BSides Munich

Transcript

1. Mike West, @mikewest, [email protected]
   https://goo.gl/F0o9kR
   Hardening the
   Web Platform
   

   View Slide

2. Slides: https://goo.gl/F0o9kR
   

   View Slide

3. View Slide

4. View Slide

5. View Slide

6. https://goo.gl/MycPb7
   

   View Slide

7. "Sharpening", https://flic.kr/p/sbo18H
   

   View Slide

8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
   

   View Slide

9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
   

   View Slide

10. View Slide

11. https://securethe.news/
    

    View Slide

12. https://letsencrypt.org/
    

    View Slide

13. https://caddyserver.com/
    

    View Slide

14. https://goo.gl/ptS8FO
    https://goo.gl/nzbqQo
    

    View Slide

15. Pro tip: Content-Security-Policy:
    default-src https:;
    report-uri /reports-r-us
    

    View Slide

16. Content-Security-Policy: upgrade-insecure-requests
    https://goo.gl/hcin3m
    

    View Slide

17. https://goo.gl/51hqZa
    

    View Slide

18. https://goo.gl/Kd2eMQ
    

    View Slide

19. https://goo.gl/ciyreA
    

    View Slide

20. https://goo.gl/rStTGz
    

    View Slide

21. AppCache
    getUserMedia
    crypto.subtle.*
    ServiceWorker
    navigator.credentials
    navigator.geolocation
    PaymentRequest
    EME
    https://goo.gl/rStTGz
    Notification
    

    View Slide

22. https://goo.gl/Wwpnjw
    https://goo.gl/fzVgNt
    

    View Slide

23. 127.0.0.1
    192.168.1.1
    192.220.74.179
    https://goo.gl/Wwpnjw
    

    View Slide

24. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
    

    View Slide

25. https://goo.gl/Wamh7S
    

    View Slide

26. default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src
    render.githubusercontent.com; connect-src 'self' uploads.github.com
    status.github.com api.github.com www.google-analytics.com
    github-cloud.s3.amazonaws.com wss://live.github.com; font-src
    assets-cdn.github.com; form-action 'self' github.com gist.github.com;
    frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src
    'self' data: assets-cdn.github.com identicons.github.com
    www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com
    *.githubusercontent.com; media-src 'none'; object-src
    assets-cdn.github.com; plugin-types application/x-shockwave-flash;
    script-src assets-cdn.github.com; style-src 'unsafe-inline'
    assets-cdn.github.com
    

    View Slide

27. https://goo.gl/lJq6jj
    https://goo.gl/dqPkYn
    

    View Slide

28. script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com
    https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com
    https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com
    https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com
    https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com
    data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com
    https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com
    blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com
    https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com
    https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self';
    style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com
    https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com
    https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self';
    frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com
    https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com
    https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com
    https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com
    https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com
    https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data:
    https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com
    https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com
    https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com
    blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
    

    View Slide

29. https://goo.gl/wSH6sV
    

    View Slide

30. https://srihash.org/
    

    View Slide

31. https://goo.gl/yxEJiO
    https://goo.gl/IrPX7b
    

    View Slide

32. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax
    

    View Slide

33. https://goo.gl/QcZIBI
    

    View Slide

34. ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/
    ✘ Set-Cookie: __Host-SID=12345
    ✘ Set-Cookie: __Host-SID=12345; Secure
    ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
    ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
    ✘ Set-Cookie: __Secure-SID=12345; Secure;
    ✘ Set-Cookie: __Secure-SID=12345
    

    View Slide

35. https://goo.gl/gF2clJ
    

    View Slide

36. https://goo.gl/FHAeAm
    

    View Slide

37. Credential Management API @ I/O: https://goo.gl/FbrO5x
    navigator.credentials.get({
    "password": true, "unmediated": true
    })
    .then(c => {
    if (!c) return;
    // Hooray, we have a credential!
    signInToYourApplication(c);
    });
    

    View Slide

38. Credential Management API @ I/O: https://goo.gl/FbrO5x
    function signInToYourApplication(c) {
    fetch("/signin", {
    "method": "POST", "credentials": c
    })
    .then(r => {
    if (r.status == 200) {
    renderSignedInExperience(r);
    // or:
    window.location = "/signedin";
    } else {
    renderUsefulErrorMessage();
    }
    });
    }
    

    View Slide

39. View Slide

40. https://goo.gl/Un07eJ
    

    View Slide

41. https://goo.gl/ILUP12
    

    View Slide

42. https://goo.gl/eZ9SKg
    

    View Slide

43. scheme://host:port
    

    View Slide

44. scheme://host:port
    scheme://sub1_host:port scheme://sub2_host:port
    

    View Slide

45. https://goo.gl/VhLsq2
    

    View Slide

46. View Slide

47. Thank you!
    https://goo.gl/F0o9kR
    @mikewest
    [email protected]
    

    View Slide