I was incredibly skeptical from the headline. It read to me like “team builds near-useless browser that is probably a bit harder to hack than an unpatched Windows box.” But it’s actually an interesting architecture. I like their early consideration of plugin issue. Rather than banning plugins, sandboxing them till they can’t do anything, or bemoaning that plugin writers will probably be stupid and break security but it won’t be the browser’s fault, these guys actually seem to have considered how to compartmentalize such that the plugin can be compromised without losing the farm. That’s a good security lesson for us all. It’s not about making sure nothing bad ever happens or banning everything that could ever let something bad happen. It’s about making sure that when bad things do happen (and they will), that the damage is contained to the piece that was compromised. And to this feature, wow:

The UIUI team has also designed a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks.

That’s a team that “gets it.” You will get hacked. Designing for what you do after you get hacked is a sign of great security thinking.</span></span>