Slide 1

Slide 1 text

Security and Privacy on the Web in 2016 François Marier @fmarier mozilla

Slide 2

Slide 2 text

Security and Privacy for users, sysadmins and developers

Slide 3

Slide 3 text

security

Slide 4

Slide 4 text

security for users

Slide 5

Slide 5 text

Safe Browsing

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

pre-downloaded URL hash prefixes

Slide 8

Slide 8 text

pre-downloaded URL hash prefixes
list updated every 30 minutes

Slide 9

Slide 9 text

pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)

Slide 10

Slide 10 text

pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)
separate cookie jar

Slide 11

Slide 11 text

pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)
separate cookie jar
list entries expire after 45 minutes
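The lookup flow on slides 7 to 11 as a small simulation (added example, not code from the deck or from Firefox): the client holds only 4-byte SHA-256 prefixes, refreshes them every 30 minutes, asks the server for completions only on a prefix hit, and caches those completions for 45 minutes. The URL lists, the noise generation and the timing model are constructed for illustration; the real protocol also canonicalises URLs and negotiates list updates.

```python
import hashlib
import secrets

# Constructed model of the lookup flow; the real Safe Browsing protocol
# (URL canonicalisation, delta updates, prefix negotiation) is more involved.
PREFIX_LEN = 4                  # bytes of SHA-256 the client stores and sends
UPDATE_INTERVAL = 30 * 60       # prefix list refreshed every 30 minutes
COMPLETION_TTL = 45 * 60        # full-hash answers expire after 45 minutes

# Constructed set of URLs the simulated server classifies as dangerous.
SERVER_BAD_URLS = {
    "http://malware.example/payload.exe",
    "http://phish.example/login",
}


def full_hash(url: str) -> bytes:
    return hashlib.sha256(url.encode()).digest()


def prefix(url: str) -> bytes:
    return full_hash(url)[:PREFIX_LEN]


def server_completions(p: bytes, noise: int = 2) -> set[bytes]:
    """Server side: every full hash starting with the prefix, padded with
    random noise entries so a prefix hit does not reveal which URL was hit."""
    hashes = {full_hash(u) for u in SERVER_BAD_URLS if full_hash(u).startswith(p)}
    for _ in range(noise):
        hashes.add(p + secrets.token_bytes(32 - PREFIX_LEN))
    return hashes


class SafeBrowsingClient:
    def __init__(self, now: float = 0.0):
        self.prefixes: set[bytes] = set()
        self.last_update = now
        self.completions: dict[bytes, tuple[set[bytes], float]] = {}
        self.update(now)

    def update(self, now: float) -> None:
        """Pull the prefix list (a delta download in reality, a full copy here)."""
        self.prefixes = {prefix(u) for u in SERVER_BAD_URLS}
        self.last_update = now

    def check(self, url: str, now: float, log: list[str]) -> bool:
        """Return True when the URL should be blocked."""
        if now - self.last_update >= UPDATE_INTERVAL:
            self.update(now)
            log.append("prefix list refreshed")
        p = prefix(url)
        if p not in self.prefixes:
            log.append("local miss, no network request")   # the common case
            return False
        cached = self.completions.get(p)
        if cached is None or cached[1] <= now:
            # Only the 4-byte prefix leaves the browser, and the request is
            # made from a separate cookie jar so it carries no site cookies.
            log.append("prefix hit, fetching completions (separate cookie jar)")
            cached = (server_completions(p), now + COMPLETION_TTL)
            self.completions[p] = cached
        else:
            log.append("prefix hit, using cached completions")
        return full_hash(url) in cached[0]
```

The log list shows which of the three paths a lookup took, which is the point of the design: most URLs never leave the machine, and when one does, the server sees a prefix that also matches random noise.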

Slide 12

Slide 12 text

about:config browser.safebrowsing.enabled (phishing) browser.safebrowsing.malware.enabled (malware)

Slide 13

Slide 13 text

Download Protection

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

is it on the pre-downloaded list of dangerous hosts?

Slide 16

Slide 16 text

is it on the pre-downloaded list of dangerous hosts?
is it signed by a known good software provider?

Slide 17

Slide 17 text

is it on the pre-downloaded list of dangerous hosts?
is it signed by a known good software provider?
is it an executable file (.exe, .com, .pif, .dmg, etc.)?

Slide 18

Slide 18 text

is it on the pre-downloaded list of dangerous hosts?
is it signed by a known good software provider?
is it an executable file (.exe, .com, .pif, .dmg, etc.)?
what does the apprep server think about it?

Slide 19

Slide 19 text

about:config
browser.safebrowsing.downloads.remote.enabled
browser.safebrowsing.downloads.remote.block_potentially_unwanted
browser.safebrowsing.downloads.remote.block_uncommon

Slide 20

Slide 20 text

https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

Slide 21

Slide 21 text

security for developers

Slide 22

Slide 22 text

Content Security Policy aka CSP
mechanism for preventing XSS

Slide 23

Slide 23 text

telling the browser what external content is allowed to load

Slide 24

Slide 24 text

(mock tweet box)
What's on your mind?
Hi y'all <script>alert('p0wned');</script>!
[Tweet!]

Slide 25

Slide 25 text

without CSP

Slide 26

Slide 26 text

Hi y'all! John Doe - just moments ago
(alert dialog: p0wned [Ok])

Slide 27

Slide 27 text

with CSP

Slide 28

Slide 28 text

Hi y'all! John Doe - just moments ago

Slide 29

Slide 29 text

Content-Security-Policy: script-src 'self' https://cdn.example.com

Slide 30

Slide 30 text

script-src
object-src
style-src
img-src
media-src
frame-src
font-src
connect-src

Slide 31

Slide 31 text

Strict Transport Security aka HSTS
mechanism for preventing HTTPS to HTTP downgrades

Slide 32

Slide 32 text

telling the browser that your site should never be reached over HTTP

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

no HSTS, no sslstrip
GET bank.com → 301
GET https://bank.com → 200

Slide 35

Slide 35 text

no HSTS, with sslstrip
GET bank.com → 200

Slide 36

Slide 36 text

what does HSTS look like?

Slide 37

Slide 37 text

$ curl -i https://bank.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
...

Slide 38

Slide 38 text

with HSTS, with sslstrip
GET https://bank.com → 200

Slide 39

Slide 39 text

no HTTP traffic for sslstrip to tamper with

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

Slide 44

Slide 44 text

what would happen if that server were compromised?

Slide 45

Slide 45 text

No content

Slide 46

Slide 46 text

Bad Things™
steal sessions
leak confidential data
redirect to phishing sites
enlist DDoS zombies

Slide 47

Slide 47 text

simple solution

Slide 48

Slide 48 text

instead of this:

Slide 49

Slide 49 text

do this:

Slide 50

Slide 50 text

guarantee: script won't change or it'll be blocked
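The "do this" of slides 48 to 50 is Subresource Integrity: the page author publishes the hash of the script it expects, and the browser refuses to run anything else. The helper below (added example, not code from the deck or from any browser) computes the integrity value in the `sha384-<base64>` form the attribute uses, emits the tag, and performs the browser-side check, including the rule that when several algorithms are listed only the strongest counts. The script bytes and URL in the test are constructed.

```python
import base64
import hashlib

ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def integrity_for(data: bytes, algo: str = "sha384") -> str:
    """Value for the integrity attribute: "<algo>-<base64 digest>"."""
    return f"{algo}-{base64.b64encode(ALGOS[algo](data).digest()).decode()}"


def script_tag(src: str, data: bytes) -> str:
    # crossorigin="anonymous" is required for cross-origin scripts so the
    # browser is allowed to read the bytes it is about to check.
    return (f'<script src="{src}" integrity="{integrity_for(data)}" '
            f'crossorigin="anonymous"></script>')


def integrity_ok(data: bytes, integrity: str) -> bool:
    """Browser-side check: among the entries using the strongest recognised
    algorithm, any matching digest lets the resource load; otherwise block."""
    parsed = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in ALGOS:
            parsed.append((algo, digest.split("?")[0]))   # drop option suffix
    if not parsed:
        return True          # no usable metadata: treated as if no attribute was set
    best = max(STRENGTH[a] for a, _ in parsed)
    return any(integrity_for(data, a) == f"{a}-{d}"
               for a, d in parsed if STRENGTH[a] == best)
```

The guarantee on slide 50 follows directly: a CDN that changes the file, whether by compromise or by a silent re-release under the same version URL, produces a different digest and the browser blocks the load instead of running the new bytes.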

Slide 51

Slide 51 text

security for sysadmins

Slide 52

Slide 52 text

HTTPS

Slide 53

Slide 53 text

if you're not using it, now is the time to start :)

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

No content

Slide 56

Slide 56 text

mass surveillance of all Internet traffic is no longer theoretical

Slide 57

Slide 57 text

strong encryption of all Internet traffic is no longer optional

Slide 58

Slide 58 text

“If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” -Bruce Schneier

Slide 59

Slide 59 text

No content

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

No content

Slide 62

Slide 62 text

$ apt-get install letsencrypt
$ letsencrypt example.com

Slide 63

Slide 63 text

automatically prove domain ownership
download a free-as-in-beer certificate
monitor and renew it before it expires

Slide 66

Slide 66 text

HTTPS is not enough: you need to do it properly

Slide 67

Slide 67 text

RC4

Slide 68

Slide 68 text

SHA-1
RC4

Slide 69

Slide 69 text

SHA-1
1024-bit certificates
RC4

Slide 70

Slide 70 text

SHA-1
1024-bit certificates
RC4
weak DH parameters

Slide 71

Slide 71 text

No content

Slide 72

Slide 72 text

No content

Slide 73

Slide 73 text

No content

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

https://people.mozilla.org/~fmarier/mixed-content.html

Slide 76

Slide 76 text

No content

Slide 77

Slide 77 text

turn on full mixed-content blocking in development

Slide 78

Slide 78 text

privacy

Slide 79

Slide 79 text

privacy for users

Slide 80

Slide 80 text

No content

Slide 81

Slide 81 text

No content

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

No content

Slide 84

Slide 84 text

about:config
network.cookie.lifetimePolicy = 3
network.cookie.lifetime.days = 5
network.cookie.thirdparty.sessionOnly = true

Slide 85

Slide 85 text

https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/

Slide 86

Slide 86 text

Tracking Protection

Slide 87

Slide 87 text

No content

Slide 88

Slide 88 text

based on Safe Browsing
pre-downloaded list of full hashes (no server lookups)

Slide 89

Slide 89 text

1. is this resource coming from a third-party server?
2. is it on Disconnect's list of trackers?
3. is it actually a third-party or does it belong to the same org?
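Slides 88 and 89 together describe the decision: a locally held list of full hashes (no prefix lookups against a server) and three questions asked in order. The code below is an added example of that decision, not Firefox's implementation. The public-suffix table, tracker list and entity list are small constructed stand-ins for the real public suffix list, Disconnect's tracker list and its same-organisation entity list.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed stand-ins for the real lists.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
TRACKER_DOMAINS = {"tracker.example.net", "ads.example.com", "cdn-social.example.net"}
ENTITIES = {"SocialCo": {"social.example.com", "cdn-social.example.net"}}

# What the browser actually downloads: full hashes, so membership is decided
# locally and no hostname or prefix ever leaves the machine.
TRACKER_HASHES = {hashlib.sha256(d.encode()).digest() for d in TRACKER_DOMAINS}


def registrable_domain(host: str) -> str:
    """eTLD+1 under the toy suffix table, e.g. news.example.co.uk -> example.co.uk."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def host_candidates(host: str):
    """The host and each parent domain down to the registrable one."""
    labels = host.lower().split(".")
    stop = registrable_domain(host).count(".")
    for i in range(len(labels) - stop):
        yield ".".join(labels[i:])


def is_tracker(host: str) -> bool:
    return any(hashlib.sha256(c.encode()).digest() in TRACKER_HASHES
               for c in host_candidates(host))


def same_org(host_a: str, host_b: str) -> bool:
    for domains in ENTITIES.values():
        owns = lambda h: any(c in domains for c in host_candidates(h))
        if owns(host_a) and owns(host_b):
            return True
    return False


def decide(page_url: str, resource_url: str) -> str:
    page_host = urlsplit(page_url).hostname or ""
    res_host = urlsplit(resource_url).hostname or ""
    # 1. is this resource coming from a third-party server?
    if registrable_domain(page_host) == registrable_domain(res_host):
        return "load: first-party"
    # 2. is it on the tracker list?
    if not is_tracker(res_host):
        return "load: third-party, not on the tracker list"
    # 3. is it really a third party, or the same organisation as the page?
    if same_org(page_host, res_host):
        return "load: same organisation as the page"
    return "block: third-party tracker"
```

Because a blocked resource is never requested (slide 90), the outcome is exactly what slide 91 lists: no cookie is sent or set, no fingerprinting script runs, and no bandwidth is spent.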

Slide 90

Slide 90 text

Q: What does it do? A: It blocks network loads!

Slide 91

Slide 91 text

No cookies
No fingerprinting
No wasted bandwidth
No performance hit

Slide 92

Slide 92 text

about:config privacy.trackingprotection.pbmode.enabled

Slide 93

Slide 93 text

about:config privacy.trackingprotection.enabled

Slide 94

Slide 94 text

https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/

Slide 95

Slide 95 text

privacy for developers

Slide 96

Slide 96 text

No content

Slide 97

Slide 97 text

No content

Slide 98

Slide 98 text

http://example.com/search?q=serious+medical+condition
Click here for the cheapest insurance around!
Bla bla bla, bla bla, bla bla bla bla. (filler page text repeated)

Slide 99

Slide 99 text

No content

Slide 100

Slide 100 text

No Referrer
No Referrer When Downgrade
Origin Only
Origin When Cross Origin
Unsafe URL
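What each of the five policies on this slide actually sends is easiest to see by computing the Referer value for a click from the search page on slide 98 to the advertiser. The function below is an added example (not code from the deck or from any browser) using the policy token names from the Referrer Policy specification; the search and advertiser URLs are constructed. Fragment and credentials are stripped from a full referrer, as browsers do.

```python
from urllib.parse import urlsplit, urlunsplit


def _netloc_without_userinfo(url: str) -> str:
    return urlsplit(url).netloc.rsplit("@", 1)[-1]


def full_referrer(url: str) -> str:
    """Full URL minus fragment and credentials, the most a browser ever sends."""
    u = urlsplit(url)
    return urlunsplit((u.scheme, _netloc_without_userinfo(url), u.path, u.query, ""))


def origin_referrer(url: str) -> str:
    """Scheme, host and port only, serialised with a trailing slash."""
    u = urlsplit(url)
    return urlunsplit((u.scheme, _netloc_without_userinfo(url), "/", "", ""))


def referrer_for(policy: str, source_url: str, dest_url: str):
    """Referer header value (None = no header) for a navigation from
    source_url to dest_url under the given Referrer-Policy."""
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = origin_referrer(source_url) == origin_referrer(dest_url)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":     # the historical default
        return None if downgrade else full_referrer(source_url)
    if policy == "origin":
        return origin_referrer(source_url)
    if policy == "origin-when-cross-origin":
        return full_referrer(source_url) if same_origin else origin_referrer(source_url)
    if policy == "unsafe-url":
        return full_referrer(source_url)
    raise ValueError(f"unknown policy: {policy}")
```

Run against the slide 98 scenario, `origin` (the header recommended on slide 105) turns the leaked query string into a bare `http://example.com/`, while the default `no-referrer-when-downgrade` hands the advertiser the search terms whenever the two sites share a scheme.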

Slide 105

Slide 105 text

Referrer-Policy: origin

Slide 108

Slide 108 text

recommendations for users

Slide 109

Slide 109 text

network.cookie.lifetimePolicy = 3
network.cookie.lifetime.days = 5
network.cookie.thirdparty.sessionOnly = true
network.http.referer.spoofSource = true
privacy.trackingprotection.enabled = true
security.pki.sha1_enforcement_level = 2
security.ssl.errorReporting.automatic = true
Install the EFF's HTTPS Everywhere add-on

Slide 110

Slide 110 text

https://github.com/pyllyukko/user.js

Slide 111

Slide 111 text

recommendations for developers

Slide 112

Slide 112 text

Use SRI for your external scripts
Set a more restrictive Referrer policy
Consider enabling CSP
Watch out for mixed content
Test your site with Tracking Protection

Slide 113

Slide 113 text

recommendations for sysadmins

Slide 114

Slide 114 text

Enable HTTPS and HSTS on all your sites
Use our recommended TLS config
Test your site periodically using SSL Labs

Slide 115

Slide 115 text

Questions?
feedback: francois@mozilla.com
mozilla.dev.security
public-webappsec@w3.org
© 2016 François Marier
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

Slide 116

Slide 116 text

photo credits:
cookie: https://secure.flickr.com/photos/jamisonjudd/4810986199/
explosion: https://www.flickr.com/photos/-cavin-/2313239884/
snowden: https://www.flickr.com/photos/gageskidmore/16526354372