Soumettre la recherche
Mettre en ligne
Appsec usa roberthansen
•
Télécharger en tant que PPTX, PDF
•
0 j'aime
•
1,253 vues
D
drewz lin
Suivre
Technologie
Signaler
Partager
Signaler
Partager
1 sur 48
Télécharger maintenant
Recommandé
Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03
drewz lin
大型网站架构
大型网站架构
drewz lin
Vulnex app secusa2013
Vulnex app secusa2013
drewz lin
那些非理性的测试行为——心理学诠释常见的测试怪象
那些非理性的测试行为——心理学诠释常见的测试怪象
drewz lin
分布式爬虫
分布式爬虫
drewz lin
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
drewz lin
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
Rob Fuller
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
Recommandé
Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03
drewz lin
大型网站架构
大型网站架构
drewz lin
Vulnex app secusa2013
Vulnex app secusa2013
drewz lin
那些非理性的测试行为——心理学诠释常见的测试怪象
那些非理性的测试行为——心理学诠释常见的测试怪象
drewz lin
分布式爬虫
分布式爬虫
drewz lin
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
drewz lin
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
Rob Fuller
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
If we design any page or devoleped any code we use the word shield a.pdf
If we design any page or devoleped any code we use the word shield a.pdf
annaiwatertreatment
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference Keynote
SandraPaiva
Cyber security awareness for end users
Cyber security awareness for end users
NetWatcher
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
Group of company MUK
Data Privacy for Activists
Data Privacy for Activists
Greg Stromire
Challenges2013
Challenges2013
Lancope, Inc.
Break IT Down by Josh Smith
Break IT Down by Josh Smith
EC-Council
Reading the Security Tea Leaves
Reading the Security Tea Leaves
Ed Bellis
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
Dinis Cruz
Protecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World Safety
AEGILITY
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
CiNPA Security SIG
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
Avansa Mid- en Zuidwest
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
NetWatcher
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
NowSecure
NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2
Charles Klondike
Webinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcription
Service2Media
Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)
Microsoft Argentina y Uruguay [Official Space]
Security
Security
Bob Cherry
AEPWP09292016
AEPWP09292016
Demi Washington
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
drewz lin
Contenu connexe
Similaire à Appsec usa roberthansen
If we design any page or devoleped any code we use the word shield a.pdf
If we design any page or devoleped any code we use the word shield a.pdf
annaiwatertreatment
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference Keynote
SandraPaiva
Cyber security awareness for end users
Cyber security awareness for end users
NetWatcher
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
Group of company MUK
Data Privacy for Activists
Data Privacy for Activists
Greg Stromire
Challenges2013
Challenges2013
Lancope, Inc.
Break IT Down by Josh Smith
Break IT Down by Josh Smith
EC-Council
Reading the Security Tea Leaves
Reading the Security Tea Leaves
Ed Bellis
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
Dinis Cruz
Protecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World Safety
AEGILITY
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
CiNPA Security SIG
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
Avansa Mid- en Zuidwest
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
NetWatcher
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
NowSecure
NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2
Charles Klondike
Webinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcription
Service2Media
Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)
Microsoft Argentina y Uruguay [Official Space]
Security
Security
Bob Cherry
AEPWP09292016
AEPWP09292016
Demi Washington
Similaire à Appsec usa roberthansen
(20)
If we design any page or devoleped any code we use the word shield a.pdf
If we design any page or devoleped any code we use the word shield a.pdf
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference Keynote
Cyber security awareness for end users
Cyber security awareness for end users
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
Data Privacy for Activists
Data Privacy for Activists
Challenges2013
Challenges2013
Break IT Down by Josh Smith
Break IT Down by Josh Smith
Reading the Security Tea Leaves
Reading the Security Tea Leaves
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
Protecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World Safety
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2
Webinar Security: Apps of Steel transcription
Webinar Security: Apps of Steel transcription
Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)
Security
Security
AEPWP09292016
AEPWP09292016
Plus de drewz lin
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
drewz lin
Phu appsec13
Phu appsec13
drewz lin
Owasp2013 johannesullrich
Owasp2013 johannesullrich
drewz lin
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
drewz lin
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
drewz lin
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
drewz lin
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
drewz lin
Appsec2013 presentation
Appsec2013 presentation
drewz lin
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
drewz lin
Amol scadaowasp
Amol scadaowasp
drewz lin
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
drewz lin
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
drewz lin
新浪微博稳定性经验谈
新浪微博稳定性经验谈
drewz lin
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
drewz lin
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
drewz lin
Plus de drewz lin
(20)
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
Phu appsec13
Phu appsec13
Owasp2013 johannesullrich
Owasp2013 johannesullrich
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation
Appsec2013 presentation
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
Amol scadaowasp
Amol scadaowasp
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
新浪微博稳定性经验谈
新浪微博稳定性经验谈
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
Dernier
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Maria Levchenko
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
RTylerCroy
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
BookNet Canada
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Ridwan Fadjar
Slack Application Development 101 Slides
Slack Application Development 101 Slides
praypatel2
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Allon Mureinik
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Sinan KOZAK
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Alan Dix
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
Scott Keck-Warren
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
Sujit Pal
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
Dernier
(20)
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Slack Application Development 101 Slides
Slack Application Development 101 Slides
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Appsec usa roberthansen
1.
