Slide 1

@mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

Slide 2

THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE https://mths.be/bvs

Slide 7

30 ms

Slide 9

15 ms

Slide 14

HEIST

Slide 20

HTTP Encrypted Information can be Stolen through TCP windows

Slide 21

mths.be/bvo

Slide 22

“HEIST is a set of techniques that exploit timing side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

Slide 24

PREVENTION

Slide 25

SAME-SITE COOKIES

Slide 26

Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

Slide 28

Set-Cookie: key=value; HttpOnly; secure; SameSite=lax
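An added example, not from the slides, that audits Set-Cookie headers for the three attributes the slides above recommend; the function names and the sample headers are constructed for illustration.

```javascript
// Added example (not from the deck): check Set-Cookie headers for the
// hardened form shown on the slides (HttpOnly; Secure; SameSite=strict/lax).
// HEIST measures the size of a cross-origin response that the victim's
// browser fetches with the victim's cookies attached; a SameSite=strict or
// SameSite=lax cookie is not sent on such cross-site requests, which removes
// that precondition. Secure and HttpOnly are checked because the slide lists them.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lowercased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim().toLowerCase();
  }
  return { name, value, attrs };
}

// Return a list of findings for one header; an empty list means the cookie
// matches the hardened form from the slides.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('secure' in attrs)) findings.push(`${name}: missing Secure`);
  if (!('httponly' in attrs)) findings.push(`${name}: missing HttpOnly`);
  const sameSite = attrs.samesite;
  if (sameSite === undefined) {
    findings.push(`${name}: no SameSite attribute, sent on cross-site requests`);
  } else if (sameSite === 'none') {
    findings.push(`${name}: SameSite=None, sent on cross-site requests`);
  } else if (sameSite !== 'strict' && sameSite !== 'lax') {
    findings.push(`${name}: unknown SameSite value "${sameSite}"`);
  }
  return findings;
}

// Constructed sample headers, not captured from any real site.
const SAMPLE_HEADERS = [
  'session=abc123; HttpOnly; secure; SameSite=strict', // hardened, no findings
  'pref=dark; Secure; SameSite=lax',                   // missing HttpOnly
  'legacy=old; Path=/',                                // three findings
];

function auditAll(headers) {
  return headers.flatMap(auditSetCookie);
}
```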

Slide 29

BLOCK THIRD-PARTY !!!

Slide 31

THANKS!
Front-End Performance — The Dark Side Ep. I: mths.be/bvs
HEIST: mths.be/bvp
Introduction to Same-Site cookies: mths.be/bvq