The Trouble with Magic

“Magic” is great… except when it isn’t. Software Design is largely about tradeoffs, and one of the more interesting tradeoffs is between user experience and predictability. This has come up repeatedly throughout my career and in two independent contexts yesterday that I’ll describe in this post. Developer Magic I’m working on a tiny UX changeContinue reading “The Trouble with Magic”

Certified Malice

One unfortunate (albeit entirely predictable) consequence of making HTTPS certificates “fast, open, automated, and free” is that both good guys and bad guys alike will take advantage of the offer and obtain HTTPS certificates for their websites. Today’s bad guys can easily turn a run-of-the-mill phishing spoof: …into a somewhat more convincing version, by obtainingContinue reading “Certified Malice”

The Line of Death

When building applications that display untrusted content, security designers have a major problem— if an attacker has full control of a block of pixels, he can make those pixels look like anything he wants, including the UI of the application itself. He can then induce the user to undertake an unsafe action, and a userContinue reading “The Line of Death”

Client Certificates on Android

Recently, this interesting tidbit crossed my Twitter feed: Sure enough, if you visited the site in Chrome, you’d get a baffling prompt. My hometown newspaper shows the same thing: Weird, huh? Client certificates are a way for a browser to supply a certificate to the server to verify the client’s identity (in the typical case,Continue reading “Client Certificates on Android”

HTTPS Only Works If You Use It – Tipster Edition

It’s recently become fashionable for news organizations to build “anonymous tip” sites that permit members of the public to confidentially submit tips about stories of public interest. Unfortunately, would-be tipsters need to take great care when exploring such options, because many organizations aren’t using HTTPS properly to ensure that the user’s traffic to the newsContinue reading “HTTPS Only Works If You Use It – Tipster Edition”

Security UI in Chrome

The combined address box and search bar at the top of the Chrome window is called the omnibox. The icon and optional verbose state text adjacent to that icon are collectively known as the Security Chip: The security chip can render in a number of states, depending on the status of the page: Secure –Continue reading “Security UI in Chrome”

Cheating Authenticode, Redux

Back in 2014, I explained two techniques that have been used by developers to store information in Authenticode-signed executables without breaking the signature. Recently, Kevin Jones pointed out that Chrome’s signed installer differs on each download, as you can see in this file comparison of two copies of the Chrome installer, one downloaded from IEContinue reading “Cheating Authenticode, Redux”

Non-Secure Clicktrackers–The Fastest Path from A+ to F

HTTPS only works if you use it. Coinbase is an online bitcoin exchange backed by $106M in venture capital investment. They’ve got a strong HTTPS security posture, including the latest ciphers, a 4096bit RSA key, and advanced features like browser-preloaded HSTS and HPKP. SSLLabs grades Coinbase’s HTTPS deployment an A+: This is a well-secured siteContinue reading “Non-Secure Clicktrackers–The Fastest Path from A+ to F”