HTML5 Security
William J. Edney, Technical Pursuit Inc.
Thursday, May 16, 2013

DESCRIPTION

A mid-level manager's talk about the new capabilities in HTML5 and what to watch out for security-wise.

Page 1: HTML5 security

HTML5 Security

William J. Edney

Technical Pursuit Inc.

Thursday, May 16, 13

Page 2: HTML5 security

Clarification

• Much of what is termed “HTML5”, insofar as new programming capability is concerned, is not really HTML at all. It is mostly new JavaScript APIs added to the browser.

Page 3: HTML5 security

“Hot button” issue

• Much of ‘external-facing’ computing is done on the Web these days:
  • E-commerce
  • Customer care
  • Partner collaboration

Page 4: HTML5 security

What hasn’t changed: Same-Origin Policy

• Core of web security

• Two pages share an origin only when all three match:
  • Same protocol (scheme)
  • Same host
  • Same port

• XMLHttpRequest is bound by this policy: a page can read responses only from its own origin

Page 5: HTML5 security

What hasn’t changed: Extensions / addons

• Extensions can get access to:
  • Bookmarks
  • File system
  • Cross-origin XHR

• They require extra user permission to install, and once installed they run outside the same-origin policy

Page 6: HTML5 security

“HTML5” additions

• Cross-Origin Resource Sharing (CORS)

• [Web, DOM, Local] Storage

• IndexedDB (supplants Web SQL Database, a.k.a. WebDB)

• Offline Apps (application cache ‘manifest’)

• Geolocation API

• Downloadable Fonts (@font-face)

Page 7: HTML5 security

“HTML5” additions

• Cross-window messaging (‘postMessage’)

• Filesystem APIs

• Device APIs (Camera, GPS, etc.)

Page 8: HTML5 security

Future

• Web Crypto

• Web Real Time Communication (WebRTC)
  • Today in Chrome and Firefox

Page 9: HTML5 security

Relaxing same-origin

• document.domain property
  • siteA.foo.com and siteB.foo.com can both set document.domain to ‘foo.com’ and then script each other (both sides must set it, and the scheme must still match)

• JSONP: a <script> tag loads cross-origin code, which then runs with the page’s full privileges

• HTML5: CORS

• HTML5: postMessage()

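
As an added example (not part of the original deck), the following JavaScript models the origin comparison from the “Same-Origin Policy” slide together with the document.domain relaxation listed above. The hostnames, the allowlist of cases and the simplified document.domain rules are assumptions for illustration; real browsers additionally refuse to set document.domain to a public suffix such as “com”.

```javascript
// Added example: a model of the browser's origin check (scheme, host, port)
// and of the document.domain relaxation. Hosts below are made up.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Origin = (scheme, host, port). A missing port means the scheme's default,
// so http://foo.com and http://foo.com:80 are the same origin.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A page may set document.domain only to its own host or a parent domain of it.
// (Simplification: real browsers also refuse public suffixes such as "com".)
function canSetDomain(host, value) {
  const v = value.toLowerCase();
  return host === v || host.endsWith("." + v);
}

// Can page A script page B? domainA/domainB are the values each page assigned
// to document.domain, or null if it never touched the property. Once either
// side sets it, BOTH must have set it to the same value, and the scheme must
// still match; the port is no longer compared after relaxation.
function canScript(urlA, domainA, urlB, domainB) {
  const a = originOf(urlA), b = originOf(urlB);
  if (domainA === null && domainB === null) return sameOrigin(urlA, urlB);
  if (domainA === null || domainB === null) return false;
  if (a.scheme !== b.scheme) return false;
  if (!canSetDomain(a.host, domainA) || !canSetDomain(b.host, domainB)) return false;
  return domainA.toLowerCase() === domainB.toLowerCase();
}
```

The point the model makes concrete: http://foo.com and http://foo.com:8080 are different origins, http and https are different origins, and siteA.foo.com can only talk to siteB.foo.com after both pages opt in by setting document.domain; a page on evil.bar.com cannot claim ‘foo.com’ because it is not a parent of its own host.
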
Page 10: HTML5 security

Core issues

• No fine-grained security model

• ‘Same origin’ policy is the master for the foreseeable future

• Some APIs prompt the user for permission
  • Users are becoming overwhelmed

Page 11: HTML5 security

API Recommendations

• CORS
  • For intranet/extranet data-sharing, use specific domains, not “Access-Control-Allow-Origin: *”
  • Match the request’s Origin header against an exact allowlist; reflecting whatever Origin arrives is equivalent to “*” (and, unlike “*”, works with credentials)

• [Web, DOM, Local] Storage
  • Use encryption, if available: the browser stores the data in clear text, readable by any script running in the origin (including injected script)

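
The CORS recommendation above, as an added example that is not from the original deck: a function that derives the CORS response headers from an explicit allowlist, beside the two shortcuts that quietly turn an allowlist back into “*”. The origins, allowed methods, header names and request objects are constructed for illustration; the request shape follows Node’s http module (lower-cased header names) but no server is started.

```javascript
// Added example: deriving CORS response headers from an explicit allowlist
// instead of "Access-Control-Allow-Origin: *". Origins, methods and the
// request objects are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://partner.example.com",
  "https://intranet.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];

// req = { method, headers } with lower-cased header names, as Node's http gives them.
// Returns the CORS headers to add, or {} when the browser should get none
// (it will then refuse to expose the response to the calling page).
function corsHeaders(req, allowlist = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  if (origin === undefined) return {};          // same-origin or non-browser client
  if (!allowlist.has(origin)) return {};        // exact match only; unknown origin gets nothing
  const headers = {
    "Access-Control-Allow-Origin": origin,      // the one origin that asked, never "*"
    "Vary": "Origin",                           // shared caches must key on Origin
    "Access-Control-Allow-Credentials": "true",
  };
  if (req.method === "OPTIONS" && "access-control-request-method" in req.headers) {
    // Preflight: state what is permitted without running the endpoint.
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Two ways an allowlist is commonly defeated in practice.
// 1. Reflecting the Origin header: behaves like "*", but also works with
//    cookies, which "*" does not, so it is strictly worse.
function reflectOrigin(req) {
  return {
    "Access-Control-Allow-Origin": req.headers.origin,
    "Access-Control-Allow-Credentials": "true",
  };
}
// 2. Suffix matching: "https://evilexample.com" also ends with "example.com".
function suffixMatch(origin) {
  return origin.endsWith("example.com");
}
```

Note the Vary: Origin header: without it a shared cache can serve a response carrying one partner’s Access-Control-Allow-Origin to a different origin.
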
Page 12: HTML5 security

API Recommendations

• IndexedDB
  • Use encryption, if available

• Offline Apps

• Geolocation API
  • Intranet/Extranet: Use sparingly

Page 13: HTML5 security

API Recommendations

• Downloadable fonts:
  • Intranet/Extranet: Don’t use them

• Cross-window messaging (‘postMessage’)
  • Intranet/Extranet: Use sparingly
  • When you do: send with an explicit targetOrigin (never ‘*’) and check event.origin before acting on a received message

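
The postMessage recommendation above, as an added example that is not part of the original deck: the sender names the exact origin it means to reach, and the receiver checks event.origin before it parses anything. Because window.postMessage only exists in a browser, the block uses a constructed FakeWindow stand-in that applies the browser’s delivery rule (the message is dropped unless the target’s current origin matches targetOrigin); the origins and message types are assumptions.

```javascript
// Added example: the two checks that make cross-window messaging safe.
// Sender: name the exact origin you mean to reach. Receiver: verify
// event.origin before touching event.data. Origins and messages are made up.
const TRUSTED_ORIGINS = new Set(["https://app.example.com", "https://widget.example.com"]);

// Receiver side: a "message" listener that drops anything from an untrusted
// origin before parsing, then validates the payload shape.
function makeMessageHandler(onMessage, trusted = TRUSTED_ORIGINS) {
  return function handleMessage(event) {
    if (!trusted.has(event.origin)) return false;
    let msg;
    try { msg = JSON.parse(event.data); } catch { return false; }
    if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") return false;
    onMessage(msg, event.origin);
    return true;
  };
}

// Sender side: refuse "*". With an explicit targetOrigin the browser drops the
// message if the frame has meanwhile been navigated to another site.
function sendMessage(senderWin, targetWin, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to post with targetOrigin '*'");
  return targetWin.postMessage(JSON.stringify(message), targetOrigin, senderWin.origin);
}

// Constructed stand-in for a browsing context so the flow runs outside a browser.
// Real window.postMessage takes (message, targetOrigin); the browser, not the
// caller, fills in event.origin. Here the sender's origin is passed explicitly.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; }
  addEventListener(type, fn) { if (type === "message") this.listeners.push(fn); }
  postMessage(data, targetOrigin, senderOrigin) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return false; // dropped
    for (const fn of this.listeners) fn({ origin: senderOrigin, data });
    return true;
  }
}

// Walk through three cases: legitimate message, frame navigated away,
// hostile page posting into the widget.
function demo() {
  const received = [];
  const app = new FakeWindow("https://app.example.com");
  const widget = new FakeWindow("https://widget.example.com");
  const attacker = new FakeWindow("https://attacker.example");
  widget.addEventListener("message", makeMessageHandler((m, o) => received.push([o, m.type])));

  const delivered = sendMessage(app, widget, { type: "init" }, "https://widget.example.com");
  // The frame now shows attacker.example: the explicit targetOrigin blocks delivery.
  const leaked = sendMessage(app, attacker, { type: "init" }, "https://widget.example.com");
  // The attacker posts into the widget with "*": the browser delivers, the handler drops.
  const hostile = widget.postMessage(JSON.stringify({ type: "init" }), "*", attacker.origin);
  return { received, delivered, leaked, hostile };
}
```

The two checks are independent: targetOrigin protects what you send from a frame that no longer belongs to you, and the event.origin check protects what you receive from any page that can obtain a reference to your window.
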
Page 14: HTML5 security

API Recommendations

• Filesystem APIs
  • Intranet/Extranet: Don’t use them

• Device APIs
  • Intranet/Extranet: Use sparingly

• X-Frame-Options HTTP header
  • Send DENY or SAMEORIGIN so other sites cannot frame your pages (clickjacking)

Page 15: HTML5 security

Future

• W3C has begun standardizing the “Content Security Policy” (CSP)

• Fine-grained, cross-API security mechanism: a response header telling the browser which sources each resource type (scripts, styles, fonts, images, frames, XHR connections, plugins) may be loaded from, and whether inline script may run

• Currently a Candidate Recommendation (CSP 1.0)

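
As an added example, not from the original deck, here are the two response headers the preceding slides recommend (X-Frame-Options and a Content Security Policy) together with a small audit that flags the usual ways a policy gets weakened. The policy values, hostnames and report endpoint are placeholders; the audit rules are the author-of-this-example’s checks, not anything from the W3C text.

```javascript
// Added example: the response headers the two slides above recommend, plus a
// small audit that flags the usual ways a CSP is weakened. Policy values and
// hostnames are placeholders.
const CSP_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com"],
  "object-src": ["'none'"],
  "style-src": ["'self'"],
  "font-src": ["'self'"],
  "connect-src": ["'self'", "https://api.example.com"],
  "frame-src": ["'none'"],
  "report-uri": ["/csp-report"],
};

function serializeCsp(policy) {
  return Object.entries(policy).map(([name, values]) => `${name} ${values.join(" ")}`).join("; ");
}

// Parse a header back into { directive: [sources] }. If a directive appears
// twice, browsers honour the first occurrence and ignore the rest; do the same.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Returns a list of findings; an empty list means no obvious weakness.
function auditCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  const scriptSrc = p["script-src"] || p["default-src"];   // script-src falls back to default-src
  if (!scriptSrc) {
    findings.push("no script-src or default-src: scripts may load from anywhere");
  } else {
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows inline script: injected <script> still runs");
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows eval()");
    if (scriptSrc.some(s => s === "*" || s === "http:" || s === "https:")) findings.push("script-src allows scripts from any host");
    if (scriptSrc.includes("data:")) findings.push("script-src allows data: URIs");
  }
  if (!(p["object-src"] || p["default-src"])) findings.push("no object-src: plugins may be embedded");
  if (!p["report-uri"]) findings.push("no report-uri: violations are not reported");
  return findings;
}

// Headers to send on every HTML response. CSP 1.0 has no frame-ancestors
// directive, so X-Frame-Options remains the clickjacking control.
function securityHeaders(policy = CSP_POLICY, frameOption = "DENY") {
  return {
    "Content-Security-Policy": serializeCsp(policy),
    "X-Frame-Options": frameOption,   // DENY, or SAMEORIGIN if you frame your own pages
  };
}
```

A policy of `default-src *; script-src * 'unsafe-inline'` passes through a browser without error but gives no protection against injected script; the audit reports that, while the policy built from CSP_POLICY above reports nothing.
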
Page 16: HTML5 security

Organizational policies

• Use different browsers (or browser profiles) for tasks requiring different levels of security
  • IE for work, FF for play / personal

• Use work machine / browser only for work
  • Use own device for personal

Page 17: HTML5 security

Conclusion

• Browsers are becoming more powerful

• Users will upgrade
  • Users will find ways around your attempts to prevent them from upgrading

• As with much of IT security, the real solution lies in education and organizational policy

Page 18: HTML5 security

Questions?

• Thanks!
