"Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware."
"After a few months of back and forth, the first stage of our HTTP Header research is now live on the Shodan website."
Although the Firefox team has an entire page on the mozilla.com website dedicated to the new security features in Firefox 4, they seem to have forgotten to mention HTTP Strict Transport Security (HSTS).
Microsoft says the vulnerability used by researcher Stephen Fewer to exploit Internet Explorer 8 has already been fixed in the RC and RTM versions of Internet Explorer 9.
Research in Motion’s recent decision to add a WebKit browser to BlackBerry has immediately backfired.
Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.
Here are a few observations regarding some browsers and their SSL/TLS implementations.
A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple’s Safari browser to win this year’s Pwn2Own hacker challenge.
Using three different vulnerabilities and clever exploitation techniques, Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win this year’s CanSecWest hacker challenge.
It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process.
Modern browsers are incredibly complex beasts, pushed well beyond their intended limits - and in that capacity, broken in more ways than we can imagine. We are only beginning to scratch the surface of all the design problems ahead of us - say, new and unexpected classes of UI vulnerabilities - but even within the bounds of what we understand and know how to fix, some fascinating and very human discourse patterns emerge... and will ultimately shape the future of the web.
" am happy to announce the availability of cross_fuzz - an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market - many of said bugs exploitable - and is still finding more. "
"Exploit code for the vulnerability has been added to the Metasploit tool and a video has been posted to provide a demo of the severity."
"Brian Kennish traded his job at Google for a table at Starbucks, where he works on his privacy software called Disconnect."
Click in to find related links.