Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSP STS PKP SRI ETC OMG WTF | scotthelme.co.uk Scott Helme Security Researcher.

Published byMagdalene Margaret Caldwell Modified over 8 years ago

Similar presentations

Presentation on theme: "CSP STS PKP SRI ETC OMG WTF | scotthelme.co.uk Scott Helme Security Researcher."— Presentation transcript:

1 CSP STS PKP SRI ETC OMG WTF BBQ… @Scott_Helme | scotthelme.co.uk Scott Helme Security Researcher

2 Modern Web Security Standards @Scott_Helme | scotthelme.co.uk Scott Helme Security Researcher

3

4

5

6

7

8 HTTP/2 Image Sprites Concatenating JS / CSS Domain Sharding HTTPS Brotli Compression Powerful Features Geolocation API getUserMedia() AppCache HTTP/2 Image Sprites Concatenating JS / CSS Domain Sharding SEO Boost

9 How security has evolved

10 Browser support

11 Content-Security-Policy Content-Security-Policy-Report-Only X-Webkit-Content-Security-Policy X-Content-Security-Policy Public-Key-Pins Public-Key-Pins-Report-Only Strict-Transport-Security What are security headers? X-Content-Type-Options X-Frame-Options X-XSS-Protection X-Download-Options X-Permitted-Cross-Domain- Policies

12 Content Security Policy

13 Content Injection …

14 What is CSP? cache-control: max-age=0, no-cache content-encoding: gzip content-security-policy: [policy goes here] date: Fri, 07 Oct 2016 12:00:00 server: fronteers status: 200

15 child-src connect-src default-src font-src frame-src CSP Directives img-src media-src object-src script-src style-src

16 A basic policy Content-Security-Policy: default-src ‘self’ example.com

17 Fine tuning Content-Security-Policy: default-src ‘self’; script-src ‘self’ cdnjs.cloudflare.com ajax.googleapis.com

18 Fine tuning Content-Security-Policy: default-src ‘self’; script-src [source list]; style-src [source list]; img-src [source list]; frame-src [source list];

19 Mixed-Content

20

21

22 block-all-mixed-content

23 Mixed-Content upgrade-insecure- requests

24 Mixed-Content Detection Content-Security-Policy-Report-Only: default-src https:; report-uri https://scotthelme.report-uri.io { "csp-report": { "document-uri": "http://scotthelme.co.uk/blah/", "violated-directive": "default-src https:", ”effective-directive": ”img-src", "blocked-uri": "http://imgur.com"...

25 Testing CSP Content-Security-Policy-Report-Only: [policy] Console: Refused to load the script ‘https://code.jquery.com/jquery.1.11.3min.js’ because it violates the following Content Security Policy directive: script-src

26

27 Strict Transport Security

28 Without HSTS GET http://twitter.com 301 https://twitter.com GET https://twitter.com HTTP HTTP S

29 SSL/TLS stripped HTT P HTTP S

30 What is STS? cache-control: max-age=0, no-cache content-encoding: gzip strict-transport-security: [policy goes here] date: Fri, 07 Oct 2016 12:00:00 server: fronteers status: 200

31 max-age includeSubDomain s preload STS Directives

32 An STS Policy Strict-Transport-Security: max-age=31536000

33 With HSTS http://twitter.com https://twitter.com HTTP S

34 Public Key Pinning

35 Rogue Certificates scotthelme.co.u k

36

37 What is HPKP? cache-control: max-age=0, no-cache content-encoding: gzip public-key-pins: [policy goes here] date: Fri, 07 Oct 2016 12:00:00 server: fronteers status: 200

38 pin-sha256 max-age includeSubDomain s HPKP Directives

39 A HPKP Policy Public-Key-Pins: pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; max-age=2592000

40 What’s in a pin? scott@scotthelme:~$ openssl x509 -in ecdsa.crt -noout -text Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:82:2a:6e:ae:28:2f:9a:9a:e4:46:14:e4:ed:5e: 8d:01:87:e9:cd:22:56:ec:e5:7b:04:55:66:8f:d4: bc:bb:8a:01:9e:a1:f9:be:b6:0b:c4:ec:b7:32:1e: 77:56:01:6b:cd:69:74:f6:32:65:84:d8:36:88:a1: 0f:35:31:9a:7c ASN1 OID: prime256v1

