One commonly-reported issue to browsers’ security teams sounds like: “Some random person’s passwords started appearing in my browser password manager?!? This must be a security bug of some sort!” This issue has been reported dozens of times, and it’s a reflection of a perhaps-surprising behavior of browser login and sync. So, what’s happening? Background EvenContinue reading “How do Random Credentials Mysteriously Appear?”
Author Archives: ericlaw
Detecting When the User is Offline
Can you hear me now? In the web platform, simple tasks are often anything but. Properly detecting whether the user is online/offline has been one of the “Surprisingly hard problems in computing” since, well, forever. Web developers often ask one question (“Is this browser online?”) but when you dig into it, they’re really trying toContinue reading “Detecting When the User is Offline”
New TLDs: Not Bad, Actually
The Top Level Domain (TLD) is the final label in a fully-qualified domain name: The most common TLD you’ll see is com, but you may be surprised to learn that there are 1479 registered TLDs today. This list can be subdivided into categories: Some TLD owners will rent domain names under the TLD to anyContinue reading “New TLDs: Not Bad, Actually”
A Beautiful 10K
This morning was my second visit to the Austin Capitol 10K race. Last year’s run represented my first real race, then two months into my new fitness regime, and I only met my third goal (“Finish without getting hurt“) while missing the first two (“Run the whole way“, and “Finish in 56 minutes“). Last year,Continue reading “A Beautiful 10K”
(The Futility of) Keeping Secrets from Yourself
Many interesting problems in software design boil down to “I need my client application to know a secret, but I don’t want the user of that application (or malware) to be able to learn that secret.“ Some examples include: …and likely others. In general, if your design relies on having a client protect a secretContinue reading “(The Futility of) Keeping Secrets from Yourself”
Auth Flows in a Partitioned World
Back in 2019, I explained how browsers’ cookie controls and privacy features present challenges for common longstanding patterns for authentication flows. Such flows often rely upon an Identity Provider (IdP) having access to its own cookies both on top-level pages served by the IdP and when the IdP receives a HTTP request from an XmlHttpRequest/fetchContinue reading “Auth Flows in a Partitioned World”
Explainer: File Types
On all popular computing systems, all files, at their most basic, are a series of bits (0 or 1), organized into a stream of bytes, each of which uses 8 bits to encode any of 256 possible values. Regardless of the type of the file, you can use a hex editor to view (or modify)Continue reading “Explainer: File Types”
How Microsoft Edge Updates
When you see the update notifier in Edge (a green or red arrow on the … button): … this means an update is ready for use and you simply need to restart the browser to have it applied. While you’re in this state, if you open Edge’s application folder, you’ll see the new version sittingContinue reading “How Microsoft Edge Updates”
Attack Techniques: Spoofing via UserInfo
I received the following phishing lure by SMS a few days back: The syntax of URLs is complicated, and even tech-savvy users often misinterpret them. In the case of the URL above, the actual site’s hostname is brefjobgfodsebsidbg.com, and the misleading http://www.att.net:911 text is just a phony username:password pair making up the UserInfo component ofContinue reading “Attack Techniques: Spoofing via UserInfo”
Going Electric – Solar
For years now, I’ve wanted to get solar panels for my house in Austin, both because it feels morally responsible and because I’m a geek and powering my house with carbon-free fusion seems neat. Economically, I assume I’ll eventually break even with solar power, but probably not for a long time– my house isn’t largeContinue reading “Going Electric – Solar”
text/plain 