The average phishing site doesn’t live very long– think hours rather than days or weeks. Attackers use a variety of techniques to try to keep ahead of the Defenders who work tirelessly to break their attack chains and protect the public. Defenders have several opportunities to interfere with attackers: Each of these represents a weakContinue reading “Attack Techniques: Open Redirectors, CAPTCHAs, Site Proxies, and IPFS, oh my”
Tag Archives: security
Attack Techniques: Priming Attacks on Legitimate Sites
Earlier today, we looked at two techniques for attackers to evade anti-phishing filters by using lures that are not served from http and https urls that are subject to reputation analysis. A third attack technique is to send a lure that entices a user to visit a legitimate site and perform an unsafe operation onContinue reading “Attack Techniques: Priming Attacks on Legitimate Sites”
Attack Techniques: Phishing via Mailto
Earlier today, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. A similar technique is to encode the attack within a mailto URL, because anti-phishing scanners and email clients rarely apply reputationContinue reading “Attack Techniques: Phishing via Mailto”
TLS Certificate Verification Changes in Edge
Updated Timeline as of Mar 2023: When establishing a secure HTTPS connection with a server, a browser must validate that the certificate sent by the server is valid — that is to say, that: In the past, Chromium running on Windows delegated this validation task to APIs in the operating system, layering a minimal setContinue reading “TLS Certificate Verification Changes in Edge”
Mark-of-the-Web: Additional Guidance
I’ve been writing about the Mark-of-the-Web (MotW) security primitive in Windows for decades now, with 2016’s Downloads and MoTW being one of my longer posts that I’ve updated intermittently over the last few years. If you haven’t read that post already, you should start there. Advice for Implementers At this point, MotW is old enoughContinue reading “Mark-of-the-Web: Additional Guidance”
HTTPS Goofs: Forgetting the Bare Domain
As I mentioned, the top failure of HTTPS is failing to use it, and that’s particularly common in in-bound links sent via email, in newsletters, and the like. Unfortunately, there’s another common case, whereby the user simply types your bare domain name (example.com) in the browser’s address bar without specifying https:// first. For decades, manyContinue reading “HTTPS Goofs: Forgetting the Bare Domain”
Badware Techniques: Notification Spam
I tried visiting an old colleague’s long-expired blog today, just to see what would happen. I got redirected here: Wat? What is this even talking about? There’s no “Allow” link or button anywhere. The clue is that tiny bell with a red X in the omnibox– This site tried to ask for permission to spamContinue reading “Badware Techniques: Notification Spam”
Passkeys – Syncable WebAuthN credentials
Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security with multi-factor authentication (e.g. one-time codes via SMS, ToTP authenticators, etc) and usability improvements (e.g.Continue reading “Passkeys – Syncable WebAuthN credentials”
Certificate Revocation in Microsoft Edge
When you visit a HTTPS site, the server must present a certificate, signed by a trusted third-party (a Certificate Authority, aka CA), vouching for the identity of the bearer. The certificate contains an expiration date, and is considered valid until that date arrives. But what if the CA later realizes that it issued the certificateContinue reading “Certificate Revocation in Microsoft Edge”
“Batteries-Included” vs “Bloated”
Fundamentals are invisible. Features are controversial. One of the few common complaints against Microsoft Edge is that “It’s bloated– there’s too much stuff in it!” A big philosophical question for designers of popular software concerns whether the product should include features that might not be useful for everyone or even a majority of users. ThereContinue reading ““Batteries-Included” vs “Bloated””
text/plain 