My talk was titled "Your browser wants you to be secure". The idea was to rapidly present, in a short 30-minute presentation, all the cool work that browser vendors are doing to help make our web apps more secure. Browsers have focussed heavily on technology to make the web a safer place for people to browse, and I thought it was a good time to step back and look at all the changes and how they affect our apps.
A friendly red superhero named "PoolDead" has some ideas of how you can stop the evil baddies. Look out for a red face next to things you should do.
You can view the talk slides on Google Slides, or download a 3 MB PDF of the slide deck.
Or here's a video of the talk (30 minutes):
URLs:
The talk was heavy on URLs with additional reading and details of things to look at. A lot of the links go to Google Chrome resources, because that's currently my favourite browser. Most browsers have comparable features and enhancements.
Also, I've heavily linked to Scott Helme's blog. He has a lot of useful, well written posts on HTTP headers, and also runs a useful service called securityheaders.io.
owasp.org.nz: The NZ branch of the Open Web Application Security Project. We run regular meetups in Wellington, Christchurch and Auckland, and an annual (free) conference.
http://info.cern.ch/hypertext/WWW/MarkUp/Tags.html: 1992 definitions of HTML tags
http://lcamtuf.coredump.cx/tangled/: Michal Zalewski's really cool book that talks about the history and current state of browser security. This is probably my favourite security book.
https://www.google.com/googlebooks/chrome/: The original Chrome comic published when Chrome launched back in 2008.
Microsoft and Google's commitment to browser security extends to financial rewards: https://security.googleblog.com/2017/01/vulnerability-rewards-program-2016-year.html
https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution
Chrome and Firefox have their own built-in PDF viewers: https://support.mozilla.org/t5/Learn-the-Basics-get-started/View-PDF-files-in-Firefox/ta-p/2671
Google's Safe Browsing: https://www.google.com/transparencyreport/safebrowsing/
Malvertising statistics: https://www.riskiq.com/infographic/riskiqs-2016-malvertising-report/
An example of a rogue browser extension: https://blog.malwarebytes.com/threat-analysis/2016/01/rogue-google-chrome-extension-spies-on-you/
Some info on browser storage of passwords:
XSS protection links:
CSP Laboratory by Mozilla: https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/
Reporting CSP / Public Key Pins violations: https://wicg.github.io/reporting/
Report-uri.io: https://report-uri.io/
Same-site cookies: https://scotthelme.co.uk/csrf-is-dead/
Cookie prefixes: https://scotthelme.co.uk/tough-cookies/
Frames:
"AWS Only" Chrome Extension:
(send me feedback to @kirkj)
WoSign / StartCom back-dating certificates
Symantec issuing certificates for other domains
Certificate Transparency:
https://www.facebook.com/notes/protect-the-graph/introducing-our-certificate-transparency-monitoring-tool/1811919779048165/
CertSpotter: https://sslmate.com/certspotter/
SHA-1 is considered broken:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
SSL Labs' Server Test: https://www.ssllabs.com/ssltest/
Strict Transport Security:
https://hstspreload.org/
https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
Public Key Pinning:
https://scotthelme.co.uk/hpkp-http-public-key-pinning/
Browser Security Messages:
https://noncombatant.org/2017/02/15/decoding-chromes-https-ux/
https://research.google.com/pubs/AdrienneFelt.html
https://docs.google.com/presentation/d/1TNFx6eaQVfe83PV80-FZ39QY1dSLGCWW8f2i5-NeJ48
Referrer Policy:
https://scotthelme.co.uk/a-new-security-header-referrer-policy/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Sub-Resource Integrity:
Mixed Content:
https://www.w3.org/TR/mixed-content/
Clear site data:
https://w3c.github.io/webappsec-clear-site-data/
Sub-origins:
https://w3c.github.io/webappsec-suborigins/
Others:
https://www.w3.org/2011/webappsec/
People to follow:
Adrienne Porter Felt @__apf__ Chrome Usable Security
Eric Lawrence @ericlaw Creator of Fiddler, IE team, now Chrome
Mike West @mikewest Chrome / Blink, Content Security Policy and other standards
Scott Helme @scott_helme Creator of @reporturi and @securityheaders
Risky Business podcast: https://risky.biz