firefox security
play

Firefox Security Sid Stamm <sid@mozilla.com> Browser as a - PowerPoint PPT Presentation

Nov 19, 2023 •114 likes •560 views

Firefox Security Sid Stamm <sid@mozilla.com> Browser as a Protector Protect Site Content Safe Platform Third-Party Features Keeping your Secrets Content Restrictions Content Security Policy Content Restrictions Document

  1. Firefox Security Sid Stamm <sid@mozilla.com>

  2. Browser as a Protector • Protect Site Content • Safe Platform • Third-Party Features • Keeping your Secrets

  3. Content Restrictions Content Security Policy

  4. Content Restrictions Document “Good” behavior... Suppress the “Bad”

  5. Grabbing the Reins Content Restrictions • Content Rules & Regulations • Specify a “Normal Behavior” Policy • Catch and Block Violations <HTML> Content Policy Specify Rules Enforce Rules

  6. Step 1: Smooth Edges Content Restrictions • Scripts served in files (not inline) - “javascript:” URIs - <tag on*=...> event registration - text nodes in <script> tags • Establish Code / Data Separation - eval(“foo”) and friends

  7. Step 2: Restrictions on Content Content Restrictions • Block requests for all resources ... unless explicitly allowed by a policy!

  8. CSP: Policies Content Restrictions • HTTP Response Header X-CONTENT-SECURITY -POLICY • Directives to enforce listed within

  9. Speed Bump Content Restrictions <meta http-equiv=....>? • Designers may not have access to HTTP • T wo entities want restrictions • Multiple policies?

  10. Speed Bump Content Restrictions Intersecting Policies Given Policies P1 and P2: Pe = {u | P1 allows u AND P2 allows u}

  11. Speed Bump Content Restrictions <meta http-equiv=....>? • policy in-band is too dangerous • Multiple header instances!

  12. CSP: Directives Content Restrictions report-uri source directives policy-uri options

  13. CSP: Source Directives Content Restrictions allow (default for these) img-src font-src media-src xhr-src script-src frame-ancestors object-src style-src frame-src

  14. Speed Bump Content Restrictions ‘self’ ... in pieces? https://‘self’:443 ‘self’://foo.com foo.com:‘self’

  15. ‘self’ Content Restrictions ‘self‘ -> http://foo.com:80 bar.com:8080 -> http://bar.com:8080 http://foo.com -> http://foo.com:80 bar.com -> http://bar.com:80

  16. Speed Bump Content Restrictions Redirects http://foo.com http://bar.com http://duh.com

  17. Step 3: Profit • Sites only request explicitly allowed Content Restrictions resources • Injected inline scripts don’t run • Content homogenization (mixed content control) • Cross-domain CSRF reduction • Violation reports = early alert

  18. CSP: Use Case 1 Content Restrictions allow ‘self’ • Site wants all content to come from the same source (scheme, host, port)

  19. CSP: Use Case 2 Content Restrictions allow ‘self’; frame-src ads.net • Site wants all content to come from the same source (scheme, host, port), except content in iframes may be served by a third-party advertising network.

  20. CSP: Use Case 3 Content Restrictions allow ‘self’; img-src *; object-src *.teevee.com; script-src myscripts.com • Auction site wants to allow images from anywhere, plugin content from a trusted media provider network, and scripts only from its server hosting sanitized JavaScript

  21. CSP: Use Case 4 Content Restrictions allow https://*.x.com; • Example site wants to force all content to be served via HTTPS on port 443, from any subdomain of example.com

  22. Wait! That breaks my site! Content Restrictions • Good Option: convert your site • Less Good Option: disable parts of CSP

  23. Ramping Up Content Restrictions • Disable some restrictions via options • Report-Only mode • “Writing a Policy” guide • “Converting your Site” guide • Maybe a policy recommendation tool?

