Security and Privacy on the Web in 2016
TRANSCRIPT

Security and Privacy for users, sysadmins and developers

security

security for users

Safe Browsing
![Page 6: Security and Privacy on the Web in 2016](https://reader034.vdocuments.site/reader034/viewer/2022042907/587c49491a28abc62c8b45bb/html5/thumbnails/6.jpg)
![Page 7: Security and Privacy on the Web in 2016](https://reader034.vdocuments.site/reader034/viewer/2022042907/587c49491a28abc62c8b45bb/html5/thumbnails/7.jpg)
pre-downloaded URL hash prefixes
![Page 8: Security and Privacy on the Web in 2016](https://reader034.vdocuments.site/reader034/viewer/2022042907/587c49491a28abc62c8b45bb/html5/thumbnails/8.jpg)
pre-downloaded URL hash prefixes
list updated every 30 minutes
![Page 9: Security and Privacy on the Web in 2016](https://reader034.vdocuments.site/reader034/viewer/2022042907/587c49491a28abc62c8b45bb/html5/thumbnails/9.jpg)
pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)
![Page 10: Security and Privacy on the Web in 2016](https://reader034.vdocuments.site/reader034/viewer/2022042907/587c49491a28abc62c8b45bb/html5/thumbnails/10.jpg)
pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)
separate cookie jar
![Page 11: Security and Privacy on the Web in 2016](https://reader034.vdocuments.site/reader034/viewer/2022042907/587c49491a28abc62c8b45bb/html5/thumbnails/11.jpg)
pre-downloaded URL hash prefixes
list updated every 30 minutes
server completions on prefix hit (with noise entries)
separate cookie jar
list entries expire after 45 minutes
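The lookup flow behind the five bullets above, as an added example (Python, written for this transcript; it is not Firefox's url-classifier code and not from the slides). The list server, the blocked URLs, the canonicalization rules and the noise count are constructed stand-ins; only the 4-byte-prefix, completion-on-hit, noise and 45-minute-expiry behaviour is modelled:

```python
import hashlib
import random
import time
from urllib.parse import urlsplit

PREFIX_LEN = 4             # bytes of each SHA-256 kept in the local list
NOISE_ENTRIES = 4          # random extra prefixes sent with every completion request (assumed)
COMPLETION_TTL = 45 * 60   # completed entries expire after 45 minutes (slide)


def canonicalize(url):
    """Simplified canonical form (lower-cased host + path + query).
    The real Safe Browsing canonicalization rules are considerably longer."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    return host + path + (("?" + parts.query) if parts.query else "")


def full_hash(url):
    return hashlib.sha256(canonicalize(url).encode("utf-8")).digest()


class ListServer:
    """Constructed stand-in for the list provider: it holds the full hashes."""

    def __init__(self, blocked_urls):
        self.full_hashes = {full_hash(u) for u in blocked_urls}
        self.requests = []   # prefix sets received, kept so the demo can inspect them

    def prefix_list(self):
        # what the browser downloads (and refreshes every 30 minutes): prefixes only
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def complete(self, prefixes):
        # the server sees 4-byte prefixes, never URLs, and answers with every
        # full hash that starts with any of them
        self.requests.append(set(prefixes))
        return {h for h in self.full_hashes if h[:PREFIX_LEN] in prefixes}


class Client:
    def __init__(self, server, now=time.time):
        self.server = server
        self.now = now
        self.prefixes = server.prefix_list()
        self.cache = {}      # prefix -> (completed full hashes, expiry timestamp)

    def is_unsafe(self, url):
        h = full_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.prefixes:
            return False      # the common case: decided locally, nothing is sent anywhere
        entry = self.cache.get(prefix)
        if entry is None or entry[1] <= self.now():
            # noise: random other prefixes from the local list go along with
            # the real one, so the server cannot tell which one matched
            others = sorted(self.prefixes - {prefix})
            noise = random.sample(others, min(NOISE_ENTRIES, len(others)))
            completions = self.server.complete({prefix, *noise})
            entry = (completions, self.now() + COMPLETION_TTL)
            self.cache[prefix] = entry
        return h in entry[0]
```

The property worth noticing is the privacy one: a benign URL never causes any network traffic at all, and when a prefix does match, the provider receives a handful of 4-byte prefixes rather than a URL and cannot tell which of them the user is actually visiting.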
about:config
browser.safebrowsing.enabled (phishing)
browser.safebrowsing.malware.enabled (malware)
Download Protection

is it on the pre-downloaded list of dangerous hosts?
is it signed by a known good software provider?
is it an executable file (.exe, .com, .pif, .dmg, etc.)?
what does the application reputation ("apprep") server think about it?
(the remote lookup is the only step that sends anything to a server, and it is skipped when one of the local checks has already decided)

about:config
browser.safebrowsing.downloads.remote.enabled
browser.safebrowsing.downloads.remote.block_potentially_unwanted
browser.safebrowsing.downloads.remote.block_uncommon

https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
security for developers

Content Security Policy aka CSP
mechanism for mitigating XSS

telling the browser which sources of content (scripts, styles, images, ...) are allowed to load; inline scripts are refused unless the policy explicitly allows them

[compose box] What's on your mind?
Hi y'all<script>alert('p0wned');</script>!
[Tweet!]

without CSP

Hi y'all! John Doe - just moments ago
[alert dialog] p0wned [Ok]

with CSP

Hi y'all! John Doe - just moments ago
(the injected inline script is blocked and never runs)

Content-Security-Policy: script-src 'self' https://cdn.example.com

script-src
object-src
style-src
img-src
media-src
frame-src
font-src
connect-src
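Why the tweet's inline script is blocked while the site's own scripts and the CDN still load, as an added example (Python, written for this transcript; it is not browser code and not from the slides). It handles only the source expressions needed here ('self', 'none', 'unsafe-inline', scheme+host, host wildcards and the default-src fallback); the page origin https://twitter.example is an assumption:

```python
from urllib.parse import urlsplit


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()      # scheme + host (+ explicit port)


def parse_csp(header):
    """'script-src 'self' https://cdn.example.com; img-src *' -> {directive: [sources]}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page_origin):
    """Does one source expression allow loading `url` from a page at `page_origin`?"""
    if source == "'self'":
        return origin_of(url) == page_origin
    if source == "'none'":
        return False
    if source.startswith("'"):
        return False          # 'unsafe-inline', nonces and hashes never match a URL
    if source == "*":
        return True
    if "://" not in source:   # bare host such as cdn.example.com: take the page's scheme
        source = urlsplit(page_origin).scheme + "://" + source
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme != u.scheme:
        return False          # https://cdn.example.com does not allow http://cdn.example.com
    if s.hostname.startswith("*."):
        host_ok = u.hostname.endswith(s.hostname[1:])
    else:
        host_ok = u.hostname == s.hostname
    port_ok = s.port is None or s.port == u.port
    return host_ok and port_ok


def allows(policy, directive, page_origin, url=None, inline=False):
    """Decide one load or one inline script against the policy."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src")     # fetch directives fall back to default-src
    if sources is None:
        return True                             # nothing said about this type: unrestricted
    if inline:
        return "'unsafe-inline'" in sources     # inline code is blocked unless opted in
    return any(source_matches(s, url, page_origin) for s in sources)
```

The header on the slide lists no 'unsafe-inline', which is exactly what makes the injected alert('p0wned') dead on arrival; it also leaves every directive other than script-src unrestricted, so a real deployment usually adds a default-src.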
Strict Transport Security aka HSTS
mechanism for preventing HTTPS to HTTP downgrades

telling the browser that your site should never be reached over HTTP

no HSTS, no sslstrip:
GET http://bank.com → 301
GET https://bank.com → 200

no HSTS, with sslstrip:
GET http://bank.com → 200
(the attacker follows the redirect to HTTPS itself and serves the victim a plaintext copy of the site)

what does HSTS look like?

$ curl -i https://bank.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
...

with HSTS, with sslstrip:
GET https://bank.com → 200

no HTTP traffic for sslstrip to tamper with
(the browser rewrites http:// to https:// internally before any request leaves; this only works once it has seen the header over HTTPS, so a browser's very first visit is still exposed unless the site is on the browsers' HSTS preload list)
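The three flows above played through in code, as an added example (Python, written for this transcript; not from the slides, and not a real network: the server, the sslstrip stand-in and bank.com are constructed). It also shows the two limits a practitioner should keep in mind: a browser that has never seen the header, and expiry of the stored entry:

```python
import time
from urllib.parse import urlsplit, urlunsplit

HSTS = "Strict-Transport-Security"


class BankServer:
    """Constructed stand-in for bank.com: redirects HTTP to HTTPS and, when
    configured to, sends the HSTS header on HTTPS responses."""

    def __init__(self, send_hsts):
        self.send_hsts = send_hsts

    def fetch(self, url):
        if url.startswith("http://"):
            return 301, {"Location": "https://" + url[len("http://"):]}, ""
        headers = {"Content-Type": "text/html; charset=utf-8"}
        if self.send_hsts:
            headers[HSTS] = "max-age=31536000; includeSubDomains"
        return 200, headers, "<html>your account balance</html>"


class SslStrip:
    """Attacker between browser and server. It cannot break TLS, so it only acts
    on plaintext requests: it follows the HTTPS redirect itself and hands the
    victim an HTTP copy of the page, dropping the HSTS header on the way."""

    def __init__(self, server):
        self.server = server
        self.plaintext_seen = []

    def fetch(self, url):
        if url.startswith("https://"):
            return self.server.fetch(url)
        self.plaintext_seen.append(url)
        status, headers, body = self.server.fetch(url)
        if status == 301 and headers.get("Location", "").startswith("https://"):
            status, headers, body = self.server.fetch(headers["Location"])
            headers = {k: v for k, v in headers.items() if k != HSTS}
        return status, headers, body


class Browser:
    def __init__(self, network, now=time.time):
        self.network = network
        self.now = now
        self.hsts = {}   # host -> (expiry timestamp, includeSubDomains)

    def _known_hsts_host(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def _remember(self, host, value):
        max_age, include_sub = 0, False
        for directive in value.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                max_age = int(directive.split("=", 1)[1])
            elif directive == "includesubdomains":
                include_sub = True
        if max_age == 0:
            self.hsts.pop(host, None)         # max-age=0 removes the entry
        else:
            self.hsts[host] = (self.now() + max_age, include_sub)

    def navigate(self, typed):
        """Typing 'bank.com' means http:// unless the HSTS store says otherwise."""
        url = typed if "://" in typed else "http://" + typed
        parts = urlsplit(url)
        if parts.scheme == "http" and self._known_hsts_host(parts.hostname):
            url = urlunsplit(("https",) + tuple(parts[1:]))   # upgraded before anything is sent
        for _ in range(5):
            status, headers, body = self.network.fetch(url)
            if status in (301, 302) and "Location" in headers:
                url = headers["Location"]
                continue
            break
        if url.startswith("https://") and HSTS in headers:
            self._remember(urlsplit(url).hostname, headers[HSTS])   # only trusted over HTTPS
        return url, status
```

A long max-age is what closes the expiry window; includeSubDomains stops the attacker from simply serving www.bank.com instead, and the preload list is what covers the first visit.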
https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

what would happen if that server were compromised?

Bad Things™
steal sessions
leak confidential data
redirect to phishing sites
enlist DDoS zombies

simple solution: Subresource Integrity (SRI)

instead of this:

<script src="https://ajax.googleapis.com..."></script>

do this:

<script
  src="https://ajax.googleapis.com..."
  integrity="sha256-1z4uG/+cVbhShP..."
  crossorigin="anonymous"></script>

guarantee: script won't change or it'll be blocked
(crossorigin="anonymous" is required for a cross-origin script: the browser only checks the hash of a response it is allowed to read, which means CORS)
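Generating and checking the integrity value, as an added example (Python, written for this transcript; not browser code and not from the slides). The script bodies are constructed stand-ins for jquery.min.js and the slide's truncated digest is not used; the format is the one browsers and `openssl dgst -binary | openssl base64 -A` produce:

```python
import base64
import binascii
import hashlib
import hmac

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = ["sha256", "sha384", "sha512"]     # weakest to strongest


def integrity_value(data, algorithm="sha384"):
    """The value to put in integrity="...": algorithm, a dash, the base64 digest.
    Equivalent to: openssl dgst -<algorithm> -binary FILE | openssl base64 -A"""
    digest = ALGORITHMS[algorithm](data).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def parse_integrity(attr):
    """Split an integrity attribute into (algorithm, digest) pairs. Tokens the
    browser cannot use (unknown algorithm, malformed base64) are skipped."""
    parsed = []
    for token in attr.split():
        algorithm, _, b64 = token.partition("-")
        if algorithm not in ALGORITHMS:
            continue
        try:
            parsed.append((algorithm, base64.b64decode(b64, validate=True)))
        except binascii.Error:
            continue
    return parsed


def integrity_ok(data, attr):
    """Browser rule: only digests of the strongest listed algorithm count, and the
    resource passes if any one of them matches. Listing two digests is how you
    roll out a new file version without breaking pages that still reference the old one."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True       # nothing usable to check against: the attribute is ignored
    best = max(STRENGTH.index(a) for a, _ in parsed)
    for algorithm, expected in parsed:
        if STRENGTH.index(algorithm) != best:
            continue
        if hmac.compare_digest(ALGORITHMS[algorithm](data).digest(), expected):
            return True
    return False          # mismatch: the browser refuses to execute the script
```

Regenerate the attribute every time the library version changes; a stale value blocks the legitimate file just as hard as a tampered one, which is also why a CDN that serves "latest" URLs cannot be pinned this way.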
security for sysadmins

HTTPS

if you're not using it, now is the time to start :)

mass surveillance of all Internet traffic
is no longer theoretical

strong encryption of all Internet traffic
is no longer optional

“If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.”
- Bruce Schneier
$ apt-get install letsencrypt
$ letsencrypt -d example.com
(the client has since been renamed certbot)

automatically prove domain ownership
download a free-as-in-beer certificate
monitor and renew it before it expires
HTTPS is not enough
you need to do it properly

things to get rid of:
RC4 (broken stream cipher)
SHA-1 (certificate signatures)
1024-bit certificates (RSA keys)
weak DH parameters (1024-bit or smaller groups)
https://people.mozilla.org/~fmarier/mixed-content.html

<html>
<head>
  <script src="http://people.mozilla.org/~fmarier/mixed-content.js"></script>
</head>
<body>
  <img src="http://fmarier.org/img/francois_marier.jpg">
</body>
</html>

(an HTTPS page pulling a script and an image over plain HTTP: the script is active mixed content and is blocked by default, the image is passive mixed content and only produces a warning)

turn on full mixed-content blocking in development
(in Firefox: security.mixed_content.block_display_content = true)
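A small checker for the situation on the slide, as an added example (Python, standard library only, written for this transcript; not Firefox's code). The page is the slide's HTML embedded as a string, with one extra protocol-relative image added to show what does not count as mixed content; the active/passive split mirrors what the browser blocks by default versus only with full blocking turned on:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag/attribute pairs that fetch script-capable (active) and display-only (passive) content
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (kind, tag, absolute url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return                  # only stylesheet links count as active content here
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in table:
                if t == tag and attrs.get(attr):
                    url = urljoin(self.page_url, attrs[attr])    # resolves "//host/..." too
                    if urlsplit(url).scheme == "http":
                        self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for every plain-HTTP subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []                   # mixed content is only a concept on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# the slide's page, embedded inline so this runs offline (plus one extra protocol-relative image)
SLIDE_PAGE = "https://people.mozilla.org/~fmarier/mixed-content.html"
SLIDE_HTML = """<html><head>
<script src="http://people.mozilla.org/~fmarier/mixed-content.js"></script>
</head><body>
<img src="http://fmarier.org/img/francois_marier.jpg">
<img src="//fmarier.org/img/ok.jpg">
</body></html>"""
```

Running this over templates in CI catches the passive cases that a default browser configuration only warns about, which is the same thing the "full mixed-content blocking" setting does interactively.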
privacy

privacy for users

about:config
network.cookie.lifetimePolicy = 3 (keep cookies only for a fixed number of days)
network.cookie.lifetime.days = 5
network.cookie.thirdparty.sessionOnly = true (third-party cookies are dropped when the browser closes)

https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
Tracking Protection

based on Safe Browsing
pre-downloaded list of full hashes
(no server lookups)

1. is this resource coming from a third-party server?
2. is it on Disconnect's list of trackers?
3. is it actually a third-party or does it belong to the same org?

Q: What does it do?
A: It blocks network loads!

No cookies
No fingerprinting
No wasted bandwidth
No performance hit
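The three questions as code, as an added example (Python, written for this transcript; not Firefox's classifier and not from the slides). The tracker list and the same-organisation entity list are tiny constructed stand-ins for Disconnect's data, and the registrable-domain helper ignores the Public Suffix List:

```python
from urllib.parse import urlsplit

# constructed stand-in for Disconnect's blocklist (hosts, matched as suffixes)
TRACKERS = {"tracker.example", "analytics.example", "social.example"}

# constructed stand-in for the entity list: hosts owned by the same organisation
ENTITIES = {
    "Social Inc": {"social.example", "socialcdn.example"},
}


def registrable_domain(host):
    """Simplified eTLD+1: the last two labels. Real code consults the Public Suffix
    List, otherwise a.co.uk and b.co.uk would wrongly count as the same site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url, resource_url):
    page_host = urlsplit(page_url).hostname
    res_host = urlsplit(resource_url).hostname
    return registrable_domain(page_host) != registrable_domain(res_host)


def on_tracker_list(host):
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in TRACKERS for i in range(len(labels)))


def _owned_by(host, owned):
    return any(host == h or host.endswith("." + h) for h in owned)


def same_organisation(page_host, resource_host):
    return any(_owned_by(page_host, owned) and _owned_by(resource_host, owned)
               for owned in ENTITIES.values())


def should_block(page_url, resource_url):
    """The slide's three questions, in order."""
    if not is_third_party(page_url, resource_url):
        return False                   # 1. first-party loads are never blocked
    res_host = urlsplit(resource_url).hostname
    if not on_tracker_list(res_host):
        return False                   # 2. third party, but not a known tracker
    if same_organisation(urlsplit(page_url).hostname, res_host):
        return False                   # 3. a tracker owned by the site you are visiting
    return True                        # the request is never sent: no cookie, no fingerprint
```

Because the decision is made before the request leaves, a blocked tracker receives nothing at all, which is what the slide's "no cookies, no fingerprinting, no wasted bandwidth" list is describing.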
about:config
privacy.trackingprotection.pbmode.enabled (private browsing windows only)
privacy.trackingprotection.enabled (all windows)

https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
privacy for developers

http://example.com/search?q=serious+medical+condition

Click here for the cheapest insurance around!
[filler page text]

(every third-party resource on this page, the ad included, receives the full page URL, query string and all, in the Referer header; the ad network learns what was searched for)
Referrer policies:
No Referrer (no-referrer)
No Referrer When Downgrade (no-referrer-when-downgrade; the browser default in 2016)
Origin Only (origin)
Origin When Cross Origin (origin-when-cross-origin)
Unsafe URL (unsafe-url)

Referrer-Policy: origin
<meta name="referrer" content="origin">
<a href="http://example.com" referrerpolicy="origin">
(early drafts called the attribute referrer; the name that shipped is referrerpolicy)
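What the Referer header actually carries under each of the five policies, using the search URL from the example, as an added example (Python, written for this transcript; not browser code and not from the slides). The ad host and the second results page are assumptions:

```python
from urllib.parse import urlsplit, urlunsplit


def origin(url):
    """'http://example.com/search?q=x' -> 'http://example.com/'"""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "/", "", ""))


def strip_for_referrer(url):
    """Browsers never send the fragment or userinfo, even under unsafe-url."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referrer_for(policy, source, destination):
    """Return the Referer value to send, or None to omit the header entirely."""
    src, dst = urlsplit(source), urlsplit(destination)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":      # the 2016 default
        return None if downgrade else strip_for_referrer(source)
    if policy == "origin":
        return origin(source)
    if policy == "origin-when-cross-origin":
        return strip_for_referrer(source) if same_origin else origin(source)
    if policy == "unsafe-url":
        return strip_for_referrer(source)
    raise ValueError(f"unknown policy {policy!r}")


# constructed inputs: the slide's search URL plus an ad host and a second results page
SEARCH = "http://example.com/search?q=serious+medical+condition#results"
AD = "http://ads.example/cheap-insurance"
NEXT_PAGE = "http://example.com/search?q=serious+medical+condition&page=2"


def leak_table():
    """Which policies hand the search query to the ad network."""
    return {p: referrer_for(p, SEARCH, AD)
            for p in ("no-referrer", "no-referrer-when-downgrade", "origin",
                      "origin-when-cross-origin", "unsafe-url")}
```

Under the default policy the query reaches the ad network; "origin" and "origin-when-cross-origin" send only http://example.com/, and the latter still gives your own pages the full URL for analytics, which is why it is the usual pick.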
recommendations for users

network.cookie.lifetimePolicy = 3
network.cookie.lifetime.days = 5
network.cookie.thirdparty.sessionOnly = true
network.http.referer.spoofSource = true
privacy.trackingprotection.enabled = true
security.pki.sha1_enforcement_level = 2
security.ssl.errorReporting.automatic = true
Install the EFF's HTTPS Everywhere add-on
recommendations for developers

Use SRI for your external scripts
Set a more restrictive Referrer policy
Consider enabling CSP
Watch out for mixed content
Test your site with Tracking Protection

recommendations for sysadmins

Enable HTTPS and HSTS on all your sites
Use Mozilla's recommended TLS config (the Server Side TLS guidelines)
Test your site periodically using SSL Labs
Questions?

feedback:
[email protected]@w3.org

© 2016 François Marier <[email protected]>
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

photo credits:
cookie: https://secure.flickr.com/photos/jamisonjudd/4810986199/
explosion: https://www.flickr.com/photos/-cavin-/2313239884/
snowden: https://www.flickr.com/photos/gageskidmore/16526354372