Seamless Single Sign-On

There are many different authentication primitives built into browsers. The most common include Web Forms authentication, HTTP authentication, client certificate authentication, and the new WebAuthN standard. Numerous different authentication frameworks build atop these, and many enterprise websites support more than one scheme. Each of the underlying authentication primitives has different characteristics: client certificate authentication isContinue reading “Seamless Single Sign-On”

Client Certificate Authentication

While most HTTPS sites only authenticate the server (using a certificate sent by the website), HTTPS also supports a mutual authentication mode, whereby the client supplies a certificate that authenticates the visiting user’s identity. Such a certificate might be stored on a SmartCard, or used as a part of an OS identity feature like WindowsContinue reading “Client Certificate Authentication”

Disabling TLS/1.0 and TLS/1.1 in the new Edge Browser

UPDATE: Timelines in this post were updated in March 2020 and October 2020 to reflect the best available information. HTTPS traffic is encrypted and protected from snooping and modification by an underlying protocol called Transport Layer Security (TLS). Disabling outdated versions of the TLS security protocol will help move the web forward toward a moreContinue reading “Disabling TLS/1.0 and TLS/1.1 in the new Edge Browser”

Thoughts on DNS-over-HTTPS

Updated November 30, 2020 with new information about DoH in Edge, ECH, and HTTPSSVC records. Type https://example.com in your web browser’s address bar and hit enter. What happens? Before connecting to the example.com server, your browser must convert “example.com” to the network address at which that server is located. It does this lookup using aContinue reading “Thoughts on DNS-over-HTTPS”

Edge79+ vs. Edge18 vs. Chrome

Note: I expect to update this post over time. Last update: 10/8/2020. Compatibility Deltas As our new Edge Insider builds roll out to the public, we’re starting to triage reports of compatibility issues where Edge79+ (the new Chromium-based Edge, aka Anaheim) behaves differently than the old Edge (Edge18, aka Spartan, aka Edge Legacy) and/or GoogleContinue reading “Edge79+ vs. Edge18 vs. Chrome”

Edge EV UI Requires SmartScreen

A user recently noticed that when loading Paypal.com in Microsoft Edge, the UI shown was the default HTTPS UI (a gray lock): Instead of the fancier “green” UI shown for servers that present Extended Validation (EV) certificates: The user observed this on some Windows 10 machines but not others. The variable that differed between those machines wasContinue reading “Edge EV UI Requires SmartScreen”

Building your .APP website with NameCheap and GitHub Pages–A Visual Guide

I recently bought a few new domain names under the brand new .app top-level-domain (TLD). The .app TLD is awesome because it’s on the HSTSPreload list, meaning that browsers will automatically use only HTTPS for every request on every domain under .app, keeping connections secure and improving performance. I’m not doing anything terribly exciting withContinue reading “Building your .APP website with NameCheap and GitHub Pages–A Visual Guide”

Fight Phish with Facebook (and Certificate Transparency)

As of April 30th, Chrome now requires that all certificates issued by a public certificate authority be logged in multiple public Certificate Transparency (CT) logs, ensuring that anyone can audit all certificates that have been issued. CT logs allow site owners and security researchers to much more easily detect if a sloppy or compromised Certificate Authority hasContinue reading “Fight Phish with Facebook (and Certificate Transparency)”

SSLVersionMin Policy returns to Chrome 66

Chrome 66, releasing to stable this week, again supports the SSLVersionMin policy that enables administrators to control the minimum version of TLS that Chrome is willing to negotiate with a server. If this policy is in effect and configured to permit, say, only TLS/1.2+ connections, attempting to connect to a site that only supports TLS/1.0Continue reading “SSLVersionMin Policy returns to Chrome 66”