Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security and Privacy on the Web in 2016

Francois Marier
April 24, 2016
Technology
0
210

Security and Privacy on the Web in 2016

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up (e.g. Referrer Policy, Subresource Integrity).

As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2016. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking.

This talk will introduce developers to the security features of the web platform they can use today and show end-users how they can harden their Firefox browser.

https://www.linuxfestnorthwest.org/2016/sessions/security-and-privacy-web-2016

Francois Marier

April 24, 2016
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
300
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
270
Hardening Firefox for Privacy and Security
fmarier
0
1k
Privacy and Tracking Protection in Firefox
fmarier
0
280
Security and Privacy on the Web in 2015
fmarier
0
280
Security and Privacy on the Web in 2015
fmarier
0
190
Integrity protection for third-party JavaScript
fmarier
1
800
URL to HTML
fmarier
1
280
Integrity protection for third-party JavaScript
fmarier
2
600

Other Decks in Technology

See All in Technology
All You Need Is Kusa 〜Slackデータで始めるデータドリブン〜
jonnojun
0
140
自分の軸足を見つけろ
tsuemura
2
550
NLP2025 参加報告会 / NLP2025
sansan_randd
4
500
アセスメントで紐解く、10Xのデータマネジメントの軌跡
10xinc
1
310
Amazon CloudWatch Application Signals ではじめるバーンレートアラーム / Burn rate alarm with Amazon CloudWatch Application Signals
ymotongpoo
5
260
Webアプリを Lambdaで動かすまでに考えること / How to implement monolithic Lambda Web Application
_kensh
7
1.2k
クォータ監視、AWS Organizations環境でも楽勝です✌️
iwamot
PRO
1
200
Re:VIEWで書いた「Compose で Android の edge-to-edge に対応する」をRoo Codeで発表資料にしてもらった
tomoya0x00
0
260
50人の組織でAIエージェントを使う文化を作るためには / How to Create a Culture of Using AI Agents in a 50-Person Organization
yuitosato
6
3k
AIエージェント開発における「攻めの品質改善」と「守りの品質保証」 / 2024.04.09 GPU UNITE 新年会 2025
smiyawaki0820
0
390
MCP Documentation Server @AI Coding Meetup #1
yyoshiki41
2
2.5k
30 代子育て SRE が考える SRE ナレッジマネジメントの現在と将来
kworkdev
PRO
0
200

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
52
2.4k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.3k
For a Future-Friendly Web
brad_frost
176
9.7k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Embracing the Ebb and Flow
colly
85
4.6k
Site-Speed That Sticks
csswizardry
5
470
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
178
52k
How to Ace a Technical Interview
jacobian
276
23k
Docker and Python
trallard
44
3.3k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.4k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k

Transcript

  1. Security and Privacy on the Web in 2016 François Marier

    @fmarier mozilla

  2. Security and Privacy for users, sysadmins and developers

  3. security

  4. security for users

  5. Safe Browsing

  6. None

  7. pre-downloaded URL hash prefixes

  8. pre-downloaded URL hash prefixes list updated every 30 minutes

  9. pre-downloaded URL hash prefixes list updated every 30 minutes server

    completions on prefix hit (with noise entries)

  10. pre-downloaded URL hash prefixes list updated every 30 minutes server

    completions on prefix hit (with noise entries) separate cookie jar

  11. pre-downloaded URL hash prefixes list updated every 30 minutes server

    completions on prefix hit (with noise entries) separate cookie jar list entries expire after 45 minutes

  12. about:config browser.safebrowsing.enabled (phishing) browser.safebrowsing.malware.enabled (malware)

  13. Download Protection

  14. None

  15. is it on the pre-downloaded list of dangerous hosts?

  16. is it on the pre-downloaded list of dangerous hosts? is

    it signed by a known good software provider?

  17. is it on the pre-downloaded list of dangerous hosts? is

    it signed by a known good software provider? is it an executable file (.exe, .com, .pif, .dmg, etc.)?

  18. is it on the pre-downloaded list of dangerous hosts? is

    it signed by a known good software provider? is it an executable file (.exe, .com, .pif, .dmg, etc.)? what does the apprep server think about it?

  19. about:config browser.safebrowsing.downloads.remote.enabled browser.safebrowsing.downloads.remote.block_potentially_unwanted browser.safebrowsing.downloads.remote.block_uncommon

  20. https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

  21. security for developers

  22. Content Security Policy aka CSP mechanism for preventing XSS

  23. telling the browser what external content is allowed to load

  24. Hi y'all<script> alert('p0wned'); </script>! Tweet! What's on your mind?

  25. without CSP

  26. Hi y'all! John Doe - just moments ago p0wned Ok

  27. with CSP

  28. Hi y'all! John Doe - just moments ago

  29. Content-Security-Policy: script-src 'self' https://cdn.example.com

  30. script-src object-src style-src img-src media-src frame-src font-src connect-src

  31. Strict Transport Security aka HSTS mechanism for preventing HTTPS to

    HTTP downgrades

  32. telling the browser that your site should never be reached

    over HTTP
  33. None

  34. GET bank.com 301 → GET https://bank.com 200 → no HSTS,

    no sslstrip

  35. GET bank.com → 200 no HSTS, with sslstrip

  36. what does HSTS look like?

