Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Releases Web Security Book

Posted by CmdrTaco on from the posted-from-my-own-chair dept.

northern squirrel writes "As reported by Security Focus, Google had publicly released their 50-page Browser Security Handbook (under a CC BY license, too). To quote, the document is 'meant to provide developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers,' and features a comparison of security features in Internet Explorer, Firefox, Opera, Safari, and — you guessed it — Chrome. Is it a belated Christmas gift to web developers, or just a reaction to recent bad publicity?"

10 of 49 comments (clear)

  1. HTTP authentication by sakdoctor · · Score: 4, Interesting

    What the hell happened to http authentication anyway? I'm oblivious to the history, but we have basic and digest, both suck so everyone uses cookies instead.
    Why don't we have something more modular where new hashes can be plugged in over time, and maybe negotiate down to md5 for older agents.

    1. Re:HTTP authentication by porneL · · Score: 2, Interesting

      It has been discussed recently on HTML5 WG.

      Browsers' UI for HTTP authentication so far is absolutely awful, and there's no standard mechanism for logging out.

      Although HTTP Digest authentication does offer slighly better security than cookies, HTTP authentication is helpless against any MITM attacks.

      There have been proposals to give HTML forms front-end for HTTP authentication, but they haven't gone anywhere, since there is little to gain (same UI as cookie-based auth, negligible security improvement) and backwards compatibility is poor.

  2. shttp by hey · · Score: 4, Interesting

    The document mentions shttp which I have never heard of before
    http://www.ietf.org/rfc/rfc2660.txt
    I wonder what's its used for.

  3. Open browser engineering issues by fermion · · Score: 3, Interesting
    Just perusing the report, I found this section interesting.

    Relatively unsafe core programming languages
    There is no question that programming in C and C++ requires skill, and that memory management is an issue, and automatic heap allocation and garbage collection is the popular solution to that issue, but there is no silver bullets, and they are always compromises. It seems to me like every is so scared of they tools that they don't even want to learn to use them. They never learn to use an Exacto knife because they never get past those plastic scissors they give you in grade school. At some point one has to take off the training wheels, at least for some projects. For better or worse,the core stuff, the stuff that does the heavy work, has to be written efficiently, and that may mean a human has to code it without over-dependence on the compiler.

    No security compartmentalization
    Again, there are no silver bullets. For instance, the Java sandbox is one solution to a security issue. It is not perfect, and it's imperfections lead to a false sense of security. It is ok for developers to be sloppy because garbage collection and the sandbox will protect the user. Not true. The real issue is that we are running what are essentially single user stand alone apps in multiuser networked contexts, at least in Windows. Of course in *nix there is segregation of processes built from the OS up, which is good. I do believe that such segregation at the user application level has the same benefit. It is a hack to make people feel better. Now, in chrome there is a side benefit that each page is it's own process. We will see how that works out.

    Web technologies are used in browser chrome:
    This seems to counteract what they were saying in the first item. C and C++ leads to coding bugs, but using standard complex libraries leads to unexpected behaviour. This is why we use C and C++, because it is simple enough to understand and carries very little useless overhead. Once we start using more complex libraries, we end up with a few functions we use, much more code we do not use, and many side effects we do not understand. I mean do we write everything in C++, and gain understanding, or use a range of technologies to maximize efficiency? If there are bugs in some high level libraries, all we need to do is fix the bug in library. Is the risk of the library greater than the risk of using a simple language like C?

    The rest of this just seem like subjective opinions of design. In terms of setting, I almost prefer about:config to any of the GUI stuff. The last item about data storage is important, but again is an OS issue. Each application should have a predefined space in the user directory to store files. If any application can store anything to anywhere on the disk, even outside the user directory, that is not a browser issue.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re:Open browser engineering issues by hey · · Score: 5, Interesting

      But C/C++ is changing. Memory randomization makes many attacks impractical, for example. So you get something as safe as Java but faster.

  4. # Written and maintained by Michal Zalewski lcamt by EddyPearson · · Score: 2, Interesting

    # Written and maintained by Michal Zalewski .

    Couldn't have chosen a better person in my opinion. http://lcamtuf.coredump.cx/

    --
    You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
  5. A modest proposal by Anonymous Coward · · Score: 1, Interesting

    New tagline: Slashdot -- Google news for nerds, Google stuff that matters.

    Yes, this is on topic. However, the article is yet another in a long line of Slashvertisements for Google. Can we all just agree that the IT world does not revolve around Google, and even if it did, that would be a very dangerous thing to promote?

    1. Re:A modest proposal by FlyingGuy · · Score: 3, Interesting

      Well, at some point I could agree with you, but not in this case.

      This document painfully illustrates the truly hosed nature of the web and most browsers in particular from a security POV, chrome included.

      The web in it's current form is one massive kludge piled on top of a pretty good idea.

      The time is long passed due to take what is there, screw backwards compatibility and rebuild it correctly.

      --
      Hey KID! Yeah you, get the fuck off my lawn!
  6. Password Manager Section Entry Correction? by Czmyt · · Score: 2, Interesting

    For the password manager model in MSIE7, didn't they change it from IE6 so that you can click on a user name field and it will display a drop-down list with all of the recorded passwords? In some ways, that made it better than Firefox and the other browsers that automatically fill in recorded fields on page load. In IE6 you did not really need to know the complete user name either, just the first letter of the user name, which was a not as good as how they made it work in IE7.

  7. Re:how many pages? by RockDoctor · · Score: 2, Interesting
    cbiltcliffe suggested that

    The last 10 pages are just full of browser, Flash, PDF and Javascript exploits....

    But I think the 50/60 page difference could easily be because one version was printed on A4 with margins suitable for US-Letter size paper. Which would imply that GoogleHQ are using the US-size paper, and paying the 20% extra because of it. I've recently been having to work in a mixed US and european environment (US-configured software, installed on a Hebrew-US defaulted OS on machines locally-sourced, and printing to locally-sourced printers which use the normal A4 paper. What a fucking mess.

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"