Every few weeks for the last six or so years, I see someone complain on Twitter or in forums that the entire Internet seems to think they’re running an old version of IE. For instance, an IE11 user on Windows 8.1 might see the following warning on Facebook: These warnings typically occur when the browserContinue reading “Help–The Whole Web Thinks I’m Using IE7!!!”
Category Archives: security
Brotli
2022 Update: Brotli is requested by 94% of browsers, offers great performance, and works amazingly well on Web Assembly code. If you’re still using GZIP today, you should update! Regular readers of my blog know how much I love Zopfli, Google’s compression engine that often shrinks output by 5% or better when compared to theContinue reading “Brotli”
Stupid (useful) Windows Shell Tricks
RunAsUser Back in the Windows Vista timeframe, the existing RunAs verb for ShellExecute was changed. Instead of prompting the user to run the target as a different user (e.g. the experience you get when you Shift-Right-Click on an app) it instead would treat the call as “Run the target as an Elevated Administrator”. Well, whatContinue reading “Stupid (useful) Windows Shell Tricks”
An A+ HTTPS site for $20
Building a HTTPS-secured website is easier than it’s ever been.
HTTPS Only Works If You Use It
It should be obvious, but everyone seems to be making the same mistake. HTTPS only works if you use it. Everywhere. If you don’t use HTTPS everywhere, a bad guy can intercept an insecure request and prevent the user from reaching your secure site. HSTS is a good start to mitigating the threat of accidentallyContinue reading “HTTPS Only Works If You Use It”
Testing HTTPS In Native APPs
Over on Twitter, Paul asks how to verify that a native application is using TLS. For a PC, it’s pretty simple, just run Fiddler and watch the traffic. If you see any HTTP requests (other than those labeled “Tunnel to”, indicating a HTTP tunnel used for HTTPS traffic) from the Process of interest, that trafficContinue reading “Testing HTTPS In Native APPs”
Content Blocking: Unintended Consequences
Our company uses a web firewall device called IronPort to attempt to block unwanted network traffic; it blocks access to known phish and malware domains, and, more annoyingly, domains thought to be related to gaming or “questionable” topics (e.g. politics). Whatever. Today the IT department pushed a new rule set which blocks some requests to domains likeContinue reading “Content Blocking: Unintended Consequences”
Unsecure Content
Chrome has landed their change that allows you to mark unsecure (HTTP) content as insecure or dubious. Visit chrome://flags/#mark-non-secure-as to set the toggle. You can choose to mark as Dubious: …or as Non-Secure: The expectation is that eventually one of these modes will be the default for sites that are transferred over insecure protocols likeContinue reading “Unsecure Content”
Browser Benchmarks
Back in December, I predicted that Microsoft wouldn’t release the Project Spartan beta until it bested all of its competitors on the major benchmarks: SunSpider, Kraken, and Octane. I was wrong—the first beta was released with only minor script performance improvements. That changed with build 10061 of Windows 10, and Spartan now does beat everyoneContinue reading “Browser Benchmarks”
Security UI
Over a decade ago, Windows started checking the signature of downloaded executables. When invoked, Attachment Execute Services’ (AES) UI displays the publisher’s information for signed executables; unsigned executables instead show a security prompt with a red shield and a bolded warning that the publisher of the file is unknown: In contrast, signed executables show aContinue reading “Security UI”
text/plain 