Category Archives: security

Downloads and the Mark-of-the-Web

Last update: October 28, 2025 Background To help protect the user and their device, Windows and its applications will often treat files originating from the Internet more cautiously than files generated locally. The Windows Security Zones determination process is most directly implemented by the MapURLToZone API; that API accepts a URL or a file pathContinue reading “Downloads and the Mark-of-the-Web”

Seek and Destroy Non-Secure References Using the moarTLS Analyzer

tl;dr: I made a Chrome Extension that finds security vulnerabilities.It’s now available for Firefox too! To secure web connections, TLS-enabling servers is only half the battle; the other half is ensuring that TLS is used everywhere. Unfortunately, many HTTPS sites today include insecure references that provide an network-based attacker the opportunity to break into theContinue reading “Seek and Destroy Non-Secure References Using the moarTLS Analyzer”

Web Developers and Footguns

If you offer web developers footguns, you’d better staff up your local trauma department. In a prior life, I wrote a lot about Same-Origin-Policy, including the basic DENY-READ principle that means that script running in the context of origin A.com cannot read content from B.com. When we built the (ill-fated) XDomainRequest object in IE8, weContinue reading “Web Developers and Footguns”