Browse All Posts


Improving the Microsoft Defender Browser Protection Extension

Earlier this year, I wrote about various extensions available to bolster your browser’s defenses against malicious sites. Today, let’s look at another such extension: the Microsoft Defender Browser Protection extension. I first helped out with the extension back in 2018 when…

How do Random Credentials Mysteriously Appear?

One commonly-reported issue to browsers’ security teams sounds like: “Some random person’s passwords started appearing in my browser password manager?!? This must be a security bug of some sort!” This issue has been reported dozens of times, and it’s a…

Detecting When the User is Offline

Can you hear me now? In the web platform, simple tasks are often anything but. Properly detecting whether the user is online/offline has been one of the “Surprisingly hard problems in computing” since, well, forever. Web developers often ask one…

New TLDs: Not Bad, Actually

The Top Level Domain (TLD) is the final label in a fully-qualified domain name: The most common TLD you’ll see is com, but you may be surprised to learn that there are 1479 registered TLDs today. This list can be…

A Beautiful 10K

This morning was my second visit to the Austin Capitol 10K race. Last year’s run represented my first real race, then two months into my new fitness regime, and I only met my third goal (“Finish without getting hurt”) while…

(The Futility of) Keeping Secrets from Yourself

Many interesting problems in software design boil down to “I need my client application to know a secret, but I don’t want the user of that application (or malware) to be able to learn that secret.” Some examples include: …and…

Auth Flows in a Partitioned World

Back in 2019, I explained how browsers’ cookie controls and privacy features present challenges for common longstanding patterns for authentication flows. Such flows often rely upon an Identity Provider (IdP) having access to its own cookies both on top-level pages…

Explainer: File Types

On all popular computing systems, all files, at their most basic, are a series of bits (0 or 1), organized into a stream of bytes, each of which uses 8 bits to encode any of 256 possible values. Regardless of…

How Microsoft Edge Updates

When you see the update notifier in Edge (a green or red arrow on the … button): … this means an update is ready for use and you simply need to restart the browser to have it applied. While you’re…

Attack Techniques: Spoofing via UserInfo

I received the following phishing lure by SMS a few days back: The syntax of URLs is complicated, and even tech-savvy users often misinterpret them. In the case of the URL above, the actual site’s hostname is brefjobgfodsebsidbg.com, and the…

Going Electric – Solar

For years now, I’ve wanted to get solar panels for my house in Austin, both because it feels morally responsible and because I’m a geek and powering my house with carbon-free fusion seems neat. Economically, I assume I’ll eventually break…

Improving Native Message Host Reliability on Windows

Last Update: May 24, 2023 —UPDATE— Chrome postponed this change, re-releasing v113 without it :'( Edge also removed the change in v113.0.1774.42. The plan is to eventually turn it on-by-default, so extension authors really should read this post and update…

Slow Seaside Half

After my first real-world half marathon in January, I ended up signing up for the 2024 race, but I also quickly decided that I didn’t want to wait a full year to give it another shot. A day or so…

Q: “Remember this Device, Doesn’t?!?”

Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code: …doesn’t seem to work. What’s up…

Attack Techniques: Blended Attacks via Telephone

Last month, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. Another approach for conducting an attack…

A New Era: PM -> SWE

tl;dr: As of last week, I am now a Software Engineer at Microsoft. My path to becoming a Program Manager at Microsoft was both unforeseen (by me) and entirely conventional. Until my early teens, my plan was to be this…

A Year of Intention

By February 7th 2022, I hadn’t yet started jogging on my treadmill, but walking, biking, and improved diet got me down about 15 pounds from my peak. A year later, I’ve stabilized around forty pounds below that.

Defense Techniques: Reporting Phish

While I have a day job, I’ve been moonlighting as a crimefighting superhero for almost twenty years. No, I’m not a billionaire who dons a rubber bat suit to beat up bad guys– I’m instead flagging phishing websites that try…

SlickRun

While I’m best known for creating Fiddler two decades ago, eight years before Fiddler’s debut I started work on what became SlickRun. SlickRun is a floating command line that provides nearly instant access to almost any app or website. Originally…

2022 EOY Fitness Summary

I spent dramatically more time on physical fitness in 2022 than I have at any other point in my life, in preparation for my planned adventure this June. My 2022 statistics from iFit on my incline trainer/treadmill show that I…

Attack Techniques: Priming Attacks on Legitimate Sites

Earlier today, we looked at two techniques for attackers to evade anti-phishing filters by using lures that are not served from http and https urls that are subject to reputation analysis. A third attack technique is to send a lure…

