SlideShare a Scribd company logo
1 of 48
Download to read offline
The Perilous Future
of Browser Security
Robert Hansen
Director of Product Management
Robert ―RSnake‖ Hansen
 Director of Product Management (Labs)
 International presenter
 Ran ha.ckers.org
 Author
– Website Security for Dummies
– Detecting Malice
– Cross-site scripting attacks

 Hobbies
– Breaking the web so you don’t have to

© WhiteHat Security 2013

2
Let me start by saying…
 I love (most) people who work on browsers.
 When I talk to them they seem:
– Smart
– Honest/Ethical
– And they DO get the problem and understand the solutions

 I mean guys like Dan Veditz (FF), David Ross (Chrome),
Katie Moussouris (IE), etc. no disrespect. They’re
awesome (really–buy them a drink, give them hugs, etc.).
 However, I will argue that they are not allowed to do
their jobs due to how their company’s business models
are structured.
© WhiteHat Security 2013

3
Question: Why are you here?
 I don’t mean here as in this presentation.
 I mean, why are you in security?
– Money?
– Fame/glory?
– Protecting yourself?
– Protecting others?

 Jeremiah and I got into this to protect others and
fix things.
 If you want to have the biggest impact on security,
browsers matter.

© WhiteHat Security 2013

4
Scale of our problem (not to scale)
People using the Internet
(2.4BN)
People who care
about security/privacy
(84-90%* = 2.16BN)

People we know and could
theoretically help directly
(probably millions)
People who use Noscript
(1.9M users = 0.1%)

* http://www.innovationexcellence.com/blog/2013/03/14/when-do-people-care-about-privacy/
© WhiteHat Security 2013

5
―…different people want different

experiences, and are going to choose
their browser based on that preference‖
Chris Blizzard
Director of Web Platform
Mozilla
Security

Functionality
© WhiteHat Security 2013

Usability
7
Shrinking bandwidth: managing competing demands
Monetizing
users

Advertisers

Googl
e

 High
conversion
 Low CPC
 High CTR
 Good ROI

 Higher
ad spend
Fast
Fast
performance
performance

Quality
products

Users
 Privacy
 Security

© WhiteHat Security 2013

Search
quality

8
Yes, Google’s ads compete with advertisers

http://www.stateofsearch.com/wp-content/uploads/2012/01/ad-page-labeled.png
© WhiteHat Security 2013

9
The goal…
You can’t start a project without a goal
Simplest goal possible:

Protect sensitive information.
My personal path to achieve that goal:
Every potential vulnerability should have at least
two measures of defense because we should always
assume at least one vulnerability in every defense
mechanism.

© WhiteHat Security 2013

11
Why can’t you just use Tor Browser?
 The ―Grandpa‖ problem
 Tor Exit nodes are compromised
(100 embassy password issue)
 Grandpa sends sensitive info over HTTP
 Exit node grabs data and steals Grandpa’s retirement

© WhiteHat Security 2013

12
Anonymity vs. Privacy

Action

Anonymity

Explanation

No

Want to submit
a loan app

Privacy
Yes

You must let the loan company know
who you are anyway, so anonymity is
inherently broken.

Want to surf legal Probably not
adult material
Want to be a
dissident
Research
pressure cookers

Yes
Yes

© WhiteHat Security 2013

Yes

Unless your profession/relationships
hinge upon morality, privacy is only
required
Yes
No one can be trusted – even
relatives.
Probably not Someone may take it the wrong way
if you search for something ―bad‖
while your family will ask you first.

