Web browsers are extremely complex pieces of software that seem to be getting more complex all the time. Every time new features are added, there are more chances for something to go wrong. That’s good news for crooks and attackers and bad news for people interested in web security. Most security bugs are fundamentally programming bugs.
Fortunately, by understanding the real risks of browsers, it is possible to manage many of their associated risks.
The first web browsers were developed by scientists at CERN for publishing papers about high-energy particle physics. These early browsers could display web pages containing text and links to other pages of text. The pages were created with a WYSIWYG (What-You-See-Is-What-You-Get) editor written for NeXT computers and stored in HTML files.
Mosaic 2.0, the browser created at the National Center for Supercomputing Applications, introduced the ability to display forms and simple widgets, with text fields, push buttons, radio buttons, and pull-down menus. Combined with CGI (Common Gateway Interface), forms and widgets gave web programmers a kind of generic user interface. It was simple: Display a form, have the user fill in some fields, press a button, and display a new form with new fields to be filled in.
There was nothing fundamentally new about the web’s style of computing: IBM computers were doing it in the 1970s on 3270 terminals. Called "block ...