Attack Techniques: Phishing via Mailto

Earlier today, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. A similar technique is to encode…

Attack Techniques: Phishing via Local Files

One attack technique I’ve seen in use recently involves enticing the victim to enter their password into a locally-downloaded HTML file. The attack begins by the victim receiving an email lure with a HTML file attachment (for me, often with…

ProjectK.commit()

Cruising solo across the Gulf of Mexico last Christmas, I had a lot of time to think. Traveling alone, I could do whatever I wanted, whenever I wanted. And this led me to realize that, while I was about to…

Missed Half

After last month’s races, I decided that I could reduce some of my stress around my first half marathon (Austin 3M at the end of January) by running a slow marathon ahead of time — a Race 0 if you…

TLS Certificate Verification Changes in Edge

Status as of May 2023: When establishing a secure HTTPS connection with a server, a browser must validate that the certificate sent by the server is valid — that is to say, that: In the past, Chromium running on Windows…

Mark-of-the-Web: Additional Guidance

I’ve been writing about the Mark-of-the-Web (MotW) security primitive in Windows for decades now, with 2016’s Downloads and MoTW being one of my longer posts that I’ve updated intermittently over the last few years. If you haven’t read that post…

Q4 Races

I finished the first section of Tommy Rivers’ half-marathon training series (in Bolivia) and have moved on to the second section (Japan). I ran two Austin races in November, notching some real-world running experience in preparation for the 3M Half…

Driving Electric

While my 2013 CX-5 is reasonably fuel-efficient (~28mpg in real world driving), this summer I watched in dismay as gas prices spiked. Even when my tank was almost full, watching prices tick up every time I drove past a gas…

Thoughts on Twitter

When some of the hipper PMs on the Internet Explorer team started using a new “microblogging” service called Twitter in the spring of 2007, I just didn’t “get it.” Twitter mostly seemed to be a way to broadcast what you’d…

“Not Secure” Warning for IE Mode

A customer recently wrote to ask whether there was any way to suppress the red “/!\ Not Secure” warning shown in the omnibox when IE Mode loads a HTTPS site containing non-secure images: Notably, this warning isn’t seen when the…

Microsoft Employee’s Guide to Maximizing Donations

Perhaps the most impactful perk for employees of Microsoft is that the company will match charitable donations up to a pretty high annual limit ($15K/year), and will also match volunteering time with a donation at a solid hourly rate up…

Q: Why do tabs sometimes show an orange dot?

Sometimes, you’ll notice that a background tab has an orange dot on it in Edge (or a blue dot in Chrome). If you click on the tab, the dot disappears. Why? The dot indicates that the tab wants “attention” — more…

Capturing Logs for Debugging SmartScreen

The Microsoft Edge browser makes use of a service called Microsoft Defender SmartScreen to help protect users from phishing websites and malicious downloads. The SmartScreen service integrates with a Microsoft threat intelligence service running in the cloud to quickly block…

Cruising Alaska (Alaskan Brews Cruise)

I lived in the Seattle area for nearly 12 years, and one of my regrets is that I never took advantage of any of the Alaskan cruises that conveniently leave from Pier 91 a few miles out of downtown. Getting…

HTTPS Goofs: Forgetting the Bare Domain

As I mentioned, the top failure of HTTPS is failing to use it, and that’s particularly common in in-bound links sent via email, in newsletters, and the like. Unfortunately, there’s another common case, whereby the user simply types your bare…

Best Practice: Post-Mortems

I’ve written a bit about working at Google in the past. Google does a lot of things right, and other companies would benefit by following their example. At Google, one of the technical practices that I thought was both essential…

Badware Techniques: Notification Spam

I tried visiting an old colleague’s long-expired blog today, just to see what would happen. I got redirected here: Wat? What is this even talking about? There’s no “Allow” link or button anywhere. The clue is that tiny bell with…

Edge’s Super-Res Image Enhancement

One interesting feature that the Edge team is experimenting with this summer is called “SuperRes” or “Enhance Images.” This feature allows Microsoft Edge to use a Microsoft-built AI/ML service to enhance the quality of images shown within the browser. You…

QuickFix: Trivial Chrome Extensions

Almost a decade before I released the first version of Fiddler, I started work on my first app that survives to this day, SlickRun. SlickRun is a floating command line that can launch any app on your PC, as well…

