Protecting your site and your clients
Site Security Policy
Site Security Policy is an interesting approach that is still in the formative stages . The idea is that a web server hosts a file that specifies how a client should interact with the server, thus preventing unsafe interactions such as cross-site scripting (XSS) attacks or cross-site request forgery attacks. On the client side, there is either built-in support for this standard, or a plugin – available for Firefox – that allows the client to download and parse the policy file before interacting with the web server.
One interesting side effect to this approach is the possibility of having web proxies such as Squid support the standard, in effect protecting all the web clients behind them from potentially unsafe actions at sites that choose to support the Site Security Policy standard.
Web security has no simple solution: No matter how hard we try, the bad guys will either run hostile web servers or compromise other web servers. On the client side, things are basically a disaster. If you are running Linux, however, chances are quite low that you will be targeted, and chances are good that you keep your software up to date because almost all distributions update automatically by default, thus putting you ahead of the game!
By plugging the holes as they are identified and by applying additional security measures – such as NoScript and ModSecurity – you can improve the chances of "healthy" servers and clients staying that way.
Ultimately, this reduces the time and energy you have to spend on repetitive cleanup, which is something everybody wants, anyway.
- NoScript plugin for Firefox: http://noscript.net/
- ModSecurity for Apache: http://www.modsecurity.org/
- Site Security Policy: http://people.mozilla.com/~bsterne/site-security-policy/
Buy this article as PDF
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.
Klaus Knopper announces the latest version of his iconic Live Linux system.
All websites that use these popular CMS tools could be vulnerable to denial of service attacks if users don't install the updates.
According to a report, many potential victims of the Heartbleed attack have patched their systems, but few have cleaned up the crime scene to protect themselves from the effects of a previous intrusion.
DARPA and NICTA release the code for the ultra-secure microkernel system used in aerial drones.
Should you trust an online service to store your online passwords?
New B+ board lets you build cool things without the complication of a powered USB hub.