Google Browser Security Handbook - An Overview
By Angsuman Chakraborty, Gaea News NetworkThursday, January 1, 2009
Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities
That is what Google’s Michael Zalewski, who also worked on Chrome, Ratproxy and numerous other web security tools had to say while publishing Google Browser Security Handbook. This book is completely free and is licensed under the very liberal Creative Commons License that allows the distribution and modification, provided the original author is mentioned. Browser security has been an ongoing problem over the years. This book is well- documented and targeted towards web developers, browser engineers and information security researchers.
Basic Overview
The BSH gives a basic insight into HTML, HTTP, Javascript and the construction of URL’s. In addition, it explains web browser security features, for example, how they handle cookies and deal with websites that use components from different servers. I have read it and found it extremely useful in some cases. They have particularly worked upon the concept of clickjacking, which gives an attacker the ability to trick a user into clicking where the attacker wants on a site.Another very interesting part is the comparisons of different browsers, such as IE7, Mozilla 2, 3, Google Chrome, Apple Safari and etc, with respect to features.
Served by 8 other developers in this particular project Michael Zalewski has done a thorough work. You should give it a look too.
The book
The book is comprised of three main parts.
- Part 1: Basic concepts behind web browsers
This part deals with URLs, True URL, Pseudo URL, HTTP, HTML, CSS encodings, DOM, javascripts etc.
Read more - Part 2: Standard browser security features
This is perhaps the most important part of the book as it talks about network related vulnerabilities, 3rd party cookie issues, disrupting javascripts, other DOM XML related points.
Read more - Part 3: Experimental and legacy security mechanisms
This part mainly discusses about HTTP authentications, Microsoft Internet Explorer models and filtering issues, Mozilla Firefox and its security techniques. Again, the open browser engineering systems have got a separate chapter which is interesting if you want to know in depth.
Read more
Conclusion
This is a very good idea to share such a detailed handbook on security issues which have never been discussed thoroughly till now. But in many cases, Google Chrome has been shown an unworthy competitor to Mozilla Firefox. I wonder why is that. What is Google’s idea behind de-projecting a product of theirs. Is it too honest to feel otherwise? Anyway, I shouldn’t read between the lines that much. But what about you?
Tags: Cases, Google, Google Browser Handbook, Google browser security handbook