Review: The Tangled Web

I came across this book when looking for a more practical follow-up to Applied Cryptography. (Being a web developer, my interests are focused around Internet security.) I believe Amazon recommended it to me, and I was convinced by the pedigree of the publisher (No Starch Press) and the credentials of the author (Daniel Zalewski).

Zalewski seemed to anticipate my concerns specifically, and addressed them in his introduction:

In any case, through the remainder of the book, I will shy away from attempts to establish or reuse any of the aforementioned grand philosophical frameworks and settle for a healthy does of anti-intellectualism instead. I will review the exposed surface of modern browsers, discuss how to use the available tools safely, which bits of the Web are commonly misunderstood, and how to control collateral damage when things go boom.

And that is, pretty much, the best take on security engineering that I can think of.

Historical Background

The book begins with an account of the development of the Internet through the lens of browser vendors. Despite being familiar with the story of the browser wars and et cetera, Zalewski maintains a focus on the technological effects of the conflict. He presents a fascinating and disheartening account of how early mistakes and in-fighting contributed to problems that have become endemic.

I plan on sharing the section, “A Brief History of the Web” with non-technical friends who want to know more about the web as a platform.

This topic is returned to throughout the book when the author explains the origin of various technologies.

Today

As should be expected, the book’s main focus is the world wide web as it functions today. I felt this to be a relatively complete tour of all the facets of modern web applications. It begins with a very thorough coverage of the seeminly-mundane task of URL parsing. This is a foreboding introduction to the rest of the book: if something that would seem this straightforward is actually quite complicated, the reader has to wonder what is in store for all the nuanced tasks performed by the browser. By the end, the author is discussing the implications of denial-of-service attacks on the browser along with concerns surrounding window creation.

It was refreshing to get a new perspective on Web platform. Zalewski makes a number of editorial asides that confirm many of my privately-held suspicions (i.e. why do extenal stylesheets get included with a link tag instead of a style tag with a src attribute, a la script?) and also challenge strange behaviors that I had previously taken for granted (i.e. why is the cookie API namespaced under the document object?).

Very often, the author points out that certain browser behaviors are dangerous and immediately suggests ways to prevent exploits. In many cases, the security implications of the exploit are not described (apparently left as an excersize to the reader). It took effort to pause and piece together how some of these things were dangerous, and I rarely did so. The cognitive leap that recognizes “bizarre behavior” as “malicious exploit” is a fundamental skill for security engineering, and it’s unclear whether the author expects these details to be self-evident, or if they were omitted for brevity. After all, you don’t necessarily have to understand how a security hole might be exploited in order to patch it… but it helps a lot! I think elaboration on more of these exploits (possibly given a distinct visual treatment) would have been very instructive for readers seeking to develop their security reasoning abilities.

The Future

Zalewski ends this text with an analysis of upcoming browser features. These are inherently exciting to me because they may have a significant effect on how I reason about web security in the future.

As might be expected from his take on modern-day browser functionality, the author is quite hard on proposed improvements. Critical coverage is probably even more important for developing technology than it is for existing technology. I say this because little editorial content exists on the web for behavior that is still being drafted. The most visible resource for these topics are the specification drafts themselves, and as one might expect, they tend to be pretty one-sided.

(I have to admit that my own coverage of the upcoming Content-Security Policy is woefully lacking of constructive critisism. This is largely due to the fact that I relied heavily on the specification itself to learn about the technology, skewing my perspective. Zalewski’s discussion of its shortcomings was of particular interest to me.)

Mailing lists are probably the place to go for balanced discourse on these topics, but I’ve never found them to be particularly discoverable or usable. That observation is more of an inditement of my personal shortcomings as a professional, but I think this section would have benefitted from some information on the relevant mailing lists.

Conclusion

The book finishes on a slightly introspective note, questioning the true significance of these security holes, and if we aren’t focusing too much attention on the wrong things. (As it happens, Zalewski’s musings on the importance of trust in society as it relates to security make for an extremely fitting segue into the next book on my reading list: “Liars and Outliars” by Bruce Schneier.)

All in all, I found this book to be extremely fascinating and thorough. Because I was reading it casually, it remains to be seen how much I was able to internalize for my day-to-day work. Regardless, it will be living on my desk for the foreseeable future, all full of earmarks.