Exploring ASP.NET & Web Development
Google's Browser Security Handbook
By Don Kiely
Google has released a Browser Security Handbook, a great new resource for Web developers and designers who are concerned about security. (And who isn't?)
Written by Google's Michal Zalewski, the handbook is a nice reference to the key security properties of modern Web browsers. It's often hard to find these kinds of details about various browsers, so having them in one place is convenient. "This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers," the author says in the introduction. "Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities. Although all browsers implement roughly the same set of baseline features, there is relatively little standardization or conformance to standards when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems." Ain't that the truth!
The handbook is presented in three parts. The first part, Basic Concepts Behind Web Browsers, covers Web browser technologies as they impact security. There is a mix of history and technical details that is sometimes a bit thick to slog through, but the information is useful to lay a foundation for understanding browser security issues.
The second part, Standard Browser Security Features, is the meat of the document and the longest section by far. It covers a variety of browser properties with a moderate amount of detail about each feature. Most sections don't go into huge depth on any topic, but there is enough there to whet your appetite, as well as links to more information.
The third and final part, Experimental and Legacy Security Mechanisms, is interesting. It covers features implemented in various browsers that other browsers didn't adopt, as well as some experimental technologies that may come out with future versions of browsers. I found it interesting that it covers IE's zone security model and some of its shortcomings. I always found it a bit of a pain to add a site to the trusted zone, and doing so makes the browser more susceptible to cross-site scripting attacks and other vulnerabilities.
There are several sections that cover same-origin policies. I have to admit that there was a lot more to this topic than I ever knew or dreamed of. The handbook explores the topic exhaustively, looking at how the policy applies to the document object model, the XMLHttpRequest object, cookies, and various other browser technologies. The details again get a bit thick here, but are still way better than a typical Internet RFC document! One of the most valuable parts of the handbook is the detailed comparisons of various classes of browser features. These tables list whether a particular security-related feature is available in each browser, along with some light details. The tables include IE 6 and 7, Firefox 2 and 3, Safari, Opera, Google Chrome, and Android, with space for IE 8 once it is released.
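The reason the handbook needs separate sections for the DOM, XMLHttpRequest and cookies is that the browser applies different origin rules to each. The example below is added here to make that concrete; it is my own Node.js code, not code from the handbook or from the column's author, and the URLs and cookie attributes in it are constructed sample input. It models the strict (scheme, host, port) tuple check that governs DOM access and XMLHttpRequest, next to the weaker host-and-path scoping of cookies, which ignores the port entirely and only honours the scheme through the Secure attribute. The function names (originOf, sameOrigin, cookieScope, cookieSentTo) are my own.

```javascript
// Added example: two origin models that live side by side in every browser.
// Runs stand-alone under Node.js (uses the global WHATWG URL class only).

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// DOM / XMLHttpRequest same-origin policy: scheme, host and port must all
// match. A missing port is filled in with the scheme's default so that
// http://example.com and http://example.com:80 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cookie scoping (RFC 6265 rules): host plus path only, no port.
// `setBy` is the URL of the response that set the cookie; `attrs` carries
// the optional Domain / Path / Secure attributes from the Set-Cookie header.
function cookieScope(setBy, attrs = {}) {
  const u = new URL(setBy);
  const domain = attrs.domain ? attrs.domain.replace(/^\./, "").toLowerCase() : null;
  return {
    domain: domain || u.hostname.toLowerCase(), // host-only cookie if no Domain
    hostOnly: !domain,
    path: attrs.path || defaultPath(u.pathname),
    secure: Boolean(attrs.secure),
  };
}

// RFC 6265 section 5.1.4: the default path is the directory of the request
// path, or "/" when the request path has no directory component.
function defaultPath(pathname) {
  const idx = pathname.lastIndexOf("/");
  return idx <= 0 ? "/" : pathname.slice(0, idx);
}

// Would the browser attach a cookie with this scope to a request for `requestUrl`?
function cookieSentTo(scope, requestUrl) {
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();
  const hostMatch = scope.hostOnly
    ? host === scope.domain
    : host === scope.domain || host.endsWith("." + scope.domain);
  // Path match: equal, or cookie path is a prefix ending at a "/" boundary.
  const pathMatch =
    u.pathname === scope.path ||
    (u.pathname.startsWith(scope.path) &&
      (scope.path.endsWith("/") || u.pathname[scope.path.length] === "/"));
  // Scheme only matters when the cookie was flagged Secure; port never does.
  const schemeOk = !scope.secure || u.protocol === "https:";
  return hostMatch && pathMatch && schemeOk;
}

// Constructed sample: a session cookie set by an app on a non-default port.
function demo() {
  const session = cookieScope("http://example.com:8080/app/login", {});
  return {
    // DOM/XHR: a different port is a different origin ...
    xhrCrossPort: sameOrigin("http://example.com:8080/app/", "http://example.com/app/"),
    // ... but the cookie still travels to the other port.
    cookieCrossPort: cookieSentTo(session, "http://example.com/app/data"),
    // A plain (non-Secure) cookie also leaks from https to http requests.
    cookieToHttps: cookieSentTo(session, "https://example.com:9443/app/"),
  };
}

console.log(demo());
```

The takeaway the handbook spells out, and the demo shows, is that script on http://example.com:8080 cannot read a document from http://example.com:80, yet the cookies it sets are sent to both ports, so a low-privilege service on an odd port of the same host can plant or overwrite cookies for the main site.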
Frankly, it starts becoming clearer why IE seems to have so many things against it. I'm sure Microsoft has plenty of good reasons for doing things the way they do (perhaps to enable enterprise features in the browser), but it reinforces my use of Firefox as my main browser. For now, anyway. That's not to say that all the other browsers don't have a lot of potential security vulnerabilities. In fact, you can pretty quickly scan the handbook for red and green text in the browser comparison tables. Green means that the particular risks are well understood and the browser authors have taken additional steps to mitigate potential problems. Red calls attention to browser properties that seem particularly tricky or unexpected, and Web sites need to be aware of the risks. Even features of Google's own Chrome browser show up with red flags far too often, which lends some credibility to the handbook.
By publishing this information, Google is making it more widely and conveniently available to Web developers to help make the Web a safer place (in line with Google's "Don't be evil" motto). It is also a rich resource for those of us who must develop applications that work with a variety of browsers, particularly to make them secure. Unfortunately, like other such resources, it will probably provide a rich source of ideas for hackers and crackers to devise new attacks.
The handbook is a work in progress, implemented as a wiki with restricted rights to edit. There are incomplete sections that must be fleshed out, and no doubt flaws will be found over time. And, of course, the security landscape is constantly changing. This isn't a community project (yet), but Google does provide a large suite of test cases you can use to explore browser security. Unfortunately, there isn't yet a printable version, but with just three wiki pages it isn't all that hard to print something. The document is changing so fast in its infancy that there are no immediate plans to provide a printable version.
The project is hosted on Google's Code site, so it has various support features to make it easy to access project resources and report issues. If you create Web sites and care at all about the security of your server, your data, and your users' computers, I strongly suggest you check out this great new resource from Google. It's not perfect, but I guarantee it will open your eyes to the threats you face.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.