The Perilous Future of
Browser Security Robert Hansen Director of Product Management
2.
Robert ―RSnake‖ Hansen
Director of Product Management (Labs) International presenter Ran ha.ckers.org Author – Website Security for Dummies – Detecting Malice – Cross-site scripting attacks Hobbies – Breaking the web so you don’t have to © WhiteHat Security 2013 2
3.
Let me start
by saying… I love (most) people who work on browsers. When I talk to them they seem: – Smart – Honest/Ethical – And they DO get the problem and understand the solutions I mean guys like Dan Veditz (FF), David Ross (Chrome), Katie Moussouris (IE), etc. no disrespect. They’re awesome (really–buy them a drink, give them hugs, etc.). However, I will argue that they are not allowed to do their jobs due to how their company’s business models are structured. © WhiteHat Security 2013 3
4.
Question: Why are
you here? I don’t mean here as in this presentation. I mean, why are you in security? – Money? – Fame/glory? – Protecting yourself? – Protecting others? Jeremiah and I got into this to protect others and fix things. If you want to have the biggest impact on security, browsers matter. © WhiteHat Security 2013 4
5.
Scale of our
problem (not to scale) People using the Internet (2.4BN) People who care about security/privacy (84-90%* = 2.16BN) People we know and could theoretically help directly (probably millions) People who use Noscript (1.9M users = 0.1%) * http://www.innovationexcellence.com/blog/2013/03/14/when-do-people-care-about-privacy/ © WhiteHat Security 2013 5
6.
―…different people want
different experiences, and are going to choose their browser based on that preference‖ Chris Blizzard Director of Web Platform Mozilla
7.
Security Functionality © WhiteHat Security
2013 Usability 7
8.
Shrinking bandwidth: managing
competing demands Monetizing users Advertisers Googl e High conversion Low CPC High CTR Good ROI Higher ad spend Fast Fast performance performance Quality products Users Privacy Security © WhiteHat Security 2013 Search quality 8
9.
Yes, Google’s ads
compete with advertisers http://www.stateofsearch.com/wp-content/uploads/2012/01/ad-page-labeled.png © WhiteHat Security 2013 9
10.
The goal…
11.
You can’t start
a project without a goal Simplest goal possible: Protect sensitive information. My personal path to achieve that goal: Every potential vulnerability should have at least two measures of defense because we should always assume at least one vulnerability in every defense mechanism. © WhiteHat Security 2013 11
12.
Why can’t you
just use Tor Browser? The ―Grandpa‖ problem Tor Exit nodes are compromised (100 embassy password issue) Grandpa sends sensitive info over HTTP Exit node grabs data and steals Grandpa’s retirement © WhiteHat Security 2013 12
13.
Anonymity vs. Privacy Action Anonymity Explanation No Want
to submit a loan app Privacy Yes You must let the loan company know who you are anyway, so anonymity is inherently broken. Want to surf legal Probably not adult material Want to be a dissident Research pressure cookers Yes Yes © WhiteHat Security 2013 Yes Unless your profession/relationships hinge upon morality, privacy is only required Yes No one can be trusted – even relatives. Probably not Someone may take it the wrong way if you search for something ―bad‖ while your family will ask you first. 13
14.
Average websites today ©
WhiteHat Security 2013 14
15.
What I am
personally willing to sacrifice… Usability I don’t personally need anything to be fast. In fact, speed kills (but I do want to be efficient). I don’t need bookmarks, autofill, prefetching, web slice gallery, etc… I don’t need ―whizbang‖ websites, and if I do I’m willing to do ―work‖ to get them to function as intended I don’t care about popups or warnings as long as they are useful warnings of possible irreversible impending danger © WhiteHat Security 2013 15
16.
Our Enemies
17.
1 Xdomain*? Solution: RequestPolicy Noscript
(for iframes, JS and objects) - ABE Port blocking - (both locally egress and at a network level via BSD pf) Removing credentials often/upon logout Split horizon DNS (when applicable) © WhiteHat Security 2013 17
18.
