SlideShare une entreprise Scribd logo

Security and Privacy on the Web in 2015

F
Francois Marier

In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages. As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications. https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en

Logiciels
1  sur  105
Télécharger pour lire hors ligne
Security and Privacy on the Web in 2015 François Marier @fmarier mozilla
Firefox Security & Privacy
Web Platform
Web Platform
Content Security Policy aka CSP
Content Security Policy aka CSP mechanism for preventing XSS
telling the browser what external content is allowed to load
Hi you<script> alert('p0wned'); </script>! Tweet! What's on your mind?
without CSP
Hi you! John Doe - just moments ago p0wned Ok
with CSP
Hi you! John Doe - just moments ago
Content-Security-Policy: script-src 'self' https://cdn.example.com
inline scripts are blocked unless unsafe-inline is specified
script-src object-src style-src img-src media-src frame-src font-src connect-src
$ curl --head https://twitter.com HTTP/1.1 200 OK content-length: 58347 content-security-policy: … report-uri https://twitter.com/csp_report violation reports:
"csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'", "effective-directive": "img-src", "original-policy": "default-src 'self'; report-uri http://example.org/..." }
support for inline scripts Content-Security-Policy: script-src 'sha256-YWIzOW...'
Strict Transport Security aka HSTS
Strict Transport Security aka HSTS mechanism for preventing HTTPS to HTTP downgrades
telling the browser that your site should never be reached over HTTP
GET banque.fr 301→ GET https://banque.fr 200→ no HSTS, no sslstrip
GET banque.fr → 200 no HSTS, with sslstrip
what does HSTS look like?
$ curl -i https://example.com HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 ...
with HSTS, with sslstrip GET https://banque.fr 200→
silent client-side redirects HTTP → HTTPS
no HTTP traffic for sslstrip to tamper with
except for the very first connection
https://hstspreload.appspot.com/
coming up in 2015
https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js
how common is this?
what would happen if that server were compromised?
Bad Things™ steal sessions leak confidential data redirect to phishing sites enlist DDoS zombies
simple solution
instead of this: <script src=”https://ajax.googleapis.com...”>
<script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...”> do this:
guarantee: script won't change or it'll be blocked
limitation: won't work for scripts that change all the time
https://ajax.googleapis.com /ajax/libs/jquery/1.8.0/ jquery.min.js
there's a little something missing...
<script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”> complete example:
“a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin” same-origin policy
example.com/index.html
example.com/index.html example.com/data.js: var secret = 42;
example.com/index.html example.com/data.js: var secret = 42; evil.net/widget.js: exfiltrate(secret);
example.com/index.html example.com/data.js: var secret = 42; evil.net/widget.js: exfiltrate(secret);
on the server: Access-Control-Allow-Origin: *
on the server: Access-Control-Allow-Origin: * on the client: crossorigin=”anonymous”
<script src=”https://ajax.googleapis.com...” integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”> complete example:
<link rel="stylesheet" href="style.css" integrity="sha256-PgMdguwx/O..." crossorigin=”anonymous”> complete example:
SRIhash.org
http://example.com/search?q=serious+medical+condition Click here for the cheapest insurance around! Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
No Referrer No Referrer When Downgrade Origin Only Origin When Cross Origin Unsafe URL
Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">
Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">
Content-Security-Policy: referrer origin; <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">
(initial implementations)
HTTPS
if you're not using it, now is the time to start :)
mass surveillance of all Internet traffic is no longer theoretical
strong encryption of all Internet traffic is no longer optional
“If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.” -Bruce Schneier
ps://gigaom.com/2015/02/19/dont-let-att-mislead-you-about-its-29-privacy-fee/
$ apt-get install letsencrypt $ letsencrypt example.com
automatically prove domain ownership download a free-as-in-beer certificate monitor and renew it before it expires
automatically prove domain ownership download a free-as-in-beer certificate monitor and renew it before it expires
automatically prove domain ownership download a free-as-in-beer certificate monitor and renew it before it expires
HTTPS is not enough you need to do it properly
RC4
SHA-1 RC4
SHA-11024-bit certificates RC4
SHA-11024-bit certificates RC4 weak DH parameters
https://people.mozilla.org/~fmarier/mixed-content.html <html> <head> <script src="http://people.mozilla.org/~fmarier/mixed-content.js"> </script> </head> <body> <img src="http://fmarier.org/img/francois_marier.jpg"> </body> </html>
turn on full mixed-content blocking in development
Start by enabling HTTPS and HSTS Use SRI for your external scripts Set a more restrictive Referrer policy Consider enabling CSP Watch out for mixed content
Questions? feedback: francois@mozilla.com mozilla.dev.security public-webappsec@w3.org © 2015 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
photo credits: tinfoil: https://www.flickr.com/photos/laurelrusswurm/15129449047 explosion: https://www.flickr.com/photos/-cavin-/2313239884/ snowden: https://www.flickr.com/photos/gageskidmore/16526354372

Recommandé

Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defense
SecuRing
 

Recommandé

Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defense
SecuRing
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
SecurityTube.Net
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
Securing your web infrastructure
Securing your web infrastructureSecuring your web infrastructure
Securing your web infrastructure
WP Engine
 
