Hardening the Web Platform - AppSec EU, 2016

Like every large software project, browsers are accidentally broken. But put these unintentional bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren’t safe, because from a security perspective the internet is in many ways broken by design.

Let’s talk about how we’re beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down even further.

Mike West

July 01, 2016

Transcript

  1. Mike West, @mikewest, [email protected]
    https://goo.gl/YyrmXp
    Hardening the
    Web Platform

  6. https://goo.gl/MycPb7

  7. "Sharpening", https://flic.kr/p/sbo18H

  8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  11. https://letsencrypt.org/

  12. https://goo.gl/1r7oNF
    https://goo.gl/nzbqQo

  13. Pro tip: Content-Security-Policy:
    default-src https:;
    report-uri /reports-r-us

  14. Content-Security-Policy: upgrade-insecure-requests
    https://goo.gl/hcin3m

  15. https://goo.gl/rStTGz

  16. AppCache
    getUserMedia
    crypto.subtle.*
    ServiceWorker
    navigator.credentials
    navigator.geolocation
    PaymentRequest
    EME
    https://goo.gl/rStTGz

  17. https://goo.gl/gF2clJ

  18. https://goo.gl/Kd2eMQ

  19. https://goo.gl/Wwpnjw
    https://goo.gl/fzVgNt

  20. 127.0.0.1
    192.168.1.1
    192.220.74.179
    https://goo.gl/Wwpnjw

  21. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  22. https://goo.gl/Wamh7S

  23. "Making CSP Great Again", https://goo.gl/74D8i5
    default-src 'none';
    base-uri 'self';
    block-all-mixed-content;
    child-src render.githubusercontent.com;
    connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com;
    font-src assets-cdn.github.com;
    form-action 'self' github.com gist.github.com;
    frame-ancestors 'none';
    frame-src render.githubusercontent.com;
    img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com;
    media-src 'none';
    object-src assets-cdn.github.com;
    plugin-types application/x-shockwave-flash;
    script-src assets-cdn.github.com;
    style-src 'unsafe-inline' assets-cdn.github.com

  24. https://goo.gl/lJq6jj
    https://goo.gl/GXob6d

  25. https://srihash.org/

  26. https://goo.gl/yxEJiO
    https://goo.gl/IrPX7b

  27. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

  28. ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/
    ✘ Set-Cookie: __Host-SID=12345
    ✘ Set-Cookie: __Host-SID=12345; Secure
    ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
    ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
    ✘ Set-Cookie: __Secure-SID=12345; Secure;
    ✘ Set-Cookie: __Secure-SID=12345
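
As an added example, not from the deck: a short Node.js audit of a Set-Cookie header against the cookie-prefix rules the slide illustrates (`__Host-` requires Secure, Path=/ and no Domain attribute; `__Secure-` requires Secure), which also reports which of the hardening attributes from the user_session example (Secure, HttpOnly, SameSite) are absent. Under those rules `__Host-SID=12345; Secure; Path=/` and `__Secure-SID=12345; Secure;` satisfy their prefix and each of the other lines above fails at least one requirement; the sample cookies are constructed from the two slides.

```javascript
// Added example (not from the deck): audit one Set-Cookie header line against
// the cookie-prefix rules and the hardening attributes shown on the slides.
function parseSetCookie(header) {
  const raw = header.replace(/^set-cookie:\s*/i, '');   // accept the slide's label
  const parts = raw.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};                                      // attribute names are case-insensitive
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, attrs };
}

// __Host-: Secure, Path=/ and no Domain; __Secure-: Secure. A browser rejects a
// cookie whose prefix requirements are not met, so an empty list means the
// cookie is accepted with the prefix guarantees intact.
function prefixViolations(header) {
  const { name, attrs } = parseSetCookie(header);
  const v = [];
  if (name.startsWith('__Host-')) {
    if (!('secure' in attrs)) v.push('__Host- requires Secure');
    if (attrs.path !== '/') v.push('__Host- requires Path=/');
    if ('domain' in attrs) v.push('__Host- forbids Domain');
  } else if (name.startsWith('__Secure-')) {
    if (!('secure' in attrs)) v.push('__Secure- requires Secure');
  }
  return v;
}

// Defence-in-depth attributes from the user_session example that are absent.
function missingHardening(header) {
  const { attrs } = parseSetCookie(header);
  return ['Secure', 'HttpOnly', 'SameSite'].filter(a => !(a.toLowerCase() in attrs));
}

// Constructed sample: cookies taken from the two slides.
const SAMPLE = [
  'Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax',
  'Set-Cookie: __Host-SID=12345; Secure; Path=/',
  'Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/',
  'Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/',
  'Set-Cookie: __Secure-SID=12345',
];
for (const c of SAMPLE) {
  console.log(c, '->', prefixViolations(c), 'missing:', missingHardening(c));
}
```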

  29. https://goo.gl/FHAeAm

  30. Credential Management API @ I/O: https://goo.gl/FbrO5x
    navigator.credentials.get({
      "password": true, "unmediated": true
    })
    .then(c => {
      if (!c) return;
      // Hooray, we have a credential!
      signInToYourApplication(c);
    });

  31. Credential Management API @ I/O: https://goo.gl/FbrO5x
    function signInToYourApplication(c) {
      fetch("/signin", {
        "method": "POST", "credentials": c
      })
      .then(r => {
        if (r.status === 200) {
          renderSignedInExperience(r);
          // or:
          window.location = "/signedin";
        } else {
          renderUsefulErrorMessage();
        }
      });
    }

  32. https://goo.gl/M5yVrc

  33. https://goo.gl/eZ9SKg

  34. scheme://host:port

  35. scheme://host:port
    scheme://sub1_host:port scheme://sub2_host:port

  37. Thank you!
    https://goo.gl/YyrmXp
    @mikewest
    [email protected]
