
Hardening the Web Platform - AppSec EU, 2016


Like every large software project, browsers are accidentally broken. But put these unintentional bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren’t safe, because from a security perspective the internet is in many ways broken by design.

Let’s talk about how we’re beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down even further.


Mike West

July 01, 2016


  1. Mike West, @mikewest, mkwst@google.com https://goo.gl/YyrmXp Hardening the Web Platform

  6. https://goo.gl/MycPb7

  7. "Sharpening", https://flic.kr/p/sbo18H

  8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  11. https://letsencrypt.org/

  12. https://goo.gl/1r7oNF https://goo.gl/nzbqQo

  13. Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us

  14. Content-Security-Policy: upgrade-insecure-requests https://goo.gl/hcin3m

  15. https://goo.gl/rStTGz

  16. AppCache getUserMedia crypto.subtle.* ServiceWorker navigator.credentials navigator.geolocation PaymentRequest EME https://goo.gl/rStTGz

  17. https://goo.gl/gF2clJ

  18. https://goo.gl/Kd2eMQ

  19. https://goo.gl/Wwpnjw https://goo.gl/fzVgNt

  20. https://goo.gl/Wwpnjw

  21. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  22. https://goo.gl/Wamh7S

  23. "Making CSP Great Again", https://goo.gl/74D8i5

    default-src 'none';
    base-uri 'self';
    block-all-mixed-content;
    child-src render.githubusercontent.com;
    connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com;
    font-src assets-cdn.github.com;
    form-action 'self' github.com gist.github.com;
    frame-ancestors 'none';
    frame-src render.githubusercontent.com;
    img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com;
    media-src 'none';
    object-src assets-cdn.github.com;
    plugin-types application/x-shockwave-flash;
    script-src assets-cdn.github.com;
    style-src 'unsafe-inline' assets-cdn.github.com
  24. https://goo.gl/lJq6jj https://goo.gl/GXob6d

  25. https://srihash.org/

  26. https://goo.gl/yxEJiO https://goo.gl/IrPX7b

  27. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

  28. Cookie prefixes: __Host- requires Secure, Path=/ and no Domain; __Secure- requires Secure.

    ✓ Set-Cookie: __Host-SID=12345; Secure; Path=/
    ✘ Set-Cookie: __Host-SID=12345
    ✘ Set-Cookie: __Host-SID=12345; Secure
    ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
    ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
    ✓ Set-Cookie: __Secure-SID=12345; Secure;
    ✘ Set-Cookie: __Secure-SID=12345
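    An added example (not from the deck) that applies the __Host- and __Secure- rules from slide 28 to Set-Cookie lines the way a browser does before storing the cookie; the parser and the sample headers are constructed for this example.

```javascript
// Cookie-prefix checker (added example, not from the slides).
//   __Secure-  requires the Secure attribute.
//   __Host-    requires Secure, requires Path=/, and forbids Domain.
// A prefixed cookie that violates its rules is rejected, not stored.

function parseSetCookie(header) {
  // Accept an optional "Set-Cookie:" label so slide-style lines work as input.
  const value = header.replace(/^\s*Set-Cookie:\s*/i, "");
  const parts = value.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  // Attribute names are case-insensitive; keep the raw value (e.g. the Path).
  const attributes = new Map();
  for (const attr of attrParts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    attributes.set(key, val);
  }
  return { name, attributes };
}

// Returns { name, accepted, problems }; problems lists each violated prefix rule.
function checkCookiePrefix(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  const isHost = name.startsWith("__Host-");
  const isSecure = name.startsWith("__Secure-");
  if ((isHost || isSecure) && !attributes.has("secure")) {
    problems.push("missing Secure");
  }
  if (isHost) {
    if (attributes.get("path") !== "/") problems.push("Path must be /");
    if (attributes.has("domain")) problems.push("Domain must be absent");
  }
  return { name, accepted: problems.length === 0, problems };
}

// Constructed sample headers mirroring slide 28, plus slide 27's unprefixed cookie.
const SAMPLE_HEADERS = [
  "Set-Cookie: __Host-SID=12345; Secure; Path=/",
  "Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/",
  "Set-Cookie: __Secure-SID=12345; Secure;",
  "Set-Cookie: __Secure-SID=12345",
  "Set-Cookie: user_session=abc; path=/; secure; HttpOnly; SameSite=Lax",
];

for (const h of SAMPLE_HEADERS) {
  const r = checkCookiePrefix(h);
  console.log(r.accepted ? "accepted" : "rejected", h, r.problems.join(", "));
}
```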
  29. https://goo.gl/FHAeAm

  30. Credential Management API @ I/O: https://goo.gl/FbrO5x

    navigator.credentials.get({ "password": true, "unmediated": true })
      .then(c => {
        if (!c) return;
        // Hooray, we have a credential!
        signInToYourApplication(c);
      });
  31. Credential Management API @ I/O: https://goo.gl/FbrO5x

    function signInToYourApplication(c) {
      fetch("/signin", { "method": "POST", "credentials": c })
        .then(r => {
          if (r.status == 200) {
            renderSignedInExperience(r);
            // or: window.location = "/signedin";
          } else {
            renderUsefulErrorMessage();
          }
        });
    }
  32. https://goo.gl/M5yVrc

  33. https://goo.gl/eZ9SKg

  34. scheme://host:port

  35. scheme://host:port scheme://sub1_host:port scheme://sub2_host:port

  37. Thank you! https://goo.gl/YyrmXp @mikewest mkwst@google.com