ericlaw

ServiceWorkers vs. Network Filtering

In a recent post, I explored how the design of network security features impact the tradeoffs of the system. In that post, I noted that integrating a URL check directly into the browser provides the security check with the best context, because it allows the client to see the full URL being checked and ifContinue reading “ServiceWorkers vs. Network Filtering”

Security: The Impact of Time

Two years ago, I wrote a long post about the importance of time, and how practical time machines can help reduce emergencies into more mundane workitems. Today, we revisit the same topic, with a focus on the Security impact of time. Races In many ways, the story of modern security is a story about races,Continue reading “Security: The Impact of Time”

Beware: URLs are Pointers to Mutable Entities

Folks often like to think of URLs as an entity that can be evaluated: “Is it harmless, or is it malicious?” In particular, vendors of security products tend to lump URLs in with other IoCs (indicators of compromise) like the hash of a known-malicious file, a malicious/compromised digital certificate, or a known-malicious IP address. Unfortunately,Continue reading “Beware: URLs are Pointers to Mutable Entities”

Email Etiquette: Avoid BCC’ing large distribution lists

While Microsoft corporate culture has evolved over the years, and the last twenty years have seen the introduction of new mass communication mechanisms like Yammer and Teams, we remain an email heavy company. Many product teams have related “Selfhost” or “Discussions” aliases (aka “Discussion Lists” or DLs) to which thousands of employees subscribe so theyContinue reading “Email Etiquette: Avoid BCC’ing large distribution lists”

Fiddler Web Debugger Turns 20

Twenty years ago (!!?!) was the first official release of Fiddler. I still run Fiddler for some task or another almost every working day. I still run my version (Fiddler Classic) although some of the newer tools in the Fiddler Universe are compelling for non-Windows platforms. I presented some slides in a birthday celebration thatContinue reading “Fiddler Web Debugger Turns 20”

Security Tradeoffs: Privacy

In a recent post, I explored some of the tradeoffs engineers must make when evaluating the security properties of a given design. In this post, we explore an interesting tradeoff between Security and Privacy in the analysis of web traffic. Many different security features and products attempt to protect web browsers from malicious sites byContinue reading “Security Tradeoffs: Privacy”

Security: Tradeoffs

Absolute security is simple– put your PC in a well-guarded vault, and never power it on. But that’s not what PCs are built for, and good luck finding a job that would pay you for such advice. Security Engineering (like all engineering) is a story of tradeoffs. Tradeoffs commonly take place across multiple dimensions: AsContinue reading “Security: Tradeoffs”

Web Platform Weirdness: Babies and Bathwater

When moving from other development platforms to the web, developers often have a hard time understanding why the web platform seems so … clunky. In part, that’s because the platform is pretty old at this point (>25 years as an app platform), partly because changes in form factors and paradigms (particular mobile) have introduced newContinue reading “Web Platform Weirdness: Babies and Bathwater”

Web Weirdness: Probing Localhost

If you closely watch the Network tab in the Chromium Developer Tools when you try to log into Fidelity Investments, you might notice something that looks a bit weird. JavaScript on the page attempts to create WebSocket connections to a bunch of local ports on the IPv4 localhost address (127.0.0.1): So, what are those portsContinue reading “Web Weirdness: Probing Localhost”

Attack Techniques: Fullscreen Abuse

It’s extremely difficult to prevent attacks when there are no trustworthy pixels on the screen, especially if a user doesn’t realize that none of what they’re seeing should be trusted. Unfortunately for the browsing public, the HTML5 Fullscreen API can deliver this power to an attacker. Today (and for over a decade now), an attackingContinue reading “Attack Techniques: Fullscreen Abuse”