Security Stack Sheet #102


Word of the Week

“Native Security Defences for the web ecosystem”

Since the advent of modern web applications, such as email clients or document editors accessible in your browser, developers have been dealing with common web vulnerabilities which can expose user data to attackers. While the web platform provides robust isolation for the underlying operating system, the isolation between web applications themselves is a different story. Issues such as XSS, CSRF and cross-site leaks have become unfortunate facets of web development, affecting almost every website at some point in time.
These vulnerabilities are unintended consequences of some of the web’s most wonderful characteristics: composability, openness, and ease of development. Simply put, the original vision of the web as a mesh of interconnected documents did not anticipate the creation of a vibrant ecosystem of web applications handling private data for billions of people across the globe. Consequently, the security capabilities of the web platform meant to help developers safeguard their users’ data have evolved slowly and provided only partial protections from common flaws.

Over the past two years, browser makers and security engineers from Google and other companies have collaborated on the design and implementation of several major security features to defend against common web flaws. These mechanisms, which we focus on in this post, protect against injections and offer isolation capabilities, addressing two major, long-standing sources of insecurity on the web:

  • Trusted Types
  • Content Security Policy based on script nonces
  • Isolation Capabilities
  • Fetch Metadata Request Headers
  • Cross-Origin Opener Policy
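Of the mechanisms listed above, Fetch Metadata request headers are the one a server can act on directly. The following is an added example, not code from the original post or from Google: a resource isolation policy in Node.js that reads the `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-Dest` headers the browser attaches to every request and rejects cross-site requests that cannot be a user following a link. The header values and their meanings follow the Fetch Metadata specification; the middleware signature (Express-style `req, res, next`), the `publicPrefixes` exemption and the sample requests are assumptions constructed for the example.

```javascript
// Resource isolation policy built on Fetch Metadata request headers.
// Added example, not code from the original post. Header semantics follow the
// Fetch Metadata spec; the allow/deny decisions below are the common policy:
// same-site traffic passes, cross-site traffic passes only as a top-level
// navigation that is not a form POST and is not embedding the page.

function isRequestAllowed(method, headers) {
  // Normalise header names: Node's http module lowercases them, other stacks may not.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const site = h["sec-fetch-site"];
  // Browsers without Fetch Metadata support send no header at all. Allow them so
  // the policy does not break old clients; classic CSRF defences must still apply.
  if (site === undefined) return true;

  // Same-origin, same-site and browser-initiated requests (address bar, bookmark).
  if (site === "same-origin" || site === "same-site" || site === "none") return true;

  // Cross-site: allow only simple top-level navigations (GET/HEAD), so deep links
  // from other sites keep working, but not when the destination is an embedding
  // context, which is what clickjacking and many cross-site leaks rely on.
  const mode = h["sec-fetch-mode"];
  const dest = h["sec-fetch-dest"];
  const isNavigation = mode === "navigate" && (method === "GET" || method === "HEAD");
  const embedded = ["object", "embed", "iframe", "frame"];
  if (isNavigation && !embedded.includes(dest)) return true;

  // Everything else cross-site (fetch/XHR, <img>, <script>, frames, form POSTs) is denied.
  return false;
}

// Express-style middleware applying the policy. Paths that must stay reachable
// from other sites (e.g. static assets) are exempted by prefix (assumed layout).
function fetchMetadataMiddleware(publicPrefixes = ["/static/"]) {
  return function (req, res, next) {
    if (publicPrefixes.some((p) => req.url.startsWith(p))) return next();
    if (isRequestAllowed(req.method, req.headers)) return next();
    res.statusCode = 403;
    res.end("Forbidden by resource isolation policy");
  };
}

// Constructed sample requests (not captured traffic), one per interesting case.
const samples = [
  { name: "same-origin XHR", method: "POST",
    headers: { "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty" } },
  { name: "cross-site link click", method: "GET",
    headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document" } },
  { name: "cross-site form POST (CSRF)", method: "POST",
    headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document" } },
  { name: "cross-site iframe (clickjacking / XS-Leak)", method: "GET",
    headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "iframe" } },
  { name: "cross-site image probe (XS-Leak)", method: "GET",
    headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image" } },
  { name: "legacy browser (no Fetch Metadata)", method: "POST", headers: {} },
];

// Returns the policy decision for each constructed sample.
function evaluateSamples() {
  return samples.map((s) => ({ name: s.name, allowed: isRequestAllowed(s.method, s.headers) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluateSamples()) console.log(`${r.allowed ? "ALLOW" : "DENY "}  ${r.name}`);
}

module.exports = { isRequestAllowed, fetchMetadataMiddleware, evaluateSamples };
```

Deploy this in report-only mode first (log the would-be denials instead of returning 403) and watch for legitimate cross-site traffic, such as OAuth callbacks or embedded widgets, that needs an explicit exemption before enforcing.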

The Future
Creating a strong and vibrant web requires developers to be able to guarantee the safety of their users’ data. Adding security mechanisms to the web platform – building them directly into browsers – is an important step forward for the ecosystem: browsers can help developers understand and control aspects of their sites which affect their security posture. As users update to recent versions of their favourite browsers, they will gain protections from many of the security flaws that have affected web applications in the past.
While the security features described in this post are not a panacea, they offer fundamental building blocks that help developers build secure web applications. We’re excited about the continued deployment of these mechanisms across Google, and we’re looking forward to collaborating with browser makers and the web standards community to improve them in the future.

Update on Cloud Native:


The market for cloud IaaS is maturing, but revenue is growing unabated. Gartner projects revenue in the cloud IaaS market to increase to $81.5 billion by 2022, up from $41.4 billion in 2019. But most of the enterprise interest and revenue are currently directed toward two providers: AWS and Microsoft. The market views both AWS and Microsoft as being general-purpose providers capable of supporting a broad range of workloads. Google is making steady progress in terms of enterprise adoption, but it remains in a distant third place in terms of overall annual revenue and interest among Gartner’s enterprise clients. All other vendors in this market are forced to focus on regional dominance or niche workloads given the momentum of AWS and Microsoft, and the scale at which they operate. Examples of regional and niche-focused vendors are Alibaba and Oracle. Alibaba dominates the market for cloud IaaS in China, and Oracle is, naturally, mostly focused on Oracle workloads as it attempts to scale in the process of rebooting its cloud endeavours. Lastly, IBM remains in a precarious position due to being slow to improve its cloud IaaS offerings, which are ultimately not competitive with the market leaders.



Word of the Week Special

“Shadow Attacks”

Hiding and Replacing Content in Signed PDFs (July 2020)

In the analogue world, handwritten signatures are typically added at the end of the document. This has one major downside: it is possible to exchange all pages before the signed page with arbitrary content. This exchange should be impossible when using digital signatures, because a digital signature protects the entire content of a document. So it is assumed that such an attack from the analogue world cannot be transferred to digital signatures; the Shadow Attacks paper shows that, for signed PDFs, it can.




Strong reject – rough peer review

Where is the theorem in this paper? STRONG REJECT.



Thanks to Mithun




Thread HERE


Crypto challenge of the week

./ OOO archive | DEF CON CTF
A live, playable archive of DEF CON CTF challenges





  • May 25th 2018: Over 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius

The Schrems II Decision

The Court of Justice of the European Union has finally issued its decision in Facebook Ireland Ltd. v. Maximillian Schrems, otherwise known as Schrems II.

The result: the EU-US Privacy Shield Framework is invalid. The Standard Contractual Clauses remain valid, but the data exporter must verify, case by case, that the law of the destination country does not undermine the protection they promise. Ultimately, this means that it is still possible to transfer personal data from the EU to the US, but the US no longer enjoys the special arrangement it had under Privacy Shield. The US is now treated like any other third country.




  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective. Link HERE
  • Now: TLS 1.2 is the minimum for proper security; HTTPS everywhere HERE
  • Do not delay the TLS 1.2 migration later than June 2020, or a few things will stop working! [Browsers, Office 365, Cisco and many others]
  • January 2020 – Qualys SSL Labs rates a server that still offers TLS 1.0 as B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit finalised?
  • 1st of July 2021 – Freedom from viruses?

“Covid stats”

It is nothing new that Covid-19 forced many organisations around the world to quickly adopt the “work from home” model, which in turn resulted in an increased number of machines offering remote access services and protocols reachable from the internet.


Trials of a vaccine and new drug raise hope of beating covid-19


The true true truth


  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications, and its use is disallowed after 2023 (NIST SP 800-131A) HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • Flash End-of-Life is December 31, 2020
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1


Book of the month


Cipher Newsletter



Comic of the week

All Data Is Wrong - Dilbert by Scott Adams


##Some OWASP stuff first
