Just before announcing that Chrome was taken out of beta last week, Google released a browser security handbook for Web developers that details the key security features of the main Web browsers.
Released under a Creative Commons 3.0 license, the document provides a comprehensive comparison of security features of the commonly used browsers; IE (version 6 and 7), Firefox (version 2 and 3), Safari, Opera, Chrome and the lesser known Android embedded browser.
Wanting to give the Web world a one-stop reference to security issues in browsers, author Michal Zalewski writes “Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.”
Browser security has been an ongoing problem over the years and was the first subject discussed during the browser wars panel at the Add-on conference last week. Earlier this year, Robert Hansen and Jeremiah Grossman uncovered an attack known as clickjacking, which gives an attacker the ability to trick a user into clicking where the attacker wants on a site. A good overview can be found on the Computerworld site, which has a clickjacking FAQ:
“In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car.”
Clickjacking is one of the issues covered in the security handbook which is divided into three sections:
- Basic concepts behind Web browsers with reviews of core standards and technologies behind current browsers and their security properties
- Standard browser security features details explicit security mechanisms and restrictions
- Experimental and legacy security mechanisms discusses security mechanisms that have either fallen into disuse or never caught on, as well as those yet to prove their worth.
The document appears to be an ongoing project; you can find more details here.