Security and Privacy on the Web in 2015

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages.

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications.

https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en

Francois Marier

July 07, 2015
Transcript

  1. Security and Privacy on the Web in 2015
     François Marier @fmarier
     mozilla

  2. Firefox: Security & Privacy

  3. Web Platform

  6. Content Security Policy
     aka CSP
     mechanism for preventing XSS

  7. telling the browser what external content is allowed to load

  8. Hi you<br/>alert('p0wned');<br/>!
     Tweet!
     What's on your mind?

  9. without CSP

  10. Hi you!
      John Doe - just moments ago
      [alert box] p0wned  [Ok]

  11. with CSP

  12. Hi you!
      John Doe - just moments ago
      (no alert box)

  13. Content-Security-Policy: script-src 'self' https://cdn.example.com

  14. inline scripts are blocked unless unsafe-inline is specified

  15. script-src
      object-src
      style-src
      img-src
      media-src
      frame-src
      font-src
      connect-src

  16. $ curl --head https://twitter.com
      HTTP/1.1 200 OK
      content-length: 58347
      content-security-policy: … report-uri https://twitter.com/csp_report
      violation reports:

  17. {
        "csp-report": {
          "document-uri": "http://example.org/page.html",
          "referrer": "http://evil.example.com/haxor.html",
          "blocked-uri": "http://evil.example.com/image.png",
          "violated-directive": "default-src 'self'",
          "effective-directive": "img-src",
          "original-policy": "default-src 'self'; report-uri http://example.org/..."
        }
      }

  19. support for inline scripts
      Content-Security-Policy: script-src 'sha256-YWIzOW...'
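The script-src behaviour from slides 13, 14 and 19 (host sources, 'self', the inline-script block and the hash source) modelled in Python. This is an added example, not code from the talk; it assumes host sources are matched as exact origins (no wildcards, ports or paths), and the function names are the example's own.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def script_hash_source(script_body):
    """CSP hash source for an inline script: 'sha256-' + base64(SHA-256 of the exact script text)."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def parse_policy(header):
    """Turn "script-src 'self' https://cdn.example.com; img-src *" into a directive -> sources dict."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(header, page_origin, src=None, inline_body=None):
    """Decide, as a browser does for script-src, whether one script may run.

    Pass src= for an external script or inline_body= for an inline one. script-src falls
    back to default-src when absent. Assumption: host sources are compared as exact origins.
    """
    policy = parse_policy(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if inline_body is not None:
        # inline scripts run only with 'unsafe-inline' or a hash source matching their exact text
        return "'unsafe-inline'" in sources or script_hash_source(inline_body) in sources
    if src is None:
        raise ValueError("pass src= or inline_body=")
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(src))
    for source in sources:
        if source == "'self'" and origin == page_origin:
            return True
        if source == origin:
            return True
    return False
```

Note that a single changed byte in the inline script (even trailing whitespace) changes the hash, so hash sources only fit scripts you control byte for byte.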

  22. Strict Transport Security
      aka HSTS
      mechanism for preventing HTTPS to HTTP downgrades

  23. telling the browser that your site should never be reached over HTTP

  25. no HSTS, no sslstrip:
      GET http://banque.fr → 301
      GET https://banque.fr → 200

  26. no HSTS, with sslstrip:
      GET http://banque.fr → 200

  27. what does HSTS look like?

  28. $ curl -i https://example.com
      HTTP/1.1 200 OK
      Cache-Control: private
      Content-Type: text/html; charset=utf-8
      Strict-Transport-Security: max-age=31536000
      ...

  29. with HSTS, with sslstrip:
      GET https://banque.fr → 200

  30. silent client-side redirects HTTP → HTTPS

  31. no HTTP traffic for sslstrip to tamper with

  32. except for the very first connection

  33. https://hstspreload.appspot.com/
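A small model of the browser-side HSTS store behind slides 28 to 33: the header is only honoured over HTTPS, later http:// navigations are upgraded before any request leaves the client, and the very first visit (or an expired entry) still goes out in the clear unless the host is preloaded. Added example, not code from the talk; the class and its injectable clock are the example's own.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Minimal model of a browser's HSTS store: hostname -> expiry time (seconds since epoch)."""

    def __init__(self, preloaded=(), now=time.time):
        self.now = now  # injectable clock so expiry can be tested deterministically
        # hosts on the preload list are trusted before any visit and never expire in this model
        self.hosts = {host: float("inf") for host in preloaded}

    def observe_response(self, url, headers):
        """Record Strict-Transport-Security from a response; browsers ignore it over plain HTTP."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.strip().lower() == "max-age" and arg.strip().isdigit():
                seconds = int(arg)
                if seconds == 0:
                    self.hosts.pop(parts.hostname, None)  # max-age=0 tells the browser to forget the host
                else:
                    self.hosts[parts.hostname] = self.now() + seconds

    def rewrite(self, url):
        """Upgrade http:// to https:// for a known, unexpired host before the request is sent.

        Unknown hosts, including the very first visit, go out over plain HTTP unchanged: that is
        the window sslstrip needs and the reason the preload list exists.
        """
        parts = urlsplit(url)
        expiry = self.hosts.get(parts.hostname)
        if parts.scheme == "http" and expiry is not None and expiry > self.now():
            return urlunsplit(("https",) + tuple(parts)[1:])
        return url
```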

  35. coming up in 2015

  39. https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

  40. how common is this?

  42. what would happen if that server were compromised?

  44. Bad Things™
      steal sessions
      leak confidential data
      redirect to phishing sites
      enlist DDoS zombies

  45. simple solution

  46. instead of this:
      <script src="https://ajax.googleapis.com..."></script>

  47. do this:
      <script src="https://ajax.googleapis.com..."
              integrity="sha256-1z4uG/+cVbhShP..."></script>

  48. guarantee: script won't change or it'll be blocked

  49. limitation: won't work for scripts that change all the time

  50. https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

  51. there's a little something missing...

  52. complete example:
      <script src="https://ajax.googleapis.com..."
              integrity="sha256-1z4uG/+cVbhShP..."
              crossorigin="anonymous"></script>

  54. same-origin policy:
      "a web browser permits scripts contained in a first web page to access data in a second
      web page, but only if both web pages have the same origin"

  58. example.com/index.html loads
      example.com/data.js:
          var secret = 42;
      and evil.net/widget.js:
          exfiltrate(secret);

  60. on the server:
      Access-Control-Allow-Origin: *
      on the client:
      crossorigin="anonymous"

  62. complete example for a stylesheet:
      <link href="style.css"
            integrity="sha256-PgMdguwx/O..."
            crossorigin="anonymous">

  63. SRIhash.org
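The SRI decision from slides 47 to 62 in Python: computing the integrity value, and the browser-side check that blocks a changed script, refuses to verify a cross-origin script fetched without crossorigin, and requires the server's Access-Control-Allow-Origin to match. Added example, not the talk's or any browser's code; it models only crossorigin="anonymous", and the sample script body is constructed.

```python
import base64
import hashlib
from urllib.parse import urlsplit

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def integrity_value(body, algorithm="sha256"):
    """Compute the integrity attribute value for a resource body, e.g. 'sha256-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("unsupported SRI algorithm: " + algorithm)
    digest = hashlib.new(algorithm, body).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def origin_of(url):
    parts = urlsplit(url)
    return "{}://{}".format(parts.scheme, parts.netloc)


def sri_check(page_origin, src, integrity, crossorigin, fetched_body, response_headers):
    """Return (allowed, reason) for a <script src integrity crossorigin> the way a browser decides.

    Assumption: only crossorigin="anonymous" is modelled, so ACAO must be '*' or the page origin.
    """
    if origin_of(src) != page_origin:
        if crossorigin is None:
            # without CORS a cross-origin response is opaque to the page, so nothing can be hashed
            return False, "cross-origin script without crossorigin attribute: blocked"
        acao = response_headers.get("Access-Control-Allow-Origin")
        if acao not in ("*", page_origin):
            return False, "server sent no matching Access-Control-Allow-Origin: blocked"
    algorithm, _, expected_digest = integrity.partition("-")
    if algorithm.lower() not in SRI_ALGORITHMS:
        # unrecognised algorithms are ignored rather than rejected: a typo silently disables the check
        return True, "no supported algorithm in integrity attribute: loaded unchecked"
    actual_digest = integrity_value(fetched_body, algorithm.lower()).partition("-")[2]
    if actual_digest != expected_digest:
        return False, "digest mismatch, the script changed: blocked"
    return True, "integrity verified, script runs"
```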

  67. http://example.com/search?q=serious+medical+condition
      [mock search results page, with a third-party ad: "Click here for the cheapest insurance around!"]

  69. No Referrer
      No Referrer When Downgrade
      Origin Only
      Origin When Cross Origin
      Unsafe URL

  74. Content-Security-Policy: referrer origin;

  77. (initial implementations)
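What each of the five policies on slide 69 puts in the Referer header, driven by the `referrer` directive form shown on slide 74, worked through on a search URL like slide 67's. Added example, not code from the talk; it assumes the default browser behaviour is no-referrer-when-downgrade and uses an https variant of the search page so the downgrade case can be shown.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_POLICY = "no-referrer-when-downgrade"  # what browsers do when no policy is set


def policy_from_csp(header):
    """Pull the policy out of a 'Content-Security-Policy: referrer <value>' header as on slide 74."""
    if header.lower().startswith("content-security-policy:"):
        header = header.partition(":")[2]
    for directive in header.split(";"):
        tokens = directive.split()
        if len(tokens) == 2 and tokens[0].lower() == "referrer":
            return tokens[1].lower()
    return DEFAULT_POLICY


def origin_of(url):
    parts = urlsplit(url)
    return "{}://{}".format(parts.scheme, parts.netloc)


def referrer_url(url):
    """The referring URL as it may appear in Referer: fragment and userinfo are always stripped."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def referer_header(policy, referring_url, destination_url):
    """Referer value (None means the header is omitted) for one navigation or subresource request."""
    downgrade = referring_url.startswith("https://") and destination_url.startswith("http://")
    cross_origin = origin_of(referring_url) != origin_of(destination_url)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else referrer_url(referring_url)
    if policy == "origin":
        return origin_of(referring_url) + "/"
    if policy == "origin-when-cross-origin":
        return origin_of(referring_url) + "/" if cross_origin else referrer_url(referring_url)
    if policy == "unsafe-url":
        return referrer_url(referring_url)
    raise ValueError("unknown referrer policy: " + policy)
```

With the default policy the full query string, medical condition included, reaches the ad network whenever both pages are HTTPS; only `origin`, `origin-when-cross-origin` or `no-referrer` keep it on the first site.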

  78. HTTPS

  79. if you're not using it, now is the time to start :)

  82. mass surveillance of all Internet traffic is no longer theoretical

  83. strong encryption of all Internet traffic is no longer optional

  84. "If we only use encryption when we're working with important data, then encryption
      signals that data's importance. If only dissidents use encryption in a country, that
      country's authorities have an easy way of identifying them. But if everyone uses it all of
      the time, encryption ceases to be a signal. The government can't tell the dissidents from
      the rest of the population. Every time you use encryption, you're protecting someone who
      needs to use it to stay alive."
      - Bruce Schneier

  85. ps://gigaom.com/2015/02/19/dont-let-att-mislead-you-about-its-29-privacy-fee/

  87. $ apt-get install letsencrypt
      $ letsencrypt example.com

  90. automatically prove domain ownership
      download a free-as-in-beer certificate
      monitor and renew it before it expires

  91. HTTPS is not enough
      you need to do it properly

  95. SHA-1
      1024-bit certificates
      RC4
      weak DH parameters

  100. https://people.mozilla.org/~fmarier/mixed-content.html
       <script src="http://people.mozilla.org/~fmarier/mixed-content.js"></script>

  102. turn on full mixed-content blocking in development
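A scanner for the situation on slides 100 to 102: an https page that references http:// subresources, split into active content (scripts, frames, stylesheets, plugins) that browsers block by default and passive content (images, media) that is only blocked with full mixed-content blocking turned on. Added example, not code from the talk; it assumes every <link href> is a stylesheet, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "active" http:// loads can rewrite the page and are blocked by default; "passive" ones are
# only blocked under full mixed-content blocking. Assumption: every <link href> is a stylesheet.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            attr = table.get(tag)
            if attr and attrs.get(attr):
                # relative and protocol-relative URLs inherit https from the page, so they are fine
                url = urljoin(self.page_url, attrs[attr])
                if urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """List http:// subresources referenced by an https page (nothing is mixed on a plain-HTTP page)."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def blocked_loads(page_url, html, full_blocking=False):
    """URLs a browser would refuse: active content always, passive content too under full blocking."""
    return [url for kind, _, url in find_mixed_content(page_url, html)
            if full_blocking or kind == "active"]
```

Running it with full_blocking=True in development surfaces the passive loads as well, which is what slide 102 recommends.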

  103. Start by enabling HTTPS and HSTS
       Use SRI for your external scripts
       Set a more restrictive Referrer policy
       Consider enabling CSP
       Watch out for mixed content

  104. Questions?
       feedback:
       [email protected]
       mozilla.dev.security
       [email protected]
       © 2015 François Marier
       This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

  105. photo credits:
       tinfoil: https://www.flickr.com/photos/laurelrusswurm/15129449047
       explosion: https://www.flickr.com/photos/-cavin-/2313239884/
       snowden: https://www.flickr.com/photos/gageskidmore/16526354372