13
Average websites today

© WhiteHat Security 2013

14
What I am personally willing to sacrifice…
Usability
 I don’t personally need anything to be fast. In fact,
speed kills (but I do want to be efficient).
 I don’t need bookmarks, autofill, prefetching,
web slice gallery, etc…
 I don’t need ―whizbang‖ websites, and if I do I’m willing
to do ―work‖ to get them to function as intended
 I don’t care about popups or
warnings as long as they are
useful warnings of possible
irreversible impending danger
© WhiteHat Security 2013

15
Our Enemies
1

Xdomain*?
Solution:
 RequestPolicy
 Noscript (for iframes, JS and objects)
- ABE
 Port blocking
- (both locally egress and at a network level via
BSD pf)
 Removing credentials often/upon logout
 Split horizon DNS (when applicable)

© WhiteHat Security 2013

17
2

Command execution
Solution:
 Noscript & QuickJava
 Removing protocol handlers
(or they must ask for permission)
 Click to play
 Sandboxie (possibly similar to sandbox-exec or jailkit)
 Windows 7 (gold images) – ASLR (go MS!!)
 BSD chrooted jail
(again, possibily similar to sandbox-exec or jailkit)
 Anti-virus
 Geli–similar to ftimes–data integrity
 Application whitelisting and content integrity
monitoring
© WhiteHat Security 2013

18
It’s like an onion…

FreeBSD
building
chrooted jails
wrapping every
VM individually,
wrapping OSs,
wrapping
Sandboxie,
wrapping
Firefox
© WhiteHat Security 2013

19
3

Data exfiltration and privacy
Solution:
 Disabling Aero transparency theme (Windows 7+)
 Removing credentials upon logout
 Disabling anti-phishing and anti-malware support
 RequestPolicy > AdBlock
 Settings require plugin permissions
 BurpProxy + Wireshark + processexplorer
 Firefox built in lack of access to res:// file:// and
Windows variables, but chrome:// and about:// could
be just as deadly…
 Gold image upon reboot removes old Flash cookies,
etc… and has no access to ―sensitive‖ files
 FF is fixed CSS history hack
© WhiteHat Security 2013

20
4

Man in the middle
Solution:
 Internal CA instead of relying on Verisign, etc…
 Gold image to remove temporarily allowed certs
 Stand alone proxy support in Firefox + FoxyProxy
 SSH and/or VPN tunnels (both are preferable)
 Perspectives or sslvis (Just wish it worked!)

Problem! What about burp proxy!?
 Chain Firefox -> Burp -> local SSH tunnel
 Or use a VPN in a VM and wrap all traffic

© WhiteHat Security 2013

21
5

Pretexting/phishing
Anti-phishing lists can’t be trusted
No good solutions, but there are funky solutions:
 OpenDNS’s phish tank
(if you trust them and can use them)
 NoScript + ABE + Request Policy to disable JS in
superbait scenarios and break links to high value
pages (if they don’t break, that’s a problem).
Of course this doesn’t work with email.

 Education!
- I worked on anti-phishing products at eBay, am
a life-member of APWG, am on the advisory
board of phishme.com, etc… so….
- No password re-use minimizes potential impact

© WhiteHat Security 2013

22
Some of my plugins
Noscript
 XSS, clickjacking, ABE

Foxyproxy

Noscript

 FF has stand alone proxy
support (both good and bad)

RequestPolicy
 CSRF, clickjacking, some XSS

QuickJava
 Redundancy

Perspectives

Foxy
Proxy

Quick
Java

Request
Policy

Perspectives

 MitM

© WhiteHat Security 2013

23
Scorched earth approach

© WhiteHat Security 2013

24
What must my
browser look like?
(be afraid…)
Behold: CNN

© WhiteHat Security 2013

26
© WhiteHat Security 2013

27
Ads

“…we couldn't run our system if everything in it were
encrypted because then we wouldn't know which ads to
show you. So this is a system that was designed around
a particular business model.”
– Vince Cerf, Google

“You get the smartest people in the world together,
the best people this industry has to offer, for the sole
purpose of serving up ads?”
– Jeremiah Grossman, WhiteHat Security
© WhiteHat Security 2013

28
People actively dislike advertisers
Percent of adult internet users who say they have used the
internet in ways to avoid being observed or seen by…

© WhiteHat Security 2013

29
Why are ads so bad anyway?
 Often fraudulent
(E.g., Malvertising, virii)

 Waste of time/
bandwidth/page load
 Synonymous
with tracking
 Often very offensive
(E.g.: women/children)
 Obnoxious to the
eyes and ears
© WhiteHat Security 2013

30
Big business drives big data

© WhiteHat Security 2013

31
DNT: number one complaint

IE10 doesn’t respect the spec.

