firefox security
play

Firefox Security Sid Stamm <sid@mozilla.com> Browser as a - PowerPoint PPT Presentation

Nov 19, 2023 •114 likes •560 views

Firefox Security Sid Stamm <sid@mozilla.com> Browser as a Protector Protect Site Content Safe Platform Third-Party Features Keeping your Secrets Content Restrictions Content Security Policy Content Restrictions Document

  1. Firefox Security Sid Stamm <sid@mozilla.com>

  2. Browser as a Protector • Protect Site Content • Safe Platform • Third-Party Features • Keeping your Secrets

  3. Content Restrictions Content Security Policy

  4. Content Restrictions Document “Good” behavior... Suppress the “Bad”

  5. Grabbing the Reins Content Restrictions • Content Rules & Regulations • Specify a “Normal Behavior” Policy • Catch and Block Violations <HTML> Content Policy Specify Rules Enforce Rules

  6. Step 1: Smooth Edges Content Restrictions • Scripts served in files (not inline) - “javascript:” URIs - <tag on*=...> event registration - text nodes in <script> tags • Establish Code / Data Separation - eval(“foo”) and friends

  7. Step 2: Restrictions on Content Content Restrictions • Block requests for all resources ... unless explicitly allowed by a policy!

  8. CSP: Policies Content Restrictions • HTTP Response Header X-CONTENT-SECURITY -POLICY • Directives to enforce listed within

  9. Speed Bump Content Restrictions <meta http-equiv=....>? • Designers may not have access to HTTP • T wo entities want restrictions • Multiple policies?

  10. Speed Bump Content Restrictions Intersecting Policies Given Policies P1 and P2: Pe = {u | P1 allows u AND P2 allows u}

  11. Speed Bump Content Restrictions <meta http-equiv=....>? • policy in-band is too dangerous • Multiple header instances!

  12. CSP: Directives Content Restrictions report-uri source directives policy-uri options

  13. CSP: Source Directives Content Restrictions allow (default for these) img-src font-src media-src xhr-src script-src frame-ancestors object-src style-src frame-src

  14. Speed Bump Content Restrictions ‘self’ ... in pieces? https://‘self’:443 ‘self’://foo.com foo.com:‘self’

  15. ‘self’ Content Restrictions ‘self‘ -> http://foo.com:80 bar.com:8080 -> http://bar.com:8080 http://foo.com -> http://foo.com:80 bar.com -> http://bar.com:80

  16. Speed Bump Content Restrictions Redirects http://foo.com http://bar.com http://duh.com

  17. Step 3: Profit • Sites only request explicitly allowed Content Restrictions resources • Injected inline scripts don’t run • Content homogenization (mixed content control) • Cross-domain CSRF reduction • Violation reports = early alert

  18. CSP: Use Case 1 Content Restrictions allow ‘self’ • Site wants all content to come from the same source (scheme, host, port)

  19. CSP: Use Case 2 Content Restrictions allow ‘self’; frame-src ads.net • Site wants all content to come from the same source (scheme, host, port), except content in iframes may be served by a third-party advertising network.

  20. CSP: Use Case 3 Content Restrictions allow ‘self’; img-src *; object-src *.teevee.com; script-src myscripts.com • Auction site wants to allow images from anywhere, plugin content from a trusted media provider network, and scripts only from its server hosting sanitized JavaScript

  21. CSP: Use Case 4 Content Restrictions allow https://*.x.com; • Example site wants to force all content to be served via HTTPS on port 443, from any subdomain of example.com

  22. Wait! That breaks my site! Content Restrictions • Good Option: convert your site • Less Good Option: disable parts of CSP

  23. Ramping Up Content Restrictions • Disable some restrictions via options • Report-Only mode • “Writing a Policy” guide • “Converting your Site” guide • Maybe a policy recommendation tool?

  24. Safe Platform Safe Platform

  25. Wrappers • XPCNativeWrapper Safe Platform

  26. Wrappers • ChromeObjectWrapper Safe Platform

  27. Wrappers • SafeJSObjectWrapper Safe Platform JS

  28. Wrappers • CrossOriginWrapper Safe Platform

  29. Safe Platform Safe Platform Out of Process Plug-Ins

  30. Third-Party Features Add-Ons

  31. Third-Party Features XPCOM and IDL

  32. XPCOM and IDL Third-Party Features Source: http://www.ibm.com/developerworks/java/library/os-xpcomfirefox/

  33. Third-Party Features Untamed Add-Ons

  34. Third-Party Features Jetpack

  35. Jetpack Third-Party Features API module module Jetpack My module Backend Add-On module (XPCOM) module module

  36. Jetpack Third-Party Features API module module Jetpack My module Backend Add-On module (XPCOM) module module JavaScript

  37. Jetpack Third-Party Features API module module Jetpack My Capabilities : module 1. http://foo.com Backend Add-On module 2. graphics (XPCOM) 3. menus module module

  38. Keeping your Secrets Features and Your Privacy

  39. Keeping your Secrets History Sniffing https://wiki.mozilla.org/User:Sidstamm/CSS_History_Sniffing_Links http://dbaron.org/mozilla/visited-privacy

