Twitter started to light up a bit tonight with folks who are having problems with signatures; both third-party ISVs: … and even Microsoft’s own SysInternals utilities show1 an error: Developers are surprised to see their workflow suddenly broken and wonder why. The problem is outlined here – the tl;dr is that you must use a SHA256-signedContinue reading “SHA-1 Certificates Blocked By Authenticode”
Author Archives: ericlaw
Authenticode in 2016
Last month, I noticed that my eToken USB code-signing key only supports SHA1 and not SHA256. I began hunting for a replacement that can sign using the stronger hash. Fortunately, I didn’t have to look far—the Yubico YubiKey 4 is $40 and supports SHA256, RSA 4096, and ECC p384. Beyond supporting stronger algorithms, it seems toContinue reading “Authenticode in 2016”
Getting Started with Profile Guided Optimization
For the convenience of the Windows developer community, I periodically compile the Zopfli and Brotli compressors from source, building for Win32 and code-signing the binaries (Interested? Get Zopfli.exe and Brotli.exe). After announcing the latest build on Twitter, I got an interesting question in reply: While I try to use the latest compiler (VS2015 U1), I’veContinue reading “Getting Started with Profile Guided Optimization”
What’s New in Fiddler 4.6.2
TLDR? – Get the newest Fiddler here. It’s been just over two months since the last significant release, and Fiddler 4.6.2.0 (and v2.6.2.0) are now available. As always, the latest build includes a slew of bugfixes and minor tweaks, as well as a number of features described in this post. Default Certificate Generator Changed ChangesContinue reading “What’s New in Fiddler 4.6.2”
2015 in review
The WordPress.com stats helper monkeys prepared a 2015 annual report for this blog. Here’s an excerpt: Madison Square Garden can seat 20,000 people for a concert. This blog was viewed about 69,000 times in 2015. If it were a concert at Madison Square Garden, it would take about 3 sold-out performances for that many peopleContinue reading “2015 in review”
My Next Adventure
Back in 2004, I couldn’t get the tiny IE team interested in fixing caching bugs that were causing my team’s website to break in bizarre and unpredictable ways. I figured I’d hop over there, fix some bugs, and move along. I quickly realized that I was hopelessly in love with browsers in general and securityContinue reading “My Next Adventure”
Segue
My last day at Telerik is December 31st, 2015. More soon… Here’s a copy of my “Last day” blog post for posterity. Fiddler—A Segue by Eric Lawrence December 22, 2015 Productivity, Debugging11 Comments In September 2012, Telerik completed the acquisition of the Fiddler Web Debugger, and I announced that I would join Telerik to upgrade my side project to my full-time job.Continue reading “Segue”
Certificates Matter
Recently, my web host stopped supporting the FrontPage Server Extensions used by Microsoft Expression Web 4 for website publishing (FPSE is now out-of-support). FPSE allowed me to publish to my site over a HTTPS connection, helping keep my password safe and my uploaded files unmodified. Unfortunately, the alternative FTP transport is completely insecure–passwords and dataContinue reading “Certificates Matter”
Security Response Basics
Security response isn’t just about the “sexy” analysis of vulnerabilities, reverse-engineering of malware, and so on… it’s probably mostly about getting the basics right. Every morning, I forward all of the PayPal phishing scams I receive to PhishTank, Netcraft, and Spoof@Paypal. Today, I took a closer look at the response I got to the lastContinue reading “Security Response Basics”
DLL Hijacking Just Won’t Die
The folks that build the NSIS Installer have released updates to mitigate a serious security bug related to DLL loading. (v2.5 and v3.0b3 include the fixes). To make a long and complicated story short, a bad guy who exploits this vulnerability places a malicious DLL into your browser’s Downloads folder, then waits. When you run an installerContinue reading “DLL Hijacking Just Won’t Die”
text/plain 