SlideShare a Scribd company logo

Browser security — ROOTS

A
Andre N. Klingsheim

The document summarizes browser security challenges and modern security features. It discusses how the browser enforces the same-origin policy to isolate websites, but how malicious code could turn the browser evil. It then outlines security features like sandboxing, tab isolation, and security headers that browsers implement to minimize damage from compromises and strengthen website security. These features help compensate for website vulnerabilities and block attacks like cross-site scripting.

Technology
1 of 16
Downloaded 141 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
The browser - your best friend and worst enemy Roots Conference Bergen 23. May 2011 André N.Klingsheim IT security specialist, PhD
Lightning overview • How important is browser security? • Security challenges • Modern security features 2
Why the web «works» • Same-origin policy – Isolates websites – The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser – We have to fully trust the browser to enforce this • SSL/TLS – Secure communication: website authentication, generate secure keys, choose crypto... 3
The browser is your enemy: MODERN SECURITY CHALLENGES 4
Man-in-the browser How did the man get in the • Malicious code running in browser?!? browser http://googlechromereleases.blogspot. com/2011/04/stable-channel- – The friendly browser update.html suddenly becomes evil 5
The browser is your friend: MODERN SECURITY FEATURES 6
Working alone • Google Chrome sandboxing – Rendering process – Sandboxing underway for Flash and PDF plugins • Internet Explorer 9 tab isolation – Pinned sites load in isolated process • Minimize damage caused by a compromize 7
Working for the website • Special treatment for cookies: secure, httpOnly • Website can include «security» headers in HTTP response • Triggers security features in browser • «Invisible» to user • Headers coming up! 8
STS HTTP-header 9
X-Frame-Options HTTP header 10
Compensating for website security bugs • Security features designed to detect and/or prevent webapp security holes 11
X-Content-Type-Options HTTP header 12
X-XSS-Protection HTTP header 13
X-Content-Security-Policy HTTP header • Firefox Content Security Policy – Block inline scripts on webpage – Block code creation for strings (eval()) – Prevents XSS 14
References • http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html • https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet • Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx • https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior • X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace • Not a complete list so remember: Google is your friend 15
Thank you! • Find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: www.dotnetnoob.com – Twitter: @klingsen 16

More Related Content

PPTX
Presentation on web browser
Swasat Dutta
 
PPT
Web browser
Hardik Kakadiya
 
PPT
Browsers comparison
Svetlana Puchkova
 
PDF
Top 10 Internet Browsers
Divyansh Vaidya
 
PPTX
Web browsers
Ramon Olmos
 
PPTX
Web Browser
Shreeram Goswami
 
DOCX
Web browser pdf
Ravi Kumar
 
PPTX
Browsers
aygun96
 
Presentation on web browser
Swasat Dutta
 
Web browser
Hardik Kakadiya
 
Browsers comparison
Svetlana Puchkova
 
Top 10 Internet Browsers
Divyansh Vaidya
 
Web browsers
Ramon Olmos
 
Web Browser
Shreeram Goswami
 
Web browser pdf
Ravi Kumar
 
Browsers
aygun96
 

What's hot (20)

