Tag Archives: browsers

Beware: URLs are Pointers to Mutable Entities
Folks often like to think of a URL as an entity that can be evaluated: “Is it harmless, or is it malicious?” In particular, vendors of security products tend to lump URLs in with other IoCs (indicators of compromise) like the hash of a known-malicious file, a malicious/compromised digital certificate, or a known-malicious IP address. Unfortunately, …
Security Tradeoffs: Privacy
In a recent post, I explored some of the tradeoffs engineers must make when evaluating the security properties of a given design. In this post, we explore an interesting tradeoff between Security and Privacy in the analysis of web traffic. Many different security features and products attempt to protect web browsers from malicious sites by …
Security: Tradeoffs
Absolute security is simple– put your PC in a well-guarded vault, and never power it on. But that’s not what PCs are built for, and good luck finding a job that would pay you for such advice. Security Engineering (like all engineering) is a story of tradeoffs. Tradeoffs commonly take place across multiple dimensions: As …
SmartScreen Application Reputation, with Pictures
Last Update: Sept 3, 2025. I’ve previously explained how Chromium-based browsers assign a “danger level” based on the type of the file, as determined from its extension. Depending on the Danger Level, the browser may warn the user before a file download begins in order to confirm that the user really wanted a potentially-dangerous file. …
Improving the Microsoft Defender Browser Protection Extension
Earlier this year, I wrote about various extensions available to bolster your browser’s defenses against malicious sites. Today, let’s look at another such extension: the Microsoft Defender Browser Protection extension. I first helped out with the extension back in 2018 when I was an engineer on the Chrome Security team, and this spring, I was tasked …
Q: “Remember this Device, Doesn’t?!?”
Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code: …doesn’t seem to work. What’s up with that? A: Unfortunately, there’s no easy answer here. There is no browser standard for …
Attack Techniques: Notification Spam
A colleague recently saw the following popups when using their computer: Because they seemed to come from nowhere in particular, they seemed credible– either Windows itself had detected a virus, or perhaps their computer was infected with malware that caused the popups? The reality is more mundane and much more common. These are …
Edge’s Super-Res Image Enhancement
One interesting feature that the Edge team is experimenting with this summer is called “SuperRes” or “Enhance Images.” This feature allows Microsoft Edge to use a Microsoft-built AI/ML service to enhance the quality of images shown within the browser. You can learn more about how the images are enhanced (and see some examples) in the …
Passkeys – Syncable WebAuthN credentials
Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security with multi-factor authentication (e.g. one-time codes via SMS, TOTP authenticators, etc.) and usability improvements (e.g. …
Captive Portals
When you join a public WiFi network, sometimes you’ll notice that you have to accept “Terms of Use” or provide a password or payment to use the network. Your browser opens or navigates to a page that shows the network’s legal terms or web logon form, you fill it out, and you’re on your …