browser security at app sec usa

November 20th, 2013 by Jeanne Boyarsky

(Missed the beginning of this, but apparently not too much. It was standing room only; I was lucky to get a seat.)

speaker: Robert Hansen

What is wanted

  • Google wants higher ad spend
  • Advertisers want to monetize users
  • Users want quality products and better search results
  • Everyone wants faster performance

Goal: protect sensitive info

Why Tor browser not solution

  • Admitted to 100 hacked nodes; know there are more
  • “Grandpa” sends info over http instead of https and then the hacked node has it
  • Can’t do everything anonymously. Anonymous != privacy

What willing to give up for security

  • Usability – speed, bookmarks, autofill, prefetching
  • Most popups and warnings (“do you want to allow scripts” is useless)

Problems/Current Solutions

  1. XDomain – request domain, no script, port locking, remove credentials upon logout (limits what CSRF can do), split horizon DNS (don’t let the internet see internal DNS)
  2. Command execution – NoScript plugin, QuickJava plugin, remove protocol handlers (“are you sure you want to run”), Sandboxie (for Windows), antivirus (incremental gain if you have extra CPU; just don’t rely on it), whitelisting. Many techniques are like an onion: protection in layers. VM, sandbox, stripped-down browser.
  3. Data exfiltration and privacy – disable Aero transparency on Windows 7 so you can’t see what’s behind the window
  4. Man in the middle – SSH, proxies, VPN tunnel
  5. Pretext/phishing – NoScript, education. If you don’t reuse passwords, it isn’t that helpful for someone to get one.

Plugins the speaker uses

  • NoScript
  • FoxyProxy
  • RequestPolicy
  • QuickJava

However, to actually be secure, the web looks like 1996 – everything is text. But Lynx isn’t enough because you need the ability to turn things back on.

Do Not Track

  • Sends a signal to websites that the user doesn’t want to be tracked
  • Three states
  • #1 complaint about IE 10 is that it doesn’t respect the spec
  • Most browsers implement only 2 states – track or not at all
  • Firefox follows the spec – do not track, track, and do not tell sites about my security preferences (which is confusing)
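
As an added example (not from the talk or the post), here is a server-side helper that keeps the three Do Not Track states distinct instead of collapsing to the two-state model most browsers implement; the request dicts are constructed sample input and the cookie-decision policy is an assumption.

```python
# Added example: honour all three DNT states on the server side.
# Header semantics per the W3C Tracking Preference Expression draft:
# "1" = user objects to tracking, "0" = user consents, absent = no
# preference expressed. Request shapes below are constructed samples.

from enum import Enum


class DntState(Enum):
    NO_PREFERENCE = "unset"   # header absent: the user said nothing
    DO_NOT_TRACK = "1"
    ALLOW_TRACKING = "0"


def parse_dnt(headers):
    """Map the DNT request header onto the three spec states.

    Header names match case-insensitively. Any value other than "0" or
    "1" is malformed and falls back to NO_PREFERENCE, the conservative
    reading for a header we cannot interpret.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value is None:
        return DntState.NO_PREFERENCE
    if value == "1":
        return DntState.DO_NOT_TRACK
    if value == "0":
        return DntState.ALLOW_TRACKING
    return DntState.NO_PREFERENCE


def tracking_allowed(headers, require_explicit_consent=True):
    """Decide whether a tracking cookie may be set for this request.

    With require_explicit_consent=True (assumed policy) NO_PREFERENCE is
    treated like DO_NOT_TRACK, so only an explicit "0" permits tracking.
    With False it collapses to the two-state model in which only an
    explicit "1" blocks tracking. Returns (allowed, state) for logging.
    """
    state = parse_dnt(headers)
    if state is DntState.DO_NOT_TRACK:
        return False, state
    if state is DntState.ALLOW_TRACKING:
        return True, state
    return (not require_explicit_consent), state


# Constructed sample requests: one per state plus a malformed value.
SAMPLE_REQUESTS = {
    "dnt_on": {"Host": "example.test", "DNT": "1"},
    "explicit_opt_in": {"Host": "example.test", "dnt": "0"},
    "no_header": {"Host": "example.test"},
    "garbage": {"Host": "example.test", "DNT": "yes"},
}
```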

Future

  • More than 95% of browser revenue now comes from ads. Google paying almost $1B to be default search in Firefox.
  • Google attacking ad blockers.
  • Locally sourced ads, requiring JavaScript to view websites, regulation in response to consumers.

Tool: Aviator for Mac to make more secure/private

My take on this
This was a lot of information in the part about his browser setup. I’m glad I know enough to be able to understand most of it! Some of it felt theoretical in that the perfect browser doesn’t actually exist. But I was surprised at how much technology exists to solve the problems we have. And the parts about advertisers’ influence were interesting.