And the Web it keeps Changing: Recent security relevant changes to Browsers and HTML/HTTP Standards

Published: 2014-05-06. Last Updated: 2014-05-06 12:24:37 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

As we all know, web standards are only leaving "draft" status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our "Defending Web Applications" class, and I got reminded again about some of the changes we had to make over the last year or so.

Autocomplete=Off

This weekend we just had yet another post about people picking bad passwords. The only real way around this problem is a password manager. For a long time, browsers included features to allow you to save passwords. But historically, these features were not liked very well as they tended to protect the password inadequately. But with the number of leaked passwords going up and up, and browser makers feeling more confident about their built in password safe features, some browsers started to ignore this setting. For example recent versions of Chrome and Safari will offer saving your password no matter if the "autocomplete=off" attribute is set or not.

BTW: You may still need to keep your autocomplete=off attribute in your forms to pass the PCI audit. After all, in this case you are not defending against hackers but against auditors and the attribute still works great to fend of auditor questions.

In the end, this means it is up to the user to decide to enable or disable this feature, and what password safe to use. Personally I don't think you can do without a password safe. But some people still think they can remember > 100 random passwords/passphrases. (I am having a hard time with one or two).

Cookie2 Headers

"nobody" ever really used the Cookie2 header. It was supposed to address privacy concerns people had with regular cookies. Cookies set via the Cookie2 header are essentially session cookies. They can not be set "cross domain" and they expire as soon as you close the browser. But that was back in the day when people still considered privacy as something attainable. RFC 6265 officially obsoletes Cookie2 back in 2011. I guess nobody noticed (me neither) because nobody uses it.

URL Bars

Another "good old days" feature of many browsers was URL bars. They are slowly disappearing. The simple reason is that most users (no... you are not "most users" as you are reading this post) have no idea what a URL is or how to decipher it. It all started with mobile browsers who pushed the URL off the screen as soon as possible to save the few mega pixels it would take to render the URL bar. I think it was Internet Explorer 8 where I first noticed that the URL bar got squished into a corner in order to provide more space for the search bar. Google now is tying to make this change more official by only showing the hostname, not the full URL, in recent beta releases of Chrome. The idea here is that the hostname is what matters and the other parts of the URL are usually just used by phishers to confuse the user as to the actual location of the page.

Anything I missed? Not looking for brand new features like HTTP/2.0 but for old features that no longer work in new browsers and are somewhat security related. I may add a couple more items to this post or as a comment as I remember them.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords:
5 comment(s)
ISC StormCast for Tuesday, May 6th 2014 http://isc.sans.edu/podcastdetail.html?id=3965

Comments


Diary Archives