<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Bites of Apple &#187; browser</title>
	<atom:link href="http://www.bitesofapple.com/tag/browser/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bitesofapple.com</link>
	<description>Fresh news and solutions for small business. By Ron Seybold</description>
	<lastBuildDate>Thu, 02 Feb 2012 18:21:38 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>The Tangled Web helps secure browser-based apps</title>
		<link>http://www.bitesofapple.com/2012/01/06/the-tangled-web-helps-secure-browser-based-apps/</link>
		<comments>http://www.bitesofapple.com/2012/01/06/the-tangled-web-helps-secure-browser-based-apps/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 23:15:30 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[CSS]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=1204</guid>
		<description><![CDATA[Review by Steve Hardwick A recent survey by Veracode in December 2011 found that more than 80 percent of approximately 10,000 web applications examined failed security testing. This data shows that web applications provide a fertile ground for hackers to launch their malware. Obviously web developers still have some work to do to make [...]]]></description>
			<content:encoded><![CDATA[<p>Review by Steve Hardwick</p>
<div id="attachment_1205" class="wp-caption alignright" style="width: 190px"><a href="http://www.bitesofapple.com/wp-content/uploads/2012/01/TangledWeb.gif"><img class="size-full wp-image-1205 " style="margin: 10px;" title="TangledWeb" src="http://www.bitesofapple.com/wp-content/uploads/2012/01/TangledWeb.gif" alt="" width="180" height="238" /></a><p class="wp-caption-text">No Starch Press, November 2011, 320 pp., $49.95</p></div>
<p>A recent survey by Veracode in December 2011 found that more than 80 percent of approximately 10,000 web applications examined failed security testing. This data shows that web applications provide a fertile ground for hackers to launch their malware. Obviously web developers still have some work to do to make their applications secure. <em>The Tangled Web</em> by Michal Zalewski is targeted toward web application developers and security professionals who have a solid understanding of the web and browser operations at an operational level. The author goes into fairly technical detail, assuming that the reader has the necessary skills to understand the technology discussed.</p>
<p>After an introductory chapter outlining some security fundamentals, the book is split into three parts. The first part covers browser and web technologies, with specific attention paid to vulnerabilities and how they came to be part of the infrastructure. The second part covers browser security and highlights some of the ways to mitigate the inherent holes in the current technology. The final portion covers some of the new vulnerabilities that are expected to arrive in the near future. With a couple of exceptions, most chapters conclude with a security engineering cheat sheet. This gives a summary of the topics covered in the chapter and serves as a guide to implementing some of the technology discussed. It provides a useful quick reference to the book's contents after the reader has completed a read-through, and it can be used as a design aid on future projects.</p>
<p>Part One goes into some depth on the various technologies used by browsers, both their inherent operating infrastructure and the services used over the web. Attention is paid to areas of the technology that are open to exploitation. In many cases the author outlines how some of the weaknesses came into being and provides a good view into the difficulty of building this technology. Part One is broken down into chapters that cover the different pieces of the browser function. Both internal processes (HTML and CSS parsing, for example) and external processes (HTML and URL parsing) are reviewed. Two chapters cover the additional programming capabilities of the browser, namely JavaScript and plug-ins. Throughout this section many examples are given of how the vulnerabilities can be exploited, giving the reader a better understanding of how a hacker would go about using these weaknesses. In some cases a chapter has a limited discussion of its topic due to the topic's wide complexity; the author includes references to other works that cover it in greater detail and then focuses on the key areas that are relevant to web security.</p>
<p><span id="more-1204"></span><span style="color: #ff0000;"><strong>The first five chapters of Part Two</strong></span> concentrate on browser security mechanisms that attempt to prevent rogue content from interfering with valid, legitimate content displayed within the browser. These chapters cover how content isolation is maintained within the operation of the browser, and the concepts discussed in Part One are used to show how browser security achieves this. Content from user input and downloaded data is included in this review. Furthermore, the impact of scripting and plug-in functionality is discussed in depth to allow the reader to understand how it can affect the overall security of a web application. There are many references to works in which researchers have shown examples of exploits based on the vulnerabilities in the browser and associated functions. The latter two chapters in this section cover dealing with rogue scripts and extrinsic site privileges. In general, Part Two provides a comprehensive overview of many security flaws in the browser. There are comparisons between the major browsers and how their operation differs with respect to the exploits, and there are also recommendations on how to understand and overcome them.</p>
