Category Archives: security

Security Tradeoffs: Privacy

In a recent post, I explored some of the tradeoffs engineers must make when evaluating the security properties of a given design. In this post, we explore an interesting tradeoff between Security and Privacy in the analysis of web traffic. Many different security features and products attempt to protect web browsers from malicious sites byContinue reading “Security Tradeoffs: Privacy”

Security: Tradeoffs

Absolute security is simple– put your PC in a well-guarded vault, and never power it on. But that’s not what PCs are built for, and good luck finding a job that would pay you for such advice. Security Engineering (like all engineering) is a story of tradeoffs. Tradeoffs commonly take place across multiple dimensions: AsContinue reading “Security: Tradeoffs”

Web Platform Weirdness: Babies and Bathwater

When moving from other development platforms to the web, developers often have a hard time understanding why the web platform seems so … clunky. In part, that’s because the platform is pretty old at this point (>25 years as an app platform), partly because changes in form factors and paradigms (particular mobile) have introduced newContinue reading “Web Platform Weirdness: Babies and Bathwater”

Web Weirdness: Probing Localhost

If you closely watch the Network tab in the Chromium Developer Tools when you try to log into Fidelity Investments, you might notice something that looks a bit weird. JavaScript on the page attempts to create WebSocket connections to a bunch of local ports on the IPv4 localhost address (127.0.0.1): So, what are those portsContinue reading “Web Weirdness: Probing Localhost”

Attack Techniques: Fullscreen Abuse

It’s extremely difficult to prevent attacks when there are no trustworthy pixels on the screen, especially if a user doesn’t realize that none of what they’re seeing should be trusted. Unfortunately for the browsing public, the HTML5 Fullscreen API can deliver this power to an attacker. Today (and for over a decade now), an attackingContinue reading “Attack Techniques: Fullscreen Abuse”