Cure53: Browser Security Whitepaper (2017) [pdf] (cure53.de)
72 points by mxschumacher on Feb 18, 2018 | 7 comments

If you're wondering why Firefox and Safari aren't studied in this report, it's because Cure53 was paid by Google to generate it as part of Google's effort to push back on Internet Explorer Edge.

And just in case folks aren't super familiar with Cure53, they know their stuff. The report largely speaks for itself in conveying their level of savvy on browser security. Google didn't hire some corporate consulting firm that would give them a glowing recommendation based on a review by folks not knowledgeable enough to really be able to differentiate between browser security architectures.

P.S. We (GitHub) have engaged Cure53 several times, including an assessment dedicated to Content Security Policy bypasses across various browser implementations. Mario (and team) are incredible to collaborate with.

Sadly no Firefox there:

> The original intention expressed by the authors was to move past the browsers as such, instead splitting the field by engine. In that sense, we sought to shed light on the security properties of Trident represented by MSIE, Edge represented by the corresponding browser with the same name, Gecko represented by Firefox or Firefox ESR13, Blink represented by Chrome, and Webkit represented by Safari. After a series of meetings with the sponsors, the expected scope was clearly delineated to entail research on MSIE, Edge, and Chrome only.

If you enjoy reading this, you should also check out the browser security paper from X41: https://browser-security.x41-dsec.de/X41-Browser-Security-Wh...

(Actually it is a book with 94 useful tables and 61 full-colour figures)


Thanks, added.
