My oldest supported Windows application is a launcher app named SlickRun, and it’s ~24 years old this year. I haven’t done much to maintain it over the last few years, although it’s now available in 64-bit and runs great on Windows 10. (Thanks go to Embarcadero, who now offer a free “Community” edition of Delphi, theContinue reading “ShellExecute Doesn’t”
Tag Archives: security
Stop Spilling the Beans
I’ve written about Same Origin Policy a bunch over the years, with a blog series mapping it to the Read/Write/Execute mental model. More recently, I wrote about why Content-Type headers matter for same-origin-policy enforcement. I’ve just read a great paper on cross-origin infoleaks and current/future mitigations. If you’re interested in browser security, it’s definitely worth a read.
HSTS Preload and Subdomains
In order to be eligible for the HSTS Preload list, your site must usually serve a Strict-Transport-Security header with an includeSubdomains directive. Unfortunately, some sites do not follow the best practices recommended and instead just set a one-year preload header with includeSubdomains and then immediately request addition to the HSTS Preload list. The result is thatContinue reading “HSTS Preload and Subdomains”
TLS Fallbacks are Dead
Just over 5 years ago, I wrote a blog post titled “Misbehaving HTTPS Servers Impair TLS 1.1 and TLS 1.2.” In that post, I noted that enabling versions 1.1 and 1.2 of the TLS protocol in IE would cause some sites to load more slowly, or fail to load at all. Sites that failed toContinue reading “TLS Fallbacks are Dead”
Non-Secure Clicktrackers–The Fastest Path from A+ to F
HTTPS only works if you use it. Coinbase is an online bitcoin exchange backed by $106M in venture capital investment. They’ve got a strong HTTPS security posture, including the latest ciphers, a 4096bit RSA key, and advanced features like browser-preloaded HSTS and HPKP. SSLLabs grades Coinbase’s HTTPS deployment an A+: This is a well-secured siteContinue reading “Non-Secure Clicktrackers–The Fastest Path from A+ to F”
text/plain 