Book Review - Michal Zalewski's 'The Tangled Web'

This is one of those very upsetting books. I found it very hard to read, not because of any fault of the author or the publisher, but because the content made me uncomfortable. I literally squirmed in my seat and would sigh so often that my wife would worriedly ask "What's wrong?"

What's wrong is that the web is a dangerous place.

Where and how that danger lurks is the subject of this book. Its subtitle is "A Guide to Securing Modern Web Applications" which certainly sounds hopeful:

"Yes, there are dangerous creatures in these woods, but we'll be walking with a crack team of highly trained and well armed guides, so we'll be fine".

However, we will not have ventured very far into the Internet forest before we realize that our "crack team" of web browsers is anything but. Most of them can't seem to tell a squirrel from a poisonous snake. When they do decide to point their weapons at something threatening, we had better duck ourselves, because their aim is atrociously bad. Suspicious looking miscreants appear at the edges of our trail and beckon us to follow them into the dark woods; our guides lay down their weapons and, with beaming grins, trot off never to be seen again!

That's what was making me squirm in my seat and annoy my wife with my long and plaintive sighs and soft moans.

At the same time, I was finding guilty pleasure. I love learning how things work. Even more interesting is how things break, how good intentions sometimes fall in a jumbled heap after the most gentle push. That's what this book is really about: breaking stuff.

Oh, sure, there are "Cheat Sheets" in every chapter that contain succinct advice on how you might avoid being p0wned by the various flaws being discussed, and those are a valuable part of the book. But they are not the fun part. As disquieting and upsetting as the security failures may be, they are also fun to read about. Mixing great fun and raw fear might not seem like a recipe for a good book, but it works here.

You won't have to read far before Richard Stallman's comment about web browsing starts to seem more sensible than paranoid:


I generally do not look at web sites from my own machine, aside from a few sites operated for or by the GNU Project, FSF or me. I fetch web pages from other sites by sending mail to a program that fetches them, much like wget, and then mails them back to me.

From How I do my computing by Richard Stallman.

Michal Zalewski, by the way, is also the author of another of my very favorite security books: Silence on the Wire. If you haven't read that yet, you are denying yourself a real treat.

What Michal does in both books is dive deep. He shows you the history, where it broke, how it broke, why it broke. He tears apart browsers and lays the parts out for close examination. You can find a sample chapter at the book's website, but honestly, if this review has intrigued you that much, you are going to want to read the whole thing, so you might as well just go to Amazon and place your order now.

Fun to read, educational and (if you are actually creating websites) very useful. Even if you are only a consumer of web content, this might help you understand why people like Stallman are so obsessive about security.

By the way: If you will be reading this in the company of someone else, you might warn them in advance about all the sighing and groaning you might be doing. I'm sure they will appreciate that.

  • The Tangled Web: A Guide to Securing Modern Web Applications
  • Michal Zalewski
  • No Starch Press
  • 1593273886


Tony Lawrence 2011/10/11 Rating: 5.0

© Anthony Lawrence
Sat Nov 12 18:01:57 2011: 10166   donal

I assume you get some cut from Amazon for referral sales (and I'm very happy if you do after going to the effort of reviewing the book). But in that case you should add a Kindle link for those of us who have given up on paperbacks ... Well, only if you want our commission too!





Sat Nov 12 19:58:56 2011: 10167   TonyLawrence

They don't have a Kindle version yet (actually, they have NO version yet - I read a pre-release PDF).

But, if you follow the Amazon link, you can tell the publisher how foolish they would be not to have a Kindle version - the link to do that is on the left side.
