Things I’ve Learned in my first weeks on Chrome

This is a stub post which will be updated periodically. It would be impossible to summarize how much I’ve learned in the last six weeks working at Google, but it’s easy to throw together some references to the most interesting and accessible things I’ve learned. So that’s this post. Developing Chrome Searching the code isContinue reading “Things I’ve Learned in my first weeks on Chrome”

SHA-1 Certificates Blocked By Authenticode

Twitter started to light up a bit tonight with folks who are having problems with signatures; both third-party ISVs: … and even Microsoft’s own SysInternals utilities show1 an error: Developers are surprised to see their workflow suddenly broken and wonder why. The problem is outlined here – the tl;dr is that you must use a SHA256-signedContinue reading “SHA-1 Certificates Blocked By Authenticode”

Authenticode in 2016

Last month, I noticed that my eToken USB code-signing key only supports SHA1 and not SHA256. I began hunting for a replacement that can sign using the stronger hash. Fortunately, I didn’t have to look far—the Yubico YubiKey 4 is $40 and supports SHA256, RSA 4096, and ECC p384. Beyond supporting stronger algorithms, it seems toContinue reading “Authenticode in 2016”

Getting Started with Profile Guided Optimization

For the convenience of the Windows developer community, I periodically compile the Zopfli and Brotli compressors from source, building for Win32 and code-signing the binaries (Interested? Get Zopfli.exe and Brotli.exe). After announcing the latest build on Twitter, I got an interesting question in reply: While I try to use the latest compiler (VS2015 U1), I’veContinue reading “Getting Started with Profile Guided Optimization”

Fiddler Certificate Generators

Fiddler and FiddlerCore offer three different choices for generating interception certificates: MakeCert CertEnroll Bouncy Castle If you’re so inclined, you can even write your own certificate generator (say, by wrapping OpenSSL) and expose it to Fiddler using the ICertificateProvider3 interface. On Windows, Fiddler includes the MakeCert and CertEnroll certificate generators by default; you can downloadContinue reading “Fiddler Certificate Generators”

Tuning MemoryStream

By day, I build the Fiddler Web Debugger. I’ve recently started integrating telemetry collection into the application for automated exception reporting and to collect information about the user’s environment to ensure that Fiddler testing environments match real-world usage. The data is fascinating (and I’ll probably blog more about it later), but one data point inContinue reading “Tuning MemoryStream”

Stupid (useful) Windows Shell Tricks

RunAsUser Back in the Windows Vista timeframe, the existing RunAs verb for ShellExecute was changed. Instead of prompting the user to run the target as a different user (e.g. the experience you get when you Shift-Right-Click on an app) it instead would treat the call as “Run the target as an Elevated Administrator”. Well, whatContinue reading “Stupid (useful) Windows Shell Tricks”

HTTP Caching Public Service Announcement

There are many interesting thing to say about HTTP caching. I’ve blogged about them a lot in the past. Today’s public service announcement to clear up two extremely common misconceptions: 1. The no-cache directive does not mean “do not cache” (even though IE versions prior to IE10 implemented it that way). What it really meansContinue reading “HTTP Caching Public Service Announcement”