Get Help with HTTPS problems

Sometimes, when you try to load a HTTPS address in Chrome, instead of the expected page, you get a scary warning, like this one: Chrome has found a problem with the security of the connection and has blocked loading the page to protect your information. In a lot of cases, if you’re just surfing around,Continue reading “Get Help with HTTPS problems”

Chrome Deprecates Subject CN Matching

If you’re using a Self-Signed certificate for your HTTPS server, a deprecation coming to Chrome may affect your workflow. Chrome 58 will require [why?] that certificates specify the hostname(s) to which they apply in the SubjectAltName field; values in the Subject field will be ignored. This follows a similar change in Firefox 48. If impacted,Continue reading “Chrome Deprecates Subject CN Matching”

The Trouble with Magic

“Magic” is great… except when it isn’t. Software Design is largely about tradeoffs, and one of the more interesting tradeoffs is between user experience and predictability. This has come up repeatedly throughout my career and in two independent contexts yesterday that I’ll describe in this post. Developer Magic I’m working on a tiny UX changeContinue reading “The Trouble with Magic”

Certified Malice

One unfortunate (albeit entirely predictable) consequence of making HTTPS certificates “fast, open, automated, and free” is that both good guys and bad guys alike will take advantage of the offer and obtain HTTPS certificates for their websites. Today’s bad guys can easily turn a run-of-the-mill phishing spoof: …into a somewhat more convincing version, by obtainingContinue reading “Certified Malice”

The Line of Death

When building applications that display untrusted content, security designers have a major problem— if an attacker has full control of a block of pixels, he can make those pixels look like anything he wants, including the UI of the application itself. He can then induce the user to undertake an unsafe action, and a userContinue reading “The Line of Death”

Client Certificates on Android

Recently, this interesting tidbit crossed my Twitter feed: Sure enough, if you visited the site in Chrome, you’d get a baffling prompt. My hometown newspaper shows the same thing: Weird, huh? Client certificates are a way for a browser to supply a certificate to the server to verify the client’s identity (in the typical case,Continue reading “Client Certificates on Android”

HTTPS Only Works If You Use It – Tipster Edition

It’s recently become fashionable for news organizations to build “anonymous tip” sites that permit members of the public to confidentially submit tips about stories of public interest. Unfortunately, would-be tipsters need to take great care when exploring such options, because many organizations aren’t using HTTPS properly to ensure that the user’s traffic to the newsContinue reading “HTTPS Only Works If You Use It – Tipster Edition”

Security UI in Chrome

The combined address box and search bar at the top of the Chrome window is called the omnibox. The icon and optional verbose state text adjacent to that icon are collectively known as the Security Chip: The security chip can render in a number of states, depending on the status of the page: Secure –Continue reading “Security UI in Chrome”

2016 Brotli Update

Windows 10 Build 14986 adds support for Brotli compression to the Edge browser (but, somewhat surprisingly, not IE11). So at the end of 2016, we now have support for this improved compression algorithm in Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and the long tail of browsers based on Chromium. Of modern browsers, only Apple isContinue reading “2016 Brotli Update”