Security and Privacy on the Web in 2016

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up (e.g. Referrer Policy, Subresource Integrity).

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2016. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking.

This talk will introduce developers to the security features of the web platform they can use today and show end-users how they can harden their Firefox browser.

https://www.linuxfestnorthwest.org/2016/sessions/security-and-privacy-web-2016

Francois Marier

April 24, 2016
Transcript

  1. Security and Privacy
    on the Web in 2016
    François Marier @fmarier
    mozilla

  2. Security and Privacy
    for users, sysadmins and developers

  3. security

  4. security
    for users

  5. Safe Browsing

  6. (image slide)

  7. pre-downloaded URL hash prefixes

  8. pre-downloaded URL hash prefixes
    list updated every 30 minutes

  9. pre-downloaded URL hash prefixes
    list updated every 30 minutes
    server completions on prefix hit (with noise entries)

  10. pre-downloaded URL hash prefixes
    list updated every 30 minutes
    server completions on prefix hit (with noise entries)
    separate cookie jar

  11. pre-downloaded URL hash prefixes
    list updated every 30 minutes
    server completions on prefix hit (with noise entries)
    separate cookie jar
    list entries expire after 45 minutes
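
The lookup flow described on slides 7 to 11, as an added example (not code from the talk or from Firefox): the browser holds only 4-byte hash prefixes, asks the server for full hashes only on a prefix hit, and the server pads its answer with noise. The bad URLs, the prefix length and the noise count are constructed sample values, and URL canonicalization is left out.

```python
import hashlib
import secrets

# Constructed sample data: two "bad" canonical URLs known to the server.
# Real Safe Browsing canonicalizes each URL and hashes several host/path
# combinations; this model hashes the URL string once.
BAD_URLS = ["malware.example/evil.exe", "phish.example/login"]
PREFIX_LEN = 4  # bytes of the SHA-256 digest shipped in the local list


def full_hash(url: str) -> bytes:
    return hashlib.sha256(url.encode()).digest()


# What the server holds: full hashes. What the browser pre-downloads
# (refreshed every 30 minutes in Firefox): only the prefixes.
SERVER_FULL_HASHES = {full_hash(u) for u in BAD_URLS}
LOCAL_PREFIXES = {h[:PREFIX_LEN] for h in SERVER_FULL_HASHES}


def server_completions(prefix: bytes) -> set:
    """Server side: return every full hash starting with `prefix`, padded with
    random noise entries so the server cannot infer which URL was visited."""
    matches = {h for h in SERVER_FULL_HASHES if h.startswith(prefix)}
    noise = {prefix + secrets.token_bytes(32 - PREFIX_LEN) for _ in range(2)}
    return matches | noise


def check_url(url: str, prefixes=LOCAL_PREFIXES, lookup=server_completions):
    """Browser side. Returns (blocked, contacted_server)."""
    h = full_hash(url)
    prefix = h[:PREFIX_LEN]
    if prefix not in prefixes:
        return False, False           # no prefix hit: nothing leaves the browser
    completions = lookup(prefix)      # only the 4-byte prefix is sent
    return h in completions, True     # the full-hash comparison stays local


if __name__ == "__main__":
    for u in ["malware.example/evil.exe", "benign.example/"]:
        print(u, check_url(u))
```

A prefix collision on a harmless URL costs one lookup but is resolved locally by the full-hash comparison, so the server never learns more than the prefix.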

  12. about:config
    browser.safebrowsing.enabled (phishing)
    browser.safebrowsing.malware.enabled (malware)

  13. Download Protection

  14. (image slide)

  15. is it on the pre-downloaded list of dangerous hosts?

  16. is it on the pre-downloaded list of dangerous hosts?
    is it signed by a known good software provider?

  17. is it on the pre-downloaded list of dangerous hosts?
    is it signed by a known good software provider?
    is it an executable file (.exe, .com, .pif, .dmg, etc.)?

  18. is it on the pre-downloaded list of dangerous hosts?
    is it signed by a known good software provider?
    is it an executable file (.exe, .com, .pif, .dmg, etc.)?
    what does the apprep server think about it?

  19. about:config
    browser.safebrowsing.downloads.remote.enabled
    browser.safebrowsing.downloads.remote.block_potentially_unwanted
    browser.safebrowsing.downloads.remote.block_uncommon

  20. https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

  21. security
    for developers

  22. Content Security Policy
    aka CSP
    mechanism for preventing XSS

  23. telling the browser what external
    content is allowed to load

  24. Hi y'all<script>alert('p0wned');</script>!
    Tweet!
    What's on your mind?

  25. without CSP

  26. Hi y'all!
    John Doe - just moments ago
    p0wned
    Ok

  27. with CSP

  28. Hi y'all!
    John Doe - just moments ago

  29. Content-Security-Policy:
    script-src 'self'
    https://cdn.example.com

  30. script-src
    object-src
    style-src
    img-src
    media-src
    frame-src
    font-src
    connect-src
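
How the policy on slide 29 decides what the page of slides 24 to 28 may run, as an added example (not code from the talk): inline scripts such as the injected alert are refused unless 'unsafe-inline' is listed, while scripts from 'self' or the listed CDN load. The page and script URLs are constructed; wildcards, nonces and hash sources are not modelled.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(policy: Dict[str, List[str]], page_url: str,
                   script_url: Optional[str]) -> bool:
    """Decide whether a script may run under `policy` on `page_url`.
    script_url=None means an inline <script> block, which is exactly what an
    injected alert('p0wned') is. Host sources are matched on scheme and
    host:port only (constructed simplification of the CSP matching rules)."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return "'unsafe-inline'" in sources
    page, script = urlsplit(page_url), urlsplit(script_url)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue  # keyword not modelled here ('none', 'unsafe-eval', nonces)
        else:
            allowed = urlsplit(src)
            if (script.scheme, script.netloc) == (allowed.scheme, allowed.netloc):
                return True
    return False


if __name__ == "__main__":
    policy = parse_csp("script-src 'self' https://cdn.example.com")
    page = "https://social.example/feed"
    print("inline:", script_allowed(policy, page, None))
    print("cdn:   ", script_allowed(policy, page, "https://cdn.example.com/jquery.min.js"))
```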

  31. Strict Transport Security
    aka HSTS
    mechanism for preventing
    HTTPS to HTTP downgrades

  32. telling the browser that your site
    should never be reached over HTTP

  33. (image slide)

  34. GET bank.com → 301
    GET https://bank.com → 200
    no HSTS, no sslstrip

  35. GET bank.com → 200
    no HSTS, with sslstrip

  36. what does HSTS look like?

  37. $ curl -i https://bank.com
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Strict-Transport-Security: max-age=31536000
    ...

  38. with HSTS, with sslstrip
    GET https://bank.com → 200

  39. no HTTP traffic for
    sslstrip to tamper with
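
Why slides 34 to 39 end with no HTTP request at all, as an added example (not code from the talk or from Firefox): a minimal model of a browser's HSTS store that records the header only when it arrives over HTTPS, honours max-age and max-age=0, and rewrites later http:// navigations before any packet is sent. The host names and clock are constructed; the preload list and includeSubDomains are not modelled.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Browser-side HSTS store: host -> expiry timestamp (constructed model)."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}

    def observe_response(self, url: str, headers: dict) -> None:
        """Record Strict-Transport-Security, but only from an HTTPS response;
        a header seen over plain HTTP could have been injected on the wire."""
        u = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if u.scheme != "https" or sts is None:
            return
        for directive in sts.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age" and value.isdigit():
                if int(value) == 0:
                    self.hosts.pop(u.hostname, None)   # max-age=0 forgets the host
                else:
                    self.hosts[u.hostname] = self.now() + int(value)

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for a known, unexpired host. This happens
        inside the browser, so sslstrip never sees a cleartext request."""
        u = urlsplit(url)
        expiry = self.hosts.get(u.hostname)
        if u.scheme == "http" and expiry is not None and expiry > self.now():
            return urlunsplit(("https", u.netloc, u.path, u.query, u.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe_response("https://bank.com/", {"Strict-Transport-Security": "max-age=31536000"})
    print(cache.rewrite("http://bank.com/login"))
```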

  40. (image slide)

  41. (image slide)

  42. (image slide)

  43. https://ajax.googleapis.com
    /ajax/libs/jquery/1.8.0/
    jquery.min.js

  44. what would happen if that
    server were compromised?

  45. (image slide)

  46. Bad Things™
    steal sessions
    leak confidential data
    redirect to phishing sites
    enlist DDoS zombies

  47. simple solution

  48. instead of this:
    <script src="https://ajax.googleapis.com...">

  49. do this:
    <script src="https://ajax.googleapis.com..."
    integrity="sha256-1z4uG/+cVbhShP..."
    crossorigin="anonymous">

  50. guarantee:
    script won't change
    or it'll be blocked
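
How the integrity value on slide 49 is produced and checked, as an added example (not code from the talk): the attribute is the algorithm name plus the base64 digest of the script bytes, and the browser refuses anything that does not match; when several hashes are listed only the strongest algorithm counts. The two script bodies are constructed samples; fetching and the crossorigin="anonymous" CORS requirement are outside this snippet.

```python
import base64
import hashlib

# Constructed sample: the script as published, and a copy altered after the
# integrity attribute was generated (the "compromised server" case).
ORIGINAL_JS = b"window.jQuery = function () { return 'jQuery 1.8.0'; };"
TAMPERED_JS = b"window.jQuery = function () { return 'jQuery 1.8.0'; }; /* altered */"

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Produce an integrity attribute value: '<algo>-<base64(digest)>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_allows(integrity: str, fetched: bytes) -> bool:
    """Browser-side check. The attribute may list several hashes; only those
    using the strongest algorithm present are considered, and the fetched bytes
    must match one of them. Tokens with unknown algorithms are ignored."""
    entries = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in STRENGTH:
            entries.append((algo, digest))
    if not entries:
        return True  # no usable metadata: the resource loads unchecked
    best = max(STRENGTH[a] for a, _ in entries)
    return any(sri_hash(fetched, a) == f"{a}-{d}"
               for a, d in entries if STRENGTH[a] == best)


if __name__ == "__main__":
    print(f'<script src="https://cdn.example.com/jquery.min.js" '
          f'integrity="{sri_hash(ORIGINAL_JS)}" crossorigin="anonymous"></script>')
    print("tampered copy allowed:", sri_allows(sri_hash(ORIGINAL_JS), TAMPERED_JS))
```

The flip side is operational: a legitimate update of the script on the CDN is blocked just the same, so the integrity value has to be regenerated whenever the pinned file changes.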

  51. security
    for sysadmins

  52. HTTPS

  53. if you're not using it, now is the time to start :)

  54. (image slide)

  55. (image slide)

  56. mass surveillance of
    all Internet traffic
    is no longer theoretical

  57. strong encryption of
    all Internet traffic
    is no longer optional

  58. “If we only use encryption when we're working with
    important data, then encryption signals that data's
    importance. If only dissidents use encryption in a
    country, that country's authorities have an easy way of
    identifying them. But if everyone uses it all of the time,
    encryption ceases to be a signal. The government can't
    tell the dissidents from the rest of the population. Every
    time you use encryption, you're protecting someone
    who needs to use it to stay alive.”
    -Bruce Schneier

  59. (image slide)

  60. (image slide)

  61. (image slide)

  62. $ apt-get install letsencrypt
    $ letsencrypt example.com

  63. automatically prove domain ownership
    download a free-as-in-beer certificate
    monitor and renew it before it expires

  66. HTTPS is not enough
    you need to do it properly

  67. RC4

  68. SHA-1
    RC4

  69. SHA-1
    1024-bit certificates
    RC4

  70. SHA-1
    1024-bit certificates
    RC4
    weak DH parameters

  71. (image slide)

  72. (image slide)

  73. (image slide)

  74. (image slide)

  75. https://people.mozilla.org/~fmarier/mixed-content.html
    <script src="http://people.mozilla.org/~fmarier/mixed-content.js">

  76. (image slide)

  77. turn on full mixed-content blocking in development

  78. privacy

  79. privacy
    for users

  80. (image slide)

  81. (image slide)

  82. (image slide)

  83. (image slide)

  84. about:config
    network.cookie.lifetimePolicy = 3
    network.cookie.lifetime.days = 5
    network.cookie.thirdparty.sessionOnly = true

  85. https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/

  86. Tracking Protection

  87. (image slide)

  88. based on Safe Browsing
    pre-downloaded list of full hashes
    (no server lookups)

  89. 1. is this resource coming from a third-party server?
    2. is it on Disconnect's list of trackers?
    3. is it actually a third-party or does it belong to the same org?

  90. Q: What does it do?
    A: It blocks network loads!

  91. No cookies
    No fingerprinting
    No wasted bandwidth
    No performance hit

  92. about:config
    privacy.trackingprotection.pbmode.enabled

  93. about:config
    privacy.trackingprotection.enabled

  94. https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/

  95. privacy
    for developers

  96. (image slide)

  97. (image slide)

  98. http://example.com/search?q=serious+medical+condition
    Click here for the cheapest insurance around!
    (page body: filler text)

  99. (image slide)

  100. No Referrer
    No Referrer When Downgrade
    Origin Only
    Origin When Cross Origin
    Unsafe URL

  105. Referrer-Policy: origin

  107. Referrer-Policy: origin

    referrerPolicy="origin">
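
What each of the five policies from slides 100 to 104 sends for the search page of slide 98, as an added example (not code from the talk): the Referer value is computed from the source and destination URLs, with None meaning the header is omitted. The URLs are constructed; userinfo stripping and the later strict-* policies are not modelled.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "unsafe-url")


def referrer_for(policy: str, source: str, destination: str) -> Optional[str]:
    """Return the Referer value a browser sends from `source` to `destination`
    under `policy`, or None when the header is omitted. Fragments are never
    sent under any policy."""
    s, d = urlsplit(source), urlsplit(destination)
    full = urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))
    origin = f"{s.scheme}://{s.netloc}/"
    same_origin = (s.scheme, s.netloc) == (d.scheme, d.netloc)
    downgrade = s.scheme == "https" and d.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":   # the browser default in 2016
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample: the search page from slide 98 loading a third-party ad.
    src = "http://example.com/search?q=serious+medical+condition"
    for p in POLICIES:
        print(f"{p:28} {referrer_for(p, src, 'https://ads.example/insurance')}")
```

Under the default policy the full query string, medical condition included, reaches the ad server; Referrer-Policy: origin reduces that to http://example.com/.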

  108. recommendations
    for users

  109. network.cookie.lifetimePolicy = 3
    network.cookie.lifetime.days = 5
    network.cookie.thirdparty.sessionOnly = true
    network.http.referer.spoofSource = true
    privacy.trackingprotection.enabled = true
    security.pki.sha1_enforcement_level = 2
    security.ssl.errorReporting.automatic = true
    Install the EFF's HTTPS Everywhere add-on

  110. https://github.com/pyllyukko/user.js

  111. recommendations
    for developers

  112. Use SRI for your external scripts
    Set a more restrictive Referrer policy
    Consider enabling CSP
    Watch out for mixed content
    Test your site with Tracking Protection

  113. recommendations
    for sysadmins

  114. Enable HTTPS and HSTS on all your sites
    Use our recommended TLS config
    Test your site periodically using SSL Labs

  115. Questions?
    feedback:
    mozilla.dev.security
    © 2016 François Marier
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

  116. photo credits:
    cookie: https://secure.flickr.com/photos/jamisonjudd/4810986199/
    explosion: https://www.flickr.com/photos/-cavin-/2313239884/
    snowden: https://www.flickr.com/photos/gageskidmore/16526354372