Passkeys – Syncable WebAuthN credentials

Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security…

Understanding Browser Channels

Microsoft Edge (and upstream Chrome) is available in four different Channels: Stable, Beta, Dev, and Canary. The vast majority of Edge users run on the Stable Channel, but the three pre-Stable channels can be downloaded easily from microsoftedgeinsider.com. You can…

Certificate Revocation in Microsoft Edge

When you visit a HTTPS site, the server must present a certificate, signed by a trusted third-party (a Certificate Authority, aka CA), vouching for the identity of the bearer. The certificate contains an expiration date, and is considered valid until…

New Recipes for 3rd Party Cookies

Last Updated: 13 April 2023 For privacy reasons, the web platform is moving away from supporting 3rd-party cookies, first with lockdowns, and eventually with removal of support (originally planned for late 2023, now the second half of 2024). Background: What Does “3rd-Party” Mean?…

My Next Opportunity

This is the farewell email I sent to my Edge teammates yesterday. IWebBrowser3::BeforeNavigate() When I left the Internet Explorer team in 2012 to work on Fiddler full-time, I did so with a measure of heartbreak, absolutely certain that I would…

Edge URL Schemes

The microsoft-edge: Application Protocol Microsoft Edge implements an Application Protocol with the scheme microsoft-edge: that is designed to launch Microsoft Edge and pass along a web-schemed URL and/or additional arguments. A basic invocation might be as simple as: microsoft-edge:http://example.com/ However,…

End of Q2 Check-in

Back in January, I wrote about my New Years’ Resolutions. I’m now 177 days in, and things are continuing to go well. Health and Finance: A dry January. Exceeded. I went from 2 or 3 drinks a night six times a week…

Captive Portals

When you join a public WiFi network, sometimes you’ll notice that you have to accept “Terms of Use” or provide a password or payment to use the network. Your browser opens or navigates to a page that shows the network’s…

Extending Fiddler’s ImageView

Fiddler’s ImageView Inspector offers a lot of powerful functionality for inspecting images and discovering ways to shrink an image’s byte-weight without impacting its quality. Less well-known is the fact that the ImageView Inspector is very extensible, such that you can…

“Batteries-Included” vs “Bloated”

Fundamentals are invisible. Features are controversial. One of the few common complaints against Microsoft Edge is that “It’s bloated– there’s too much stuff in it!” A big philosophical question for designers of popular software concerns whether the product should include…

Chromium Startup

This morning, a Microsoft Edge customer contacted support to ask how they could launch a URL in a browser window at a particular size. I responded that they could simply use the --window-size="800,600" command line argument. The customer quickly complained…

Microsoft Edge Tips and Tricks

Last Updated: June 3, 2022. The intent of this post is to capture a list of non-obvious features of the browser that might be useful to you. Q: How do I find the tab playing audio? It’s cool that Microsoft…

Losing your cookies

“My browser lost its cookies” has long been one of the most longstanding Support complaints in the history of browsers. Unfortunately, the reason that it has been such a longstanding issue is that it’s not the result of a single…

Thoughts on Impact

In this post, I talk a lot about Microsoft, but it’s not only applicable to Microsoft. It’s once again “Connect Season” at Microsoft, a biannual-ish period when Microsoft employees are tasked with filling out a document about their core priorities,…

Unexpectedly HTTPS?

While I’m a firm believer that every site should be using HTTPS, sadly, not every site is yet doing so. Looking at Chrome data, today around 92% of navigations are HTTPS: …and the pages loaded account for around 95% of…

Chromium Internals: PAK Files

Web browsers are made up of much more than the native code (mostly compiled C++) that makes up their .exe and .dll files. A significant portion of the browser’s functionality (and bulk) is what we’d call “resources”, which include things…

Real-World Running

Yesterday, I ran my first 10K in “the real world”, my first real world run in a long time. Almost eleven years ago I ran a 5K, and 3.5 years ago I ran a non-competitive 5 miler on Thanksgiving. I…

End of Q1 Check-in

tl;dr: On track. Back in January, I wrote about my New Years’ Resolutions. I’m now 90 days in, and things are continuing to go well. Health and Finance: A dry January. Exceeded. I stopped drinking alcohol on any sort of regular basis;…

Chromium’s DNS Cache

From the mailbag: Q: How long does Chromium cache hostnames? I know a user can clear the hostname cache using the Clear host cache button on about://net-internals/#dns, but how long it will take for the cache to be removed if…

The “Magical” Back Button

From the mailbag: Eric, when I am on bing.com in Edge or Chrome and I type https://portal.microsoft.com in the address bar, I go through some authentication redirections and end up on the Office website. If I then click the browser’s…

