anil-saldhana
About the speaker
● Lead Security Architect, JBoss Division, Red Hat
● Co-editor of W3C Web Security Context Specification (http://www.w3.org/TR/wscui/)
  – Targeted for Web User Agents (Browsers)
Overview
● Worldwide browser market
● Topics for Browser Security
● Report Card for the various popular browsers
● W3C WSCUI Specification
● Tips for secure browsing
Worldwide Browser Market
● Microsoft IE – 67.55%
● Mozilla Firefox – 21.53%
● Apple Safari – 8.29%
● Google Chrome – 1.12%
● Opera – 0.7%
Net Applications Report, Jan 2009
● http://marketshare.hitslink.com/browsermarketshare.aspx?qprid=1
Topics for Browser Security
● Security Indicators
  – Green Bar (EV Certs)
  – Padlock
● Security Architecture
  – Google Chrome
● Private Browsing
● Plugins
● Phishing and Web Site Vulnerabilities
Security Indicators
● Extended Validation Certificates (EV Certs)
  – Special type of X.509 certificate
    ● Certificate Policies extension field (issuer has an OID)
  – CA does extensive background checks on the requester
  – Guidelines issued by the CA/Browser Forum
Security Indicators – EV Certs
● CA process for EV Certs
  – Verifying the legal, physical and operational existence of the entity
  – Verifying that the identity of the entity matches official records
  – Verifying that the entity has exclusive right to use the domain specified in the EV Certificate
  – Verifying that the entity has properly authorized the issuance of the EV Certificate
Security Indicators – EV Certs
Security Indicators – Padlock
● Browser displays a padlock for an HTTPS site
  – Firefox 2 displays a YELLOW address bar
  – FF3 dropped the yellow bar – Tools > PageInfo
  – Opera displays a yellow bar along with the padlock
Security Architecture
● Google Chrome
  – Two protection domains:
    ● Browser Kernel with the OS and
    ● Rendering Engine with limited privileges in a sandbox
  – HTML parsing, JavaScript VM, DOM: rendering engine
    ● Complex + historical source of security vulnerabilities
  – Browser Kernel
    ● Persistent Resources (Cookies/Password DB)
    ● OS interaction, user input, network access
“The Security Architecture of the Chromium Browser”, http://crypto.stanford.edu/websec/chromium/chromiumsecurityarchitecture.pdf
Security Architecture
● Google Chrome
  – Attacker cannot read/write user file system
    ● No malware installation
  – Two protection domains – one for user, one for web
    ● 70% of critical browser vulnerabilities avoided
    ● 30% cannot be avoided via sandboxing
Private Browsing
● Temporary state where the browser stores no local data – cookies, history
● Use cases
  – Researching a medical condition
  – Surprise vacation/party
  – Internet cafes: shared computers on an hourly basis
● Apparently a heavily user-demanded feature
● IE8, FF3.1, Opera, Google Chrome and Safari
Plugins
● Typically plugins run outside of the browser process with the full rights of the user.
  – Plugin crash should not crash the browser
  – Adobe Flash plugin needs to write Flash cookies
Phishing and Web Site Vulnerabilities
● Phishing
  – User taken to a rogue site imitating a legitimate site
  – User enters private information (passwords)
● Web Site Vulnerabilities
  – Cross-site Scripting (XSS)
  – Cross-site Request Forgery (CSRF)
    ● Confused Deputy Attack against the browser
  – Header Injection
    ● HTTP headers generated dynamically based on user input
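Added example, not part of the original slides: the header injection bullet above, shown as a redirect handler that copies a query parameter into the Location header, next to a form that rejects control characters in the decoded value. The function names and the sample parameter are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample: a "next" query parameter as it arrives, percent-encoded.
RAW_PARAM = "/home%0d%0aX-Injected:%20constructed"
SAMPLE = unquote(RAW_PARAM)  # what the application sees after URL decoding


def build_redirect_unsafe(next_url: str) -> str:
    """'Before' form: user input is copied straight into a header value."""
    return f"HTTP/1.1 302 Found\r\nLocation: {next_url}\r\nContent-Length: 0\r\n\r\n"


def build_redirect_safe(next_url: str) -> str:
    """Hardened form: refuse any control character (CR, LF, NUL, ...) in the value."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_url):
        raise ValueError("control character in header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {next_url}\r\nContent-Length: 0\r\n\r\n"


def header_names(raw_response: str) -> list:
    """Header names a client would parse from the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # skip the status line
    return [line.split(":", 1)[0].strip().lower() for line in lines if ":" in line]


def is_rejected(value: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The unsafe builder emits a header the application never intended to send.
    print(header_names(build_redirect_unsafe(SAMPLE)))
    print("hardened builder rejects sample:", is_rejected(SAMPLE))
    print(header_names(build_redirect_safe("/account")))
```

The check runs on the decoded value, because the CR/LF pair only exists after the framework has URL-decoded the parameter.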
Phishing and Web Site Vulnerabilities
● Browsers maintain a malware list
  – WARN users when a site is from the list
  – IE8 scheduled to incorporate
  – Google shares its list with Firefox and Chrome
● Tracking Cookies
  – Browsers provide you options to disable 3rd party cookies
  – Safari by default rejects 3rd party cookies
Report Card
                    IE    FF            Safari  Chrome  Opera
EV Certs            Y     Y             Y       Y       Y
Padlock             Y     Y             Y       Y       Y
Malware Blacklist   Y     Y             Y       Y       Y
Private Browsing    IE8   FF3.1         Y       Y       Y
Parental Controls   Y     (via addons)  Y       N       (Mini)
W3C WSC Specification
● W3C WSC Working Group
  – W3C, IBM, Mozilla, Opera, Google, Verisign, Oracle, Wells Fargo etc.
  – Mission: specify a baseline set of security context information accessible to Web users, and practices for secure and usable presentation of this information, to enable users to come to a better understanding of the context that they are operating in when making trust decisions on the Web.
● Targeted for Web User Agents
● http://www.w3.org/TR/wscui/
W3C WSC Specification
● Presentation of identity (of website) information
● Error indicators in security protocol
● Augmented Assurance Certificates (EV Certs)
  – Mandatory: Organization (O) attribute of Subject
● Validated Certificates (Known Trust Anchor)
● Mixed Content
● Bookmarking API, Software Installation
● Spec includes Use Cases and Threat Trees
W3C WSC – Threat Trees
● Luring Attacks
  – User taken to a different site than the one he believes he is visiting
● Site Impersonation Attacks
● Cross Site Request Forgery
● Cross Site Scripting
● Network-based eavesdropping
  – Session hijacking, credential stealing or private info
Tips for Secure Browsing
● Microsoft Internet Explorer Tips (Source: MS)
  – Set your browser security to High
  – Add safe websites to trusted sites
  – Block pop-up windows
    ● Avoids installation of malicious code
Tips for Secure Browsing
● Websites with plugins containing peer-to-peer technology may install software/viruses
  – Sites with plugins displaying international TV/sports
● Disable JavaScript by default if possible.
  – NoScript Firefox extension can enable it for trusted sites
● Lock down browser configuration based on policies
● Tracking Cookies
  – Browser setting to disable auto cookie setting > Block 3rd party cookies