Google’s Browser Security Handbook
Don Kiely explores Google's new Browser Security Handbook, and guarantees it will open your eyes.
October 30, 2009
Exploring ASP.NET & Web Development
By Don Kiely
Google has released a Browser Security Handbook, a great new resource for Web developers and designers who are concerned about security. (And who isn't?)
Written by Google's Michal Zalewski, the handbook is a nice reference to the key security properties of modern Web browsers. It's often hard to find these kinds of details about various browsers, so having them in one place is convenient. "This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers," the author says in the introduction. "Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities. Although all browsers implement roughly the same set of baseline features, there is relatively little standardization or conformance to standards when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems." Ain't that the truth!
The handbook is presented in three parts. The first part, "Basic Concepts Behind Web Browsers," covers Web browser technologies as they impact security. There is a mix of history and technical details that is sometimes a bit thick to slog through, but the information is useful to lay a foundation for understanding browser security issues.
The second part, "Standard Browser Security Features," is the meat of the document and the longest section by far. It covers a variety of browser properties with a moderate amount of detail about each feature. Most sections don't go into huge depth on any topic, but there is enough there to whet your appetite, as well as links to more information.
The third and final part, "Experimental and Legacy Security Mechanisms," is interesting. It covers features implemented in various browsers that other browsers didn't adopt, as well as some experimental technologies that may come out with future versions of browsers. I found it interesting that it covers IE's zone security model and some of its shortcomings. I always found it a bit of a pain to add a site to the trusted zone, which makes the browser more susceptible to cross-site scripting attacks and other vulnerabilities.
There are several sections that cover same-origin policies. I have to admit that there was a lot more to this topic than I ever knew or dreamed of. The handbook explores the topic exhaustively, looking at how the policy applies to the document object model, the XMLHttpRequest object, cookies, and various other browser technologies, each of which draws its origin boundary a little differently. The details again get a bit thick here, but are still way better than a typical Internet RFC document! One of the most valuable parts of the handbook is the detailed comparisons of various classes of browser features. These tables list whether a particular security-related feature is available in each browser, along with some light details. The tables include IE 6 and 7, Firefox 2 and 3, Safari, Opera, Google Chrome, and Android, with space for IE 8 once it is released.
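As an added illustration of the point above (example code written for this review, not taken from the handbook and not any browser's implementation), the following JavaScript contrasts the two "same origin" notions the handbook's DOM/XMLHttpRequest and cookie sections describe: the DOM and XMLHttpRequest compare the full scheme/host/port tuple, while cookies are scoped by host or domain and path only, ignoring scheme and port. The `URL` class is assumed (available in Node.js and modern browsers); the hostnames, the cookie and the scenario are constructed for the example.

```javascript
// Added example: origin comparison as the DOM/XMLHttpRequest apply it,
// beside cookie scoping, which ignores scheme and port. The WHATWG URL
// class is assumed; example.com and the cookie below are constructed.

function originOf(urlString) {
  const u = new URL(urlString);
  // u.port is "" for the scheme's default port, so normalize it explicitly.
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return { scheme: u.protocol.replace(':', ''), host: u.hostname, port };
}

// The check the DOM and XMLHttpRequest apply: all three components must match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cookie domain scope: a host-only cookie matches the exact host; a cookie
// with a Domain attribute also matches subdomains. Port and scheme play no part.
function cookieDomainMatches(cookieDomain, hostOnly, requestHost) {
  if (hostOnly) return requestHost === cookieDomain;
  return requestHost === cookieDomain || requestHost.endsWith('.' + cookieDomain);
}

// Cookie path scope: the cookie path must prefix the request path at a '/'
// boundary, so Path=/app matches /app/x but not /application.
function cookiePathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would a cookie with these attributes be attached to a request for urlString?
function cookieSentTo(cookie, urlString) {
  const u = new URL(urlString);
  if (cookie.secure && u.protocol !== 'https:') return false;
  return cookieDomainMatches(cookie.domain, cookie.hostOnly, u.hostname) &&
         cookiePathMatches(cookie.path, u.pathname);
}

// Constructed scenario: a session cookie set by an http app on example.com:8080.
const sessionCookie = { name: 'sid', domain: 'example.com', hostOnly: true, path: '/', secure: false };

function demo() {
  return {
    // A different port is a different origin for the DOM and XMLHttpRequest...
    xhrSameOrigin: sameOrigin('http://example.com:8080/app', 'http://example.com/app'),
    // ...but the cookie is still sent across ports and schemes.
    cookieToOtherPort: cookieSentTo(sessionCookie, 'http://example.com/'),
    cookieToHttps: cookieSentTo(sessionCookie, 'https://example.com/'),
    // A host-only cookie does not reach a subdomain.
    cookieToSubdomain: cookieSentTo(sessionCookie, 'http://www.example.com/'),
  };
}
```

The practical consequence is the one the handbook's tables make visible: an application that isolates itself from a neighbour on another port of the same host still shares that neighbour's cookies, so the Secure flag and careful Domain and Path attributes matter even where script isolation looks sound.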
Frankly, it starts becoming clearer why IE seems to have so many things against it. I'm sure Microsoft has plenty of good reasons for doing things the way they do, perhaps to enable enterprise features in the browser, but it reinforces my use of Firefox as my main browser. For now, anyway. That's not to say that all the other browsers don't have a lot of potential security vulnerabilities. In fact, you can pretty quickly scan the handbook for red and green text in the browser comparison tables. Green means that the particular risks are well understood and the browser authors have taken additional steps to mitigate potential problems. Red calls attention to browser properties that seem particularly tricky or unexpected, and Web sites need to be aware of the risks. Even features of Google's own Chrome browser show up with red flags far too often, which lends some credibility to the handbook.
By publishing this information, Google is making it more widely and conveniently available to Web developers to help make the Web a safer place (in line with Google's "Don't be evil" philosophy). It is also a rich resource for those of us who must develop applications that work with a variety of browsers, particularly to make them secure. Unfortunately, like other such resources, it will probably provide a rich source of ideas for hackers and crackers to devise new attacks.
The handbook is a work in progress, implemented as a wiki with restricted rights to edit. There are incomplete sections that must be fleshed out, and no doubt flaws will be found over time. And, of course, the security landscape is constantly changing. This isn't a community project (yet), but Google does provide a large suite of test cases you can use to explore browser security. Unfortunately, there isn't yet a printable version, but with just three wiki pages it isn't all that hard to print something. The document is changing so fast in its infancy that there are no immediate plans to provide a printable version.
The project is hosted on Google's Code site, so it has various support features to make it easy to access project resources and report issues. If you create Web sites and care at all about the security of your server, data, and your users' computers, I strongly suggest you check out this great new resource from Google. It's not perfect, but I guarantee it will open your eyes to the threats you face.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.