Updated November 30, 2020 with new information about DoH in Edge, ECH, and HTTPSSVC records, and January 25, 2021 with a few remarks about Edge’s implementation. Type https://example.com in your web browser’s address bar and hit enter. What happens? Before connecting to the example.com server, your browser must convert “example.com” to the network address atContinue reading “Thoughts on DNS-over-HTTPS”
Tag Archives: https
Spying on HTTPS
When I launched Chrome on Thursday, I saw something unexpected: While most users probably would have no idea what to make of this, I happened to know what it means– Chrome is warning me that the system configuration has instructed it to leak the secret keys it uses to encrypt and decrypt HTTPS traffic toContinue reading “Spying on HTTPS”
Edge79+ vs. Edge18 (Edge Legacy) vs. Chrome vs. Internet Explorer
Note: I expect to update this post over time. Last update: April 14, 2023. Compatibility Deltas As our new Edge Insider builds roll out to the public, we’re starting to triage reports of compatibility issues where Edge79+ (the new Chromium-based Edge, aka Anaheim) behaves differently than the old Edge (Edge18, aka Spartan, aka Edge Legacy)Continue reading “Edge79+ vs. Edge18 (Edge Legacy) vs. Chrome vs. Internet Explorer”
Edge EV UI Requires SmartScreen
A user recently noticed that when loading Paypal.com in Microsoft Edge, the UI shown was the default HTTPS UI (a gray lock): Instead of the fancier “green” UI shown for servers that present Extended Validation (EV) certificates: The user observed this on some Windows 10 machines but not others. The variable that differed between those machines wasContinue reading “Edge EV UI Requires SmartScreen”
Building your .APP website with NameCheap and GitHub Pages–A Visual Guide
I recently bought a few new domain names under the brand new .app top-level-domain (TLD). The .app TLD is awesome because it’s on the HSTSPreload list, meaning that browsers will automatically use only HTTPS for every request on every domain under .app, keeping connections secure and improving performance. I’m not doing anything terribly exciting withContinue reading “Building your .APP website with NameCheap and GitHub Pages–A Visual Guide”
Fight Phish with Facebook (and Certificate Transparency)
As of April 30th, Chrome now requires that all certificates issued by a public certificate authority be logged in multiple public Certificate Transparency (CT) logs, ensuring that anyone can audit all certificates that have been issued. CT logs allow site owners and security researchers to much more easily detect if a sloppy or compromised Certificate Authority hasContinue reading “Fight Phish with Facebook (and Certificate Transparency)”
SSLVersionMin Policy returns to Chrome 66
Chrome 66, releasing to stable this week, again supports the SSLVersionMin policy that enables administrators to control the minimum version of TLS that Chrome is willing to negotiate with a server. If this policy is in effect and configured to permit, say, only TLS/1.2+ connections, attempting to connect to a site that only supports TLS/1.0Continue reading “SSLVersionMin Policy returns to Chrome 66”
HSTS Preload and Subdomains
In order to be eligible for the HSTS Preload list, your site must usually serve a Strict-Transport-Security header with an includeSubdomains directive. Unfortunately, some sites do not follow the best practices recommended and instead just set a one-year preload header with includeSubdomains and then immediately request addition to the HSTS Preload list. The result is thatContinue reading “HSTS Preload and Subdomains”
NET::ERR_CERT_INVALID error
Some users report that after updating their Operating System or Chrome browser to a more recent version, they have problems accessing some sites (often internal sites with self-signed certificates) and the browser shows an error of NET::ERR_CERT_INVALID. NET::ERR_CERT_INVALID means that a certificate was itself is so malformed that it’s not accepted at all– sometimes rejected byContinue reading “NET::ERR_CERT_INVALID error”
Understanding the Limitations of HTTPS
A colleague recently forwarded me an article about the hazards of browsing on public WiFi with the question: “Doesn’t HTTPS fix this?” And the answer is, “Yes, generally.” As with most interesting questions, however, the complete answer is a bit more complicated. HTTPS is a powerful technology for helping secure the web; all websites should beContinue reading “Understanding the Limitations of HTTPS”
text/plain 