IE8 / Firefox 3 Browser Security

Christopher Hughes

on 20 April 2010

Transcript of IE8 / Firefox 3 Browser Security

Browser Security of IE8 and FF3.6

Overview

  • Security... What is it?
  • Why is it important to the average user?
  • Is this something I have to worry about?

Some numbers...

  • 123 cyber security alerts issued
  • 0 current moderately critical risk
  • 0 current minimally critical risk
  • 0 current non-critical risks
  • 0 current total potential risks
  • 43 days to release patches for 115 holes

  • 384 cyber security alerts issued
  • 1 current moderately critical risk
  • 1 current minimally critical risk
  • 2 current non-critical risks
  • 43 current total potential risks
  • 110 days to release patches for 31 holes

Specific Attacks

Cross-site Request Forgery

Both Internet Explorer and Firefox use the Origin header in order to prevent cross-site request forgery attacks.
Document.URL parameter writable in IE. Allows Login CSRF. In addition, it allows a payload to be embedded in the URL or Referrer object/header and allows for a DoS attack.

The Origin Header is similar to the Request Header; it is required and enables the client to send sanitized information about the origin of each request to the server. It does not send path information.

Cross-site Scripting

CSS Filtering

  • Triggered by source and destination differences
  • Intercepts POST / GET requests between client and server
  • Uses heuristics to identify signatures which are used to identify scripts
  • Scripts are disabled by replacing a neuter character selected from a pool of neuter characters with a replacement character in the script

  • Restricts certain scenarios of scripts executing: contents of <SCRIPT>, javascript URL, and event handling attributes such as onclick
  • Disallows code from being executed from strings
  • Prevents loading arbitrary data into documents

CSS Vulnerabilities

  • Certain contexts are not currently blocked, such as content injected directly into javascript without breaking out of a string
  • Injections facilitated by certain HTTP headers are not currently blocked, such as the “Referer” header
  • Malfunctions with multiple nearby injection points

CSS Filtering using regular expressions:

{<sc{r}ipt.*src[whitespace or forward-slash]*=}

Functions declared using function operator or functions declared using certain function arguments

Clickjacking/Frame Protection

  • Offers an opt-in feature that allows web applications to declare potential clickjacking web pages to be non-framable
  • Uses an HTTP response header called X-FRAME-OPTIONS which restricts how that page may be framed
  • If X-FRAME-OPTIONS is DENY then it will prevent the page from rendering within a frame
  • If X-FRAME-OPTIONS is SAMEORIGIN it will block the rendering if the origin of the top-level browsing context is different than the origin of the content.

  • Firefox's Content Security Policy (CSP) uses a frame-ancestors policy which indicates which sources are valid for <frame> and <iframe> elements
  • Any site within the frame chain must be in the frame-ancestors list in order to be loaded

  • Internet Explorer allows JavaScript to execute from within Cascading Style Sheets. Firefox does not.
  • In Firefox <STYLE> tags take precedence over comment blocks but not in Internet Explorer.
  • Internet Explorer allows local HTML files to access unrelated files via DOM but Firefox does not.
  • Both Internet Explorer and Firefox allow full opacity through CSS (decoy underneath)
  • Both Internet Explorer and Firefox allow partly obstructed IFRAMEs to be clickable (decoy on top)

Man in the Middle

  • Both Internet Explorer and Firefox allow for mixed HTTP and HTTPS content to be loaded in APPLET and EMBED tags
  • Internet Explorer recognized 264 root certificate authorities
  • Firefox recognizes only 123 root certificate authorities

Social Attacks

Misc. Security

Per Tab Processes

Loosely Coupled Internet Explorer

  • Separates the main window process (frame process) from the processes hosting the different web applications in different tabs (tab processes)
  • A frame process can create multiple tab processes, each of which can be of a different integrity level
  • Use asynchronous Inter-Process Communication to synchronize themselves
  • Balance number of processes between resource efficiency and stability
  • Multiple tabs open that show different pages from the same website often placed all into one process

Firefox does NOT support per tab processes

Phishing

Phishing is the use of a site that both falsely impersonates another entity and attempts to trick the user into disclosing personal information.

The Anti-Phishing Working Group (APWG) estimated there were 40,621 unique attacks in August 2009.
These attacks had an average lifespan of 52 hours.

Problems defending against Phishing:

  • Bit vs It: Phishing sites are incredibly easy, and cheap, to produce.
  • Mobility: Phishing sites have a very short lifespan because they are often rotated to new locations to avoid detection, tracing, and reporting.

In order to combat the growing threat of phishing, IE8 and Firefox both implement a reputation system designed to warn users that navigate to a site that is determined suspicious or known to be malicious.

SmartScreen® Filter

  • Blacklist, whitelist, asynchronous server-side validation.
  • If the site is on the whitelist, no further checking.
  • If it is not on the whitelist, the URL is stripped to its path to remove any personal information and sent to Microsoft's server via HTTPS connection.
  • Sites are checked for suspicious patterns using in-house private heuristics and telemetry.

Firefox Phishing Protection

  • Google Safe Browsing
  • Local and Server-side blacklists
  • URLs requested by the user are hashed and checked against a list of hashed 'chunks' of suspicious URLs.
  • Enhanced Protection Mode: The full URL of any document requested is sent to Google Safe Browsing for validation.
  • This does not trim the URL to its path, to assure the best possible match.
  • The URL is encrypted before being sent to protect private data.

NSS Labs Report

  • 14-day test using 593 unique URLs of malicious sites
  • Browsers were tested for:
  • Zero-hour Protection:
      IE8: 52%
      FF: 48%
  • Fifth-day Protection:
      IE8: 71%
      FF: 66%

Hours until malicious site blocked:

  • Number of malicious sites blocked
  • Length of time until malicious site was blocked once added to the test data

14-day End Result:

  • IE8: 83% protection rate
  • FF: 80% protection rate
  • Margin of Error: 3.96%

IE8 and Firefox were found to be statistically tied.

Additional Protections

IDN Homograph Attack:

  • Cyrillic, Greek, Armenian, and Hebrew alphabets have characters that resemble Latin characters and can be used to spoof URLs
  • IE8: Displays any URL using mixed characters in Punycode
  • FF: Whitelist of TLDs that protect against homograph attacks, else displays in Punycode

Password Prompts:

  • IE8 prevents <EMBED> and <APPLET> tags from prompting users for passwords, FF does not.
  • IE8 and FF both allow <IMG> tags to prompt users for passwords.

This can be used for malicious intentions, especially on sites that allow users to upload their own content (e.g. forums).

Private Browsing

  • Firefox and Internet Explorer 8 both offer private browsing modes
  • Internet Explorer 8 does not completely clear userData (such as Automatic Crash Recovery Store)
  • Firefox does not clear saved file history, and persistent storage is saved (window.globalStorage)
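
The two framing rules from the Clickjacking/Frame Protection slides, written out as checks a site owner can run against a frame chain. This is an added example, not part of the original presentation; the function names and the example.com-style URLs are constructed, and frame-ancestors is reduced to a plain list of exact origins (no keywords or wildcards).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, ignoring the path."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def xfo_allows(header_value, content_url, top_level_url):
    """X-FRAME-OPTIONS as the slides describe it.

    DENY: never render inside a frame.
    SAMEORIGIN: render only if the top-level browsing context has the
    same origin as the framed content.
    """
    value = (header_value or "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(content_url) == origin(top_level_url)
    return True  # header absent: the page has not opted in to protection


def frame_ancestors_allows(allowed_sources, ancestor_urls):
    """frame-ancestors: every site in the frame chain must be listed."""
    allowed = {origin(source) for source in allowed_sources}
    return all(origin(ancestor) in allowed for ancestor in ancestor_urls)


if __name__ == "__main__":
    # Constructed scenario: the protected page is framed by a foreign page,
    # which is itself framed by a page on the protected site's own origin.
    content = "https://bank.example/transfer"
    chain = ["https://other.example/wrapper", "https://bank.example/home"]
    print("SAMEORIGIN (top level only):", xfo_allows("SAMEORIGIN", content, chain[-1]))
    print("frame-ancestors (whole chain):",
          frame_ancestors_allows(["https://bank.example"], chain))
```

In the constructed chain the top-level comparison passes while the whole-chain check refuses to render, which is the practical difference between the two rules as the slides state them.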
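
The two address-bar display rules from the IDN Homograph Attack slide, side by side. This is an added example, not part of the original presentation; the function names, hostnames and TLD whitelist are constructed, script detection relies on Unicode character names, and labels are encoded with Python's raw punycode codec without IDNA normalisation.

```python
import unicodedata


def scripts(label):
    """Return the set of scripts used by the letters of one hostname label.

    The first word of a character's Unicode name is its script, for
    example 'LATIN', 'CYRILLIC', 'GREEK', 'ARMENIAN' or 'HEBREW'.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def to_punycode(hostname):
    """Encode every non-ASCII label as xn--<punycode>; ASCII labels are kept."""
    return ".".join(
        label if label.isascii()
        else "xn--" + label.encode("punycode").decode("ascii")
        for label in hostname.split(".")
    )


def display_ie8(hostname):
    """IE8 rule from the slide: mixed characters are shown in Punycode."""
    mixed = any(len(scripts(label)) > 1 for label in hostname.split("."))
    return to_punycode(hostname) if mixed else hostname


def display_firefox(hostname, tld_whitelist):
    """Firefox rule from the slide: Unicode only for whitelisted TLDs."""
    tld = hostname.rsplit(".", 1)[-1].lower()
    return hostname if tld in tld_whitelist else to_punycode(hostname)


if __name__ == "__main__":
    # Constructed sample: the second letter is CYRILLIC SMALL LETTER A.
    lookalike = "p\u0430ypal.example"
    whitelist = {"de"}  # constructed stand-in for the browser's TLD list
    for host in ("paypal.example", lookalike, "b\u00fccher.de"):
        print(repr(host), "| IE8:", display_ie8(host),
              "| FF:", display_firefox(host, whitelist))
```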