
Web Platform Security (dotSecurity, April 2016)

Like every large software project, browsers are accidentally broken. Put these bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren't safe, because from a security perspective the internet's design is in many ways broken.

I'd like to talk about how we're beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down by reducing the privilege of their applications to the lowest level necessary.

Mike West

April 22, 2016

Transcript

  1. Web Platform Security
    Mike West / @mikewest / [email protected]

  2. Ulysses and the Sirens - John William Waterhouse

  3. XSS
    CSS:  p { color: {{USER_COLOR}}; }

    HTML: {{USER_NAME}}, hello! Visit this nice link.

    JS:   var id = {{USER_ID}};

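
The three injection points on the XSS slide sit in three different contexts: a CSS value, HTML text, and a JavaScript literal. Each needs its own encoding or validation, and HTML-escaping alone only fixes the middle one. Added example in JavaScript, not code from the talk: the template is reconstructed from the slide, and the helper names and the attacker-controlled profile below are my own constructions.

```javascript
// Context-aware output encoding for the three slots on the XSS slide.
// Added example, not code from the talk; template reconstructed from the
// slide, helper names and sample data are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text context: escape the five characters that can change markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// CSS value context: there is no general-purpose escape that keeps an
// arbitrary string inert inside a declaration, so validate against an
// allowlist of shapes a colour can take and fall back otherwise.
const CSS_COLOR = /^(#[0-9a-fA-F]{3,8}|[a-zA-Z]{1,20})$/;
function safeCssColor(s) {
  return CSS_COLOR.test(String(s)) ? String(s) : 'inherit';
}

// JS numeric literal context: the slide writes `var id = {{USER_ID}};`,
// so the only safe values are integers. Reject anything else outright.
function safeJsNumber(s) {
  const n = Number(s);
  if (!Number.isSafeInteger(n) || String(n) !== String(s).trim()) {
    throw new TypeError('user id is not an integer');
  }
  return String(n);
}

// JS string literal context: JSON encoding handles quotes and backslashes,
// but not "</script>" or the two line terminators JSON leaves raw.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The slide's template interpolated without encoding: every slot is a sink.
function renderPageUnsafe(user) {
  return [
    `<style>p { color: ${user.color}; }</style>`,
    `<p>${user.name}, hello! Visit this nice link.</p>`,
    `<script>var id = ${user.id};</script>`,
  ].join('\n');
}

// The same template with each slot encoded for its own context.
function renderPage(user) {
  return [
    `<style>p { color: ${safeCssColor(user.color)}; }</style>`,
    `<p>${escapeHtml(user.name)}, hello! Visit this nice link.</p>`,
    `<script>var id = ${safeJsNumber(user.id)}; var name = ${jsStringLiteral(user.name)};</script>`,
  ].join('\n');
}

// Constructed attacker-controlled profile: one payload per context.
const EVIL_USER = {
  color: 'red; } </style><script>alert(1)</script>',
  name: '<img src=x onerror=alert(1)>',
  id: '42',
};
const EVIL_ID = '1; alert(1)'; // rejected by safeJsNumber rather than encoded

console.log(renderPageUnsafe(EVIL_USER));
console.log(renderPage(EVIL_USER));
```

The CSS slot is the one most people get wrong: there is no escaping function that makes an arbitrary string safe as a property value, which is why the example validates the shape instead, and why the talk's later slides move to a policy that makes injected styles and scripts inert even when encoding is missed.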
  4. CSRF/XSSI
    innocent-victim.com evil.com

  5. Google's VRP

  6. Privilege Reduction

  7. Content Security Policy

  8. Content-Security-Policy:
    script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com 'nonce-uogXos0C/8QDBoxHOYtXzg==' https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self';
    frame-ancestors 'self';
    font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
    media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
    connect-src https://graph.facebook.com https://*.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://upload.twitter.com https://api.mapbox.com 'self';
    style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
    object-src https://twitter.com https://pbs.twimg.com;
    default-src 'self';
    frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com;
    img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com data: https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://www.google-analytics.com blob: 'self';
    report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

  9. (The same twitter.com Content-Security-Policy as slide 8, annotated on the slide with the labels:)
    twitter.com
    twitter.com
    evil.com

  10. Content-Security-Policy:
    default-src https: ;
    script-src 'unsafe-inline' 'unsafe-dynamic' https://www.gstatic.com/recaptcha/api2/ 'nonce-dDMnKbh2kR5narOMRoBpGLQDdQl0KFCw';
    child-src https://www.google.com/recaptcha/;
    frame-src https://www.google.com/recaptcha/;
    img-src https: data: blob: ;
    style-src https: 'unsafe-inline';
    object-src 'none';
    report-uri /csp.do
    crbug.com
    nonce-dDMnK...
    crbug.com
    not-crbug.com

  11. scheme://host:port

  12. scheme://host:port
    scheme://sub1_host:port scheme://sub2_host:port

  13. scheme://host:port
    scheme://sub2_host:port
    ? ?
    scheme://sub1_host:port

  14. integrity="sha384-Li9vy3DqF8tnTXui...bOxEbzJr7"
    crossorigin="anonymous">

  15. innocent-victim.com evil.com

  16. Thanks for listening; go tie your
    origin to a mast!
    Mike West
    @mikewest / [email protected]
