Computing Reviews
The tangled Web : a guide to securing modern Web applications
Zalewski M., No Starch Press, San Francisco, CA, 2011. 320 pp. Type: Book (978-1-593273-88-0)
Date Reviewed: Mar 30 2012

The book comprises three parts. From the table of contents, it seems that Part 1, “Anatomy of the Web,” discusses things everyone knows about: uniform resource locators (URLs) (chapter 2), hypertext transfer protocol (HTTP) (chapter 3), Hypertext Markup Language (HTML) (chapter 4), cascading style sheets (CSS) (chapter 5), scripts (chapter 6), non-HTML document formats (chapter 7), and plug-ins (chapter 8). This couldn’t be more wrong. In fact, the author goes into detailed cases of each particular technology and explains very thoroughly what it involves to become vulnerable from their respective inadequacies.

The other two parts discuss how to secure browsers against the threats covered in Part 1 and some predictions for the future. The book contains a lot of critically important information related to browser security, covering nearly everything the reader could think of and much, much more. It shows signs of a years-long, in-depth study of the subject, and will stay current for quite a few years.

What is really in this book that may catch your attention? Here are a few examples. Have you ever thought about the security consequences of having an extra slash in a URL’s domain address? Have you really studied how security would be impacted by the different ways HTML parsers may treat strange syntax in tags as simple as <img>? What is the true execution order of client-side scripts? These questions are on top of regular worries, such as the potential damage a plug-in can cause. The author poses questions, most of which you would never think of asking, and answers them brilliantly.

However, I’d like to point out some flaws--mostly nontechnical--that may annoy the reader. First, it surprised me a bit that the discussion of the history of the Web did not mention anything about the most deserving community--those who actually invented it: high-energy physicists. It was at the European Organization for Nuclear Research (CERN) in Geneva where Tim Berners-Lee worked in the perfect environment to promulgate his ideas. It was the physicists who needed a platform to connect to their experiments, such as the future Large Hadron Collider (LHC), from anywhere in the world. Otherwise, the Web may have never been invented. What may be the first account of these attempts--a memo by Berners-Lee and Robert Cailliau--is actually published on the Internet [1].

Although not discussing the Web’s origins may be a minor issue, I would bring to the reader’s attention something a bit more serious. Each chapter ends with a “Security Engineering Cheat Sheet,” which summarizes the major issues discussed in the chapter and how to deal with them. While the idea of having a refresher after swallowing that many pages of text is excellent, I would dispute the use of the term “security engineering.” This is because there is no such thing as security engineering. To state it briefly: before there can be engineering, there must be some sort of respective science that sets the framework and forms the grounds for a corresponding engineering discipline. It will be a long time before the science of security is developed [2]. So, to me, it’s just “security techniques,” even though “security engineering” is a better marketing term.

Overall, notwithstanding my mild criticism--I’m an academic who must have a perfect product in order to give a perfect grade--let me stress once again that this book can make history as a thorough study of Internet vulnerabilities and what, if anything, we can do about them. It summarizes an incredible amount of research. I have not seen any funded academic work that reaches the same level of detail when discussing potential and real vulnerabilities of the Internet and how to cure them.

As a final note: even though I share the author’s last name, there is no actual relation--that is, beyond the possibility that some common ancestors might have passed on a love of numbers.

Reviewer: Janusz Zalewski
Review #: CR140026 (1208-0768)

1) Berners-Lee, T.; Cailliau, R. Email to P. G. Innocenti et al., Nov. 12, 1990, http://www.w3.org/Proposal (accessed March 29, 2012).
2) Evans, D.; Stolfo, S. Guest editors' introduction: the science of security. IEEE Security and Privacy 9 (2011), 16–17.
Categories: General (D.2.0); World Wide Web (WWW) (H.3.4 ...); Security and Protection (K.6.5); Systems And Software (H.3.4)