Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening the Web Platform - AppSec EU, 2016

Mike West
PRO
July 01, 2016
Technology
5
1.3k

Hardening the Web Platform - AppSec EU, 2016

Like every large software project, browsers are accidentally broken. But put these unintentional bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren’t safe, because from a security perspective the internet is in many ways broken by design.

Let’s talk about how we’re beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down even further.

Mike West
PRO

July 01, 2016
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
19
Isolation by Default
mikewest
PRO
0
1.3k
The Web We Can Ship
mikewest
PRO
0
270
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
1.8k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
120
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
370
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
78
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
680
BSides Munich
mikewest
PRO
0
260

Other Decks in Technology

See All in Technology
開幕LT
makamaka
0
320
売上と開発環境を同時に改善するためにPerl Webアプリケーションをどのようにリプレイスするか
masashi_sutou
0
150
私達のチームのデプロイ戦略の軌跡 〜継続的デプロイの導入に至るまで〜
hamakou108
0
140
チームにスクラムを導入してみた
sbtechnight
PRO
0
320
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
24k
ノーコードAI開発プラットフォーム「AIMINA」のシステム設計コンセプトと技術的チャレンジ
sbtechnight
PRO
0
300
Exadata Database Cloud (Exadata Cloud Service) サービス技術詳細
oracle4engineer
PRO
0
26k
GitHub Actionsと"仲良くなる"ための練習方法
tsubakimoto_s
2
160
[CI/CD2023]OSSで構築するOpenAPI開発のCI/CD
xibuka
1
140
Power Automateの子フローについて
miyakemito
1
270
赤裸々図解!新卒3年目でマネジメントもこなすフルスタックエンジニアになるまで
mizunohiroaki
0
240
インターネットの最新技術をモバイル網に持ち込んで最強のエッジコンピューティング基盤を作ってみた
sbtechnight
PRO
0
320

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
KATA
mclloyd
12
10k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Become a Pro
speakerdeck
PRO
6
3.3k
What’s in a name? Adding method to the madness
productmarketing
PRO
13
2k
Web Components: a chance to create the future
zenorocha
304
41k
How to Ace a Technical Interview
jacobian
270
22k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
14
1.2k
Music & Morning Musume
bryan
37
4.7k
Embracing the Ebb and Flow
colly
76
3.6k
A Modern Web Designer's Workflow
chriscoyier
689
180k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
13k

Transcript

  1. Mike West, @mikewest, [email protected]
    https://goo.gl/YyrmXp
    Hardening the
    Web Platform

    View Slide

  2. View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. https://goo.gl/MycPb7

    View Slide

  7. "Sharpening", https://flic.kr/p/sbo18H

    View Slide

  8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

    View Slide

  9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

    View Slide

  10. View Slide

  11. https://letsencrypt.org/

    View Slide

  12. https://goo.gl/1r7oNF
    https://goo.gl/nzbqQo

    View Slide

  13. Pro tip: Content-Security-Policy:
    default-src https:;
    report-uri /reports-r-us

    View Slide

  14. Content-Security-Policy: upgrade-insecure-requests
    https://goo.gl/hcin3m

    View Slide

  15. https://goo.gl/rStTGz

    View Slide

  16. AppCache
    getUserMedia
    crypto.subtle.*
    ServiceWorker
    navigator.credentials
    navigator.geolocation
    PaymentRequest
    EME
    https://goo.gl/rStTGz

    View Slide

  17. https://goo.gl/gF2clJ

    View Slide

  18. https://goo.gl/Kd2eMQ

    View Slide

  19. https://goo.gl/Wwpnjw
    https://goo.gl/fzVgNt

    View Slide

  20. 127.0.0.1
    192.168.1.1
    192.220.74.179
    https://goo.gl/Wwpnjw

    View Slide

  21. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

    View Slide

  22. https://goo.gl/Wamh7S

    View Slide

  23. "Making CSP Great Again", https://goo.gl/74D8i5
    default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src
    render.githubusercontent.com; connect-src 'self' uploads.github.com status.
    github.com api.github.com www.google-analytics.com github-cloud.s3.
    amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-
    action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src
    render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com
    identicons.github.com www.google-analytics.com collector.githubapp.com *.
    gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src
    assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-
    src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

    View Slide

  24. https://goo.gl/lJq6jj
    https://goo.gl/GXob6d

    View Slide

  25. https://srihash.org/

    View Slide

  26. https://goo.gl/yxEJiO
    https://goo.gl/IrPX7b

    View Slide

  27. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

    View Slide

  28. ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/
    ✘ Set-Cookie: __Host-SID=12345
    ✘ Set-Cookie: __Host-SID=12345; Secure
    ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
    ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
    ✘ Set-Cookie: __Secure-SID=12345; Secure;
    ✘ Set-Cookie: __Secure-SID=12345

    View Slide

  29. https://goo.gl/FHAeAm

    View Slide

  30. Credential Management API @ I/O: https://goo.gl/FbrO5x
    navigator.credentials.get({
    "password": true, "unmediated": true
    })
    .then(c => {
    if (!c) return;
    // Hooray, we have a credential!
    signInToYourApplication(c);
    });

    View Slide

  31. Credential Management API @ I/O: https://goo.gl/FbrO5x
    function signInToYourApplication(c) {
    fetch("/signin", {
    "method": "POST", "credentials": c
    })
    .then(r => {
    if (r.status == 200) {
    renderSignedInExperience(r);
    // or:
    window.location = "/signedin";
    } else {
    renderUsefulErrorMessage();
    }
    });
    }

    View Slide

  32. https://goo.gl/M5yVrc

    View Slide

  33. https://goo.gl/eZ9SKg

    View Slide

  34. scheme://host:port

    View Slide

  35. scheme://host:port
    scheme://sub1_host:port scheme://sub2_host:port

    View Slide

  36. View Slide

  37. Thank you!
    https://goo.gl/YyrmXp
    @mikewest
    [email protected]

    View Slide