2 Command execution Solution: Noscript
& QuickJava Removing protocol handlers (or they must ask for permission) Click to play Sandboxie (possibly similar to sandbox-exec or jailkit) Windows 7 (gold images) – ASLR (go MS!!) BSD chrooted jail (again, possibily similar to sandbox-exec or jailkit) Anti-virus Geli–similar to ftimes–data integrity Application whitelisting and content integrity monitoring © WhiteHat Security 2013 18
19.
It’s like an
onion… FreeBSD building chrooted jails wrapping every VM individually, wrapping OSs, wrapping Sandboxie, wrapping Firefox © WhiteHat Security 2013 19
20.
3 Data exfiltration and
privacy Solution: Disabling Aero transparency theme (Windows 7+) Removing credentials upon logout Disabling anti-phishing and anti-malware support RequestPolicy > AdBlock Settings require plugin permissions BurpProxy + Wireshark + processexplorer Firefox built in lack of access to res:// file:// and Windows variables, but chrome:// and about:// could be just as deadly… Gold image upon reboot removes old Flash cookies, etc… and has no access to ―sensitive‖ files FF is fixed CSS history hack © WhiteHat Security 2013 20
21.
4 Man in the
middle Solution: Internal CA instead of relying on Verisign, etc… Gold image to remove temporarily allowed certs Stand alone proxy support in Firefox + FoxyProxy SSH and/or VPN tunnels (both are preferable) Perspectives or sslvis (Just wish it worked!) Problem! What about burp proxy!? Chain Firefox -> Burp -> local SSH tunnel Or use a VPN in a VM and wrap all traffic © WhiteHat Security 2013 21
22.
5 Pretexting/phishing Anti-phishing lists can’t
be trusted No good solutions, but there are funky solutions: OpenDNS’s phish tank (if you trust them and can use them) NoScript + ABE + Request Policy to disable JS in superbait scenarios and break links to high value pages (if they don’t break, that’s a problem). Of course this doesn’t work with email. Education! - I worked on anti-phishing products at eBay, am a life-member of APWG, am on the advisory board of phishme.com, etc… so…. - No password re-use minimizes potential impact © WhiteHat Security 2013 22
23.
Some of my
plugins Noscript XSS, clickjacking, ABE Foxyproxy Noscript FF has stand alone proxy support (both good and bad) RequestPolicy CSRF, clickjacking, some XSS QuickJava Redundancy Perspectives Foxy Proxy Quick Java Request Policy Perspectives MitM © WhiteHat Security 2013 23
24.
Scorched earth approach ©
WhiteHat Security 2013 24
25.
What must my browser
look like? (be afraid…)
26.
Behold: CNN © WhiteHat
Security 2013 26
27.
© WhiteHat Security
2013 27
28.
Ads “…we couldn't run
our system if everything in it were encrypted because then we wouldn't know which ads to show you. So this is a system that was designed around a particular business model.” – Vince Cerf, Google “You get the smartest people in the world together, the best people this industry has to offer, for the sole purpose of serving up ads?” – Jeremiah Grossman, WhiteHat Security © WhiteHat Security 2013 28
29.
People actively dislike
advertisers Percent of adult internet users who say they have used the internet in ways to avoid being observed or seen by… © WhiteHat Security 2013 29
30.
Why are ads
so bad anyway? Often fraudulent (E.g., Malvertising, virii) Waste of time/ bandwidth/page load Synonymous with tracking Often very offensive (E.g.: women/children) Obnoxious to the eyes and ears © WhiteHat Security 2013 30
31.
Big business drives
big data © WhiteHat Security 2013 31
32.
DNT: number one
complaint IE10 doesn’t respect the spec. © WhiteHat Security 2013 32
33.
DNT UI: not
compliant © WhiteHat Security 2013 33
34.
DNT Yahoo/Pinterest/Twitter support
it, sorta When asked, consumers want privacy: (84%) http://www.innovationexcellence.com/blog/2013/03/14/when-do-people-care-about-privacy/ (90%) http://www.neowin.net/news/microsoft-only-47-percent-of-people-try-to-protect-their-privacy-online Ad co’s are backing out of compliance © WhiteHat Security 2013 34
35.
DNT by the
numbers: Part I How many clicks away? IE10: ALT, Tools, Internet Options, Advanced, Scroll, Click, OK (7, however on by default so really, 0) FF: Click on Firefox, Options, Privacy, Click, OK (5) Chrome: Click on Chrome, Preferences, Scroll, Click ―Show advanced settings‖, Scroll, Click (6) Safari: Click on Safari, Preferences, Privacy, Click, OK (5) © WhiteHat Security 2013 35
36.
