Improving the Microsoft Defender Browser Protection Extension

Earlier this year, I wrote about various extensions available to bolster your browser’s defenses against malicious sites. Today, let’s look at another such extension: the Microsoft Defender Browser Protection extension. I first helped out with extension back in 2018 when I was an engineer on the Chrome Security team, and this spring, I was taskedContinue reading “Improving the Microsoft Defender Browser Protection Extension”

Detecting When the User is Offline

Can you hear me now? In the web platform, simple tasks are often anything but. Properly detecting whether the user is online/offline has been one of the “Surprisingly hard problems in computing” since, well, forever. Web developers often ask one question (“Is this browser online?”) but when you dig into it, they’re really trying toContinue reading “Detecting When the User is Offline”

New TLDs: Not Bad, Actually

The Top Level Domain (TLD) is the final label in a fully-qualified domain name: The most common TLD you’ll see is com, but you may be surprised to learn that there are 1479 registered TLDs today. This list can be subdivided into categories: Some TLD owners will rent domain names under the TLD to anyContinue reading “New TLDs: Not Bad, Actually”

Auth Flows in a Partitioned World

Back in 2019, I explained how browsers’ cookie controls and privacy features present challenges for common longstanding patterns for authentication flows. Such flows often rely upon an Identity Provider (IdP) having access to its own cookies both on top-level pages served by the IdP and when the IdP receives a HTTP request from an XmlHttpRequest/fetchContinue reading “Auth Flows in a Partitioned World”

Attack Techniques: Spoofing via UserInfo

I received the following phishing lure by SMS a few days back: The syntax of URLs is complicated, and even tech-savvy users often misinterpret them. In the case of the URL above, the actual site’s hostname is, and the misleading text is just a phony username:password pair making up the UserInfo component ofContinue reading “Attack Techniques: Spoofing via UserInfo”

Improving Native Message Host Reliability on Windows

Last Update: May 24, 2023 —UPDATE— Chrome postponed this change, re-releasing v113 without it :'( Edge also removed the change in v113.0.1774.42. The plan is to eventually turn it on-by-default, so extension authors really should read this post and update their extensions if needed. The feature was relanded inside Chrome Canary version 115.0.5789.0. It’s off-by-default,Continue reading “Improving Native Message Host Reliability on Windows”

Attack Techniques: Open Redirectors, CAPTCHAs, Site Proxies, and IPFS, oh my

The average phishing site doesn’t live very long– think hours rather than days or weeks. Attackers use a variety of techniques to try to keep ahead of the Defenders who work tirelessly to break their attack chains and protect the public. Defenders have several opportunities to interfere with attackers: Each of these represents a weakContinue reading “Attack Techniques: Open Redirectors, CAPTCHAs, Site Proxies, and IPFS, oh my”

Q: “Remember this Device, Doesn’t?!?”

Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code: …doesn’t seem to work. What’s up with that? A: Unfortunately, there’s no easy answer here. There is no browser standard forContinue reading “Q: “Remember this Device, Doesn’t?!?””

Attack Techniques: Blended Attacks via Telephone

Last month, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. Another approach for conducting an attack like this is to send a lure which demands that the victim complete the attackContinue reading “Attack Techniques: Blended Attacks via Telephone”