<p>Part Three looks at some of the changes that may come to fruition in the future. The first chapter covers new and upcoming security standards intended to mitigate some of the problems that plague browsers today. These include cross-domain requests (including a discussion of Cross-Origin Resource Sharing, CORS), Content Security Policy (CSP), sandboxed frames, Strict Transport Security, private browsing modes, in-browser HTML sanitizers and XSS filtering. In each case a summary of the goal of the security measure and its current status is given. The second chapter covers new browser developments and how they may impact security. Several new or planned API sets are examined for their intent and current implementation. The final chapter is a synopsis of common web vulnerabilities and how they are defined. Common, simple definitions are used for the various vulnerabilities, e.g. Cross-Site Scripting (XSS). For each there is a short description with a reference to the detailed section of the book.</p>
<p>There is a pivotal statement in Chapter 16: “the dream of inventing a brand-new browser security model is strong within the community, but it is always followed by the realization that it would require rebuilding the entire Web.” This book walks the reader through the inner workings of popular browsers with a focus on showing the weaknesses that are embedded in their very construction. The author takes time to explain how these came about and the attempts to fix them. In Part Two he also gives examples of how to develop web applications so you can navigate around these deficiencies. The security engineering cheat sheets give an easy way to develop a strategy for applying basic security concepts to web application development. The book provides an invaluable reference for anyone working with, testing or deploying web applications.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2012/01/06/the-tangled-web-helps-secure-browser-based-apps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s your browser, and is it as shiny as Chrome?</title>
		<link>http://www.bitesofapple.com/2010/05/28/whats-your-browser-and-is-it-as-shiny-as-chrome/</link>
		<comments>http://www.bitesofapple.com/2010/05/28/whats-your-browser-and-is-it-as-shiny-as-chrome/#comments</comments>
		<pubDate>Fri, 28 May 2010 20:14:33 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Resources]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=317</guid>
		<description><![CDATA[In its public beta version, Chrome was just an experimental browser, at first without even bookmark management. In spite of Infoworld declaring &#8220;Firefox is dead&#8221; this year, at least that browser for the Mac is years beyond experimental status. But as of this week, Chrome for the Mac is out of beta test and into [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.bitesofapple.com/wp-content/uploads/2010/05/ChromeIcon.jpg"><img class="alignleft size-full wp-image-687" title="ChromeIcon" src="http://www.bitesofapple.com/wp-content/uploads/2010/05/ChromeIcon.jpg" alt="Chrome Icon" width="145" height="120" /></a>In its public beta version, Chrome was just an experimental browser, at first without even bookmark management. In spite of <em>Infoworld</em> declaring &#8220;Firefox is dead&#8221; this year, at least that browser for the Mac is years beyond experimental status. But as of this week, Chrome for the Mac is out of beta test and into <a href="http://www.google.com/chrome?platform=mac" target="_blank">a full release,</a> the first of many. It&#8217;s promised to be fast, open and secure. A business user might consider Chrome as their window to the Web.</p>
<p>Picking a browser is like choosing a home repair store. You develop a habit of using one and stop thinking about the alternatives. Chrome is definitely a faster browser than Firefox in our use, delivering a payoff in the &#8220;time is money&#8221; formula. If you browse a lot, Chrome could be an upgrade. (Safari&#8217;s performance is much closer to Chrome&#8217;s.)</p>
<p>But Chrome&#8217;s got some steps to catch up in other areas. In the Mac version we downloaded this week, some Web sites aren&#8217;t working completely. Our TypePad account editor (where we publish the <em>3000 NewsWire</em> blog) won&#8217;t let us resize graphics for posts in Chrome. The editing features at the Constant Contact email site won&#8217;t perform with Chrome for the Mac, either.</p>
