Google Releases Web Security Book
northern squirrel writes "As reported by Security Focus, Google had publicly released their 50-page Browser Security Handbook (under a CC BY license, too). To quote, the document is 'meant to provide developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers,' and features a comparison of security features in Internet Explorer, Firefox, Opera, Safari, and — you guessed it — Chrome. Is it a belated Christmas gift to web developers, or just a reaction to recent bad publicity?"
Will be a book about basic HTML authoring; the importance of setting text color when they set the background color, making pages work without JavaScript where there's no requirement for it. Like I said, the basics.
Perhaps then (no disrespect intended to Zalewski) I'll take Google-branded advice seriously.
Because it's a major browser, on a minority desktop environment, on an irrelevant (to the desktop) OS. They didn't mention Net+, Cyberdog, or QNX Voyager either.
Do you even lift?
These aren't the 'roids you're looking for.
There is no question that programming in C and C++ requires skill, and that memory management is an issue, and automatic heap allocation and garbage collection is the popular solution to that issue, but there are no silver bullets, and they are always compromises. It seems to me like everyone is so scared of their tools that they don't even want to learn to use them. They never learn to use an Exacto knife because they never get past those plastic scissors they give you in grade school. At some point one has to take off the training wheels, at least for some projects. For better or worse, the core stuff, the stuff that does the heavy work, has to be written efficiently, and that may mean a human has to code it without over-dependence on the compiler.
Well, let's think about it from the point of view of a regular old user of software and applications, rather than from the viewpoint of chest thumping uber-geeks that insist you're a pussy if you don't use a low level programming language like C or C++.
Would you prefer software that's as fast and lean as possible, but may have a bunch of vulnerabilities (via stack smashing, buffer overruns, etc.)? Then you may prefer applications written in C and C++ and other low level but high danger programming languages.
Or would you prefer software that's slower and fatter, thus requiring more hardware to get equivalent performance, but with fewer vulnerabilities because whole classes of exploits are now extremely unlikely? Then you may prefer applications written in higher level languages such as Java, Python, and JavaScript.
I posit that most users would be better off spending the extra $20 on hardware to run software written in higher level and safer programming languages.
Again, there are no silver bullets. For instance, the Java sandbox is one solution to a security issue. It is not perfect, and its imperfections lead to a false sense of security. It is ok for developers to be sloppy because garbage collection and the sandbox will protect the user. Not true. The real issue is that we are running what are essentially single user standalone apps in multiuser networked contexts, at least in Windows. Of course in *nix there is segregation of processes built from the OS up, which is good. I do believe that such segregation at the user application level has the same benefit. It is a hack to make people feel better. Now, in Chrome there is a side benefit that each page is its own process. We will see how that works out.
Yeah, you hear about stack smashing and buffer overrun exploits in Java programs all the time. Not.
This seems to counteract what they were saying in the first item. C and C++ lead to coding bugs, but using standard complex libraries leads to unexpected behaviour. This is why we use C and C++, because it is simple enough to understand and carries very little useless overhead. Once we start using more complex libraries, we end up with a few functions we use, much more code we do not use, and many side effects we do not understand. I mean do we write everything in C++, and gain understanding, or use a range of technologies to maximize efficiency? If there are bugs in some high level libraries, all we need to do is fix the bug in the library. Is the risk of the library greater than the risk of using a simple language like C?
I've been programming in C for 20 something years now. Just because the language is simple does not mean programming in the language is simple.
When you (as the developer) can't even count on primitive types being the same size all over, it makes writing portable software a huge pain in the ass. It's easy to constantly stumble into undefined behavior, and the compiler won't even warn you.
C and C++ are very, very good at some things, like implementing low level routines where top performance is critical, and low level access to the hardware is required. But for many other programming tasks, they have become completely impractical.
People who actually made the web sites didn't like it because 1) you can't log out, 2) you can't style it to look vaguely related to your site (say, if it's loading in a background tab), 3) it's modal.
Flamebait, really?
Come on, Slashdot. It was meant to give readers a chuckle, while pointing out that excessive use of acronyms that won't be immediately familiar to most readers is a bit silly.
Somebody got out of the wrong side of the bed this morning, didn't they?
How would a new web work, what would it look like? We have very powerful governmental and corporate interests outstanding that would force more of a totally censored and locked down web than what we have now is my best guess. I mean it is sucky now in that regard, but there's still an element of random anarchy there, but any "new" web would probably be rather strict big brotherish, IMO, with a ton of features and software being made illegal or restricted, anything that would facilitate "IP piracy" for example. It might technically work better or be more efficient in moving packets around, but I am afraid it would lose the freewheeling aspects that have made it so popular. But... I don't know either, just guessing, how would you change it and to what? What needs to be dumped, and what needs to be changed or added, do you have any specifics, browsers or otherwise?