© WhiteHat Security 2013

32
DNT UI: not compliant

© WhiteHat Security 2013

33
DNT
 Yahoo/Pinterest/Twitter support it, sorta
 When asked, consumers want privacy:
(84%)
http://www.innovationexcellence.com/blog/2013/03/14/when-do-people-care-about-privacy/ (90%)
http://www.neowin.net/news/microsoft-only-47-percent-of-people-try-to-protect-their-privacy-online

 Ad co’s are backing out of compliance

© WhiteHat Security 2013

34
DNT by the numbers: Part I
How many clicks away?
 IE10: ALT, Tools, Internet Options, Advanced, Scroll, Click, OK
(7, however on by default so really, 0)
 FF: Click on Firefox, Options, Privacy, Click, OK (5)

 Chrome: Click on Chrome, Preferences, Scroll, Click ―Show
advanced settings‖, Scroll, Click (6)
 Safari: Click on Safari, Preferences, Privacy, Click, OK (5)

© WhiteHat Security 2013

35
DNT by the numbers: Part II
 It’s not how the spec works – it’s how browsers user it.
Opt out = no signal.

 If we believe the Trueffect numbers:
– IE10: 86.46%* Now sends DNT
– FF: 19.27%* Now sends DNT
– Chrome: 2.85% Now sends DNT

http://blog.trueffect.com/bid/328804/Microsoft-Internet-Explorer-10-and-Trueffect-Changes-To-Do-Not-Track
http://news.softpedia.com/news/17-Percent-of-Firefox-Users-Have-Enabled-Do-Not-Track-351175.shtml

© WhiteHat Security 2013

36
DNT by the numbers: Part III
Which browser
(IE10, Chrome or
Firefox) respects
user wishes more?
Let’s ignore IE10?
That’s good for everyone,
everywhere, IE, FF,
Google, the Advertisers
— everyone except the
consumer. DNT was a
distraction, but a useful
one for (ironically) for
data collection.
© WhiteHat Security 2013

100%
90%
80%
70%

Consumer
preference
IE10

60%
50%

FF

40%
30%

Chrome

20%
10%
0%

37
How does that relate with ad blocking?

http://downloads.pagefair.com/reports/the_rise_of_adblocking.pdf
© WhiteHat Security 2013

38
An ―ad war?‖ Yes.
First there was
annoying ads

ABP became the
most downloaded
add-on at 14.9M
Then Congress got involved???
active users
Then ads companies
pay off ABP

© WhiteHat Security 2013

39
Say WHAAAAT? That’s right, Congress!

http://stanford.edu/~jmayer/content/Pompeo_Mozilla_Letter.pdf

© WhiteHat Security 2013

40
Payoffs? What payoffs?

© WhiteHat Security 2013

41
The battle lines are drawn
 The Ad industry doesn’t believe in 3rd party cookie
blocking because it hurts tracking and therefore revenue.
Remember: $40 billion a year for Googe alone!
 Browser companies do what the industry wants because
they are paid by ads:
Google: 96% of it’s revenues = ads*
Firefox: 98% of it’s revenues = search deals,
of which Google makes up ~80-90%
of those deals*
http://www.investopedia.com/stock-analysis/2012/what-does-google-actually-make-money-from-goog1121.aspx
http://www.computerworld.com/s/article/9220695/Mozilla_relies_on_search_deals_for_98_of_revenues
http://www.pcmag.com/article2/0,2817,2398046,00.asp
© WhiteHat Security 2013

42
Where are ads (probably) heading?
 Logical conclusion is that derivatives of ad blocking
(E.g. Disconnect) will win against most 3rd party
JavaScript ads, sans virus evasion techniques: fast-flux.
 However, advertisers will react by creating locally
hosted/obfuscated ads.
 Companies will increase blackmail tactics to force
viewers to see ads.

 Regulation. DNT via FTC. Consumers win, sorta.
Google attacks Ad blockers.

