Category Archives: security

(The Futility of) Keeping Secrets from Yourself

Many interesting problems in software design boil down to “I need my client application to know a secret, but I don’t want the user of that application (or malware) to be able to learn that secret.“ Some examples include: …and likely others. In general, if your design relies on having a client protect a secretContinue reading “(The Futility of) Keeping Secrets from Yourself”

Auth Flows in a Partitioned World

Back in 2019, I explained how browsers’ cookie controls and privacy features present challenges for common longstanding patterns for authentication flows. Such flows often rely upon an Identity Provider (IdP) having access to its own cookies both on top-level pages served by the IdP and when the IdP receives a HTTP request from an XmlHttpRequest/fetchContinue reading “Auth Flows in a Partitioned World”

Attack Techniques: Spoofing via UserInfo

I received the following phishing lure by SMS a few days back: The syntax of URLs is complicated, and even tech-savvy users often misinterpret them. In the case of the URL above, the actual site’s hostname is brefjobgfodsebsidbg.com, and the misleading http://www.att.net:911 text is just a phony username:password pair making up the UserInfo component ofContinue reading “Attack Techniques: Spoofing via UserInfo”

Attack Techniques: Open Redirectors, CAPTCHAs, Site Proxies, and IPFS, oh my

The average phishing site doesn’t live very long– think hours rather than days or weeks. Attackers use a variety of techniques to try to keep ahead of the Defenders who work tirelessly to break their attack chains and protect the public. Defenders have several opportunities to interfere with attackers: Each of these represents a weakContinue reading “Attack Techniques: Open Redirectors, CAPTCHAs, Site Proxies, and IPFS, oh my”