OSNews:

OSNews: http://www.osnews.com/story/21793/Gazelle_Applying_Operating_System_Concepts_to_the_Browser Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Thu, 26 Nov 2009 11:51:48 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Cool. http://osnews.com/thread?372172 http://osnews.com/thread?372172 Now when the browser is having problems drawing a page, it'll show the Blue Screen of Death, and I'll have to reboot. Tue, 07 Jul 2009 23:32:00 GMT donotreply@osnews.com (gehersh) Comments not sure .. http://osnews.com/thread?372181 http://osnews.com/thread?372181 not sure basing your security on domains is the right idea .. there is no real reason that abc.com is different from def.com ... its just a DNS domain name and that doesn't mean they are different or the same originator. this isn't that revolutionary.

its a bit like a Windows anti-virus application treating files differently depending on their drive letter (C:, D:, etc). in reality it doesn't mean anything. they could even be on the same drive!

they'd be better off sorting out buffer overflows and more bread and butter security weaknesses ...Edited 2009-07-08 00:34 UTC Wed, 08 Jul 2009 00:32:00 GMT donotreply@osnews.com (project_2501) Comments RE: Cool. http://osnews.com/thread?372182 http://osnews.com/thread?372182 How is that a new thing?

I'd call this a BSOD. Wouldn't you agree?

http://img219.imageshack.us/img219/144/bsod.png Wed, 08 Jul 2009 00:36:00 GMT donotreply@osnews.com (drstorm) Comments RE: not sure .. http://osnews.com/thread?372196 http://osnews.com/thread?372196 That's not what people generally exploit on the web. It's far more common to see these Cross-Site Scripting attacks against the design of the web applications than against the browser code.

It's the same reason why people go after applications running on Windows much more than after the OS itself: it's a lot easier and likely just as lucrative. Wed, 08 Jul 2009 03:12:00 GMT donotreply@osnews.com (PlatformAgnostic) Comments A solution for a problem no one cares about http://osnews.com/thread?372205 http://osnews.com/thread?372205 Maybe it is that this will be practical/needed in the future as the web heads for a more application-like platform, but really, is anyone concerned at all about the problems Gazelle is trying to address? Wed, 08 Jul 2009 04:57:00 GMT donotreply@osnews.com (elmimmo) Comments RE[2]: Cool. http://osnews.com/thread?372210 http://osnews.com/thread?372210 Well, you see, it's not really blue...

Wed, 08 Jul 2009 06:11:00 GMT donotreply@osnews.com (l3v1) Comments RE[3]: Cool. http://osnews.com/thread?372242 http://osnews.com/thread?372242 Well, it is kinda... blueish.
And it's definitely a screen of Death. Just look at the icon. It's dead.

Wed, 08 Jul 2009 10:12:00 GMT donotreply@osnews.com (drstorm) Comments RE: not sure .. http://osnews.com/thread?372356 http://osnews.com/thread?372356 One very common and insidious (has happened with google and amazon, among others) attack is Cross Site Request Forgeries (or CSRF)

The idea is this: you go to your bank, and check the "keep me signed in" checkbox (which any bank worth their salt would NOT have, but this is an example). That site puts an authentication cookie in your browser. Next time you go to the site, it checks the cookie, and doesn't bother asking for username/password, but just forwards you a long to the next screen.

Now, I have a site (or use an XSS attack against a site you use), and I do an AJAX request that mimics a form submission to transfer money to my account. The site receives the request, checks for authentication, since it is the browser making the request it finds the cookie, and just lets it through.

These kinds of exploits are very difficult to avoid, the only thing you can really do is generate an authentication tolken on every page, and then checking for it on the next request from that session. Wed, 08 Jul 2009 21:42:00 GMT donotreply@osnews.com (google_ninja) Comments RE: A solution for a problem no one cares about http://osnews.com/thread?372357 http://osnews.com/thread?372357 Yes, pretty much everyone is. The browser is an application that executes arbitrary code off the internet, and that millions of people enter sensitive information into. Wed, 08 Jul 2009 21:47:00 GMT donotreply@osnews.com (google_ninja) Comments Neat http://osnews.com/thread?372358 http://osnews.com/thread?372358 This sort of reminds me of a microkernel OS archetecture. Wed, 08 Jul 2009 21:48:00 GMT donotreply@osnews.com (google_ninja) Comments RE: A solution for a problem no one cares about http://osnews.com/thread?373046 http://osnews.com/thread?373046

Maybe it is that this will be practical/needed in the future as the web heads for a more application-like platform, but really, is anyone concerned at all about the problems Gazelle is trying to address?

Very much so. Never mind "in the future" - the web is already well on the way to an application-like platform, and has been for several years. And if you look through recent Firefox release notes, you'll notice that a substantial proportion of the bugs fixed in the 3.0.x series were security bugs of this kind. Sun, 12 Jul 2009 22:49:00 GMT donotreply@osnews.com (Delgarde) Comments