41 Where to pin? scotthelme.co.u k Let’s Encrypt X3 DST Root

42 HPKP Reporting Public-Key-Pins -Report-Only : [policy]; report-uri https://scotthelme.report-uri.io { “served-chain”: “-----BEGIN CERTIFICATE-----”, “validated-chain”: “----- BEGIN CERTIFICATE -----”, “known-pins”: “pin-sha256=X3pGTSOuJeEVw989IJ/cEtX”, “hostname”: “scotthelme.co.uk”

43

44 Subresource Integrity

45 3 rd Party Trust scotthelme.co.u k somecdn.co m

46 What is SRI? <script src=“somecdn.com/jquery.min.js” crossorigin=“anonymous” integrity=“sha256-[base64]”>

47 What’s in an SRI hash? scott@scotthelme:~$ cat jquery.min.js | openssl dgst -sha256 -binary | openssl base64 caPmelCaJqLUfkrgijiKos9lChnIL86LgGnFmlLjeQA= https://report-uri.io/home/sri_hash/ caPmelCaJqLUfkrgijiKos9lChnIL86LgGnFmlLjeQA=

48 SRI deployed <script src=“somecdn.com/jquery.min.js” crossorigin=“anonymous” integrity=“sha256-[hash goes here]”>

49 3 rd Party Trust scotthelme.co.u k somecdn.co m

50 Secure all the things! @Scott_Helme | scotthelme.co.uk Scott Helme Security Researcher

Download ppt "CSP STS PKP SRI ETC OMG WTF | scotthelme.co.uk Scott Helme Security Researcher."

Similar presentations

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
Pushing CSP to PROD Case Study of a Real-World Content- Security Policy Implementation.

Pushing CSP to PROD Case Study of a Real-World Content- Security Policy Implementation.
“If you can manipulate the data, game

“If you can manipulate the data, game
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
HTTPS in 2015 Eric Quick Introductions Eric

HTTPS in 2015 Eric Quick Introductions Eric
The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.

The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.
Build 2015 4/16/2017 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION.

Build /16/2017 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
HTTPS in 2015 Eric Quick Introductions.

HTTPS in 2015 Eric Quick Introductions.
Certificates ID on the Internet. SSL In the early days of the internet content was simply sent unencrypted. It was mostly academic traffic, and no one.

Certificates ID on the Internet. SSL In the early days of the internet content was simply sent unencrypted. It was mostly academic traffic, and no one.
Mark Phillip markphillip.com 200s, 304s, Expires Headers, HTTP Compression, And You.

Mark Phillip markphillip.com 200s, 304s, Expires Headers, HTTP Compression, And You.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Lighttpd & Modcache 2009/06/28. Basic lighttpd info Event-driven, single process Event-driven, single process Uses non-block io (network) + writev (memory)

Lighttpd & Modcache 2009/06/28. Basic lighttpd info Event-driven, single process Event-driven, single process Uses non-block io (network) + writev (memory)
Krerk Piromsopa. Web Caching Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.

Krerk Piromsopa. Web Caching Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.
CSC 2720 Building Web Applications Getting and Setting HTTP Headers (With PHP Examples)

CSC 2720 Building Web Applications Getting and Setting HTTP Headers (With PHP Examples)
Building Native Mapping Apps with PhoneGap: Advanced Techniques

Building Native Mapping Apps with PhoneGap: Advanced Techniques
Krishna Mohan Koyya Glarimy Technology Services

Krishna Mohan Koyya Glarimy Technology Services
Security CNS 4650 Fall 2004 Rev. 2 SSL, SASL, PKI.

Security CNS 4650 Fall 2004 Rev. 2 SSL, SASL, PKI.
Putting Performance Best Practices Together to Create the Perfect SPA Chris Love2Dev.com.

Putting Performance Best Practices Together to Create the Perfect SPA Chris Love2Dev.com.
PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.

PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.

Similar presentations

Ads by Google