One unfortunate (albeit entirely predictable) consequence of making HTTPS certificates “fast, open, automated, and free” is that both good guys and bad guys alike will take advantage of the offer and obtain HTTPS certificates for their websites. Today’s bad guys can easily turn a run-of-the-mill phishing spoof: …into a somewhat more convincing version, by obtainingContinue reading “Certified Malice”
Category Archives: security
The Line of Death
When building applications that display untrusted content, security designers have a major problem— if an attacker has full control of a block of pixels, he can make those pixels look like anything he wants, including the UI of the application itself. He can then induce the user to undertake an unsafe action, and a userContinue reading “The Line of Death”
Client Certificates on Android
Recently, this interesting tidbit crossed my Twitter feed: Sure enough, if you visited the site in Chrome, you’d get a baffling prompt. My hometown newspaper shows the same thing: Weird, huh? Client certificates are a way for a browser to supply a certificate to the server to verify the client’s identity (in the typical case,Continue reading “Client Certificates on Android”
HTTPS Only Works If You Use It – Tipster Edition
It’s recently become fashionable for news organizations to build “anonymous tip” sites that permit members of the public to confidentially submit tips about stories of public interest. Unfortunately, would-be tipsters need to take great care when exploring such options, because many organizations aren’t using HTTPS properly to ensure that the user’s traffic to the newsContinue reading “HTTPS Only Works If You Use It – Tipster Edition”
Security UI in Chrome
The combined address box and search bar at the top of the Chrome window is called the omnibox. The icon and optional verbose state text adjacent to that icon are collectively known as the Security Chip: The security chip can render in a number of states, depending on the status of the page: Secure –Continue reading “Security UI in Chrome”
Email Tracking Links are the Worst
Use HTTPS for all inbound links, especially those sent in email.
Cheating Authenticode, Redux
Back in 2014, I explained two techniques that have been used by developers to store information in Authenticode-signed executables without breaking the signature, including information about the EnableCertPaddingCheck registry flag that can be set to break the technique1. Recently, Kevin Jones pointed out that Chrome’s signed installer differs on each download, as you can seeContinue reading “Cheating Authenticode, Redux”
TLS Fallbacks are Dead
Just over 5 years ago, I wrote a blog post titled “Misbehaving HTTPS Servers Impair TLS 1.1 and TLS 1.2.” In that post, I noted that enabling versions 1.1 and 1.2 of the TLS protocol in IE would cause some sites to load more slowly, or fail to load at all. Sites that failed toContinue reading “TLS Fallbacks are Dead”
Non-Secure Clicktrackers–The Fastest Path from A+ to F
HTTPS only works if you use it. Coinbase is an online bitcoin exchange backed by $106M in venture capital investment. They’ve got a strong HTTPS security posture, including the latest ciphers, a 4096bit RSA key, and advanced features like browser-preloaded HSTS and HPKP. SSLLabs grades Coinbase’s HTTPS deployment an A+: This is a well-secured siteContinue reading “Non-Secure Clicktrackers–The Fastest Path from A+ to F”
File Paths in Windows
Handling file-system paths in Windows can have many subtleties, and it’s easy to forget how some of this very intricate system works under the covers. Happily, a .NET developer has started blogging a bit about file paths, presumably as they work to improve .NET’s handling of paths longer than the legacy MAX_PATH limit of 260Continue reading “File Paths in Windows”
text/plain 