In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up (e.g. Referrer Policy, Subresource Integrity). As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2016. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking. This talk will introduce developers to the security features of the web platform they can use today and show end-users how they can harden their Firefox browser. https://www.linuxfestnorthwest.org/2016/sessions/security-and-privacy-web-2016

1. Security and Privacy
on the Web in 2016
François Marier @fmarier mozilla

2. Security and Privacy
for users, sysadmins and developers

3. security

4. security
for users

5. Safe Browsing

7. pre-downloaded URL hash prefixes

8. pre-downloaded URL hash prefixes
list updated every 30 minutes

9. pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)

10. pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)
separate cookie jar

11. pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)
separate cookie jar
list entries expire after 45 minutes

12. about:config
browser.safebrowsing.enabled (phishing)
browser.safebrowsing.malware.enabled (malware)

13. Download Protection

15. is it on the pre-downloaded list of dangerous hosts?

16. is it on the pre-downloaded list of dangerous hosts?
is it signed by a known good software provider?

17. is it on the pre-downloaded list of dangerous hosts?
is it signed by a known good software provider?
is it an executable file (.exe, .com, .pif, .dmg, etc.)?

18. is it on the pre-downloaded list of dangerous hosts?
is it signed by a known good software provider?
is it an executable file (.exe, .com, .pif, .dmg, etc.)?
what does the apprep server think about it?

19. about:config
browser.safebrowsing.downloads.remote.enabled
browser.safebrowsing.downloads.remote.block_potentially_unwanted
browser.safebrowsing.downloads.remote.block_uncommon

20. https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

21. security
for developers

22. Content Security Policy
aka CSP
mechanism for preventing XSS

23. telling the browser what external
content is allowed to load

24. Hi y'all<script>
alert('p0wned');
</script>!
Tweet!
What's on your mind?

25. without CSP

26. Hi y'all!
John Doe - just moments ago
p0wned
Ok

27. with CSP

28. Hi y'all!
John Doe - just moments ago

29. Content-Security-Policy:
script-src 'self'
https://cdn.example.com

30. script-src
object-src
style-src
img-src
media-src
frame-src
font-src
connect-src

31. Strict Transport Security
aka HSTS
mechanism for preventing
HTTPS to HTTP downgrades

32. telling the browser that your site
should never be reached over HTTP

34. GET bank.com 301→
GET https://bank.com 200→
no HSTS, no sslstrip

35. GET bank.com → 200
no HSTS, with sslstrip

36. what does HSTS look like?

37. $ curl -i https://bank.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
...

38. with HSTS, with sslstrip
GET https://bank.com 200→

39. no HTTP traffic for
sslstrip to tamper with

43. https://ajax.googleapis.com
/ajax/libs/jquery/1.8.0/
jquery.min.js

44. what would happen if that
server were compromised?

46. Bad Things™
steal sessions
leak confidential data
redirect to phishing sites
enlist DDoS zombies

47. simple solution

48. instead of this:
<script
src=”https://ajax.googleapis.com...”>

49. <script
src=”https://ajax.googleapis.com...”
integrity=”sha256-1z4uG/+cVbhShP...”
crossorigin=”anonymous”>
do this:

50. guarantee:
script won't change
or it'll be blocked

51. security
for sysadmins

52. HTTPS

53. if you're not using it, now is the time to start :)

56. mass surveillance of
all Internet traffic
is no longer theoretical

57. strong encryption of
all Internet traffic
is no longer optional

58. “If we only use encryption when we're working with
important data, then encryption signals that data's
importance. If only dissidents use encryption in a
country, that country's authorities have an easy way of
identifying them. But if everyone uses it all of the time,
encryption ceases to be a signal. The government can't
tell the dissidents from the rest of the population. Every
time you use encryption, you're protecting someone
who needs to use it to stay alive.”
-Bruce Schneier