  24. Safe Platform Safe Platform

  25. Wrappers • XPCNativeWrapper Safe Platform

  26. Wrappers • ChromeObjectWrapper Safe Platform

  27. Wrappers • SafeJSObjectWrapper Safe Platform JS

  28. Wrappers • CrossOriginWrapper Safe Platform

  29. Safe Platform Safe Platform Out of Process Plug-Ins

  30. Third-Party Features Add-Ons

  31. Third-Party Features XPCOM and IDL

  32. XPCOM and IDL Third-Party Features Source: http://www.ibm.com/developerworks/java/library/os-xpcomfirefox/

  33. Third-Party Features Untamed Add-Ons

  34. Third-Party Features Jetpack

  35. Jetpack Third-Party Features API module module Jetpack My module Backend Add-On module (XPCOM) module module

  36. Jetpack Third-Party Features API module module Jetpack My module Backend Add-On module (XPCOM) module module JavaScript

  37. Jetpack Third-Party Features API module module Jetpack My Capabilities : module 1. http://foo.com Backend Add-On module 2. graphics (XPCOM) 3. menus module module

  38. Keeping your Secrets Features and Your Privacy

  39. Keeping your Secrets History Sniffing https://wiki.mozilla.org/User:Sidstamm/CSS_History_Sniffing_Links http://dbaron.org/mozilla/visited-privacy

  40. Keeping your Secrets Private Browsing (roll-back time)

  41. Keeping your Secrets NPAPI Hooks Private Browsing, Clear Recent History, etc

  42. Keeping your Secrets Browser Traces

  43. Browser as a Protector • Protect Site Content • Safe Platform • Third-Party Features • Keeping your Secrets

Recommend

By JoseeAntonioR INDEX OF CONTENTS 1.- What is Firefox? 2.- Uses of Firefox 3.- How To:

By JoseeAntonioR INDEX OF CONTENTS 1.- What is Firefox? 2.- Uses of Firefox 3.- How To:

Introduction to Firefox By JoseeAntonioR INDEX OF CONTENTS 1.- What is Firefox? 2.- Uses of Firefox 3.- How To: Download Files 4.- How To: History 5.- How To: Tabbing 6.- How To: App Tabs 7.- How To: Set Homepage 8.- How To: Block

557 views • 16 slides
Improving Security in Firefox Add-ons Brian Warner, Mozilla Labs QCon 2010, San Francisco

Improving Security in Firefox Add-ons Brian Warner, Mozilla Labs QCon 2010, San Francisco

Improving Security in Firefox Add-ons Brian Warner, Mozilla Labs QCon 2010, San Francisco slides: http://people.mozilla.com/~bwarner/qcon10/ Overview Why add-ons are important Add-on security issues Mozilla Add-ons and Jetpack

645 views • 51 slides
Continuous Localization Agenda Brief History Q&amp;A 1. 4. How we shipped Firefox Continuous

Continuous Localization Agenda Brief History Q&amp;A 1. 4. How we shipped Firefox Continuous

Continuous Localization Agenda Brief History Q&amp;A 1. 4. How we shipped Firefox Continuous L10n 2. Localizing Firefox Nightly 3. Android Analysis of our Android Apps Public 2 Shipping Localized Firefox over time Public 3 The

212 views • 18 slides
Firefox POCs BUG 612029: Remote denial of Service POC Actual POC comes from: BUG 833874 Eats

Firefox POCs BUG 612029: Remote denial of Service POC Actual POC comes from: BUG 833874 Eats

Firefox POCs BUG 612029: Remote denial of Service POC Actual POC comes from: BUG 833874 Eats up memory! Notice no unresponsive script dialogue Firefox version 13 In current firefox version -- warning + debug option, no

254 views • 12 slides
Firefox quality Mozilla Paris | FOSDEM | Feb 3rd 2018 Bonjour ! Je suis Sylvestre Ledru Je

Firefox quality Mozilla Paris | FOSDEM | Feb 3rd 2018 Bonjour ! Je suis Sylvestre Ledru Je

Firefox quality Mozilla Paris | FOSDEM | Feb 3rd 2018 Bonjour ! Je suis Sylvestre Ledru Je parle de Firefox Quality Twitter @SylvestreLedru 2 Bonjour ! 3 Bonjour ! 4 Bonjour ! 5 The Firefox scale About:Firefox We release every 6

