tl;dr: I made a Chrome Extension that finds security vulnerabilities.It’s now available for Firefox too! To secure web connections, TLS-enabling servers is only half the battle; the other half is ensuring that TLS is used everywhere. Unfortunately, many HTTPS sites today include insecure references that provide an network-based attacker the opportunity to break into theContinue reading “Seek and Destroy Non-Secure References Using the moarTLS Analyzer”
Yearly Archives: 2016
Using HTTPS Properly
Disclaimer: I’m a big fan of Pandora. I’ve been a listener for a decade or more, and I started paying for an annual subscription even before there was any real incentive to do so, solely because I loved the service and wanted it to succeed. This post isn’t really about Pandora, per-se, but about commonContinue reading “Using HTTPS Properly”
On Daylight Savings Time
In Fiddler, the Caching tab will attempt to calculate the cache freshness lifetime for responses that lack an explicit Expires or Cache-Control: max-age directive. The standard suggests clients use (0.1 * (DateTime.Now – Last-Modified)) as a heuristic freshness lifetime. An alert Fiddler user noticed that the values he was seeing were slightly off what he expected: sometimes the valuesContinue reading “On Daylight Savings Time”
Out-of-Memory is (Usually) a Lie
The most common exception logged by Fiddler telemetry is OutOfMemoryException. Yesterday, a Facebook friend lamented: “How does firefox have out of memory errors so often while only taking up 1.2 of my 8 gigs of ram?” This morning, a Python script running on my machine as a part of the Chromium build process failed with aContinue reading “Out-of-Memory is (Usually) a Lie”
Things I’ve Learned in my first weeks on Chrome
This is a stub post which will be updated periodically. It would be impossible to summarize how much I’ve learned in the last six weeks working at Google, but it’s easy to throw together some references to the most interesting and accessible things I’ve learned. So that’s this post. Developing Chrome Searching the code isContinue reading “Things I’ve Learned in my first weeks on Chrome”
Web Developers and Footguns
If you offer web developers footguns, you’d better staff up your local trauma department. In a prior life, I wrote a lot about Same-Origin-Policy, including the basic DENY-READ principle that means that script running in the context of origin A.com cannot read content from B.com. When we built the (ill-fated) XDomainRequest object in IE8, weContinue reading “Web Developers and Footguns”
Leaking Keystrokes
Windows 10’s IE11 continues to send your keystrokes over the internet in plaintext as you type in the address bar, a part of the “Search Suggestions” feature: “But I don’t search from the address bar,” you might say. That may be, but if you fail to type or paste a URL (sans protocol) into theContinue reading “Leaking Keystrokes”
Extended Validation Certificates – The Introduction
In 2005, one of my first projects on the Internet Explorer team was improving the user-experience for HTTPS sites (“SSLUX”). Our first task was to change the certificate error experience from the confusing and misleading modal dialog box: … to something that more clearly conveyed the risk and which more clearly discouraged users from acceptingContinue reading “Extended Validation Certificates – The Introduction”
Life in Austin
The following are some random notes about moving to Austin; previously, I’d spent 11 years in Redmond, Washington working for Microsoft. I grew up mostly in Maryland, except for a three year stint in Michigan. I’m sharing my thoughts here mostly to avoid retyping them each time a friend says they’re thinking about moving toContinue reading “Life in Austin”
Authenticode and SHA1–Redux
I tried to install Telerik DevCraft Ultimate, but Windows 8.1 and Windows 10 blocked it: “Unknown Publisher”? Hrm. That’s weird. I know Telerik signs their code and I was pretty sure their code-signing certificate is SHA256, so the new restrictions on SHA1 in code-signing shouldn’t be a problem, right? Sure enough, the code is signed with a SHA256Continue reading “Authenticode and SHA1–Redux”
text/plain 