The Microsoft Edge browser, Edge Legacy, and Internet Explorer all offer a convenient mechanism for users to unmask their typing as they edit a password field: Clicking the little eye icon disables the masking dots so that users can see the characters they’re typing: This feature can be very useful for those of us whoContinue reading “Revealing Passwords”
Category Archives: security
Web Proxy Auto Discovery (WPAD)
Back in the mid-aughts, Adam G., a colleague on the IE team, used the email signature “IE Networking Team – Without us, you’d be browsing your hard drive.” And while I’m sure it was meant to be a bit tongue-in-cheek, it’s really true– without a working network stack, web browsers aren’t nearly as useful. BackgroundContinue reading “Web Proxy Auto Discovery (WPAD)”
Same Origin Policy & CORS
I wrote some foundational web platform explanation posts back in my IEBlog days and they keep getting lost. So I’m linking them here. Same Origin Policy, the security policy which determines whether one site may interact with content from another site, and what limits apply, is one such foundational concept that is core to understandingContinue reading “Same Origin Policy & CORS”
Browser Basics: User Gestures
The Web Platform offers a great deal of power, and unfortunately evil websites go to great lengths to abuse it. One of the weakest (but simplest to implement) protections against such abuse is to block actions that were not preceded by a “User Gesture.” Such gestures (sometimes more precisely called User Activations) include a varietyContinue reading “Browser Basics: User Gestures”
Client Certificate Authentication
While most HTTPS sites only authenticate the server (using a certificate sent by the website), HTTPS also supports a mutual authentication mode, whereby the client supplies a certificate that authenticates the visiting user’s identity. Such a certificate might be stored on a SmartCard, or used as a part of an OS identity feature like WindowsContinue reading “Client Certificate Authentication”
Browser Password Managers: Threat Models
All major browsers have a built-in password manager. So we should use them, right? I Do Should You? The easy answer is “Yes, use your browser’s password manager!“ The more nuanced answer begins: “Tell me about your threat model?” As when evaluating almost any security feature, my threat model might not match your threat model,Continue reading “Browser Password Managers: Threat Models”
Security Zones in Edge (and Chrome)
Last updated: 25 March 2025 Browsers As Decision Makers As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? ShouldContinue reading “Security Zones in Edge (and Chrome)”
Retiring Internet Explorer
Prelude In late 2004, I was the Program Manager for Microsoft’s clipart website, delivering a million pieces of clipart to Microsoft Office customers every day. It was great fun. But there was a problem– our “Clip of the Day” feature, meant to spotlight a new and topical piece of clipart every day, wasn’t changing asContinue reading “Retiring Internet Explorer”
Disabling TLS/1.0 and TLS/1.1 in the new Edge Browser
UPDATE: Timelines in this post were updated in March 2020, October 2020, April 2021, and October 2021 to reflect the best available information. HTTPS traffic is encrypted and protected from snooping and modification by an underlying protocol called Transport Layer Security (TLS). Disabling outdated versions of the TLS security protocol will help move the webContinue reading “Disabling TLS/1.0 and TLS/1.1 in the new Edge Browser”
Thoughts on DNS-over-HTTPS
Updated November 30, 2020 with new information about DoH in Edge, ECH, and HTTPSSVC records, and January 25, 2021 with a few remarks about Edge’s implementation. Type https://example.com in your web browser’s address bar and hit enter. What happens? Before connecting to the example.com server, your browser must convert “example.com” to the network address atContinue reading “Thoughts on DNS-over-HTTPS”
text/plain 