Edge/Chrome Policy Registry Entries

One of the more common problems reported by Enterprises is that certain Edge/Chrome policies do not seem to work properly when the values are written to the registry. For instance, when using the about:policy page to examine the browser’s view…

Smarter Defaults by Paying Attention

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions of varying levels of importance: should a particular API be available? Should a resource load be permitted? Should script be allowed to…

Mid-February Checkin

tl;dr: On track. Back in January, I wrote about my New Years’ Resolutions. I’m now 45 days in, and things are going pretty well. Health and Finance: A dry January. Dry January has turned into dry February. Beyond idle thoughts…

MHTML in Chromium

The MHTML file format (aka “Webpage, single file”) allows a single file to contain the multiple resources that are used to load a webpage (script, css, images, etc). Edge (Chromium) has an option to use the format when saving the…

Adding Protocol Schemes to Chromium

Previously, I’ve written a lot about Application Protocols, which are a simple and popular common mechanism for browsers to send a short string of data out to an external application for handling. For instance, mailto is a common example of…

Debugging Compatibility in Edge

Background By moving from our old codebase to Chromium, the Microsoft Edge team significantly modernized our codebase and improved our compatibility with websites. As we now share the vast majority of our web platform code with the market-leading browser, it’s…

Recognizing Edge Windows

Yesterday, we had a customer reach out to us for help on an issue they’d encountered while writing code to interact with Microsoft Edge windows. Their script enumerated every window in the system, looking for those with Microsoft Edge in…

Trim Your Whitespace

Leading and trailing whitespace are generally invisible. Humans are bad at dealing with things they can’t see. If your system accepts textual codes, or any other human-generated or human-mediated input, you should trim whitespace, whether it’s leading, trailing, or inline…

Debug Native Messaging

Prelude Last month, an Enterprise customer reached out to report that a 3rd-party browser extension they use wasn’t working properly. Investigation of the extension revealed that the browser extension relied upon a NativeMessaging Host (NMH) companion that runs outside of…

Lock down web browsing using Kiosk Mode

Browsers get used in many different environments. Today, I take a look at scenarios where there’s either no interactive user (digital signage) or a potentially malicious user (internet kiosks). Digital Signage (fullscreen) Requirements In the Digital Signage scenario, there’s a…

getaddrinfo(2022)

New Years’ Resolutions aren’t really my jam. Over the years, I usually idly ponder some vague notion (usually “get in better shape”) in late December, and mostly forget about it by the second week of January or so. This year,…

Edge Command Line Arguments

Microsoft Edge offers a broad variety of configuration options via Group Policy (for Enterprises), the edge://settings page, the edge://flags page (mostly experimental options), and finally via command-line arguments that are passed to the msedge.exe executable. This list of sources is roughly…

Cruising Solo

For Christmas 2020, I was home alone. The highlight of my day was discovering that Jack in the Box was open. I enjoyed my Christmas cheeseburger dinner at a picnic table in a park down the street. Unexpectedly, my Christmas…

Microsoft Edge’s Many Processes

Chromium-based browsers like Microsoft Edge use a multi-process architecture for reliability and security reasons. tl;dr For reliability, Process isolation means that if one process crashes, the entire browser need not go down. For example, if a page on leaky.com has…

View-Source

Chromium offers two ways for an end-user to view the source code of a web page: 1) the Developer Tools, and 2) The longstanding view-source viewer. Of these, the Developer Tools have received almost all of the attention over the…

Spooky: Enhancing Dark Mode in Chromium

I am not really a fan of Dark Mode — I like my screens bright and shiny. But it’s October, and it’s sometimes fun to make things dark and spooky. Some users of my Show Browser Version extension wanted it…

MoarTLS: Non-Secure Download Blocking

With little fanfare, an important security change has arrived on the web. Now, all major browsers (except Safari) block non-secure downloads from a secure page.

