Building the moarTLS Analyzer

I’m passionate about building tools that help developers and testers discover, analyze, and fix problems with their sites. Some of the first code I ever released was a set of trivial JavaScript-based browser extensions for IE5. I later used the more powerful COM-based extensibility model to hack together some add-ons that would log ActiveX controlsContinue reading “Building the moarTLS Analyzer”

On Daylight Savings Time

In Fiddler, the Caching tab will attempt to calculate the cache freshness lifetime for responses that lack an explicit Expires or Cache-Control: max-age directive. The standard suggests clients use (0.1 * (DateTime.Now – Last-Modified)) as a heuristic freshness lifetime. An alert Fiddler user noticed that the values he was seeing were slightly off what he expected: sometimes the valuesContinue reading “On Daylight Savings Time”

Things I’ve Learned in my first weeks on Chrome

This is a stub post which will be updated periodically. It would be impossible to summarize how much I’ve learned in the last six weeks working at Google, but it’s easy to throw together some references to the most interesting and accessible things I’ve learned. So that’s this post. Developing Chrome Searching the code isContinue reading “Things I’ve Learned in my first weeks on Chrome”

Web Developers and Footguns

If you offer web developers footguns, you’d better staff up your local trauma department. In a prior life, I wrote a lot about Same-Origin-Policy, including the basic DENY-READ principle that means that script running in the context of origin A.com cannot read content from B.com. When we built the (ill-fated) XDomainRequest object in IE8, weContinue reading “Web Developers and Footguns”

Extended Validation Certificates – The Introduction

In 2005, one of my first projects on the Internet Explorer team was improving the user-experience for HTTPS sites (“SSLUX”). Our first task was to change the certificate error experience from the confusing and misleading modal dialog box: … to something that more clearly conveyed the risk and which more clearly discouraged users from acceptingContinue reading “Extended Validation Certificates – The Introduction”

Automatically Evaluating Compressibility

Fiddler’s Transformer tab has long been a simple way to examine the use of HTTP compression of web assets, especially as new compression engines (like Zopfli) and compression formats (like Brotli) arose. However, the one-Session-at-a-time design of the Transformer tab means it is cumbersome to use to evaluate the compressibility of an entire page orContinue reading “Automatically Evaluating Compressibility”

The Sad State of HAR

Spring 2017 Update: Some of these issues have been fixed. The HTTP Archive Format (HAR) was designed to allow tools to exchange network traffic using a standard format; this format is akin to Fiddler’s Session Archive Zip format but is supported natively by browser developer tools. Unlike SAZ files, it is not compressed by default,Continue reading “The Sad State of HAR”