  40. Keeping your Secrets Private Browsing (roll-back time)

  41. Keeping your Secrets NPAPI Hooks Private Browsing, Clear Recent History, etc

  42. Keeping your Secrets Browser Traces

  43. Browser as a Protector • Protect Site Content • Safe Platform • Third-Party Features • Keeping your Secrets

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

By JoseeAntonioR INDEX OF CONTENTS 1.- What is Firefox? 2.- Uses of Firefox 3.- How To:

By JoseeAntonioR INDEX OF CONTENTS 1.- What is Firefox? 2.- Uses of Firefox 3.- How To:

Introduction to Firefox By JoseeAntonioR INDEX OF CONTENTS 1.- What is Firefox? 2.- Uses of Firefox 3.- How To: Download Files 4.- How To: History 5.- How To: Tabbing 6.- How To: App Tabs 7.- How To: Set Homepage 8.- How To: Block

557 views • 16 slides
Improving Security in Firefox Add-ons Brian Warner, Mozilla Labs QCon 2010, San Francisco

Improving Security in Firefox Add-ons Brian Warner, Mozilla Labs QCon 2010, San Francisco

Improving Security in Firefox Add-ons Brian Warner, Mozilla Labs QCon 2010, San Francisco slides: http://people.mozilla.com/~bwarner/qcon10/ Overview Why add-ons are important Add-on security issues Mozilla Add-ons and Jetpack

645 views • 51 slides
Continuous Localization Agenda Brief History Q&amp;A 1. 4. How we shipped Firefox Continuous

Continuous Localization Agenda Brief History Q&amp;A 1. 4. How we shipped Firefox Continuous

Continuous Localization Agenda Brief History Q&amp;A 1. 4. How we shipped Firefox Continuous L10n 2. Localizing Firefox Nightly 3. Android Analysis of our Android Apps Public 2 Shipping Localized Firefox over time Public 3 The

212 views • 18 slides
Firefox POCs BUG 612029: Remote denial of Service POC Actual POC comes from: BUG 833874 Eats

Firefox POCs BUG 612029: Remote denial of Service POC Actual POC comes from: BUG 833874 Eats

Firefox POCs BUG 612029: Remote denial of Service POC Actual POC comes from: BUG 833874 Eats up memory! Notice no unresponsive script dialogue Firefox version 13 In current firefox version -- warning + debug option, no

254 views • 12 slides
Firefox quality Mozilla Paris | FOSDEM | Feb 3rd 2018 Bonjour ! Je suis Sylvestre Ledru Je

Firefox quality Mozilla Paris | FOSDEM | Feb 3rd 2018 Bonjour ! Je suis Sylvestre Ledru Je

Firefox quality Mozilla Paris | FOSDEM | Feb 3rd 2018 Bonjour ! Je suis Sylvestre Ledru Je parle de Firefox Quality Twitter @SylvestreLedru 2 Bonjour ! 3 Bonjour ! 4 Bonjour ! 5 The Firefox scale About:Firefox We release every 6

775 views • 41 slides
Python for Informatics Database Handout Download and install FireFox and the SQLite Manager

Python for Informatics Database Handout Download and install FireFox and the SQLite Manager

Python for Informatics Database Handout Download and install FireFox and the SQLite Manager http://www.mozilla.org/enUS/firefox/new/ https://addons.mozilla.org/enUS/firefox/addon/sqlitemanager/ Queries insert into Users (name, email) values

503 views • 3 slides
A new version of Firefox is available Rapid Release of Quality Firefox Products Lukas Blakk

A new version of Firefox is available Rapid Release of Quality Firefox Products Lukas Blakk

A new version of Firefox is available Rapid Release of Quality Firefox Products Lukas Blakk &amp; Sylvestre Ledru Who are we ? Sylvestre Lukas Has been at Mozilla for a year Mozillian since 2006 Debian Developer Release

462 views • 30 slides
Cordova and Firefox OS HTML5 for the Mobile Web Jason Weathersby Cordova and Firefox OS

Cordova and Firefox OS HTML5 for the Mobile Web Jason Weathersby Cordova and Firefox OS

Cordova and Firefox OS HTML5 for the Mobile Web Jason Weathersby Cordova and Firefox OS Click Here For Presentation 11/13/14 2 Title Here

190 views • 3 slides
Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden telemetry to Mozilla Per Foyer per@foyer.se 10 10 Cryptoparty 201911-R1 Hardening Firefox: Method To harden Firefox we need to: 1. Adjust

470 views • 14 slides
Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda

Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda

Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda and bkth from phoenhex Who are we? Security enthusiasts who dabble in vulnerability research on their free time as part of phoenhex. Member of CTF

1.02k views • 56 slides
Inside Firefox Robert O'Callahan robert@ocallahan.org Mozilla An open Internet An open Web A

Inside Firefox Robert O'Callahan robert@ocallahan.org Mozilla An open Internet An open Web A