Browser    Version    Behavior
Edge       94+        Block with right-click “Keep” button
Chrome     94         Block silently
Firefox    93         Block with “Allow download” button
Brave      1.30.89    Block…

Accessibility (UIA) Troubleshooting

Chromium-based browsers offer a number of accessibility-related features. When you visit about:accessibility, you can see more about the state of these features (similarly, you can find the states in about:histograms/Accessibility.ModeFlag). You can enable features via the Accessibility page, or pass…

Practical Time Machines

Many “emergency” situations in our modern world would’ve been easy to fix had they been foreseen in advance. If only we’d known what was going to happen, the badness could’ve easily been prevented. Unfortunately, when problems are discovered only “as…

Determining OS Platform Version

In general, you should not care what Operating System visitors are using to visit your website. If you attempt to be clever, you will often get it wrong and cause problems that are an annoyance for users and a hassle…

Inspecting Certificates in Edge

Curious about how to see a website’s HTTPS certificate in Microsoft Edge? You’ve got two options: A companion post to 2017’s post Inspecting Certificates in Chrome.

Leaky Abstractions

In the late 1990s, the Windows Shell and Internet Explorer teams introduced a bunch of brilliant and intricate designs that allowed extension of the shell and the browser to handle scenarios beyond what those built by Microsoft itself. For instance,…

Offline NetLog Viewing

A while back, I explained how you can use Telerik Fiddler or the Catapult NetLog Viewer to analyze a network log captured from Microsoft Edge, Google Chrome, or another Chromium or Electron-based application. While Fiddler is a native app that…

Download Blocking by File Type

Last Updated: 6 April 2023 I’ve previously gushed about the magic of the File Type Policies component — a mechanism that allows files to be classified by their level of “dangerousness”, such that harmless files (e.g. .txt files) can be…

Per-Site Permissions in Edge

Last year, I wrote about how the new Microsoft Edge browser mostly ignores Security Zones (except in very rare circumstances) to configure security and permissions decisions. Instead, in Chromium per-site permissions are controlled by settings and policies expressed using a…

Specifying Per-Site Policy with Chromium’s URL Filter Format

Chromium-based browsers like Microsoft Edge make very limited use of Windows Security Zones. Instead, most permissions and features that offer administrators per-site configuration via policy rely on lists of rules in the URL Filter Format. Filters are expressed in a…

Web Proxy Authentication

Last year, I wrote about how the new Microsoft Edge’s adoption of the Chromium stack changed proxy determination away from the Windows Service (WinHTTP Proxy Service) to similar but not identical code in Chromium. This change mostly goes unnoticed, but…

window.close() Restrictions

Sometimes, Web Developers are surprised to find that the window.close() API doesn’t always close the browser window. When looking at the Developer Tools console, they’ll see a message like: Scripts may close only the windows that were opened by them.…

Sandboxing vs. Elevated Browsing (As Administrator)

The Web Browser is the most security-critical application on most users’ systems– it accepts untrusted input from servers anywhere in the world, parses that input using dozens to hundreds of parsers, and renders the result locally as fast as it…

Objectively, the best cat

On March 15, 2009 we put my cat Jill (Jillian, Jilly, Jilly Bean, Jillkin) to sleep at an emergency vet. We didn’t know for sure why her kidneys failed, but it was sudden and unexpected. At times Jill could be grumpy…

Simply Making Simple Fixes Simple for Chromium

Google recently introduced a cool web-based editing tool for Chromium source code, a very stripped down version of the Willy Wonka tooling Googlers get to use for non-Chromium projects. I’ve used this tool to submit two trivial change lists (CLs,…

Client Certificates and Logout

Last Updated May 16, 2022 Back in May 2020, I wrote about Client Certificate Authentication, a mechanism that allows websites to strongly validate the identity of their visitors using certificates presented by the visitor’s browser. One significant limitation for client…

Web “Sessions” in Private Mode

I’ve written about Private Browsing Mode a lot previously, and I’ve written a bit about the behavior of “Session restore” previously, but one topic I haven’t covered is how “Sessions” work while in Private mode. Session Sharing Historically, one of…

Images Keeping You Awake?

A Microsoft Edge user recently complained that her screensaver was no longer activating after the expected delay, and she thought that this might be related to her browser. It was, in a way. To troubleshoot issues where your PC’s screensaver…

Debugging Browsers – Tools and Techniques

Last update: March 29, 2021 Earlier this year, I shared a post on how you can become an expert on web browsers from the comfort of your desk… or anywhere else you have an internet connection. In that post, I…

Local Data Encryption in Chromium

Back in February, I wrote about browser password managers and mentioned that it’s important to understand the threat model when deciding how to implement features and their security protections. Generally speaking, “keeping secrets from yourself” is a fool’s errand, so…

Web Debugging: Watching Element Changes

Recently, I was debugging a regression where I wanted to watch changes in an element’s property at runtime. Specifically, I wanted to watch the URL change when I select different colors in Tesla’s customizer. By using the Inspect Element tool,…
