One commonly-reported issue to browsers’ security teams sounds like: “Some random person’s passwords started appearing in my browser password manager?!? This must be a security bug of some sort!” This issue has been reported dozens of times, and it’s a reflection of a perhaps-surprising behavior of browser login and sync. So, what’s happening? Background EvenContinue reading “How do Random Credentials Mysteriously Appear?”
Tag Archives: Edge
Improving Native Message Host Reliability on Windows
Last Update: May 24, 2023 —UPDATE— Chrome postponed this change, re-releasing v113 without it :'( Edge also removed the change in v113.0.1774.42. The plan is to eventually turn it on-by-default, so extension authors really should read this post and update their extensions if needed. The feature was relanded inside Chrome Canary version 115.0.5789.0. It’s off-by-default,Continue reading “Improving Native Message Host Reliability on Windows”
Q: “Remember this Device, Doesn’t?!?”
Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code: …doesn’t seem to work. What’s up with that? A: Unfortunately, there’s no easy answer here. There is no browser standard forContinue reading “Q: “Remember this Device, Doesn’t?!?””
TLS Certificate Verification Changes in Edge
Status as of May 2023: When establishing a secure HTTPS connection with a server, a browser must validate that the certificate sent by the server is valid — that is to say, that: In the past, Chromium running on Windows delegated this validation task to APIs in the operating system, layering a minimal set ofContinue reading “TLS Certificate Verification Changes in Edge”
“Not Secure” Warning for IE Mode
A customer recently wrote to ask whether there was any way to suppress the red “/!\ Not Secure” warning shown in the omnibox when IE Mode loads a HTTPS site containing non-secure images: Notably, this warning isn’t seen when the page is loaded in modern Edge mode or in Chrome, because all non-secure “optionally-blockable” resourceContinue reading ““Not Secure” Warning for IE Mode”
Q: Why do tabs sometimes show an orange dot?
Sometimes, you’ll notice that a background tab has an orange dot on it in Edge (or a blue dot in Chrome). If you click on the tab, the dot disappears. Why? The dot indicates that the tab wants “attention” — more specifically, that there’s a dialog in the tab asking for your attention. This mightContinue reading “Q: Why do tabs sometimes show an orange dot?”
Capturing Logs for Debugging SmartScreen
The Microsoft Edge browser makes use of a service called Microsoft Defender SmartScreen to help protect users from phishing websites and malicious downloads. The SmartScreen service integrates with a Microsoft threat intelligence service running in the cloud to quickly block discovered threats. As I explained last year, the SmartScreen service also helps reduce spurious securityContinue reading “Capturing Logs for Debugging SmartScreen”
Edge’s Super-Res Image Enhancement
One interesting feature that the Edge team is experimenting with this summer is called “SuperRes” or “Enhance Images.” This feature allows Microsoft Edge to use a Microsoft-built AI/ML service to enhance the quality of images shown within the browser. You can learn more about how the images are enhanced (and see some examples) in theContinue reading “Edge’s Super-Res Image Enhancement”
Passkeys – Syncable WebAuthN credentials
Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security with multi-factor authentication (e.g. one-time codes via SMS, ToTP authenticators, etc) and usability improvements (e.g.Continue reading “Passkeys – Syncable WebAuthN credentials”
Understanding Browser Channels
Microsoft Edge (and upstream Chrome) is available in four different Channels: Stable, Beta, Dev, and Canary. The vast majority of Edge users run on the Stable Channel, but the three pre-Stable channels can be downloaded easily from microsoftedgeinsider.com. You can keep them around for testing if you like, or join the cool kids and setContinue reading “Understanding Browser Channels”
text/plain 