© WhiteHat Security 2013

43
Where are ads (probably) heading?
 What? Google attacking ad blockers?
―No wayyyyy…‖ I can hear you saying….

 ―4.4 Prohibited Actions. You agree that you will
not engage in any activity with the Market, including
the development or distribution of Products, that
interferes with, disrupts, damages, or accesses in an
unauthorized manner the devices, servers, networks,
or other properties or services of any third party
including, but not limited to, Android users, Google
or any mobile network operator…‖

© WhiteHat Security 2013

44
What’s the ―so what?‖
 So yes, DNT may be a waste of time and as a result,
IAB and advertisers ignore it. Numbers-wise it’s still
great.
 So let’s build technical controls to opt for what the
consumer actually wants, not what the advertisers want.
 Do-Not-Track < Can-Not-Track
 Once the advertisers learn how to behave we can
reconsider this approach.

© WhiteHat Security 2013

45
What should we do?
 Don’t recommend my setup to the masses –
we need something better!

 Socialize that most browser vendors probably want to do
the right thing, but their $40BN/year business models
(and fear of lawsuits) prohibit it.
 Start tackling the problems one at a time:
higher security and privacy to feature ratio.

 Always side with the consumer, they are our families
and they should always win. It’s ethical and good
for our Internet.
© WhiteHat Security 2013

46
What is WhiteHat doing?
 WhiteHat is in a unique position of zero conflict
of interest with privacy/security.

 We don’t believe in ―Do-Not-Track‖, we continue to
embrace ―Can-Not-Track‖
 Aviator will add in additional security and privacy
features.

© WhiteHat Security 2013

47
Thank You.
Robert Hansen
Director of Product Management
@RSnake

More Related Content

Similar to Appsec usa roberthansen

Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteDinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteSandraPaiva
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end usersNetWatcher
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for ActivistsGreg Stromire
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh SmithEC-Council
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea LeavesEd Bellis
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 
Protecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World SafetyProtecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World SafetyAEGILITY
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksCiNPA Security SIG
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetWatcher
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsNowSecure
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionService2Media
 
Creating Systems Without Considering The Users
Creating Systems Without Considering The UsersCreating Systems Without Considering The Users
Creating Systems Without Considering The UsersSarah Davis
 

Similar to Appsec usa roberthansen (20)

Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteDinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference Keynote
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
 
Challenges2013
Challenges2013Challenges2013
Challenges2013
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh Smith
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea Leaves
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 
Internet Security Overview
Internet Security OverviewInternet Security Overview
Internet Security Overview
 
Protecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World SafetyProtecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World Safety
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
 
Security On The Internet Essay
Security On The Internet EssaySecurity On The Internet Essay
Security On The Internet Essay
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
 
NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcription
 
Creating Systems Without Considering The Users
Creating Systems Without Considering The UsersCreating Systems Without Considering The Users
Creating Systems Without Considering The Users
 
Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)
 

More from drewz lin

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013drewz lin
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2drewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21drewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsdrewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentationdrewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowaspdrewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usadrewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈drewz lin
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiudrewz lin
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)drewz lin
 

More from drewz lin (20)

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
 

Recently uploaded

Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 

Recently uploaded (20)

Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 

Appsec usa roberthansen

  • 1. The Perilous Future of Browser Security Robert Hansen Director of Product Management
  • 2. Robert ―RSnake‖ Hansen  Director of Product Management (Labs)  International presenter  Ran ha.ckers.org  Author – Website Security for Dummies – Detecting Malice – Cross-site scripting attacks  Hobbies – Breaking the web so you don’t have to © WhiteHat Security 2013 2
  • 3. Let me start by saying…  I love (most) people who work on browsers.  When I talk to them they seem: – Smart – Honest/Ethical – And they DO get the problem and understand the solutions  I mean guys like Dan Veditz (FF), David Ross (Chrome), Katie Moussouris (IE), etc. no disrespect. They’re awesome (really–buy them a drink, give them hugs, etc.).  However, I will argue that they are not allowed to do their jobs due to how their company’s business models are structured. © WhiteHat Security 2013 3
  • 4. Question: Why are you here?  I don’t mean here as in this presentation.  I mean, why are you in security? – Money? – Fame/glory? – Protecting yourself? – Protecting others?  Jeremiah and I got into this to protect others and fix things.  If you want to have the biggest impact on security, browsers matter. © WhiteHat Security 2013 4
  • 5. Scale of our problem (not to scale) People using the Internet (2.4BN) People who care about security/privacy (84-90%* = 2.16BN) People we know and could theoretically help directly (probably millions) People who use Noscript (1.9M users = 0.1%) * http://www.innovationexcellence.com/blog/2013/03/14/when-do-people-care-about-privacy/ © WhiteHat Security 2013 5
  • 6. ―…different people want different experiences, and are going to choose their browser based on that preference‖ Chris Blizzard Director of Web Platform Mozilla
  • 8. Shrinking bandwidth: managing competing demands Monetizing users Advertisers Googl e  High conversion  Low CPC  High CTR  Good ROI  Higher ad spend Fast Fast performance performance Quality products Users  Privacy  Security © WhiteHat Security 2013 Search quality 8
  • 9. Yes, Google’s ads compete with advertisers http://www.stateofsearch.com/wp-content/uploads/2012/01/ad-page-labeled.png © WhiteHat Security 2013 9
  • 11. You can’t start a project without a goal Simplest goal possible: Protect sensitive information. My personal path to achieve that goal: Every potential vulnerability should have at least two measures of defense because we should always assume at least one vulnerability in every defense mechanism. © WhiteHat Security 2013 11
  • 12. Why can’t you just use Tor Browser?  The ―Grandpa‖ problem  Tor Exit nodes are compromised (100 embassy password issue)  Grandpa sends sensitive info over HTTP  Exit node grabs data and steals Grandpa’s retirement © WhiteHat Security 2013 12
  • 13. Anonymity vs. Privacy Action Anonymity Explanation No Want to submit a loan app Privacy Yes You must let the loan company know who you are anyway, so anonymity is inherently broken. Want to surf legal Probably not adult material Want to be a dissident Research pressure cookers Yes Yes © WhiteHat Security 2013 Yes Unless your profession/relationships hinge upon morality, privacy is only required Yes No one can be trusted – even relatives. Probably not Someone may take it the wrong way if you search for something ―bad‖ while your family will ask you first. 13
  • 14. Average websites today © WhiteHat Security 2013 14
  • 15. What I am personally willing to sacrifice… Usability  I don’t personally need anything to be fast. In fact, speed kills (but I do want to be efficient).  I don’t need bookmarks, autofill, prefetching, web slice gallery, etc…  I don’t need ―whizbang‖ websites, and if I do I’m willing to do ―work‖ to get them to function as intended  I don’t care about popups or warnings as long as they are useful warnings of possible irreversible impending danger © WhiteHat Security 2013 15
  • 17. 1 Xdomain*? Solution:  RequestPolicy  Noscript (for iframes, JS and objects) - ABE  Port blocking - (both locally egress and at a network level via BSD pf)  Removing credentials often/upon logout  Split horizon DNS (when applicable) © WhiteHat Security 2013 17
