Brandon Sterne, Security Program Manager at Mozilla, recently published a proposal for a set of browser security features. The proposal, Site Security Policy (SSP), is intended to give browser vendors a way to do more to protect users from XSS and CSRF attacks. SSP is currently open for comments and is available only as a Firefox add-on.
SSP is on track to become a strong method of client-side security. (IMG: J.Anderson)
Sterne has the weight of a large part of the security community behind him. Discussion of his proposal is already under way, and Jeremiah Grossman, a security expert and CTO of WhiteHat Security, is enthusiastic about a process that could produce a new layer of security. “OK gang, this is one of those rare moments where feedback from community will directly influence a security feature that’ll make a real difference,” Grossman said in his blog post encouraging discussion.
So what is SSP? In short, it is a mechanism for defending against client-side attacks. “Browser vendors can do more to protect users from client-side attacks involving websites that are vulnerable to the classes of attacks mentioned above. This document proposes a mechanism that enables websites to define Site Security Policy which browsers can choose to enforce, restricting the capabilities of web content that make these attacks possible,” the proposal outline explains.
It adds, “Real world security, however, is usually provided in layers and Site Security Policy intends to be only one layer. Even the hypothetical vulnerability-free website can benefit from Site Security Policy. Though the site may be free of vulnerabilities today, a new vulnerability may be introduced tomorrow which could remain fully mitigated by Site Security Policy until it is detected and fixed properly.”
For now, SSP addresses two classes of attack: Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). These are two of the most common web attacks, and they are well suited to SSP because it is geared toward client-side protection. Both CSRF and XSS exploit the client and the end user as part of the overall attack, both are often hard to protect against, and only recently has there been a movement among browser developers to deal with them.
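To make the idea concrete, here is an added illustrative example, not code from the SSP add-on or the proposal: a toy policy evaluator in which the site declares which origins may supply scripts (the XSS side) and which origins may send it credentialed requests (the CSRF side), and the "browser" enforces that declaration. The directive names `script-src` and `request-src`, the `self` keyword, the `key value value; key value` syntax and the sample origins are assumptions chosen for this example, not the syntax of the SSP proposal.

```javascript
// Added illustrative example, not the SSP add-on's code. Directive names,
// the "self" keyword and the policy syntax are assumptions for this demo.

// Parse "script-src self https://cdn.example.com; request-src self" into
// { "script-src": ["self", "https://cdn.example.com"], "request-src": ["self"] }
function parsePolicy(policyText) {
  const policy = {};
  for (const clause of policyText.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Origin = scheme + host + port, the unit a browser compares.
function originOf(url) {
  return new URL(url).origin;
}

// Does candidateOrigin match one of the policy's source expressions?
function originMatches(sources, candidateOrigin, siteOrigin) {
  return sources.some((src) => {
    if (src === "self") return candidateOrigin === siteOrigin;
    if (src === "*") return true;
    try {
      return originOf(src) === candidateOrigin;
    } catch (_e) {
      return false; // malformed source expression never matches
    }
  });
}

// XSS side: may a page served by siteOrigin load and run a script from
// scriptUrl? Inline script (scriptUrl === null) has no origin and is refused
// whenever a script-src directive exists; that is what blunts an injected
// <script>payload</script>, because the attacker's markup is not a listed origin.
function scriptAllowed(policy, siteOrigin, scriptUrl) {
  const sources = policy["script-src"];
  if (!sources) return true; // no directive: browser keeps its default behaviour
  if (scriptUrl === null) return false; // inline or injected script
  return originMatches(sources, originOf(scriptUrl), siteOrigin);
}

// CSRF side: may a request originating from requesterOrigin reach the
// protected site with the user's ambient credentials (cookies)? The policy is
// the target site's; it lists the origins it trusts to send it requests.
function requestAllowed(policy, siteOrigin, requesterOrigin) {
  const sources = policy["request-src"];
  if (!sources) return true;
  return originMatches(sources, requesterOrigin, siteOrigin);
}

// Constructed sample: the policy a site would publish alongside its pages.
const SITE = "https://app.example.com";
const POLICY = parsePolicy("script-src self https://cdn.example.com; request-src self");

// Run the evaluator over a handful of constructed cases.
function demo() {
  return {
    ownScript: scriptAllowed(POLICY, SITE, "https://app.example.com/js/app.js"), // true
    cdnScript: scriptAllowed(POLICY, SITE, "https://cdn.example.com/lib.js"), // true
    injectedRemote: scriptAllowed(POLICY, SITE, "https://evil.example/steal.js"), // false
    injectedInline: scriptAllowed(POLICY, SITE, null), // false
    sameSiteForm: requestAllowed(POLICY, SITE, "https://app.example.com"), // true
    forgedRequest: requestAllowed(POLICY, SITE, "https://evil.example"), // false
  };
}

console.log(demo());
```

The point the toy makes is the one the proposal makes: the policy is authored by the site, but the decision is taken in the browser at load or request time, so an XSS bug introduced tomorrow still cannot pull a script from an unlisted origin, and a forged cross-site request from an unlisted origin is refused before the server ever sees it.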
“Even in the limited exposure Site Security Policy has been given, we have received positive feedback from various websites who want to utilize it. These sites think the proposal is a good start, but have ideas for additional functionality that would make the framework maximally useful…,” the proposal explains in the preface.
SSP is experimental; it would be hard to call it anything else. Whether, or when, it will ever ship in Firefox is unknown, and it will not happen without community support and communication. If you want to get involved, download the SSP add-on for Firefox and join the community discussions. A demo page shows the add-on in action.
More info: http://people.mozilla.com/~bsterne/site-security-policy/index.html