PPT
Web browsers and web servers
Angelica Amolo
 
PPTX
Browsers
Steven Cahill
 
PPT
Web Browsers
Neha Sharma
 
PPTX
Web browsers
learnt
 
PPT
browser presentation
ashanrajpar
 
PPTX
Web browsers
DHANALAKSHMI TALLURI
 
PPTX
difference between browsers
mubeen shahid
 
PPSX
Web browser by group no 03 capt palliyaguru
praeeth palliyaguru
 
PPTX
Web Browsers
Studying
 
PPTX
Research on Web Browsers ppt
Sagar Agarwal
 
PPTX
Web browser
Yousaf Sahota
 
PPSX
Web browser(pp ts)
darpan1118
 
PPTX
Internet browers comparison
ferristic
 
PPTX
Web browsers
Orlando Periñan
 
PPT
Browser Security
Roberto Suggi Liverani
 
PPTX
Web Browser ! Batra Computer Centre
jatin batra
 
PPTX
India's First Web browser
ranjith007
 
PPT
Browser war
Amandeep Kaur
 
PDF
Research on Web Browsers
Sagar Agarwal
 
PPTX
WEB BROWSER
Chanchal Pawar
 
Web browsers and web servers
Angelica Amolo
 
Browsers
Steven Cahill
 
Web Browsers
Neha Sharma
 
Web browsers
learnt
 
browser presentation
ashanrajpar
 
Web browsers
DHANALAKSHMI TALLURI
 
difference between browsers
mubeen shahid
 
Web browser by group no 03 capt palliyaguru
praeeth palliyaguru
 
Web Browsers
Studying
 
Research on Web Browsers ppt
Sagar Agarwal
 
Web browser
Yousaf Sahota
 
Web browser(pp ts)
darpan1118
 
Internet browers comparison
ferristic
 
Web browsers
Orlando Periñan
 
Browser Security
Roberto Suggi Liverani
 
Web Browser ! Batra Computer Centre
jatin batra
 
India's First Web browser
ranjith007
 
Browser war
Amandeep Kaur
 
Research on Web Browsers
Sagar Agarwal
 
WEB BROWSER
Chanchal Pawar
 
Ad

Viewers also liked (20)

PPTX
Browser Security 101
Stormpath
 
PDF
Web Browser Security - 2016 Comparative Test Results
NSS Labs
 
PPT
Web Security
Bharath Manoharan
 
PPT
Internet Security
Chris Rodgers
 
PPTX
Internet security powerpoint
Arifa Ali
 
PPT
Trusteer Rapport – Browser Security - How It Works
trusteer
 
DOCX
Best topics for seminar
shilpi nagpal
 
PDF
Internet Security
Peter R. Egli
 
TXT
Intrusion tolerance
samuelrajueda
 
PPT
Googlechrome ppt
abshah37
 
PPT
Network Security
VIKAS SINGH BHADOURIA
 
PPTX
Network Security
Manoj Singh
 
PPTX
TOR NETWORK
Rishikese MR
 
PPT
FOR SCREEN BY ANURAG SINGH (8318130325)
anurag singh anu
 
PPTX
E ball ppt
Mukesh Kumar
 
PPTX
Blue Eyes Technology
Colloquium
 
PPT
Blue eye technology
krishnadeepika01
 
PPT
Compiler Design
Mir Majid
 
PPTX
Smart Glass Technology by Kiran
Kiran
 
DOCX
E-BALL TECHNOLOGY SEMINAR REPORT
Vikas Kumar
 
Browser Security 101
Stormpath
 
Web Browser Security - 2016 Comparative Test Results
NSS Labs
 
Web Security
Bharath Manoharan
 
Internet Security
Chris Rodgers
 
Internet security powerpoint
Arifa Ali
 
Trusteer Rapport – Browser Security - How It Works
trusteer
 
Best topics for seminar
shilpi nagpal
 
Internet Security
Peter R. Egli
 
Intrusion tolerance
samuelrajueda
 
Googlechrome ppt
abshah37
 
Network Security
VIKAS SINGH BHADOURIA
 
Network Security
Manoj Singh
 
TOR NETWORK
Rishikese MR
 
FOR SCREEN BY ANURAG SINGH (8318130325)
anurag singh anu
 
E ball ppt
Mukesh Kumar
 
Blue Eyes Technology
Colloquium
 
Blue eye technology
krishnadeepika01
 
Compiler Design
Mir Majid
 
Smart Glass Technology by Kiran
Kiran
 
E-BALL TECHNOLOGY SEMINAR REPORT
Vikas Kumar
 
Ad

Similar to Browser security — ROOTS (20)

PPTX
Browser Security ppt.pptx
AjaySahre
 
DOCX
Browser Security – Issues and Best Practices1Outli
VannaSchrader3
 
PPT
Lecture 1 (2)
erick chuwa
 
PDF
Advances inbrowsersecurity
Anil Saldanha
 
PDF
Securing your web application through HTTP headers
Andre N. Klingsheim
 
PPTX
I Want These * Bugs Off My * Internet
Dan Kaminsky
 
PPTX
Browser Security by pratimesh Pathak ( Buldhana)
Pratimesh Pathak
 
PDF
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
PDF
Html5 security
tsinghua university
 
