Securing the Web Platform

Published September 6, 2016, 18:43
Browsers are rapidly improving as a platform for compelling, interactive applications. Unfortunately, the Web security model is still not fully understood. Despite the impressive performance gains of browser vendors, the Web cannot succeed without a secure foundation. This talk will cover my recent efforts to observe, analyze, and improve browser security. Existing security policies were designed in an era where Web users only interacted with one principal at a time, but modern browsers often have many tabs open simultaneously, and these tabs often contain third-party content from multiple sources. By articulating threat models that capture these multi-principal interactions, my research has revealed attacks on a variety of browser features, such as frame navigation, cross-document communication, and HTTPS. I'll discuss how I worked with browser and plug-in vendors to address these attacks and deploy industry-wide solutions.