  37. $ curl -i https://bank.com HTTP/1.1 200 OK Cache-Control: private Content-Type:

    text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 ...

  38. with HSTS, with sslstrip GET https://bank.com 200 →

  39. no HTTP traffic for sslstrip to tamper with

  40. None
  41. None
  42. None

  43. https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js

  44. what would happen if that server were compromised?

  45. None

  46. Bad Things™ steal sessions leak confidential data redirect to phishing

    sites enlist DDoS zombies

  47. simple solution

  48. instead of this: <script src=”https://ajax.googleapis.com...”>

  49. <script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”> do this:

  50. guarantee: script won't change or it'll be blocked

  51. security for sysadmins

  52. HTTPS

  53. if you're not using it, now is the time to

    start :)
  54. None
  55. None

  56. mass surveillance of all Internet traffic is no longer theoretical

  57. strong encryption of all Internet traffic is no longer optional

  58. “If we only use encryption when we're working with important

    data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” -Bruce Schneier
  59. None
  60. None
  61. None

  62. $ apt-get install letsencrypt $ letsencrypt example.com

  63. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

  64. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

  65. automatically prove domain ownership download a free-as-in-beer certificate monitor and

    renew it before it expires

  66. HTTPS is not enough you need to do it properly

  67. RC4

  68. SHA-1 RC4

  69. SHA-1 1024-bit certificates RC4

  70. SHA-1 1024-bit certificates RC4 weak DH parameters

  71. None
  72. None
  73. None
  74. None

  75. https://people.mozilla.org/~fmarier/mixed-content.html <html> <head> <script src="http://people.mozilla.org/~fmarier/mixed-content.js"> </script> </head> <body> <img src="http://fmarier.org/img/francois_marier.jpg">

    </body> </html>
  76. None

  77. turn on full mixed-content blocking in development

  78. privacy

  79. privacy for users

  80. None
  81. None
  82. None
  83. None

  84. about:config network.cookie.lifetimePolicy = 3 network.cookie.lifetime.days = 5 network.cookie.thirdparty.sessionOnly = true

  85. https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/

  86. Tracking Protection

  87. None

  88. based on Safe Browsing pre-downloaded list of full hashes (no

    server lookups)

  89. 1. is this resource coming from a third-party server? 2.

    is it on Disconnect's list of trackers? 3. is it actually a third-party or does it belong to the same org?

  90. Q: What does it do? A: It blocks network loads!

  91. No cookies No fingerprinting No wasted bandwidth No performance hit

  92. about:config privacy.trackingprotection.pbmode.enabled

  93. about:config privacy.trackingprotection.enabled

  94. https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/

  95. privacy for developers

  96. None
  97. None

  98. http://example.com/search?q=serious+medical+condition Click here for the cheapest insurance around! Bla bla

    bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
  99. None

  100. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  101. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  102. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  103. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  104. No Referrer No Referrer When Downgrade Origin Only Origin When

    Cross Origin Unsafe URL

  105. Referrer-Policy: origin <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">

  106. Referrer-Policy: origin <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">

  107. Referrer-Policy: origin <meta name="referrer" content="origin"> <a href="http://example.com" referrerPolicy="origin">

  108. recommendations for users

  109. network.cookie.lifetimePolicy = 3 network.cookie.lifetime.days = 5 network.cookie.thirdparty.sessionOnly = true network.http.referer.spoofSource

    = true privacy.trackingprotection.enabled = true security.pki.sha1_enforcement_level = 2 security.ssl.errorReporting.automatic = true Install the EFF's HTTPS Everywhere add-on

  110. https://github.com/pyllyukko/user.js

  111. recommendations for developers

  112. Use SRI for your external scripts Set a more restrictive

    Referrer policy Consider enabling CSP Watch out for mixed content Test your site with Tracking Protection

  113. recommendations for sysadmins

  114. Enable HTTPS and HSTS on all your sites Use our

    recommended TLS config Test your site periodically using SSL Labs

  115. Questions? feedback: [email protected] mozilla.dev.security [email protected] © 2016 François Marier <[email protected]>

    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

  116. photo credits: cookie: https://secure.flickr.com/photos/jamisonjudd/4810986199/ explosion: https://www.flickr.com/photos/-cavin-/2313239884/ snowden: https://www.flickr.com/photos/gageskidmore/16526354372