Archive for the ‘Web Security’ Category

New rev of Strict Transport Security (STS) Specification

Wednesday, December 23rd, 2009

Details are over here..

=JeffH sez check it out :)

Browser Security Handbook

Monday, December 14th, 2009

The Browser Security Handbook, brought to us by Michal Zalewski (of Google) is a quite useful document (droll understatement). It documents various security facets of the leading web browsers and provides succinct tabular comparisons of behaviors. It is available here..

Browser Security Handbook (BSH)

Michal has also created various test scripts and their source code is available from this page:

http ://

The BSH is created and maintained on the Google Code wiki, and thus isn’t available if you’re offline (like on a plane). The wiki doesn’t provide a clean download with link fixups and all, so I turned to wget and use the command below to cache a local copy (I’m on Ubuntu GNU/Linux)..

wget -E -H -p --convert-links -nH -nd -N -P/PATH/TO/WHERE/YOU/WANT/IT/TO/LOCALLY/LIVE

I alias the above gnarly command line to the simple “getbrowsersec” command name (via my .cshrc file), so whenever I’m online and want to ensure I’ve got the latest revision, I just type “getbrowsersec” and I’m all set. If you live in the Windows world, I’m not sure how you’d do the above natively. I’d install Cygwin, which gives you wget, and then just use the above command.