775 views • 41 slides
Python for Informatics Database Handout Download and install FireFox and the SQLite Manager

Python for Informatics Database Handout Download and install FireFox and the SQLite Manager

Python for Informatics Database Handout Download and install FireFox and the SQLite Manager http://www.mozilla.org/enUS/firefox/new/ https://addons.mozilla.org/enUS/firefox/addon/sqlitemanager/ Queries insert into Users (name, email) values

503 views • 3 slides
A new version of Firefox is available Rapid Release of Quality Firefox Products Lukas Blakk

A new version of Firefox is available Rapid Release of Quality Firefox Products Lukas Blakk

A new version of Firefox is available Rapid Release of Quality Firefox Products Lukas Blakk &amp; Sylvestre Ledru Who are we ? Sylvestre Lukas Has been at Mozilla for a year Mozillian since 2006 Debian Developer Release

462 views • 30 slides
Cordova and Firefox OS HTML5 for the Mobile Web Jason Weathersby Cordova and Firefox OS

Cordova and Firefox OS HTML5 for the Mobile Web Jason Weathersby Cordova and Firefox OS

Cordova and Firefox OS HTML5 for the Mobile Web Jason Weathersby Cordova and Firefox OS Click Here For Presentation 11/13/14 2 Title Here

190 views • 3 slides
Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden telemetry to Mozilla Per Foyer per@foyer.se 10 10 Cryptoparty 201911-R1 Hardening Firefox: Method To harden Firefox we need to: 1. Adjust

470 views • 14 slides
Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda

Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda

Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda and bkth from phoenhex Who are we? Security enthusiasts who dabble in vulnerability research on their free time as part of phoenhex. Member of CTF

1.02k views • 56 slides
Inside Firefox Robert O'Callahan robert@ocallahan.org Mozilla An open Internet An open Web A

Inside Firefox Robert O'Callahan robert@ocallahan.org Mozilla An open Internet An open Web A

Inside Firefox Robert O'Callahan robert@ocallahan.org Mozilla An open Internet An open Web A level playing field Our tool: Firefox Overview Why Web browsers are hard Mozilla development processes and tools Running a successful

350 views • 33 slides
Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by

Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by

Sam Foster sfoster@mozilla.com samfosteriam sfoster Firefox OS Open source mobile OS (Apache 2.0) 14 operators / 28+ countries Built by Mozilla + partners + contributors Why Firefox OS? Web under threat from parallel

453 views • 13 slides
A Firefox cluster driven by JavaScript, Perl, and PL/PgSQL A Firefox cluster driven by JavaScript

A Firefox cluster driven by JavaScript, Perl, and PL/PgSQL A Firefox cluster driven by JavaScript

A Firefox cluster driven by JavaScript, Perl, and PL/PgSQL A Firefox cluster driven by JavaScript , Perl , &amp; PL/PgSQL agentzh@yahoo.cn (agentzh) 2009.2 &quot;How about using Firefox in a crawler cluster ?&quot; &quot;Man,

647 views • 52 slides
Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week Using buffer overruns or format string attacks to read out or corrupt the stack, esp. the control data on the stack: frame pointers and return

647 views • 42 slides
Bringing the Open Web &amp; APIs to @robertnyman mobile devices with Firefox OS @robertnyman

Bringing the Open Web &amp; APIs to @robertnyman mobile devices with Firefox OS @robertnyman

Bringing the Open Web &amp; APIs to @robertnyman mobile devices with Firefox OS @robertnyman Mozilla is a global non- profit dedicated to putting you in control of your online experience and shaping the future of the Web for the public

1.06k views • 82 slides
Project Plan Improvements to &lt;select&gt; Dropdown for Firefox The Capstone Experience Team

Project Plan Improvements to &lt;select&gt; Dropdown for Firefox The Capstone Experience Team

