The browser -
your best friend and worst enemy

Roots Conference Bergen 23. May 2011

André N. Klingsheim
IT security specialist, PhD
Lightning overview
• How important is browser security?
• Security challenges
• Modern security features

Why the web «works»
• Same-origin policy
   – Isolates websites from each other
   – The reason you can safely visit rootsconf.no and
     skandiabanken.no simultaneously in the browser
   – We have to fully trust the browser to enforce this
• SSL/TLS
   – Secure communication: website authentication,
     key establishment, cipher negotiation...

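How the browser actually decides that rootsconf.no and skandiabanken.no are isolated from each other: it reduces each URL to an origin, the (scheme, host, port) triple, and only identical triples share cookies, DOM and responses. The snippet below is an added example, not code from the slides or the speaker; it runs under Node.js using the same WHATWG URL parser the browsers use, and the sample URLs are constructed for illustration.

```javascript
// Added example (not from the slides): how a browser decides whether two URLs
// belong to the same origin. The origin is the (scheme, host, port) triple;
// path, query and fragment are ignored. Runs under Node.js, which ships the
// WHATWG URL class the browsers also use. The sample URLs are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin triple. URL.port is '' when the scheme's default
// port is in use (the parser strips it), so normalise to the explicit number.
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Which components of the origin differ? An empty array means same origin.
function originDiff(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  return ['scheme', 'host', 'port'].filter((k) => ta[k] !== tb[k]);
}

function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// Constructed cases: a page and a resource the page's script wants to touch.
const CASES = [
  ['https://rootsconf.no/program', 'https://skandiabanken.no/login'],
  ['https://skandiabanken.no/login', 'https://skandiabanken.no/accounts?id=1#top'],
  ['http://skandiabanken.no/', 'https://skandiabanken.no/'],
  ['https://skandiabanken.no/', 'https://skandiabanken.no:8443/'],
  ['https://skandiabanken.no/', 'https://www.skandiabanken.no/'],
];

// One line per case: isolated (different origin) or shared.
function report(cases = CASES) {
  return cases.map(([a, b]) => {
    const diff = originDiff(a, b);
    return diff.length === 0
      ? `${a} and ${b}: same origin, script on one may read the other`
      : `${a} and ${b}: isolated (${diff.join(', ')} differ)`;
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of report()) console.log(line);
}
```

Two of the cases are the ones people get wrong in practice: switching from http to https changes both scheme and default port, so the two are different origins even on the same host, and www.skandiabanken.no is a different host from skandiabanken.no. The policy is only as good as the browser's enforcement of it, which is why the next section matters.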
The browser is your enemy:

MODERN SECURITY
CHALLENGES

Man-in-the-browser
• Malicious code running in the browser
   – The friendly browser suddenly becomes evil
• How did the man get in the browser?!?
   – http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html

The browser is your friend:

MODERN SECURITY FEATURES

Working alone
• Google Chrome sandboxing
   – Renderer process runs sandboxed
   – Sandboxing underway for the Flash and PDF plugins
• Internet Explorer 9 tab isolation
   – Pinned sites load in an isolated process
• Goal: minimize the damage caused by a compromise

Working for the website
• Special treatment for cookies: the Secure and HttpOnly flags
• Website can include «security» headers in the HTTP
  response
• Headers trigger security features in the browser
• «Invisible» to the user
• Headers coming up!

STS (Strict-Transport-Security) HTTP header

X-Frame-Options HTTP header

Compensating for website security bugs
• Security features designed to detect and/or prevent
  webapp security holes

X-Content-Type-Options HTTP header

X-XSS-Protection HTTP header

X-Content-Security-Policy HTTP header
• Firefox Content Security Policy
   – Blocks inline scripts on the webpage
   – Blocks code creation from strings (eval())
   – Mitigates XSS: injected script is not executed

References
• Chrome stable channel update, April 2011: http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
• Chromium security brag sheet: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet
• Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx
• Mozilla CSP specification: https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior
• X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace
• Not a complete list so remember: Google is your friend

Thank you!
• Find me online:
   – andre.klingsheim (at) skandiabanken (dot) no
   – Blog: www.dotnetnoob.com
   – Twitter: @klingsen

