Professional Documents
Culture Documents
Enigma16 Slides Heiderich
Enigma16 Slides Heiderich
1 of 45
Here is Alice.
She wants to write an encrypted message.
And send it to Bob.
�
This is my company
2 of 45
Here is Bob.
He wants to be able to read what Alice has to write.
About NASCAR.
�
That's nothing to be ashamed about.
But still privacy-relevant for many!
We do really
3 of 45 good pentests
Both Bob and Alice
want to exchange encrypted mails
with each other.
� ✉️ �
But I guess you
know that already
4 of 45
Bob and Alice both use, let's call it... “ElectronMail”.
�⚡️ ✉️ ⚡️�
You probably know
what I am referring to.
5 of 45
“ElectronMail” is great.
�🔑⚡️ ✉️ ⚡️🔑�
6 of 45
Unless that person is really good at mathematics
7 of 45
“ElectronMail” chose a very smart approach.
�🔐�
8 of 45
The next day, both Bob and Alice
receive an encrypted mail from Mallory.
�💣👱💣�
9 of 45
Mallory not only gets access to all mails Bob and Alice have
exchanged in the past...
�👱�
10 of 45
Mallory isn't overly great at mathematics.
⚛✖ 👱
11 of 45
Mallory is pretty good at HTML and JavaScript.
👱 �✔ There. Cyber.
I said it.
12 of 45
Mallory made use of a classic Cross-Site Scripting attack
and smuggled executable client-side code
into the message she sent out.
�☣👱☣�
13 of 45 Remember, when folks said “XSS is lame”?
Pepperidge Farm remembers!
It was harder for Mallory
to do that kind of thing in the past.
� 👮� �
14 of 45
But with encryption in the browser, those days are over.
The server can no longer see,
if there is anything bad in the mail body.
� 👮� �
15 of 45
Damn you, encryption!
�👱�
16 of 45
Damn you, encryption!
�👱�
17 of 45
Let's isolate our initial problem.
�👮 � 👮�
18 of 45
And browsers surely give us the right tools for that, correct?
�👮 � 👮�
19 of 45
Well, sadly, they do not.
�👮 � 👮�
20 of 45
You will now jump up and start screaming.
😠😩 😡😱 😤😠
That's Mike West!
21 of 45
But the more you look at those features,
the more you realize that they come close to solving our problem
😐😐 😐😐 😤😐
Trust me, I am a Doctor.
I have butter on my bread
22 of 45
Just because of that.
We are missing something that does,
what the servers did in the past.
😶😶 😶😶 😐😶
23 of 45
Well, we kinda do. It's called toStaticHTML()
and it does exactly that.
😍😉 😌😒️ 😐😋
24 of 45
Mike is not amused.
But it's only available in MSIE.
😶😶 😶😶 😐😶
25 of 45
So, I created it.
Throw out the bad, leave in the good. Return a sane result.
😶😶 😶😶 😐😶
26 of 45
The browser DOM and it's really messy properties were one of
the biggest problem here.
😶😶 😶😶 😐😶
27 of 45
But we believe to have them solved
and haven't received a bypass in months.
😍😌 😇😒️ 😐😍
28 of 45
Many websites already use DOMPurify and are happy with it.
They had the same problem and guess how even they solved it.
That's right, DOMPurify.
😍😍 😇😒️ 😐😍
29 of 45 There's several 100M users
protected by our library by now
So. Is our problem already solved?
😍😌 😇😒️ 😐😍
30 of 45
Am I the savior of souls, the bringer of security, the knight in
shining armor, slaying the XSS dragon?
😇 🔨�
😐😐 😐😒️ 😐😐
31 of 45
Hell no!
Because now we have a well working library. But that gives us a
trust problem. You have to trust me!
😲😲 😲😲 😨😲
32 of 45
What if I turn rogue?
And release an update with a back-door?
�👿�
😨😭 😱😡 😨😨
33 of 45
I have been writing XSS exploits for the last ten years.
👿
34 of 45
😨😨 😨😨 😨😨
Of course I would never do that. Right?
👿
😅😅 😅😅 😅😅
35 of 45
Riiight?
👿
😨😨 😨😨 😨😨
36 of 45
Or would I?
“God I LOVE Money!
Mmmmmmmoney! Aaah..”
��� 👿
😨😨 😨😨 😨😨
37 of 45
And now what.
38 of 45
👷🔓👮
We need a specification and implement DOMPurify
inside browsers!
🙌💡🙌
39 of 45
We need to specify what DOMPurify does and implement it
Inside the browsers' core.
👷💡👮
40 of 45
Now, you might point at me with your finger and ask
- why don't you write the specification then?
😐😐 😐😠 😐😐
41 of 45
Why don't YOU write the specification!
We already did the hard work, identified the problem,
proposed solutions...
42 of 45
😲😲 😲😲 😲😲
Now, it's not just my but OUR turn.
😲😃 😉😋 😉😍
43 of 45
Let's make all the “ElectronMails” and other tools much safer
and implement XSS protection where it belongs.
44 of 45
😃😃 😃😃 😉😃
And that concludes my presentation.
😍😍 😘😍 😍😍
45 of 45