  • 18. 2 Command execution Solution:  Noscript & QuickJava  Removing protocol handlers (or they must ask for permission)  Click to play  Sandboxie (possibly similar to sandbox-exec or jailkit)  Windows 7 (gold images) – ASLR (go MS!!)  BSD chrooted jail (again, possibily similar to sandbox-exec or jailkit)  Anti-virus  Geli–similar to ftimes–data integrity  Application whitelisting and content integrity monitoring © WhiteHat Security 2013 18
  • 19. It’s like an onion… FreeBSD building chrooted jails wrapping every VM individually, wrapping OSs, wrapping Sandboxie, wrapping Firefox © WhiteHat Security 2013 19
  • 20. 3 Data exfiltration and privacy Solution:  Disabling Aero transparency theme (Windows 7+)  Removing credentials upon logout  Disabling anti-phishing and anti-malware support  RequestPolicy > AdBlock  Settings require plugin permissions  BurpProxy + Wireshark + processexplorer  Firefox built in lack of access to res:// file:// and Windows variables, but chrome:// and about:// could be just as deadly…  Gold image upon reboot removes old Flash cookies, etc… and has no access to ―sensitive‖ files  FF is fixed CSS history hack © WhiteHat Security 2013 20
  • 21. 4 Man in the middle Solution:  Internal CA instead of relying on Verisign, etc…  Gold image to remove temporarily allowed certs  Stand alone proxy support in Firefox + FoxyProxy  SSH and/or VPN tunnels (both are preferable)  Perspectives or sslvis (Just wish it worked!) Problem! What about burp proxy!?  Chain Firefox -> Burp -> local SSH tunnel  Or use a VPN in a VM and wrap all traffic © WhiteHat Security 2013 21
  • 22. 5 Pretexting/phishing Anti-phishing lists can’t be trusted No good solutions, but there are funky solutions:  OpenDNS’s phish tank (if you trust them and can use them)  NoScript + ABE + Request Policy to disable JS in superbait scenarios and break links to high value pages (if they don’t break, that’s a problem). Of course this doesn’t work with email.  Education! - I worked on anti-phishing products at eBay, am a life-member of APWG, am on the advisory board of phishme.com, etc… so…. - No password re-use minimizes potential impact © WhiteHat Security 2013 22
  • 23. Some of my plugins Noscript  XSS, clickjacking, ABE Foxyproxy Noscript  FF has stand alone proxy support (both good and bad) RequestPolicy  CSRF, clickjacking, some XSS QuickJava  Redundancy Perspectives Foxy Proxy Quick Java Request Policy Perspectives  MitM © WhiteHat Security 2013 23
  • 24. Scorched earth approach © WhiteHat Security 2013 24
  • 25. What must my browser look like? (be afraid…)
  • 26. Behold: CNN © WhiteHat Security 2013 26
  • 28. Ads “…we couldn't run our system if everything in it were encrypted because then we wouldn't know which ads to show you. So this is a system that was designed around a particular business model.” – Vince Cerf, Google “You get the smartest people in the world together, the best people this industry has to offer, for the sole purpose of serving up ads?” – Jeremiah Grossman, WhiteHat Security © WhiteHat Security 2013 28
  • 29. People actively dislike advertisers Percent of adult internet users who say they have used the internet in ways to avoid being observed or seen by… © WhiteHat Security 2013 29
  • 30. Why are ads so bad anyway?  Often fraudulent (E.g., Malvertising, virii)  Waste of time/ bandwidth/page load  Synonymous with tracking  Often very offensive (E.g.: women/children)  Obnoxious to the eyes and ears © WhiteHat Security 2013 30
  • 31. Big business drives big data © WhiteHat Security 2013 31
  • 32. DNT: number one complaint IE10 doesn’t respect the spec. © WhiteHat Security 2013 32
  • 33. DNT UI: not compliant © WhiteHat Security 2013 33
  • 34. DNT  Yahoo/Pinterest/Twitter support it, sorta  When asked, consumers want privacy: (84%) http://www.innovationexcellence.com/blog/2013/03/14/when-do-people-care-about-privacy/ (90%) http://www.neowin.net/news/microsoft-only-47-percent-of-people-try-to-protect-their-privacy-online  Ad co’s are backing out of compliance © WhiteHat Security 2013 34
  • 35. DNT by the numbers: Part I How many clicks away?  IE10: ALT, Tools, Internet Options, Advanced, Scroll, Click, OK (7, however on by default so really, 0)  FF: Click on Firefox, Options, Privacy, Click, OK (5)  Chrome: Click on Chrome, Preferences, Scroll, Click ―Show advanced settings‖, Scroll, Click (6)  Safari: Click on Safari, Preferences, Privacy, Click, OK (5) © WhiteHat Security 2013 35