PDF
BeEF: The Browser Exploitation Framework
awiasecretary
 
PDF
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
PDF
Html5 Application Security
chuckbt
 
PPT
(In)Security Implication in the JS Universe
Stefano Di Paola
 
PDF
Secure client
Hai Nguyen
 
PDF
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
PPTX
Html5 security
Krishna T
 
PPTX
HTML5 - The Promise & The Peril
Security Innovation
 
PDF
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
PDF
Web Security - Introduction v.1.3
Oles Seheda
 
PDF
Web Security - Introduction
SQALab
 
Browser Security ppt.pptx
AjaySahre
 
Browser Security – Issues and Best Practices1Outli
VannaSchrader3
 
Lecture 1 (2)
erick chuwa
 
Advances inbrowsersecurity
Anil Saldanha
 
Securing your web application through HTTP headers
Andre N. Klingsheim
 
I Want These * Bugs Off My * Internet
Dan Kaminsky
 
Browser Security by pratimesh Pathak ( Buldhana)
Pratimesh Pathak
 
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Html5 security
tsinghua university
 
BeEF: The Browser Exploitation Framework
awiasecretary
 
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Html5 Application Security
chuckbt
 
(In)Security Implication in the JS Universe
Stefano Di Paola
 
Secure client
Hai Nguyen
 
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
Html5 security
Krishna T
 
HTML5 - The Promise & The Peril
Security Innovation
 
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Web Security - Introduction v.1.3
Oles Seheda
 
Web Security - Introduction
SQALab
 

Recently uploaded (20)

PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Cloud computing and distributed systems.
kkkkkhan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Approach and Philosophy of On baking technology
30anthuong17
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Teaching material agriculture food technology
LiaRayya
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 

Browser security — ROOTS

  • 1. The browser - your best friend and worst enemy Roots Conference Bergen 23. May 2011 André N.Klingsheim IT security specialist, PhD
  • 2. Lightning overview • How important is browser security? • Security challenges • Modern security features 2
  • 3. Why the web «works» • Same-origin policy – Isolates websites – The reason you can safely visit rootsconf.no and skandiabanken.no simultaneously in the browser – We have to fully trust the browser to enforce this • SSL/TLS – Secure communication: website authentication, generate secure keys, choose crypto... 3
  • 4. The browser is your enemy: MODERN SECURITY CHALLENGES 4
  • 5. Man-in-the browser How did the man get in the • Malicious code running in browser?!? browser http://googlechromereleases.blogspot. com/2011/04/stable-channel- – The friendly browser update.html suddenly becomes evil 5
  • 6. The browser is your friend: MODERN SECURITY FEATURES 6
  • 7. Working alone • Google Chrome sandboxing – Rendering process – Sandboxing underway for Flash and PDF plugins • Internet Explorer 9 tab isolation – Pinned sites load in isolated process • Minimize damage caused by a compromize 7
  • 8. Working for the website • Special treatment for cookies: secure, httpOnly • Website can include «security» headers in HTTP response • Triggers security features in browser • «Invisible» to user • Headers coming up! 8
  • 11. Compensating for website security bugs • Security features designed to detect and/or prevent webapp security holes 11
  • 14. X-Content-Security-Policy HTTP header • Firefox Content Security Policy – Block inline scripts on webpage – Block code creation for strings (eval()) – Prevents XSS 14
  • 15. References • http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html • https://sites.google.com/a/chromium.org/dev/Home/chromium-security/brag-sheet • Pinned sites: http://msdn.microsoft.com/en-us/library/gg131029(v=vs.85).aspx • https://wiki.mozilla.org/Security/CSP/Specification#User_Agent_Behavior • X-XSS-Protection: http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#_replace • Not a complete list so remember: Google is your friend 15
  • 16. Thank you! • Find me online: – andre.klingsheim (at) skandiabanken (dot) no – Blog: www.dotnetnoob.com – Twitter: @klingsen 16