Security and Privacy on the Web in 2015


In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages.

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications.

https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en


Francois Marier

July 07, 2015

Transcript

  1. Security and Privacy on the Web in 2015, François Marier (@fmarier, mozilla)
  2. Firefox Security & Privacy

  3. Web Platform

  4. Web Platform

  5. Content Security Policy aka CSP

  6. Content Security Policy aka CSP mechanism for preventing XSS

  7. telling the browser what external content is allowed to load

  8. Hi you<script> alert('p0wned'); </script>! Tweet! What's on your mind?

  9. without CSP

  10. Hi you! John Doe - just moments ago p0wned Ok

  11. with CSP

  12. Hi you! John Doe - just moments ago

  13. Content-Security-Policy: script-src 'self' https://cdn.example.com

  14. inline scripts are blocked unless unsafe-inline is specified

  15. script-src, object-src, style-src, img-src, media-src, frame-src, font-src, connect-src

  16. $ curl --head https://twitter.com
      HTTP/1.1 200 OK
      content-length: 58347
      content-security-policy: … report-uri https://twitter.com/csp_report
      violation reports:
  17. "csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/haxor.html",
        "blocked-uri": "http://evil.example.com/image.png",
        "violated-directive": "default-src 'self'",
        "effective-directive": "img-src",
        "original-policy": "default-src 'self'; report-uri http://example.org/..."
      }
  19. support for inline scripts Content-Security-Policy: script-src 'sha256-YWIzOW...'
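To make the CSP slides concrete, here is an added example (not from the talk) that parses a policy header, computes the 'sha256-…' hash source for an inline script as on the slide above, and decides whether a given script would run. Host matching is deliberately simplified (exact host, optional scheme, no wildcards or path matching), so treat it as a model of the mechanism rather than a full CSP implementation; all URLs are constructed.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source list]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_hash(source_text):
    """Quoted 'sha256-...' hash source for an inline script body (as on slide 19)."""
    digest = hashlib.sha256(source_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def script_allowed(policy, page_url, script_url=None, inline_text=None):
    """Would the browser run this script under script-src (falling back to default-src)?"""
    sources = policy.get("script-src", policy.get("default-src", []))
    if inline_text is not None:
        # inline scripts are blocked unless 'unsafe-inline' or a matching hash is listed
        return "'unsafe-inline'" in sources or script_hash(inline_text) in sources
    page, script = urlsplit(page_url), urlsplit(script_url)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif src == "*":
            return True
        elif src.startswith("'"):
            continue  # 'none', 'unsafe-eval', hashes, nonces: never a host match
        else:
            # host source, simplified: exact host, optional scheme, no wildcards or paths
            host = urlsplit(src if "://" in src else "//" + src)
            if (not host.scheme or host.scheme == script.scheme) and host.netloc == script.netloc:
                return True
    return False
```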

  21. Strict Transport Security aka HSTS

  22. Strict Transport Security aka HSTS: mechanism for preventing HTTPS to HTTP downgrades
  23. telling the browser that your site should never be reached over HTTP
  25. no HSTS, no sslstrip: GET banque.fr → 301 → GET https://banque.fr → 200

  26. no HSTS, with sslstrip: GET banque.fr → 200

  27. what does HSTS look like?

  28. $ curl -i https://example.com
      HTTP/1.1 200 OK
      Cache-Control: private
      Content-Type: text/html; charset=utf-8
      Strict-Transport-Security: max-age=31536000
      ...

  29. with HSTS, with sslstrip: GET https://banque.fr → 200

  30. silent client-side redirects HTTP → HTTPS

  31. no HTTP traffic for sslstrip to tamper with

  32. except for the very first connection

  33. https://hstspreload.appspot.com/
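An added example (not from the talk) modelling the HSTS behaviour of slides 25 to 32: a tiny browser-side store that learns Strict-Transport-Security only over HTTPS, rewrites later http:// URLs to https:// before any request is sent, and therefore leaves only the very first plain-HTTP connection exposed. The HstsCache class and the banque.fr URLs are constructed for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header_value):
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"') if value else True
    return directives

class HstsCache:
    """Minimal model of a browser's HSTS store (constructed for this example)."""

    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers, now=None):
        """Learn STS only from an HTTPS response; over plain HTTP the header is ignored."""
        now = time.time() if now is None else now
        d = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if urlsplit(url).scheme != "https" or "max-age" not in d:
            return  # not HTTPS, or no valid STS header: nothing is learned
        host = urlsplit(url).hostname
        if int(d["max-age"]) == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + int(d["max-age"]), "includesubdomains" in d)

    def is_known(self, host, now=None):
        """Known HSTS host: unexpired entry for it, or for a parent with includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        """The silent client-side redirect: http:// becomes https:// before any packet leaves."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The first assertion in the usage below is the sslstrip window from slide 32: before the site has ever been seen over HTTPS, nothing protects the plain-HTTP request.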

  35. coming up in 2015

  39. https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

  40. how common is this?

  42. what would happen if that server were compromised?

  44. Bad Things™: steal sessions, leak confidential data, redirect to phishing sites, enlist DDoS zombies
  45. simple solution

  46. instead of this: <script src="https://ajax.googleapis.com...">

  47. do this: <script src="https://ajax.googleapis.com..." integrity="sha256-1z4uG/+cVbhShP...">

  48. guarantee: script won't change or it'll be blocked

  49. limitation: won't work for scripts that change all the time

  50. https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

  51. there's a little something missing...

  52. complete example: <script src="https://ajax.googleapis.com..." integrity="sha256-1z4uG/+cVbhShP..." crossorigin="anonymous">

  54. same-origin policy: “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin”
  55. example.com/index.html
      example.com/data.js: var secret = 42;
      evil.net/widget.js: exfiltrate(secret);

  59. on the server: Access-Control-Allow-Origin: *
      on the client: crossorigin="anonymous"

  61. complete example: <script src="https://ajax.googleapis.com..." integrity="sha256-1z4uG/+cVbhShP..." crossorigin="anonymous">

  62. complete example: <link rel="stylesheet" href="style.css" integrity="sha256-PgMdguwx/O..." crossorigin="anonymous">

  63. SRIhash.org
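An added example (not from the talk, and not what SRIhash.org runs) showing both halves of Subresource Integrity from slides 46 to 62: generating the integrity value and the complete tag for a resource body, and the browser-side check that blocks the script when the fetched bytes no longer match. It also shows the rule for several listed hashes, where only the strongest algorithm decides. The jQuery body used in the usage below is a constructed stand-in, not the real file.

```python
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # weakest to strongest

def integrity_for(content, algorithm="sha256"):
    """Build the integrity attribute value for a resource body (bytes)."""
    digest = hashlib.new(algorithm, content).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")

def script_tag(src, content):
    """The complete tag from the slide: src, integrity and crossorigin together."""
    return (f'<script src="{src}" integrity="{integrity_for(content)}" '
            'crossorigin="anonymous"></script>')

def sri_matches(content, integrity_attr):
    """Browser-side check: the fetched bytes must match one hash of the strongest
    algorithm listed; unknown algorithms are ignored, and with nothing usable left
    the browser loads the resource as if no integrity attribute were present."""
    parsed = []
    for token in integrity_attr.split():
        algorithm, _, expected = token.partition("-")
        expected = expected.split("?", 1)[0]  # options after '?' are ignored
        if algorithm in SRI_ALGORITHMS:
            parsed.append((SRI_ALGORITHMS.index(algorithm), algorithm, expected))
    if not parsed:
        return True
    strongest = max(rank for rank, _, _ in parsed)
    return any(integrity_for(content, alg) == alg + "-" + exp
               for rank, alg, exp in parsed if rank == strongest)
```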

  67. http://example.com/search?q=serious+medical+condition Click here for the cheapest insurance around! Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
  69. No Referrer, No Referrer When Downgrade, Origin Only, Origin When Cross Origin, Unsafe URL
  74. Content-Security-Policy: referrer origin;
      <meta name="referrer" content="origin">
      <a href="http://example.com" referrer="origin">


  77. (initial implementations)
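An added example (not from the talk) working through the five referrer policies on slide 69 for the medical-search page of slide 67: given a policy and a navigation, it returns the Referer value the browser would send, or nothing. Policy names are the spec tokens corresponding to the slide's labels; the ads.example.net destination in the usage is constructed.

```python
from urllib.parse import urlsplit, urlunsplit

def _host(parts):
    return parts.hostname + (f":{parts.port}" if parts.port else "")

def origin_of(url):
    """scheme://host[:port]/ with path, query, fragment and credentials dropped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), "/", "", ""))

def full_referrer(url):
    """The full URL as a referrer: userinfo and fragment are always stripped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))

def referrer_for(policy, from_url, to_url):
    """Referer value sent when navigating from from_url to to_url, None for no header."""
    same_origin = origin_of(from_url) == origin_of(to_url)
    # a downgrade is a request from an https page to a plain-http destination
    downgrade = urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # the traditional browser default
        return None if downgrade else full_referrer(from_url)
    if policy == "origin":
        return origin_of(from_url)
    if policy == "origin-when-cross-origin":
        return full_referrer(from_url) if same_origin else origin_of(from_url)
    if policy == "unsafe-url":
        return full_referrer(from_url)
    raise ValueError(f"unknown referrer policy: {policy}")
```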

  78. HTTPS

  79. if you're not using it, now is the time to start :)
  82. mass surveillance of all Internet traffic is no longer theoretical

  83. strong encryption of all Internet traffic is no longer optional

  84. “If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” - Bruce Schneier
  85. ps://gigaom.com/2015/02/19/dont-let-att-mislead-you-about-its-29-privacy-fee/

  87. $ apt-get install letsencrypt
      $ letsencrypt example.com

  88. automatically: prove domain ownership, download a free-as-in-beer certificate, monitor and renew it before it expires
  91. HTTPS is not enough: you need to do it properly

  92. RC4, SHA-1, 1024-bit certificates, weak DH parameters

  100. https://people.mozilla.org/~fmarier/mixed-content.html
       <html>
         <head>
           <script src="http://people.mozilla.org/~fmarier/mixed-content.js"></script>
         </head>
         <body>
           <img src="http://fmarier.org/img/francois_marier.jpg">
         </body>
       </html>
  102. turn on full mixed-content blocking in development

  103. Start by enabling HTTPS and HSTS. Use SRI for your external scripts. Set a more restrictive Referrer policy. Consider enabling CSP. Watch out for mixed content.
  104. Questions? feedback: francois@mozilla.com, mozilla.dev.security, public-webappsec@w3.org
       © 2015 François Marier <francois@mozilla.com>
       This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

  105. photo credits: tinfoil: https://www.flickr.com/photos/laurelrusswurm/15129449047, explosion: https://www.flickr.com/photos/-cavin-/2313239884/, snowden: https://www.flickr.com/photos/gageskidmore/16526354372