  • 36. DNT by the numbers: Part II  It’s not how the spec works – it’s how browsers user it. Opt out = no signal.  If we believe the Trueffect numbers: – IE10: 86.46%* Now sends DNT – FF: 19.27%* Now sends DNT – Chrome: 2.85% Now sends DNT http://blog.trueffect.com/bid/328804/Microsoft-Internet-Explorer-10-and-Trueffect-Changes-To-Do-Not-Track http://news.softpedia.com/news/17-Percent-of-Firefox-Users-Have-Enabled-Do-Not-Track-351175.shtml © WhiteHat Security 2013 36
  • 37. DNT by the numbers: Part III Which browser (IE10, Chrome or Firefox) respects user wishes more? Let’s ignore IE10? That’s good for everyone, everywhere, IE, FF, Google, the Advertisers — everyone except the consumer. DNT was a distraction, but a useful one for (ironically) for data collection. © WhiteHat Security 2013 100% 90% 80% 70% Consumer preference IE10 60% 50% FF 40% 30% Chrome 20% 10% 0% 37
  • 38. How does that relate with ad blocking? http://downloads.pagefair.com/reports/the_rise_of_adblocking.pdf © WhiteHat Security 2013 38
  • 39. An ―ad war?‖ Yes. First there was annoying ads ABP became the most downloaded add-on at 14.9M Then Congress got involved??? active users Then ads companies pay off ABP © WhiteHat Security 2013 39
  • 40. Say WHAAAAT? That’s right, Congress! http://stanford.edu/~jmayer/content/Pompeo_Mozilla_Letter.pdf © WhiteHat Security 2013 40
  • 41. Payoffs? What payoffs? © WhiteHat Security 2013 41
  • 42. The battle lines are drawn  The Ad industry doesn’t believe in 3rd party cookie blocking because it hurts tracking and therefore revenue. Remember: $40 billion a year for Googe alone!  Browser companies do what the industry wants because they are paid by ads: Google: 96% of it’s revenues = ads* Firefox: 98% of it’s revenues = search deals, of which Google makes up ~80-90% of those deals* http://www.investopedia.com/stock-analysis/2012/what-does-google-actually-make-money-from-goog1121.aspx http://www.computerworld.com/s/article/9220695/Mozilla_relies_on_search_deals_for_98_of_revenues http://www.pcmag.com/article2/0,2817,2398046,00.asp © WhiteHat Security 2013 42
  • 43. Where are ads (probably) heading?  Logical conclusion is that derivatives of ad blocking (E.g. Disconnect) will win against most 3rd party JavaScript ads, sans virus evasion techniques: fast-flux.  However, advertisers will react by creating locally hosted/obfuscated ads.  Companies will increase blackmail tactics to force viewers to see ads.  Regulation. DNT via FTC. Consumers win, sorta. Google attacks Ad blockers. © WhiteHat Security 2013 43
  • 44. Where are ads (probably) heading?  What? Google attacking ad blockers? ―No wayyyyy…‖ I can hear you saying….  ―4.4 Prohibited Actions. You agree that you will not engage in any activity with the Market, including the development or distribution of Products, that interferes with, disrupts, damages, or accesses in an unauthorized manner the devices, servers, networks, or other properties or services of any third party including, but not limited to, Android users, Google or any mobile network operator…‖ © WhiteHat Security 2013 44
  • 45. What’s the ―so what?‖  So yes, DNT may be a waste of time and as a result, IAB and advertisers ignore it. Numbers-wise it’s still great.  So let’s build technical controls to opt for what the consumer actually wants, not what the advertisers want.  Do-Not-Track < Can-Not-Track  Once the advertisers learn how to behave we can reconsider this approach. © WhiteHat Security 2013 45
  • 46. What should we do?  Don’t recommend my setup to the masses – we need something better!  Socialize that most browser vendors probably want to do the right thing, but their $40BN/year business models (and fear of lawsuits) prohibit it.  Start tackling the problems one at a time: higher security and privacy to feature ratio.  Always side with the consumer, they are our families and they should always win. It’s ethical and good for our Internet. © WhiteHat Security 2013 46
  • 47. What is WhiteHat doing?  WhiteHat is in a unique position of zero conflict of interest with privacy/security.  We don’t believe in ―Do-Not-Track‖, we continue to embrace ―Can-Not-Track‖  Aviator will add in additional security and privacy features. © WhiteHat Security 2013 47
  • 48. Thank You. Robert Hansen Director of Product Management @RSnake