
Cure53: Browser Security Whitepaper (2017) [pdf] - mxschumacher
https://cure53.de/browser-security-whitepaper.pdf
======
tptacek
If you're wondering why Firefox and Safari aren't studied in this report, it's
because Cure53 was paid by Google to generate it as part of Google's effort to
push back on Internet Explorer Edge.

~~~
ptoomey3
And just in case folks aren't super familiar with Cure53, they know their
stuff. The report largely speaks for itself in conveying their level of savvy on
browser security. Google didn't hire some corporate consulting firm that would
give them a glowing recommendation based on a review by folks not
knowledgeable enough to really be able to differentiate between browser
security architectures.

P.S. We (GitHub) have engaged Cure53 several times, including an assessment
dedicated to Content Security Policy bypasses across various browser
implementations. Mario (and team) are incredible to collaborate with.

------
d33
Sadly no Firefox there:

> The original intention expressed by the authors was to move past the
> browsers as such, instead splitting the field by engine. In that sense, we
> sought to shed light on the security properties of Trident represented by
> MSIE, Edge represented by the corresponding browser with the same name,
> Gecko represented by Firefox or Firefox ESR13, Blink represented by Chrome,
> and Webkit represented by Safari. After a series of meetings with the
> sponsors, the expected scope was clearly delineated to entail research on
> MSIE, Edge, and Chrome only.

------
crumbshot
If you enjoy reading this, you should also check out the browser security
paper from X41:
https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

------
blattimwind
(Actually is a book with 94 useful tables and 61 full-colour figures)

------
lousken
(2017)

~~~
dang
Thanks, added.