DNT by the
numbers: Part II It’s not how the spec works – it’s how browsers user it. Opt out = no signal. If we believe the Trueffect numbers: – IE10: 86.46%* Now sends DNT – FF: 19.27%* Now sends DNT – Chrome: 2.85% Now sends DNT http://blog.trueffect.com/bid/328804/Microsoft-Internet-Explorer-10-and-Trueffect-Changes-To-Do-Not-Track http://news.softpedia.com/news/17-Percent-of-Firefox-Users-Have-Enabled-Do-Not-Track-351175.shtml © WhiteHat Security 2013 36
37.
DNT by the
numbers: Part III Which browser (IE10, Chrome or Firefox) respects user wishes more? Let’s ignore IE10? That’s good for everyone, everywhere, IE, FF, Google, the Advertisers — everyone except the consumer. DNT was a distraction, but a useful one for (ironically) for data collection. © WhiteHat Security 2013 100% 90% 80% 70% Consumer preference IE10 60% 50% FF 40% 30% Chrome 20% 10% 0% 37
38.
How does that
relate with ad blocking? http://downloads.pagefair.com/reports/the_rise_of_adblocking.pdf © WhiteHat Security 2013 38
39.
An ―ad war?‖
Yes. First there was annoying ads ABP became the most downloaded add-on at 14.9M Then Congress got involved??? active users Then ads companies pay off ABP © WhiteHat Security 2013 39
40.
Say WHAAAAT? That’s
right, Congress! http://stanford.edu/~jmayer/content/Pompeo_Mozilla_Letter.pdf © WhiteHat Security 2013 40
41.
Payoffs? What payoffs? ©
WhiteHat Security 2013 41
42.
The battle lines
are drawn The Ad industry doesn’t believe in 3rd party cookie blocking because it hurts tracking and therefore revenue. Remember: $40 billion a year for Googe alone! Browser companies do what the industry wants because they are paid by ads: Google: 96% of it’s revenues = ads* Firefox: 98% of it’s revenues = search deals, of which Google makes up ~80-90% of those deals* http://www.investopedia.com/stock-analysis/2012/what-does-google-actually-make-money-from-goog1121.aspx http://www.computerworld.com/s/article/9220695/Mozilla_relies_on_search_deals_for_98_of_revenues http://www.pcmag.com/article2/0,2817,2398046,00.asp © WhiteHat Security 2013 42
43.
Where are ads
(probably) heading? Logical conclusion is that derivatives of ad blocking (E.g. Disconnect) will win against most 3rd party JavaScript ads, sans virus evasion techniques: fast-flux. However, advertisers will react by creating locally hosted/obfuscated ads. Companies will increase blackmail tactics to force viewers to see ads. Regulation. DNT via FTC. Consumers win, sorta. Google attacks Ad blockers. © WhiteHat Security 2013 43
44.
Where are ads
(probably) heading? What? Google attacking ad blockers? ―No wayyyyy…‖ I can hear you saying…. ―4.4 Prohibited Actions. You agree that you will not engage in any activity with the Market, including the development or distribution of Products, that interferes with, disrupts, damages, or accesses in an unauthorized manner the devices, servers, networks, or other properties or services of any third party including, but not limited to, Android users, Google or any mobile network operator…‖ © WhiteHat Security 2013 44
45.
What’s the ―so
what?‖ So yes, DNT may be a waste of time and as a result, IAB and advertisers ignore it. Numbers-wise it’s still great. So let’s build technical controls to opt for what the consumer actually wants, not what the advertisers want. Do-Not-Track < Can-Not-Track Once the advertisers learn how to behave we can reconsider this approach. © WhiteHat Security 2013 45
46.
What should we
do? Don’t recommend my setup to the masses – we need something better! Socialize that most browser vendors probably want to do the right thing, but their $40BN/year business models (and fear of lawsuits) prohibit it. Start tackling the problems one at a time: higher security and privacy to feature ratio. Always side with the consumer, they are our families and they should always win. It’s ethical and good for our Internet. © WhiteHat Security 2013 46
47.
What is WhiteHat
doing? WhiteHat is in a unique position of zero conflict of interest with privacy/security. We don’t believe in ―Do-Not-Track‖, we continue to embrace ―Can-Not-Track‖ Aviator will add in additional security and privacy features. © WhiteHat Security 2013 47
48.
Thank You. Robert Hansen Director
of Product Management @RSnake
Télécharger maintenant