Web site users face new and evolving threats nowadays, ranging from clickjacking and JSON injection to likejacking, among others. Companies like Google, Mozilla and Microsoft have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of these attacks are not well understood by application developers, and so they are not using the new secure headers supported by current browsers. This is either due to ignorance or in order to keep supporting older, insecure browser versions such as old releases of Internet Explorer.
In this talk we will walk through what these attacks are, how the various security headers protect web application users, and what the current state of browser compatibility is.
We will show attacks that work against users of older, insecure browsers and how they are rendered ineffective in the new breed of browsers that understand the new set of secure headers. We will also make a strong case for upgrading all internet users from older, insecure browsers to the newer versions.
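The abstract does not name the individual headers. As an added example (not code from the talk or its authors), the script below audits a response for the protections a defender would look for when checking whether a site has actually deployed them: a framing restriction against clickjacking (X-Frame-Options, or a Content-Security-Policy frame-ancestors directive), X-Content-Type-Options: nosniff, and Strict-Transport-Security. The choice of these headers and both sample responses are my assumptions, constructed for illustration; the talk may cover a different set.

```python
"""Audit an HTTP response's security headers for the defences discussed above.

Added example, not part of the talk abstract.  Which headers the abstract
refers to is an assumption; the two sample responses below are constructed.
"""
from typing import Dict, List


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so lower-case them for lookup."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def csp_directives(csp: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source list]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def framing_protected(headers: Dict[str, str]) -> bool:
    """True if the page may not be framed by arbitrary sites (anti-clickjacking).

    Only DENY / SAMEORIGIN are counted for X-Frame-Options; the old ALLOW-FROM
    form was never supported consistently across browsers, so it is ignored.
    A CSP frame-ancestors directive is honoured unless it permits '*'.
    """
    h = _norm(headers)
    if h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"):
        return True
    ancestors = csp_directives(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        return "*" not in ancestors
    return False


def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value, 0 if absent/invalid."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit(headers: Dict[str, str]) -> Dict[str, bool]:
    """Map each defence to whether the response enables it."""
    h = _norm(headers)
    return {
        "clickjacking": framing_protected(headers),
        "mime_sniffing": h.get("x-content-type-options", "").lower() == "nosniff",
        "transport": hsts_max_age(h.get("strict-transport-security", "")) > 0,
    }


def missing(headers: Dict[str, str]) -> List[str]:
    """Names of the defences the response does not provide, in audit() order."""
    return [name for name, ok in audit(headers).items() if not ok]


# Constructed sample responses: a legacy site and one that sends the headers.
LEGACY_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=example",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, resp in (("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp), "missing:", missing(resp))
```

Running the script reports every defence missing for the legacy response and none for the hardened one. Note that the audit only tells you the headers are sent; whether a given user is protected still depends on their browser honouring them, which is the compatibility point the talk makes.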
The talk will include talking points that security folks can use in their internal discussions to make the case for upgrading to new, secure browsers.