Inside Firefox Robert O'Callahan robert@ocallahan.org Mozilla An open Internet An open Web A level playing field Our tool: Firefox Overview Why Web browsers are hard Mozilla development processes and tools Running a successful

350 views • 33 slides
Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by

Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by

Sam Foster sfoster@mozilla.com samfosteriam sfoster Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by Mozilla + partners + contributors Why Firefox OS? Web under threat from parallel

453 views • 13 slides
A Firefox cluster driven by JavaScript, Perl, and PL/PgSQL A Firefox cluster driven by JavaScript

A Firefox cluster driven by JavaScript, Perl, and PL/PgSQL A Firefox cluster driven by JavaScript

A Firefox cluster driven by JavaScript, Perl, and PL/PgSQL A Firefox cluster driven by JavaScript , Perl , &amp; PL/PgSQL agentzh@yahoo.cn (agentzh) 2009.2 &quot;How about using Firefox in a crawler cluster ?&quot; &quot;Man,

647 views • 52 slides
Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week Using buffer overruns or format string attacks to read out or corrupt the stack, esp. the control data on the stack: frame pointers and return

647 views • 42 slides
Bringing the Open Web &amp; APIs to @robertnyman mobile devices with Firefox OS @robertnyman

Bringing the Open Web &amp; APIs to @robertnyman mobile devices with Firefox OS @robertnyman

Bringing the Open Web &amp; APIs to @robertnyman mobile devices with Firefox OS @robertnyman Mozilla is a global non- profit dedicated to putting you in control of your online experience and shaping the future of the Web for the public

1.06k views • 82 slides
Project Plan Improvements to &lt;select&gt; Dropdown for Firefox The Capstone Experience Team

Project Plan Improvements to &lt;select&gt; Dropdown for Firefox The Capstone Experience Team

Project Plan Improvements to &lt;select&gt; Dropdown for Firefox The Capstone Experience Team Mozilla Jared Beach Mark Golbeck Fred Luo Tyler Maklebust Michael Wright Department of Computer Science and Engineering Michigan State University

1.13k views • 11 slides
Ta Taking your Selenium Te Tests for we web and mobile ile beyond your lo local l Fir

Ta Taking your Selenium Te Tests for we web and mobile ile beyond your lo local l Fir

Ta Taking your Selenium Te Tests for we web and mobile ile beyond your lo local l Fir Firefox Brows wser Michael Palotas, Francois Reynaud Element34 Solutions GmbH

479 views • 27 slides
I/O and Syscalls in Critical Sections and their Implications for Transactional Memory Lee Baugh

I/O and Syscalls in Critical Sections and their Implications for Transactional Memory Lee Baugh

I/O and Syscalls in Critical Sections and their Implications for Transactional Memory Lee Baugh and Craig Zilles University of Illinois at Urbana-Champaign Side-Effects in Transactions begin_transaction(); myarr[x]= fgetc(myfile);

891 views • 19 slides
Multiprocessing and MapReduce Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019

Multiprocessing and MapReduce Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019

Multiprocessing and MapReduce Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 Announcements Exam on Friday Homework 5 check-in due Monday Learning Objectives To understand the benefits and challenges of multiprocessing and

706 views • 38 slides
Managed So*ware Installa1on with Munki Jon Rhoades St

Managed So*ware Installa1on with Munki Jon Rhoades St

Managed So*ware Installa1on with Munki Jon Rhoades St Vincents Ins1tute &amp; University of Melbourne jrhoades@svi.edu.au Managed Installa1on

667 views • 31 slides
Affinity Group 1 May 14, 2019 The University of Wisconsin Service Center will Serve the

Affinity Group 1 May 14, 2019 The University of Wisconsin Service Center will Serve the

Affinity Group 1 May 14, 2019 The University of Wisconsin Service Center will Serve the people of the University of Wisconsin System Collaborate by being supportive and constructive Act with Integrity always and in all

576 views • 28 slides
topic: web making + learning. mozillas commitment for 2012 build a generation of web makers

topic: web making + learning. mozillas commitment for 2012 build a generation of web makers

topic: web making + learning. mozillas commitment for 2012 build a generation of web makers definition: a web maker is anyone who makes things using the f open ethos and building blocks of the web this is my son f ethan he likes

772 views • 35 slides
Ten-Ten/Garner Suburban Fire Insurance Realignment and Station Closure Presentation to Fire

Ten-Ten/Garner Suburban Fire Insurance Realignment and Station Closure Presentation to Fire

Ten-Ten/Garner Suburban Fire Insurance Realignment and Station Closure Presentation to Fire Commission July 19, 2018 Insurance District Realignment and Station Closure Background Information Initial Request to explore county participation in

469 views • 26 slides
disasters and their impacts peter rupert professor department of economics, ucsb director, ucsb

disasters and their impacts peter rupert professor department of economics, ucsb director, ucsb

disasters and their impacts peter rupert professor department of economics, ucsb director, ucsb economic forecast project Lobero Theater March, 2018 Thomas fire burned 281,893 acres largest California fire on record estimated costs

428 views • 18 slides

More recommend