62. $ apt-get install letsencrypt
$ letsencrypt example.com

63. automatically prove domain ownership
download a free-as-in-beer certificate
monitor and renew it before it expires

64. automatically prove domain ownership
download a free-as-in-beer certificate
monitor and renew it before it expires

65. automatically prove domain ownership
download a free-as-in-beer certificate
monitor and renew it before it expires

66. HTTPS is not enough
you need to do it properly

67. RC4

68. SHA-1
RC4

69. SHA-11024-bit certificates
RC4

70. SHA-11024-bit certificates
RC4 weak DH parameters

75. https://people.mozilla.org/~fmarier/mixed-content.html
<html>
<head>
<script
src="http://people.mozilla.org/~fmarier/mixed-content.js">
</script>
</head>
<body>
<img src="http://fmarier.org/img/francois_marier.jpg">
</body>
</html>

77. turn on full mixed-content blocking in development

78. privacy

79. privacy
for users

84. about:config
network.cookie.lifetimePolicy = 3
network.cookie.lifetime.days = 5
network.cookie.thirdparty.sessionOnly = true

85. https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/

86. Tracking Protection

88. based on Safe Browsing
pre-downloaded list of full hashes
(no server lookups)

89. 1. is this resource coming from a third-party server?
2. is it on Disconnect's list of trackers?
3. is it actually a third-party or
does it belong to the same org?

90. Q: What does it do?
A: It blocks network loads!

91. No cookies
No fingerprinting
No wasted bandwidth
No performance hit

92. about:config
privacy.trackingprotection.pbmode.enabled

93. about:config
privacy.trackingprotection.enabled

94. https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/

95. privacy
for developers

98. http://example.com/search?q=serious+medical+condition
Click here for
the cheapest
insurance
around!
Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla
bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla
bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla
bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
Bla bla bla, bla bla, bla bla bla bla.

100. No Referrer
No Referrer When Downgrade
Origin Only
Origin When Cross Origin
Unsafe URL

101. No Referrer
No Referrer When Downgrade
Origin Only
Origin When Cross Origin
Unsafe URL

102. No Referrer
No Referrer When Downgrade
Origin Only
Origin When Cross Origin
Unsafe URL

103. No Referrer
No Referrer When Downgrade
Origin Only
Origin When Cross Origin
Unsafe URL

104. No Referrer
No Referrer When Downgrade
Origin Only
Origin When Cross Origin
Unsafe URL

105. Referrer-Policy: origin
<meta name="referrer" content="origin">
<a href="http://example.com" referrer="origin">

106. Referrer-Policy: origin
<meta name="referrer" content="origin">
<a href="http://example.com" referrer="origin">

107. Referrer-Policy: origin
<meta name="referrer" content="origin">
<a href="http://example.com"
referrerPolicy="origin">

108. recommendations
for users

109. network.cookie.lifetimePolicy = 3
network.cookie.lifetime.days = 5
network.cookie.thirdparty.sessionOnly = true
network.http.referer.spoofSource = true
privacy.trackingprotection.enabled = true
security.pki.sha1_enforcement_level = 2
security.ssl.errorReporting.automatic = true
Install the EFF's HTTPS Everywhere add-on

110. https://github.com/pyllyukko/user.js

111. recommendations
for developers

112. Use SRI for your external scripts
Set a more restrictive Referrer policy
Consider enabling CSP
Watch out for mixed content
Test your site with Tracking Protection

113. recommendations
for sysadmins

114. Enable HTTPS and HSTS on all your sites
Use our recommended TLS config
Test your site periodically using SSL Labs

115. Questions?
feedback:
francois@mozilla.com
mozilla.dev.security
public-webappsec@w3.org
© 2016 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 4.0 License.

116. photo credits:
cookie: https://secure.flickr.com/photos/jamisonjudd/4810986199/
explosion: https://www.flickr.com/photos/-cavin-/2313239884/
snowden: https://www.flickr.com/photos/gageskidmore/16526354372