Presented at
DeepSec 2013 „Secrets, Failures, and Visions“,
Unknown date/time
(Unknown duration).
Many, many conferences nowadays come with "HTML5 is insecure" or "Hacking with HTML5" talks. This has led to the general perception that HTML5 itself (whatever the term actually stands for) is insecure and, thus, should be avoided for security reasons. This is a highly unfortunate misconception, as the current generation of new Web APIs expose a level of security sophistication unparalleled in the Web's history. In fact, new browser features such as CORS or PostMessage allow for the first time to securely realize usecases which, up to now, required the programmers to resort to insecure programming practices.
In this talk, we will systematically explore security relevant HTML5 APIs. To do so, we discuss their respective security architecture and, more importantly, show how they compare to currently established techniques which were designed to realize similar use cases.
Plainly speaking you can consider this talk as a "information security deathmatch - HTML5 vs. its alternatives" (spoiler: HTML5 wins).
More specifically, the talk will cover:
# Client-side cross-domain communication:
- CORS (HTML5) vs. JSONP and/or crossdomain.xml
# Client-side persistance
- LocalStorage (HTML5) vs. Cookie-hacks
# In-browser communication
- PostMessage (HTML5) vs.
-- hash-identifier passing and/or
-- window.name setting and/or
-- domain relaxation
# ClickJacking protection
- X-Frames-Options (HTML5) vs. JavaScript framebusters
# Bonus track: The browser's new security capabilities
A quick overview of new browser features that can be used to secure Web sites:
- Content Security Policies
- Sandboxed iFrames
- Strict-transport Security
The session's content is based on the experiences and lessons learned of a international academic research project on modern Web security (WebSand, http://websand.eu) of which the speaker is the technical lead. All given details will be backed with empirical data (when applicable). Furthermore, all discussed technologies can be accompanied with proof-of-concept code or practical demonstrations (if time permits).
Presenters:
Links:
Similar Presentations: