Browse All Posts


ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox

Recently, many Microsoft employees taking training courses have reported problems accessing documents linked to in those courses in Chrome and Edge. In Edge, the screen looks like this: But the problem isn’t limited to Microsoft’s internal training platform, and can…

Mouse Gestures in Edge

Over twenty years ago, the Opera browser got me hooked on mouse gestures, a way for you to perform common browser actions quickly. After I joined the IE team in 2004, I fell in love with a browser extension written…

Going Electric – Solar 1 Year Later

In March of 2023, I had an 8kW solar array installed and I was finally permitted to turn it on starting April 21, 2023. My pessimistic/optimistic assumption that my buying an expensive solar array was going to be the trigger…

Browser Security Bugs that Aren’t: JavaScript in PDF

A fairly common security bug report is of the form: “I can put JavaScript inside a PDF file and it runs!” For example, open this PDF file with Chrome, and you can see the alert(1) message displayed: Support for JavaScript…

A Slow 10K

I “ran” the Capitol 10K for a third time on Sunday. It did not go well, but not for any of the reasons I worried about. The rain stopped hours before the race, and the course wasn’t wet. My knees…

Attacker Techniques: Gesture Jacking

A few years back, I wrote a short explainer about User Gestures, a web platform concept whereby certain sensitive operations (e.g. opening a popup window) will first attempt to confirm whether the user intentionally requested the action. As noted in…

pushState and URL Blocking

The Web Platform offers a handy API called pushState that allows a website’s JavaScript to change the URL displayed in the address bar to another URL within the same origin without sending a network request and loading a new page.…

Browser Extensions: Powerful and Potentially Dangerous

Regular readers of my blogs know that I love browser extensions. Extensions can make using your browser more convenient, fun, and secure. Unfortunately, extensions can also break web apps in bizarre or amusing ways, dramatically slow your browser performance, leak…

Second Seaside Half

I ran my second Galveston Half Marathon on Sunday, February 25th. The course was identical to last year’s race, starting at Stewart beach heading north before looping back down to the Pleasure Pier before returning to the start/finish line on…

The Importance of Feedback Loops

This morning, I found myself once again thinking about the critical importance of feedback loops. I thought about obvious examples where small bad things can so easily grow into large bad things: – A minor breach can lead to complete…

Cloaking, Detonation, and Client-side Phishing Detection

Today, most browsers integrate security services that attempt to protect users from phishing attacks: for Microsoft’s Edge, the service is Defender SmartScreen, and for Chrome, Firefox, and many derivatives, it’s Google’s Safe Browsing. URL Reputation services do what you’d expect…

x22i Treadmill Review

I love my treadmill, but two years in, I cannot recommend it. On New Year’s Day 2022 I bought a NordicTrack x22i Incline Trainer (a treadmill that supports 40% incline and 6% decline) with the aim of getting in shape…

How Downloads Work

I delivered a one-hour session on the internals of file downloads in web browsers at THAT Conference 2024. The slides are here and an MP3 of the talk is available. If you’d prefer to read, much of the content…

A Cold and Slow 3M Half

My second run of the 3M Half Marathon was Sunday January 21, 2024. My first half-marathon last year was cold (starting at 38F), but this year’s was slated to be even colder (33F) and I was nervous. For dinner on…

The Blind Doorkeeper Problem, or, Why Enclaves are Tricky

When trying to protect a secret on a client device, there are many strategies, but most of them are doomed. However, as a long-standing problem, many security experts have tried to chip away at its edges over the years. Over…

Coding at Google

I wrote this a few years back, but I’ve had occasion to cite it yet again when explaining why engineering at Google was awesome. To avoid it getting eaten by the bitbucket, I’m publishing it here. Background: From January 2016…

Fall 2023 Races

While I’ve been running less, I haven’t completely fallen out of the habit, and I still find spending an hour on the treadmill to be the simplest way to feel better for the rest of the day. Real-world racing remains…

Defense Techniques: Blocking Protocol Handlers

Application Protocols represent a compelling attack vector because they’re the most reliable and cross-browser compatible way to escape a browser’s sandbox, and they work in many contexts (Office apps, some PDF handlers, some chat/messaging clients, etc). Some protocol handlers are…

Attack Techniques: Steganography

Attackers are incentivized to cloak their attacks to avoid detection, keep attack chains alive longer, and make investigations more complicated. One type of cloaking involves steganography, whereby an attacker embeds hidden data inside an otherwise innocuous file. For instance, an…

Troubleshooting Edge (or Chrome) Broken UI

Last time, we looked at how to troubleshoot browser crashes. However, not all browser problems result in the tab or browser crashing entirely. In some cases, the problem is that some part of the browser UI doesn’t render correctly. This most…

Troubleshooting Edge (or Chrome) Browser Crashes

In the modern browser world, there are two types of crashes: browser crashes and renderer crashes. In a browser crash, the entire browser window with all of its tabs simply vanishes, either on startup, or at some point afterward. The…

Driving Electric – One Year In

One year ago, I brought home a new 2023 Nissan Leaf. I didn’t really need a car, but changing rules around tax credits meant that I pretty much had to buy the Leaf last fall if I wanted to save…

Protecting Auth Tokens

Authenticating to websites in browsers is complicated. There are numerous different approaches: Each of these authentication mechanisms has different user-experience effects and security properties. Sometimes, multiple systems are used at once, with, for example, a Web Forms login being bolstered…

ServiceWorkers vs. Network Filtering

In a recent post, I explored how the design of network security features impacts the tradeoffs of the system. In that post, I noted that integrating a URL check directly into the browser provides the security check with the best…

Security: The Impact of Time

Two years ago, I wrote a long post about the importance of time, and how practical time machines can help reduce emergencies into more mundane workitems. Today, we revisit the same topic, with a focus on the Security impact of…

Beware: URLs are Pointers to Mutable Entities

Folks often like to think of URLs as an entity that can be evaluated: “Is it harmless, or is it malicious?” In particular, vendors of security products tend to lump URLs in with other IoCs (indicators of compromise) like the…

Email Etiquette: Avoid BCC’ing large distribution lists

While Microsoft corporate culture has evolved over the years, and the last twenty years have seen the introduction of new mass communication mechanisms like Yammer and Teams, we remain an email-heavy company. Many product teams have related “Selfhost” or…

Fiddler Web Debugger Turns 20

Twenty years ago (!!?!) was the first official release of Fiddler. I still run Fiddler for some task or another almost every working day. I still run my version (Fiddler Classic) although some of the newer tools in the Fiddler…

Security Tradeoffs: Privacy

In a recent post, I explored some of the tradeoffs engineers must make when evaluating the security properties of a given design. In this post, we explore an interesting tradeoff between Security and Privacy in the analysis of web traffic.…

Security: Tradeoffs

Absolute security is simple– put your PC in a well-guarded vault, and never power it on. But that’s not what PCs are built for, and good luck finding a job that would pay you for such advice. Security Engineering (like…

Web Platform Weirdness: Babies and Bathwater

When moving from other development platforms to the web, developers often have a hard time understanding why the web platform seems so … clunky. In part, that’s because the platform is pretty old at this point (>25 years as an…

Web Weirdness: Probing Localhost

If you closely watch the Network tab in the Chromium Developer Tools when you try to log into Fidelity Investments, you might notice something that looks a bit weird. JavaScript on the page attempts to create WebSocket connections to a…

Attack Techniques: Fullscreen Abuse

It’s extremely difficult to prevent attacks when there are no trustworthy pixels on the screen, especially if a user doesn’t realize that none of what they’re seeing should be trusted. Unfortunately for the browsing public, the HTML5 Fullscreen API can…

The Challenge of IP Reputation

When protecting clients and servers against network-based threats, it’s tempting to consider the peer’s network address when deciding whether that peer is trustworthy. Unfortunately, while IP addresses can be a valuable signal, attempts to treat traffic as trustworthy or untrustworthy…

Defensive Techniques: Application Guard

Earlier this year, I mentioned that I load every phishing URL I’m sent to see what it does and whether it tries to use any interesting new techniques. While Edge’s “Enhanced Security Mode” reduces the risks of 0-day attacks against…

Kilimanjaro – To Exit Gate & Home

Saturday, July 8, 2023; Day 9 and Sunday, July 9, 2023; Home After another night of decent sleep, we turn on the light at 4:45am. It’s a cozy 50F in the tent. Our coffee should arrive in 15 minutes, and…

Kilimanjaro – Descent to Mweka

Friday, July 7, 2023; Day 8 Last night’s sleep was the best to date, even with high winds and noisy groups traipsing by after 1am. Exhaustion is the best sleep aid, I suppose. :) The tent is again just under…

Kilimanjaro – To Summit

Thursday, July 6, 2023; Day 7 It’s been noisy throughout the night as teams of hikers from Barafu pass through after midnight. They seem to make no effort toward keeping quiet, and there’s singing and shouts as they pass. Our…

Kilimanjaro – To Kosovo/Respicius Camp

Wednesday, July 5, 2023; Day 6 I slept okay last night with long periods awake, turning a story over in my mind, the details of which I’ve since forgotten. At 5:50am I sat up when I heard the coffee crew…

Kilimanjaro – Up Barranco Wall to Karanga Camp

Tuesday, July 4, 2023; Day 5 I slept okay last night, with no real nasal congestion unlike the night before, and the camp quieted down eventually. I had a few 1+ hour stretches of sleep. I jotted in my journal…

Kilimanjaro – To Lava Tower and Barranco Camp

Monday, July 3, 2023; Day 4 I didn’t feel quite as cold last night, and I got a solid amount of sleep. I had two mild-but-elaborate nightmares though, both featuring my ex. Ugh. I was a little congested, which is…

Kilimanjaro – To Shira 2 Camp

Sunday, July 2, 2023; Day 3 I slept somewhat more comfortably in the night — my sleeping pad, inflated by our porters before we got to Shira 1, was not overfilled and provided a bit more comfort than it had…

Kilimanjaro – To Shira 1 Camp

Saturday, July 1, 2023; Day 2 It was an uncomfortable night– the sleeping bag and my body temperature were comfy, but the ground was so, so hard. I felt like I didn’t sleep much at all. More than the body…

Kilimanjaro – Trailhead to Forest Camp

Friday, June 30, 2023; Day 1 Ndarakwai provided the best night’s sleep of the trip yet, with the combination of the cool breeze through the hut pairing beautifully with the cozy blanket on the comfy bunk. After sleeping at 9p,…

Kilimanjaro – Meet the Team; To Ndarakwai Lodge

Thursday, June 29, 2023; Day 0 Another night of rough sleep, but I got two solid blocks from 10:30p-1a and 4a-7:45a. I took a quick shower before heading to our last breakfast at the hotel. There was no omelette chef…

Kilimanjaro – Mini Safari

Wednesday June 28, 2023; Day -1 I again spent long periods awake overnight, this time starting around 2am. When we got up somewhere around 8 in the morning, we had another nice breakfast on the hotel’s patio dining room, again…

SmartScreen Application Reputation, with Pictures

Last Update: April 29, 2024 I’ve previously explained how Chromium-based browsers assign a “danger level” based on the type of the file, as determined from its extension. Depending on the Danger Level, the browser may warn the user before a…

Divorce – 18 Months In

I got separated in March 2020 and finally divorced in January 2022. It was a long time in coming, but it wasn’t awesome. In hindsight, I disassociated a bit, spreading the pain out over time rather than feeling it all…

Kilimanjaro – Coffee Tour

I woke up at 8am after a rough night’s sleep, awake for at least an hour around 3:30am, full of worries and nostalgia. Eight seemed a bit too early so I reset my watch’s alarm for 8:15, but either I…

Attack Techniques: QR Codes

As outlined in earlier posts in this series, attackers know that security software can detect their phishing lures and block users from even seeing the lure if it contains a known-phishing URL. For example, both Windows Live and Gmail block…

Enforcing SmartScreen with Policy

Microsoft Defender SmartScreen provides protection against the most common forms of attack: phishing and malware. SmartScreen support is built into Microsoft Edge and the Windows 8+ shell. The SmartScreen web service also powers the Microsoft Defender Browser Protection extension for…

Attack Techniques: SMS Gift Card Scams

Last week, I had the chance to fly to Redmond to meet my new teammates on the Protection team in Microsoft Defender. I also had the chance to catch up with a few old friends from the Edge team, one…

Kilimanjaro – Getting There

My kids and I flew from Austin to Maryland on Friday, June 23rd, and spent a day getting them settled in with their grandparents as I finished collecting a few last-minute essentials for the adventure. My brother and I had…

Kilimanjaro – Journal

Following two previously-posted entries: …this is an index post with links to the day-by-day journal of my Kilimanjaro trip. I’ve split the posts up by day because the idea of summarizing the entire trip in a single post feels like…

Kilimanjaro – Gear

This is the second post in my Kilimanjaro series. The index is here. When I was initially thinking about signing up for a trek up Kilimanjaro, I had two major areas to think about: my fitness, and all of the…

Kilimanjaro – Overview

Writing about my Kilimanjaro trek will not be easy: How can I do justice in describing what was: … all at the same time? Nevertheless, I’ve been back for a few weeks now and I’m compelled to put fingers to…

Browser SSO / Automatic Signin

Last Update: 8 March 2024 Over the years, I’ve written a bunch about authentication in browsers, and today I aim to shed some light on another authentication feature that is not super-well understood: Browser SSO. Recently, a user expressed surprise…

Improving the Microsoft Defender Browser Protection Extension

Earlier this year, I wrote about various extensions available to bolster your browser’s defenses against malicious sites. Today, let’s look at another such extension: the Microsoft Defender Browser Protection extension. I first helped out with the extension back in 2018 when…

How do Random Credentials Mysteriously Appear?

One commonly-reported issue to browsers’ security teams sounds like: “Some random person’s passwords started appearing in my browser password manager?!? This must be a security bug of some sort!” This issue has been reported dozens of times, and it’s a…

Detecting When the User is Offline

Can you hear me now? In the web platform, simple tasks are often anything but. Properly detecting whether the user is online/offline has been one of the “Surprisingly hard problems in computing” since, well, forever. Web developers often ask one…

New TLDs: Not Bad, Actually

The Top Level Domain (TLD) is the final label in a fully-qualified domain name: The most common TLD you’ll see is com, but you may be surprised to learn that there are 1479 registered TLDs today. This list can be…

A Beautiful 10K

This morning was my second visit to the Austin Capitol 10K race. Last year’s run represented my first real race, then two months into my new fitness regime, and I only met my third goal (“Finish without getting hurt”) while…

(The Futility of) Keeping Secrets from Yourself

Many interesting problems in software design boil down to “I need my client application to know a secret, but I don’t want the user of that application (or malware) to be able to learn that secret.” Some examples include: …and…

Auth Flows in a Partitioned World

Back in 2019, I explained how browsers’ cookie controls and privacy features present challenges for common longstanding patterns for authentication flows. Such flows often rely upon an Identity Provider (IdP) having access to its own cookies both on top-level pages…

Explainer: File Types

On all popular computing systems, all files, at their most basic, are a series of bits (0 or 1), organized into a stream of bytes, each of which uses 8 bits to encode any of 256 possible values. Regardless of…

How Microsoft Edge Updates

By default, Edge will update in the background automatically while you’re not using it. Open Microsoft Edge and you’ll be using the latest version. However, if Edge is already running and an update becomes available, an update notifier icon will…

Attack Techniques: Spoofing via UserInfo

I received the following phishing lure by SMS a few days back: The syntax of URLs is complicated, and even tech-savvy users often misinterpret them. In the case of the URL above, the actual site’s hostname is brefjobgfodsebsidbg.com, and the…

Going Electric – Solar

For years now, I’ve wanted to get solar panels for my house in Austin, both because it feels morally responsible and because I’m a geek and powering my house with carbon-free fusion seems neat. Economically, I assume I’ll eventually break…

Improving Native Message Host Reliability on Windows

Last Update: Nov 28, 2023 Update: This change was checked into Chromium 113 before being backed out. The plan is to eventually turn it on-by-default, so extension authors really should read this post and update their extensions if needed. The…

Slow Seaside Half

After my first real-world half marathon in January, I ended up signing up for the 2024 race, but I also quickly decided that I didn’t want to wait a full year to give it another shot. A day or so…

Q: “Remember this Device, Doesn’t?!?”

Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code: …doesn’t seem to work. What’s up…

Attack Techniques: Blended Attacks via Telephone

Last month, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. Another approach for conducting an attack…

A New Era: PM -> SWE

tl;dr: As of last week, I am now a Software Engineer at Microsoft. My path to becoming a Program Manager at Microsoft was both unforeseen (by me) and entirely conventional. Until my early teens, my plan was to be this…

A Year of Intention

By February 7th 2022, I hadn’t yet started jogging on my treadmill, but walking, biking, and improved diet got me down about 15 pounds from my peak. A year later, I’ve stabilized around forty pounds below that.

Defense Techniques: Reporting Phish

While I have a day job, I’ve been moonlighting as a crimefighting superhero for almost twenty years. No, I’m not a billionaire who dons a rubber bat suit to beat up bad guys– I’m instead flagging phishing websites that try…

SlickRun

While I’m best known for creating Fiddler two decades ago, eight years before Fiddler’s debut I started work on what became SlickRun. SlickRun is a floating command line that provides nearly instant access to almost any app or website. Originally…

2022 EOY Fitness Summary

I spent dramatically more time on physical fitness in 2022 than I have at any other point in my life, in preparation for my planned adventure this June. My 2022 statistics from iFit on my incline trainer/treadmill show that I…

Attack Techniques: Priming Attacks on Legitimate Sites

Earlier today, we looked at two techniques for attackers to evade anti-phishing filters by using lures that are not served from HTTP and HTTPS URLs that are subject to reputation analysis. A third attack technique is to send a lure…

Attack Techniques: Phishing via Mailto

Earlier today, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. A similar technique is to encode…

Attack Techniques: Phishing via Local Files

One attack technique I’ve seen in use recently involves enticing the victim to enter their password into a locally-downloaded HTML file. The attack begins with the victim receiving an email lure with an HTML file attachment (for me, often with…

ProjectK.commit()

Cruising solo across the Gulf of Mexico last Christmas, I had a lot of time to think. Traveling alone, I could do whatever I wanted, whenever I wanted. And this led me to realize that, while I was about to…

Missed Half

After last month’s races, I decided that I could reduce some of my stress around my first half marathon (Austin 3M at the end of January) by running a slow marathon ahead of time — a Race 0 if you…

TLS Certificate Verification Changes in Edge

Last Updated August 21 2023: When establishing a secure HTTPS connection with a server, a browser must validate that the certificate sent by the server is valid — that is to say, that: In the past, Chromium running on Windows…

Mark-of-the-Web: Additional Guidance

I’ve been writing about the Mark-of-the-Web (MotW) security primitive in Windows for decades now, with 2016’s Downloads and MoTW being one of my longer posts that I’ve updated intermittently over the last few years. If you haven’t read that post…

Q4 2022 Races

I finished the first section of Tommy Rivers’ half-marathon training series (in Bolivia) and have moved on to the second section (Japan). I ran two Austin races in November, notching some real-world running experience in preparation for the 3M Half…

Driving Electric

While my 2013 CX-5 is reasonably fuel-efficient (~28mpg in real world driving), this summer I watched in dismay as gas prices spiked. Even when my tank was almost full, watching prices tick up every time I drove past a gas…

Thoughts on Twitter

When some of the hipper PMs on the Internet Explorer team started using a new “microblogging” service called Twitter in the spring of 2007, I just didn’t “get it.” Twitter mostly seemed to be a way to broadcast what you’d…

“Not Secure” Warning for IE Mode

A customer recently wrote to ask whether there was any way to suppress the red “/!\ Not Secure” warning shown in the omnibox when IE Mode loads a HTTPS site containing non-secure images: Notably, this warning isn’t seen when the…

Microsoft Employee’s Guide to Maximizing Donations

Perhaps the most impactful perk for employees of Microsoft is that the company will match charitable donations up to a pretty high annual limit ($15K/year), and will also match volunteering time with a donation at a solid hourly rate up…

Q: Why do tabs sometimes show an orange dot?

Sometimes, you’ll notice that a background tab has an orange dot on it in Edge (or a blue dot in Chrome). If you click on the tab, the dot disappears. Why? The dot indicates that the tab wants “attention” –…

Capturing Logs for Debugging SmartScreen

The Microsoft Edge browser makes use of a service called Microsoft Defender SmartScreen to help protect users from phishing websites and malicious downloads. The SmartScreen service integrates with a Microsoft threat intelligence service running in the cloud to quickly block…

Cruising Alaska (Alaskan Brews Cruise)

I lived in the Seattle area for nearly 12 years, and one of my regrets is that I never took advantage of any of the Alaskan cruises that conveniently leave from Pier 91 a few miles out of downtown. Getting…

HTTPS Goofs: Forgetting the Bare Domain

As I mentioned, the top failure of HTTPS is failing to use it, and that’s particularly common in in-bound links sent via email, in newsletters, and the like. Unfortunately, there’s another common case, whereby the user simply types your bare…

Best Practice: Post-Mortems

I’ve written a bit about working at Google in the past. Google does a lot of things right, and other companies would benefit by following their example. At Google, one of the technical practices that I thought was both essential…

Attack Techniques: Notification Spam

I tried visiting an old colleague’s long-expired blog today, just to see what would happen. I got redirected here: Wat? What is this even talking about? There’s no “Allow” link or button anywhere. The clue is that tiny bell with…

Edge’s Super-Res Image Enhancement

One interesting feature that the Edge team is experimenting with this summer is called “SuperRes” or “Enhance Images.” This feature allows Microsoft Edge to use a Microsoft-built AI/ML service to enhance the quality of images shown within the browser. You…

QuickFix: Trivial Chrome Extensions

Almost a decade before I released the first version of Fiddler, I started work on my first app that survives to this day, SlickRun. SlickRun is a floating command line that can launch any app on your PC, as well…

Passkeys – Syncable WebAuthN credentials

Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security…