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Ontico
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijacking
Комсс Файквэе
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
Xavier Mertens
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail Scanner
Xavier Mertens
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
OWASP
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
Rahul
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
Philippe De Ryck
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
Matt Raible
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security Policy
Markus Wichmann
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
Xavier Mertens
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
Arun Gupta
 
I See You
I See YouI See You
I See You
Andrew Beard
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Heroku
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 

Contenu connexe

Tendances

Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Ontico
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
Matt Raible
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
I See You
I See YouI See You
I See You
Andrew Beard
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Heroku
 

Tendances (20)

Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
Securing your web infrastructure
Securing your web infrastructureSecuring your web infrastructure
Securing your web infrastructure
 
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijacking
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail Scanner
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security Policy
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
 
I See You
I See YouI See You
I See You
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
 

Similaire à Security and Privacy on the Web in 2015

W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
 
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chainPLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
PROIDEA
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 

Similaire à Security and Privacy on the Web in 2015 (20)

W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chainPLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
PLNOG23 - Paweł Rzepa - Attacking AWS: the full cyber kill chain
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and Practitioners
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 

Plus de Francois Marier

Security and Privacy settings for Firefox Power Users
Security and Privacy settings for Firefox Power UsersSecurity and Privacy settings for Firefox Power Users
Security and Privacy settings for Firefox Power Users
Francois Marier
 
Hardening Firefox for Security and Privacy
Hardening Firefox for Security and PrivacyHardening Firefox for Security and Privacy
Hardening Firefox for Security and Privacy
Francois Marier
 
Outsourcing your webapp maintenance to Debian
Outsourcing your webapp maintenance to DebianOutsourcing your webapp maintenance to Debian
Outsourcing your webapp maintenance to Debian
Francois Marier
 
Easy logins for Ruby web applications
Easy logins for Ruby web applicationsEasy logins for Ruby web applications
Easy logins for Ruby web applications
Francois Marier
 
You're still using passwords on your site?
You're still using passwords on your site?You're still using passwords on your site?
You're still using passwords on your site?
Francois Marier
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScript
Francois Marier
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
Francois Marier
 
Easy logins for PHP web applications
Easy logins for PHP web applicationsEasy logins for PHP web applications
Easy logins for PHP web applications
Francois Marier
 
Persona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole WebPersona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole Web
Francois Marier
 
Taking the pain out of signing users in
Taking the pain out of signing users inTaking the pain out of signing users in
Taking the pain out of signing users in
Francois Marier
 
Mozilla Persona for your domain
Mozilla Persona for your domainMozilla Persona for your domain
Mozilla Persona for your domain
Francois Marier
 
Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?
Francois Marier
 

Plus de Francois Marier (20)

Security and Privacy settings for Firefox Power Users
Security and Privacy settings for Firefox Power UsersSecurity and Privacy settings for Firefox Power Users
Security and Privacy settings for Firefox Power Users
 
Getting Browsers to Improve the Security of Your Webapp
Getting Browsers to Improve the Security of Your WebappGetting Browsers to Improve the Security of Your Webapp
Getting Browsers to Improve the Security of Your Webapp
 
Hardening Firefox for Security and Privacy
Hardening Firefox for Security and PrivacyHardening Firefox for Security and Privacy
Hardening Firefox for Security and Privacy
 
Privacy and Tracking Protection in Firefox
Privacy and Tracking Protection in FirefoxPrivacy and Tracking Protection in Firefox
Privacy and Tracking Protection in Firefox
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Supporting Debian machines for friends and family
Supporting Debian machines for friends and familySupporting Debian machines for friends and family
Supporting Debian machines for friends and family
 
Outsourcing your webapp maintenance to Debian
Outsourcing your webapp maintenance to DebianOutsourcing your webapp maintenance to Debian
Outsourcing your webapp maintenance to Debian
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Easy logins for Ruby web applications
Easy logins for Ruby web applicationsEasy logins for Ruby web applications
Easy logins for Ruby web applications
 
Easy logins for JavaScript web applications
Easy logins for JavaScript web applicationsEasy logins for JavaScript web applications
Easy logins for JavaScript web applications
 
You're still using passwords on your site?
You're still using passwords on your site?You're still using passwords on your site?
You're still using passwords on your site?
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScript
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
Easy logins for PHP web applications
Easy logins for PHP web applicationsEasy logins for PHP web applications
Easy logins for PHP web applications
 
Persona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole WebPersona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole Web
 
Taking the pain out of signing users in
Taking the pain out of signing users inTaking the pain out of signing users in
Taking the pain out of signing users in
 
Mozilla Persona for your domain
Mozilla Persona for your domainMozilla Persona for your domain
Mozilla Persona for your domain
 
Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?
 
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...
 
The problem with passwords on the web and what to do about it
The problem with passwords on the web and what to do about itThe problem with passwords on the web and what to do about it
The problem with passwords on the web and what to do about it
 

Dernier

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 

Dernier (20)

Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 

Security and Privacy on the Web in 2015