<p>This puts Chrome in a category with the iPad: very fast and slick for consumption of information. Not so good for creating messages and more. As for the death of Firefox, that obituary shouldn&#8217;t be written yet. 350 million users won&#8217;t expire overnight.<span id="more-317"></span></p>
<p><strong>The Firefox obit</strong> is based on the browser&#8217;s development resources, according to Infoworld&#8217;s writers. Firefox has said it will be releasing fewer interim security fixes in the future. Infoworld predicts that Chrome users will see more fix releases since it&#8217;s more open.</p>
<p>Security is important, even crucial to some kinds of business. And attacks through your browser are becoming commonplace now. But Chrome has no more defenses for scripting attacks than Firefox today. These are the hardest to engineer against. I wouldn&#8217;t hold the Firefox security against it at the moment.</p>
<div id="attachment_689" class="wp-caption alignleft" style="width: 310px"><a href="http://www.bitesofapple.com/wp-content/uploads/2010/05/StartPage.jpg"><img class="size-medium wp-image-689" title="StartPage" src="http://www.bitesofapple.com/wp-content/uploads/2010/05/StartPage-300x194.jpg" alt="" width="300" height="194" /></a><p class="wp-caption-text">Incredible Start Page</p></div>
<p>Chrome&#8217;s got a wide array of extensions available. One of the more interesting is the <a href="https://chrome.google.com/extensions/detail/ncdfeghkpohnalmpblddmnppfooljekh?hl=en-US">Incredible Start Page</a>, billed as &#8220;A new, customizable start page for Chrome. Easily find your favorite bookmarks and closed tabs. Take notes as you browse.&#8221; This is the sort of customization that Firefox won&#8217;t have, it appears. Whether you find everything that you&#8217;re already using in Firefox, or your extensions for Safari, remains as an exercise. We&#8217;ve gotten the Xmarks bookmark synchronizer installed on Chrome &#8212; a good first step in making a browser transition.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/05/28/whats-your-browser-and-is-it-as-shiny-as-chrome/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Early peek: A Web browser for iPad</title>
		<link>http://www.bitesofapple.com/2010/02/21/early-peek-a-web-browser-for-ipad/</link>
		<comments>http://www.bitesofapple.com/2010/02/21/early-peek-a-web-browser-for-ipad/#comments</comments>
		<pubDate>Sun, 21 Feb 2010 17:18:13 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Mobile: iPad, iPhone & Touch]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[business research]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[multitouch]]></category>
		<category><![CDATA[SDK]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=432</guid>
		<description><![CDATA[Developers now have the iPad software development toolkit, so the behavior of the iPad interface is being shared via YouTube videos. Nobody can demonstrate the multitouch gestures yet &#8212; these simulations use a mouse to mimic the hand touch interface. If you&#8217;ve used the browser in the iPhone, there are few new wrinkles here. Best [...]]]></description>
			<content:encoded><![CDATA[<p>Developers now have the iPad software development toolkit, so the behavior of the iPad interface is being shared via YouTube videos. Nobody can demonstrate the multitouch gestures yet &#8212; these simulations use a mouse to mimic the hand touch interface. If you&#8217;ve used the browser in the iPhone, there are few new wrinkles here. Best improvement is a keyboard closer to full-size. This might be the best use of the iPad&#8217;s keyboard that we&#8217;ve yet seen. (The link below is Flash, so again, apologies to the iPhone and iPod Touch users out there.)</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="344" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><param name="src" value="http://www.youtube.com/v/ri9boaliuyU&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=fr_FR&amp;feature=player_embedded&amp;fs=1" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="425" height="344" src="http://www.youtube.com/v/ri9boaliuyU&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=fr_FR&amp;feature=player_embedded&amp;fs=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>In short, the iPad&#8217;s browser will be Safari and probably nothing else, since Apple wants to control this aspect of the iPad experience. But this Safari demo shows how the iPad can be a powerful research tool for gathering information from those Web business resources which don&#8217;t have a dedicated iPad app yet. The advantage to using this rather than a MacBook lies in the ability to share your results by just passing the iPad around &#8212; something cumbersome with a laptop, or even a netbook.</p>
<p>(Above video courtesy of <a href="http://appadvice.com/appnn/2010/02/discover-ipad-safari-on-video/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+AppAdvice+%28AppAdvice%29" target="_blank">appadvice.com</a>.)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/02/21/early-peek-a-web-browser-for-ipad/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

