Disclaimer: I’m a big fan of Pandora. I’ve been a listener for a decade or more, and I started paying for an annual subscription even before there was any real incentive to do so, solely because I loved the service and wanted it to succeed. This post isn’t really about Pandora, per-se, but about commonContinue reading “Using HTTPS Properly”
Category Archives: security
Web Developers and Footguns
If you offer web developers footguns, you’d better staff up your local trauma department. In a prior life, I wrote a lot about Same-Origin-Policy, including the basic DENY-READ principle that means that script running in the context of origin A.com cannot read content from B.com. When we built the (ill-fated) XDomainRequest object in IE8, weContinue reading “Web Developers and Footguns”
Leaking Keystrokes
Windows 10’s IE11 continues to send your keystrokes over the internet in plaintext as you type in the address bar, a part of the “Search Suggestions” feature: “But I don’t search from the address bar,” you might say. That may be, but if you fail to type or paste a URL (sans protocol) into theContinue reading “Leaking Keystrokes”
Extended Validation Certificates – The Introduction
In 2005, one of my first projects on the Internet Explorer team was improving the user-experience for HTTPS sites (“SSLUX”). Our first task was to change the certificate error experience from the confusing and misleading modal dialog box: … to something that more clearly conveyed the risk and which more clearly discouraged users from acceptingContinue reading “Extended Validation Certificates – The Introduction”
Authenticode and SHA1–Redux
I tried to install Telerik DevCraft Ultimate, but Windows 8.1 and Windows 10 blocked it: “Unknown Publisher”? Hrm. That’s weird. I know Telerik signs their code and I was pretty sure their code-signing certificate is SHA256, so the new restrictions on SHA1 in code-signing shouldn’t be a problem, right? Sure enough, the code is signed with a SHA256Continue reading “Authenticode and SHA1–Redux”
text/plain 