$30 off During Our Annual Pro Sale. View Details »

Hardening the Web Platform - AppSec EU, 2016

Mike West
PRO
July 01, 2016
Technology
5
1.3k

Hardening the Web Platform - AppSec EU, 2016

Like every large software project, browsers are accidentally broken. But put these unintentional bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren’t safe, because from a security perspective the internet is in many ways broken by design.

Let’s talk about how we’re beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down even further.

Mike West
PRO

July 01, 2016
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
65
Isolation by Default
mikewest
PRO
0
1.5k
The Web We Can Ship
mikewest
PRO
0
320
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.1k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
130
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
390
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
90
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
730
BSides Munich
mikewest
PRO
0
280

Other Decks in Technology

See All in Technology
なぜ
リアーキテクティング専任チームを作ったのか
kei_s
PRO
2
980
Micro Frontends for Java Microservices - SF JUG 2023
mraible
PRO
1
120
RDBを使う単体テストの前に 用意しておきたい環境を考え てみたの
bun913
0
390
Exploring Postgres VACUUM with the VACUUM Simulator
keiko713
5
640
Vertex AI Feature Store に 機械学習エンジニアが涙した 理由
asei
3
1.2k
kintone テクニカルライター採用ピッチ資料
cybozuinsideout
PRO
0
710
CSSパフォーマンスに関する計測結果
poteboy
3
1k
CPOが開発する覚悟 〜コンパウンドスタートアップにおける、爆速の新規プロダクト開発スタイル〜
mosa_siru
7
5.2k
イベント企画設計における「フロントエンド」な考え方とその魅力
kgsi
1
1.9k
【論文紹介】 A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open Questions
tomoaki25
4
160
技術的負債あるある早く言いたい〜/RookiesLT-link-and-motivation
lmi
0
1.9k
Railsアプリをコスパよく読むための環境整備
ikumatadokoro
1
130

Featured

See All Featured
Into the Great Unknown - MozCon
thekraken
7
650
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
GraphQLの誤解/rethinking-graphql
sonatard
45
8.7k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
740
Rails Girls Zürich Keynote
gr2m
90
12k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
0
1k
Music & Morning Musume
bryan
38
5.2k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Practical Orchestrator
shlominoach
179
9.4k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
52
19k

Transcript

  1. Mike West, @mikewest, [email protected]
    https://goo.gl/YyrmXp
    Hardening the
    Web Platform

    View Slide

  2. View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. https://goo.gl/MycPb7

    View Slide

  7. "Sharpening", https://flic.kr/p/sbo18H

    View Slide

  8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

    View Slide

  9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

    View Slide

  10. View Slide

  11. https://letsencrypt.org/

    View Slide

  12. https://goo.gl/1r7oNF
    https://goo.gl/nzbqQo

    View Slide

  13. Pro tip: Content-Security-Policy:
    default-src https:;
    report-uri /reports-r-us

    View Slide

  14. Content-Security-Policy: upgrade-insecure-requests
    https://goo.gl/hcin3m

    View Slide

  15. https://goo.gl/rStTGz

    View Slide

  16. AppCache
    getUserMedia
    crypto.subtle.*
    ServiceWorker
    navigator.credentials
    navigator.geolocation
    PaymentRequest
    EME
    https://goo.gl/rStTGz

    View Slide

  17. https://goo.gl/gF2clJ

    View Slide

  18. https://goo.gl/Kd2eMQ

    View Slide

  19. https://goo.gl/Wwpnjw
    https://goo.gl/fzVgNt

    View Slide

  20. 127.0.0.1
    192.168.1.1
    192.220.74.179
    https://goo.gl/Wwpnjw

    View Slide

  21. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

    View Slide

  22. https://goo.gl/Wamh7S

    View Slide

  23. "Making CSP Great Again", https://goo.gl/74D8i5
    default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src
    render.githubusercontent.com; connect-src 'self' uploads.github.com status.
    github.com api.github.com www.google-analytics.com github-cloud.s3.
    amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-
    action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src
    render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com
    identicons.github.com www.google-analytics.com collector.githubapp.com *.
    gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src
    assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-
    src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

    View Slide

  24. https://goo.gl/lJq6jj
    https://goo.gl/GXob6d

    View Slide

  25. https://srihash.org/

    View Slide

  26. https://goo.gl/yxEJiO
    https://goo.gl/IrPX7b

    View Slide

  27. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

    View Slide

  28. ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/
    ✘ Set-Cookie: __Host-SID=12345
    ✘ Set-Cookie: __Host-SID=12345; Secure
    ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
    ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
    ✘ Set-Cookie: __Secure-SID=12345; Secure;
    ✘ Set-Cookie: __Secure-SID=12345

    View Slide

  29. https://goo.gl/FHAeAm

    View Slide

  30. Credential Management API @ I/O: https://goo.gl/FbrO5x
    navigator.credentials.get({
    "password": true, "unmediated": true
    })
    .then(c => {
    if (!c) return;
    // Hooray, we have a credential!
    signInToYourApplication(c);
    });

    View Slide

  31. Credential Management API @ I/O: https://goo.gl/FbrO5x
    function signInToYourApplication(c) {
    fetch("/signin", {
    "method": "POST", "credentials": c
    })
    .then(r => {
    if (r.status == 200) {
    renderSignedInExperience(r);
    // or:
    window.location = "/signedin";
    } else {
    renderUsefulErrorMessage();
    }
    });
    }

    View Slide

  32. https://goo.gl/M5yVrc

    View Slide

  33. https://goo.gl/eZ9SKg

    View Slide

  34. scheme://host:port

    View Slide

  35. scheme://host:port
    scheme://sub1_host:port scheme://sub2_host:port

    View Slide

  36. View Slide

  37. Thank you!
    https://goo.gl/YyrmXp
    @mikewest
    [email protected]

    View Slide