longer optional

  61. “If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.”
    - Bruce Schneier
  62. ps://gigaom.com/2015/02/19/dont-let-att-mislead-you-about-its-29-privacy-fee/

  63. None
  64. $ apt-get install letsencrypt
    $ letsencrypt example.com

  65-67. automatically prove domain ownership
    download a free-as-in-beer certificate
    monitor and renew it before it expires
  68. HTTPS is not enough you need to do it properly

  69-72. RC4, SHA-1, 1024-bit certificates, weak DH parameters

  73. None
  74. None
  75. None
  76. None
  77. https://people.mozilla.org/~fmarier/mixed-content.html
    <html>
    <head>
    <script src="http://people.mozilla.org/~fmarier/mixed-content.js"></script>
    </head>
    <body>
    <img src="http://fmarier.org/img/francois_marier.jpg">
    </body>
    </html>
  78. None
  79. turn on full mixed-content blocking in development

  80. privacy

  81. privacy for users

  82. None
  83. None
  84. None
  85. Tracking Protection

  86. Tracking Protection in Private Browsing mode

  87. based on Safe Browsing: pre-downloaded list of full hashes (no server lookups)

  88. is this resource coming from a third-party server? is it on Disconnect's list of trackers? is it actually a third-party or does it belong to the same org?
  89. Q: What does it do? A: It blocks network loads!

  90. No cookies No fingerprinting No wasted bandwidth No performance hit

  91. about:config privacy.trackingprotection.pbmode.enabled

  92. about:config privacy.trackingprotection.enabled
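The three questions from slide 88 as one blocking decision, added here as an example (not Firefox's code): a load is blocked only when the resource is third-party, its domain is on the tracker list, and it does not belong to the same organisation as the page. The tracker list, the same-organisation mapping and the two-label "site" rule are constructed simplifications (a real list uses a public-suffix list and Disconnect's published entities).

```python
from urllib.parse import urlsplit

# Constructed stand-ins for Disconnect's tracker list and its same-organisation
# mapping (assumption: a real deployment loads the published JSON list).
TRACKER_DOMAINS = {"tracker.example", "ads.example"}
SAME_ORG = {"ads.example": {"shop.example", "ads.example"}}

def registrable_domain(host):
    # Simplification: the last two labels stand in for the site (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def site_of(url):
    return registrable_domain(urlsplit(url).hostname)

def is_third_party(page_url, resource_url):
    """Question 1: does the resource come from a different site than the page?"""
    return site_of(page_url) != site_of(resource_url)

def on_tracker_list(resource_url):
    """Question 2: is the resource's site on the tracker list?"""
    return site_of(resource_url) in TRACKER_DOMAINS

def same_organisation(page_url, resource_url):
    """Question 3: even though it is a different site, is it the same org?"""
    return site_of(page_url) in SAME_ORG.get(site_of(resource_url), set())

def should_block(page_url, resource_url):
    """True means the network load is blocked (no cookies, no fingerprinting,
    no bandwidth spent), which is all Tracking Protection does."""
    if not is_third_party(page_url, resource_url):
        return False
    if not on_tracker_list(resource_url):
        return False
    return not same_organisation(page_url, resource_url)
```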

  93. privacy for developers

  94. None
  95. None
  96. http://example.com/search?q=serious+medical+condition
    Click here for the cheapest insurance around!
    Bla bla bla, bla bla, bla bla bla bla. (filler text, repeated)
  97. None
  98-102. No Referrer
    No Referrer When Downgrade
    Origin Only
    Origin When Cross Origin
    Unsafe URL
  103-105. Content-Security-Policy: referrer origin;
    <meta name="referrer" content="origin">
    <a href="http://example.com" referrer="origin">
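What each of the five policies on slides 98-102 makes the browser send for the search page on slide 96, as an added example (a model of browser behaviour, not Firefox's code). The page URL is taken from the slide but switched to https:// so the downgrade case is visible; the policy names follow the Referrer Policy spelling (`no-referrer`, `no-referrer-when-downgrade`, `origin`, `origin-when-cross-origin`, `unsafe-url`).

```python
from urllib.parse import urlsplit, urlunsplit

# The search URL from slide 96, adapted to HTTPS so a downgrade can be shown.
PAGE_URL = "https://example.com/search?q=serious+medical+condition#results"

def origin(url):
    p = urlsplit(url)
    return "%s://%s/" % (p.scheme, p.netloc)

def stripped(url):
    """Full URL minus the fragment and any credentials: the most a browser ever sends."""
    p = urlsplit(url)
    netloc = p.hostname + (":%d" % p.port if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))

def referrer_for(policy, from_url, to_url):
    """Referer header value (None = no header at all) when a document at
    from_url links to or fetches to_url under the given policy."""
    downgrade = urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http"
    same_origin = origin(from_url) == origin(to_url)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # the browser default
        return None if downgrade else stripped(from_url)
    if policy == "origin":
        return origin(from_url)
    if policy == "origin-when-cross-origin":
        return stripped(from_url) if same_origin else origin(from_url)
    if policy == "unsafe-url":
        return stripped(from_url)
    raise ValueError("unknown policy: " + policy)
```

With the default policy the medical query leaks to any HTTPS advertiser; `origin` is the setting the slide's header, meta tag and link attribute all select, and it sends only `https://example.com/`.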

  106. recommendations for users

  107. Use the non-corporate browser primarily
    network.cookie.cookieBehavior = 3
    network.http.referer.spoofSource = true
    privacy.trackingprotection.enabled = true
    Install the EFF's HTTPS Everywhere add-on
  108. recommendations for developers

  109. Use SRI for your external scripts
    Set a more restrictive Referrer policy
    Consider enabling CSP
    Watch out for mixed content
    Test your site with Tracking Protection
  110. recommendations for sysadmins

  111. Enable HTTPS and HSTS on all your sites
    Use our recommended TLS config
    Test your site periodically using SSL Labs
  112. Questions? feedback: francois@mozilla.com, mozilla.dev.security, public-webappsec@w3.org
    © 2015 François Marier <francois@mozilla.com>
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
  113. photo credits: tinfoil: https://www.flickr.com/photos/laurelrusswurm/15129449047 explosion: https://www.flickr.com/photos/-cavin-/2313239884/ snowden: https://www.flickr.com/photos/gageskidmore/16526354372