browser security at app sec usa

(missed the beginning of this, but apparently not too much. it was standing room only; was lucky to get a seat)

speaker: Robert Hansen

What is wanted

  • Google wants higher ad spend
  • Advertisers want to monetize users
  • Users want quality products and better search results
  • Everyone wants faster performance

Goal: protect sensitive info

Why Tor browser not solution

  • admitted to 100 hacked nodes. know there are more
  • “Grandpa” sends info over http instead of https and then a hacked node has it
  • Can’t do everything anonymously. Anonymous != privacy

What willing to give up for security

  • Usability – speed, bookmarks, autofill, prefetching
  • Most popups and warnings (“do you want to allow scripts” is useless)

Problems/Current Solutions

  1. XDomain – request domain, no script. port locking, remove credentials upon logout (limits what CSRF can do), split horizon DNS (don’t let the internet see internal DNS)
  2. command execution – NoScript plugin, QuickJava plugin, remove protocol handlers (“are you sure you want to run”), Sandboxie (for Windows), antivirus (incremental gain if you have extra CPU; just don’t rely on it), whitelisting. Many techniques are like an onion. Protection in layers. VM, sandbox, stripped down browser.
  3. Data exfiltration and privacy – disable Aero transparency on Windows 7 so you can’t see what’s behind the window
  4. Man in the middle – SSH, proxies, VPN tunnel
  5. Pretext/phishing – NoScript, education. If you don’t reuse passwords, it isn’t that helpful for someone to get one.
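The “remove credentials upon logout” point is worth seeing concretely: a cross-site forged request only works because the browser attaches the site’s cookie automatically, so a logout that actually drops the credential (and invalidates it server-side) leaves the forged request with nothing to ride on. The simulation below is an added example written for these notes, not code from the talk; the `Server`, `Browser` and `scenario` names and the `bank.example` host are constructed for illustration.

```python
"""Simulation: why removing credentials on logout limits what a forged
cross-site request can do. Constructed example, not from the talk."""
import secrets


class Server:
    """Server-side session store keyed by an opaque session id (the cookie value)."""

    def __init__(self):
        self.sessions = {}    # session id -> username
        self.transfers = []   # state-changing actions that were accepted

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def logout(self, sid):
        # Server-side invalidation: the id is useless even if a copy survives somewhere.
        self.sessions.pop(sid, None)

    def transfer(self, sid, amount):
        """A state-changing endpoint that trusts only the session cookie."""
        user = self.sessions.get(sid)
        if user is None:
            return 401          # no valid session: request rejected
        self.transfers.append((user, amount))
        return 200


class Browser:
    """Minimal browser with a per-host cookie jar."""

    def __init__(self, server):
        self.server = server
        self.cookies = {}     # host -> session id

    def login(self, host, username):
        self.cookies[host] = self.server.login(username)

    def logout(self, host, clear_browser=True, clear_server=True):
        sid = self.cookies.get(host)
        if clear_browser:
            self.cookies.pop(host, None)     # browser stops sending the credential
        if clear_server and sid is not None:
            self.server.logout(sid)          # server forgets it as well

    def forged_request(self, host, amount):
        """A request triggered by an attacker-controlled page: the browser
        attaches the victim site's cookie automatically, which is what makes CSRF work."""
        return self.server.transfer(self.cookies.get(host), amount)


def scenario(logout_mode):
    """logout_mode: 'none', 'browser_only', 'server_only' or 'both'.
    Returns (HTTP status of the forged request, number of transfers accepted)."""
    server = Server()
    browser = Browser(server)
    browser.login("bank.example", "alice")           # constructed host and user
    if logout_mode != "none":
        browser.logout(
            "bank.example",
            clear_browser=logout_mode in ("browser_only", "both"),
            clear_server=logout_mode in ("server_only", "both"),
        )
    status = browser.forged_request("bank.example", 100)
    return status, len(server.transfers)


if __name__ == "__main__":
    for mode in ("none", "browser_only", "server_only", "both"):
        print(mode, scenario(mode))
```

While still logged in, the forged transfer succeeds; after a logout that drops the cookie in the browser, invalidates it on the server, or both, the same request is rejected. Doing both is the layered approach the talk keeps returning to: browser-side removal covers the common case, server-side invalidation covers a copy of the cookie that the browser no longer holds.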

Plugins the speaker uses

  • NoScript
  • FoxyProxy
  • RequestPolicy
  • QuickJava

However, to actually be secure, the web looks like 1996 – everything is text. But Lynx isn’t enough because you need the ability to turn things on.

Do Not Track

  • Sends a signal to websites that the user doesn’t want to be tracked
  • Three states
  • #1 complaint about IE 10 is that doesn’t respect the spec
  • Most browsers implement only 2 states – track or not at all
  • Firefox follows the spec – do not track, track, or do not tell sites about my security preferences (which is confusing)
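The three-state point in the notes maps directly onto the DNT request header: `DNT: 1` means the user asked not to be tracked, `DNT: 0` means the user permitted tracking, and an absent header means no preference was expressed. A server that collapses this to two states (the “track or not at all” implementation most browsers ship) loses the distinction between “permitted” and “never said”, which is exactly the ambiguity the speaker called confusing. The parser below is an added example for these notes, not code from the talk or from any browser; the `TrackingPreference`, `parse_dnt`, `two_state` and `decide_tracking` names are constructed for illustration, and treating a malformed value as “no preference” is a design choice made here.

```python
"""Three-state Do Not Track handling versus the two-state collapse.
Constructed example, not from the talk."""
from enum import Enum


class TrackingPreference(Enum):
    DO_NOT_TRACK = "user asked not to be tracked"     # DNT: 1
    TRACK_PERMITTED = "user permitted tracking"       # DNT: 0
    UNSPECIFIED = "no preference expressed"           # header absent


def parse_dnt(headers):
    """Return the three-state preference expressed by a request's headers.

    Header names are matched case-insensitively. A header that is present
    but carries anything other than '0' or '1' is treated here as
    UNSPECIFIED (design choice for this example)."""
    value = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
    if value == "1":
        return TrackingPreference.DO_NOT_TRACK
    if value == "0":
        return TrackingPreference.TRACK_PERMITTED
    return TrackingPreference.UNSPECIFIED


def two_state(pref):
    """The lossy mapping a two-state implementation makes: anything that is
    not an explicit DO_NOT_TRACK is treated as 'ok to track'."""
    return pref is not TrackingPreference.DO_NOT_TRACK


def decide_tracking(headers, track_when_unspecified):
    """Site policy that keeps all three states apart.

    track_when_unspecified is the site's own default for users who said
    nothing; an explicit preference always wins over that default."""
    pref = parse_dnt(headers)
    if pref is TrackingPreference.DO_NOT_TRACK:
        return False
    if pref is TrackingPreference.TRACK_PERMITTED:
        return True
    return track_when_unspecified


if __name__ == "__main__":
    # Constructed sample requests: explicit opt-out, explicit opt-in, nothing said.
    samples = [{"DNT": "1"}, {"dnt": "0"}, {"User-Agent": "example"}]
    for h in samples:
        pref = parse_dnt(h)
        print(h, "->", pref.name,
              "| two-state tracks:", two_state(pref),
              "| three-state (cautious site) tracks:", decide_tracking(h, False))
```

Run over the three sample requests, the two-state view tracks everyone who did not send `DNT: 1`, while the three-state decision lets a site choose a cautious default for users who expressed no preference and still honour an explicit opt-in.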

  • More than 95% of browser revenue now comes from ads. Google paying almost $1B to be default search in Firefox.
  • Google attacking ad blockers.
  • locally sourced ads, require JavaScript to view websites, regulation in response to consumers.

Tool: Aviator for Mac to make more secure/private

My take on this
This was a lot of information in the part about his browser setup. I’m glad I know enough to be able to understand most of it! Some of it felt theoretical in that the perfect browser doesn’t actually. But I was surprised at how much technology exists to solve the problems we have. And the parts about advertisers influence were interesting.
