Friday, March 10, 2017

nz.js(con): Your browser wants you to be secure

Today I had the pleasure of speaking at the first nz.js(con) in Wellington - a JavaScript conference held over March 9 & 10, 2017. The conference has been a great mix of different JavaScript (and related) topics, and I really recommend that anyone involved in web application development attends future iterations of the conference.

My talk was titled "Your browser wants you to be secure". The idea was to rapidly present in a short 30 minute presentation all the cool work that browser vendors are doing to help make our web apps more secure. Browsers have really focussed heavily on technology to make the web a safer place for people to browse, and I thought it was a good time to step back and look at all the changes and how they affect our apps.

A friendly red superhero named "PoolDead" has some ideas of how you can stop the evil baddies. Look out for a red face next to things you should do.

You can view the talk slides on Google Slides, or download a 3 MB PDF of the slide deck.

Or here's a video of the talk (30 minutes):

URLs:

The talk was heavy on URLs with additional reading and details of things to look at. A lot of the links go to Google Chrome resources, because that's currently my favourite browser. Most browsers have comparable features and enhancements.

Also, I've heavily linked to Scott Helme's blog. He has a lot of useful, well written posts on HTTP headers, and also runs a useful service called securityheaders.io.

owasp.org.nz: The NZ branch of the Open Web Application Security Project. We run regular meetups in Wellington, Christchurch and Auckland, and an annual (free) conference.

http://info.cern.ch/hypertext/WWW/MarkUp/Tags.html: 1992 definitions of HTML tags

http://lcamtuf.coredump.cx/tangled/: Michal Zalewski's really cool book that talks about the history and current state of browser security. This is probably my favourite security book.

https://www.google.com/googlebooks/chrome/: The original Chrome comic published when Chrome launched back in 2008.

Microsoft and Google's commitment to browser security extends to financial rewards: https://security.googleblog.com/2017/01/vulnerability-rewards-program-2016-year.html
https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution

XSS protection links:

Frames:

"AWS Only" Chrome Extension:

(send me feedback to @kirkj)

Certificate Transparency:

Facebook Certificate Transparency monitoring tool
https://www.facebook.com/notes/protect-the-graph/introducing-our-certificate-transparency-monitoring-tool/1811919779048165/

CertSpotter
https://sslmate.com/certspotter/

SHA-1 is considered broken:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

SSL Labs’ Server Test
https://www.ssllabs.com/ssltest/

Strict Transport Security:
https://hstspreload.org/
https://scotthelme.co.uk/hsts-the-missing-link-in-tls/

Public Key Pinning:
https://scotthelme.co.uk/hpkp-http-public-key-pinning/

Browser Security Messages:
https://noncombatant.org/2017/02/15/decoding-chromes-https-ux/
https://research.google.com/pubs/AdrienneFelt.html
https://docs.google.com/presentation/d/1TNFx6eaQVfe83PV80-FZ39QY1dSLGCWW8f2i5-NeJ48

Referrer Policy:
https://scotthelme.co.uk/a-new-security-header-referrer-policy/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Sub-Resource Integrity:

Mixed Content:
https://www.w3.org/TR/mixed-content/

Clear site data:
https://w3c.github.io/webappsec-clear-site-data/

Sub-origins:
https://w3c.github.io/webappsec-suborigins/

Others:
https://www.w3.org/2011/webappsec/

People to follow:

Adrienne Porter Felt (@__apf__): Chrome Usable Security
Eric Lawrence (@ericlaw): Creator of Fiddler, IE team, now Chrome
Mike West (@mikewest): Chrome / Blink, Content Security Policy and other standards
Scott Helme (@scott_helme): Creator of @reporturi and @securityheaders

Risky Business podcast: https://risky.biz