Project Plan Improvements to &lt;select&gt; Dropdown for Firefox The Capstone Experience Team Mozilla Jared Beach Mark Golbeck Fred Luo Tyler Maklebust Michael Wright Department of Computer Science and Engineering Michigan State University

1.13k views • 11 slides
HACL* in Mozilla Firefox Formal methods and high assurance applications for the web B. Beurdouche

HACL* in Mozilla Firefox Formal methods and high assurance applications for the web B. Beurdouche

HACL* in Mozilla Firefox Formal methods and high assurance applications for the web B. Beurdouche F. Kiefer K. Bhargavan E. Rescorla J. Protzenko T. Taubert J-K. Zinzindohou M. Thomson (Project Everest) (Mozilla) Real World Crypto 2018

450 views • 28 slides
Project Plan In-Content Preferences for Firefox The Capstone Experience Team Mozilla Owen

Project Plan In-Content Preferences for Firefox The Capstone Experience Team Mozilla Owen

Project Plan In-Content Preferences for Firefox The Capstone Experience Team Mozilla Owen Carpenter Joe Chen Jon Reitveld Devan Sayles Department of Computer Science and Engineering Michigan State University Spring 2012 From Students

177 views • 14 slides
Project Plan Multi-Touch Gestures for Mac OS X Firefox The Capstone Experience Team Mozilla

Project Plan Multi-Touch Gestures for Mac OS X Firefox The Capstone Experience Team Mozilla

Project Plan Multi-Touch Gestures for Mac OS X Firefox The Capstone Experience Team Mozilla Guilherme de Araujo Raymond Heldt Brandon Waterloo Department of Computer Science and Engineering Michigan State University Spring 2013 From

349 views • 20 slides
Beta Presentation In-Content Preferences for Firefox The Capstone Experience Team Mozilla Devan

Beta Presentation In-Content Preferences for Firefox The Capstone Experience Team Mozilla Devan

Beta Presentation In-Content Preferences for Firefox The Capstone Experience Team Mozilla Devan Sayles Joe Chen Jon Rietveld Owen Carpenter Department of Computer Science and Engineering Michigan State University Spring 2012 From

339 views • 7 slides
Alpha Presentation Optimizing Firefox Localization The Capstone Experience Team Mozilla Avery

Alpha Presentation Optimizing Firefox Localization The Capstone Experience Team Mozilla Avery

Alpha Presentation Optimizing Firefox Localization The Capstone Experience Team Mozilla Avery Berninger Brian Chen Chris Frey Yuan Cheng Nicholas Cowles Ian Kirkpatrick Department of Computer Science and Engineering Michigan State

406 views • 7 slides
Project Plan Optimizing Firefox Localization The Capstone Experience Team Mozilla Avery

Project Plan Optimizing Firefox Localization The Capstone Experience Team Mozilla Avery

Project Plan Optimizing Firefox Localization The Capstone Experience Team Mozilla Avery Berninger Brain Chen Chris Frey Ian Kirkpatrick Nicholas Cowles Yuan Cheng Department of Computer Science and Engineering Michigan State University

249 views • 13 slides
Dr. Scrapelove (or: How I Learned to Beat Anti-Scrape Websites and Love WWW::Mechanize::Firefox)

Dr. Scrapelove (or: How I Learned to Beat Anti-Scrape Websites and Love WWW::Mechanize::Firefox)

Dr. Scrapelove (or: How I Learned to Beat Anti-Scrape Websites and Love WWW::Mechanize::Firefox) By Trevor Cordes MUUG Presentation June 2014 (c) 2014 This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International

559 views • 17 slides
CS 410/510: Web Basics Basics Web Clients HTTP Web Servers PC running Firefox Web

CS 410/510: Web Basics Basics Web Clients HTTP Web Servers PC running Firefox Web

CS 410/510: Web Basics Basics Web Clients HTTP Web Servers PC running Firefox Web Server Mac running Chrome Web Clients Basic Terminology | HTML | JavaScript Terminology Web page consists of objects Each object is

761 views • 47 slides

More recommend