A couple of days ago I finally upgraded userscripts.org to Rails 2.0.
After I fixed all the broken routes it created (the way named routes are generated was tweaked slightly) and replaced old-school pagination with Err's Will Paginate, everything seems to be working. Given that many useful Rails plugins only work in Rails 2, I've wanted to upgrade for a long time.
This is nice, but built-in CSRF protection is what made the upgrade a must. I've woken up many nights with detailed nightmares of attackers doing all sorts of evil starting from a CSRF attack...
Sites with clean/guessable urls make both XSS and CSRF easier, since the attacker can easily generate the urls they want to attack. URL paths like /account/delete, /status/update, /script/create, ... are easy targets if you don't have adequate protection.
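To make the "adequate protection" concrete, here is an added illustration (not Rails' own code, and not the userscripts.org code base) of what request-forgery protection does for a state-changing URL like /account/delete: the server issues a random per-session token, embeds it in its own forms, and refuses any non-GET request that does not carry it back. A page on another origin can guess the URL, but it cannot read the token out of our form, so its forged POST fails. The session store, the `authenticity_token` field name and the helper names are assumptions made for this example.

```ruby
require 'securerandom'

# Constructed stand-in for a server-side session store (session id => token).
# In a real app the token lives in the user's session, not in a global hash.
SESSIONS = {}

# Issue (or reuse) the anti-forgery token for a session. It is random, so a
# page on another origin cannot guess it, and it only ever appears in forms
# rendered by our own site, which other origins cannot read.
def csrf_token_for(session_id)
  SESSIONS[session_id] ||= SecureRandom.hex(32)
end

# The hidden field a server-rendered form carries back to us.
def hidden_token_field(session_id)
  %(<input type="hidden" name="authenticity_token" value="#{csrf_token_for(session_id)}" />)
end

# Compare two strings without stopping at the first mismatch, so response
# timing does not reveal how much of a submitted token was correct.
def secure_equals?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a request may change state. GET/HEAD are treated as
# read-only and pass; anything else must carry the session's token.
# Returns :ok or a rejection reason.
def verify_request(session_id, method, params)
  return :ok if %w[GET HEAD].include?(method.upcase)
  expected = SESSIONS[session_id]
  return :no_session unless expected
  secure_equals?(expected, params['authenticity_token']) ? :ok : :invalid_token
end

if __FILE__ == $0
  token = csrf_token_for('sess-1')
  puts hidden_token_field('sess-1')
  # A forged POST from another site knows the URL but not the token.
  puts verify_request('sess-1', 'POST', {})                        # :invalid_token
  puts verify_request('sess-1', 'POST', 'authenticity_token' => token) # :ok
end
```

The design point is that the check keys on something only our own pages can supply; guessable paths stay guessable, they just stop being sufficient. Note that this does nothing for GET requests, which is why state changes must not be reachable via GET in the first place.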
Interestingly, even gmail is not immune to messing up and exposing CSRF vulnerabilities. The attacker used a CSRF attack to add a filter to forward mail. The attacker was then able to steal the victim's domain name, since many services (including domain name registrars) use email to verify requests.
While that attack was a targeted attack, mass attacks are possible. Create or steal some interesting content (link bait) for social sites (Digg, Delicious, Reddit, ...), then attempt to add a filter that sends any email with the words password, account, ... having it send them to a unique account. This crowd largely uses gmail, so it is only a matter of time until your attack yields useful information. Using the iframe trick to hide the referrer would help disguise the attacker....
Google has fixed this flaw.
A Case For Custom Browsers
I have several friends who use several web browsers for different purposes. For instance, Britt likes to use Flock for browsing and social stuff while using Firefox for development work (a common pattern since Firebug makes Firefox painful to browse with). Additionally mac people can use Mailplane, which is a gmail only web browser (with lots of cool customizations such as drag and drop attaching of files, ability to grab screenshots, ...; in general it makes gmail feel like a well integrated desktop app.)
I've thought that using different browsers for different use cases makes sense for a long time, but hadn't thought about it in terms of security. Using different browsers can make you more secure by limiting your exposure.
I use gmail via HTTPS only, which is a pain since google tries to send you to the HTTP url. My entire life lives in my gmail. I couldn't imagine losing my account. I've thought I was doing a decent job at protecting myself... If there are future gmail holes, even if I only visit gmail via HTTPS, I am still vulnerable. All but one of the cookies for mail.google.com are also sent over plain HTTP even if you only ever visited via HTTPS - hence visiting evil.com allows it to do a form post to gmail's HTTP address :(
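The check behind that last sentence is whether each cookie carries the Secure attribute, since a cookie without it is attached to plain-HTTP requests as well. Below is an added example (mine, not Google's or Rails' code) that reads Set-Cookie headers and reports which cookies a browser would send along with an http:// form post. The header values are constructed for the example and do not reproduce gmail's real cookies; `browser_attaches?` models only the scheme rule, not domain or path matching.

```ruby
# Parse one Set-Cookie header value into its name and the attributes we care about.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name = parts.shift.split('=', 2).first
  attrs = parts.map { |p| p.split('=', 2).first.downcase }
  { name: name, secure: attrs.include?('secure'), httponly: attrs.include?('httponly') }
end

# The scheme rule a browser applies: a Secure cookie rides only on HTTPS
# requests; any other cookie is sent on HTTP too. (Domain/path matching is
# assumed to already hold for this example.)
def browser_attaches?(cookie, scheme)
  scheme == 'https' || !cookie[:secure]
end

# Names of cookies from an HTTPS response that would also accompany an
# http:// request - the ones a form post from another site can ride on.
def cookies_sent_over_http(headers)
  headers.map { |h| parse_set_cookie(h) }
         .select { |c| browser_attaches?(c, 'http') }
         .map { |c| c[:name] }
end

# Constructed sample headers, as a mail site might set them after login.
SAMPLE_HEADERS = [
  'SID=abc123; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT',
  'GX=def456; Domain=mail.example.com; Path=/mail; Secure; HttpOnly',
  'PREF=ghi789; Domain=.example.com; Path=/',
].freeze

if __FILE__ == $0
  puts "Sent over plain HTTP: #{cookies_sent_over_http(SAMPLE_HEADERS).join(', ')}"
end
```

Run against the response headers of a real login (for instance from a browser's network panel) this tells you whether "HTTPS only" on your side actually keeps the session off the wire; if any session cookie shows up in the list, an attacker's page only needs to target the site's http:// address.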
By using Mailplane (or another single-site web browser), your gmail cookies live only in that browser, so a page loaded in your regular browser cannot make requests that carry them. Given how important my gmail account is, it might not be silly to never log into gmail from my regular web browsers.
And then there's Flash
Services that store session information in Flash (via "flash cookies" - technically "shared objects", which are stored by the Flash plugin rather than by the browser) present a slight wrinkle. Flash cookies are shared between all browsers on a machine (on OS X and Linux at least; not sure about Windows/IE since it might handle plugins differently), so the separate-browser isolation above does not apply to them. While many financial institutions use systems that rely on flash cookies, I'm not aware of any vulnerabilities caused or worsened by Flash sharing shared objects between browsers.
