I’ve written about signing your code using Authenticode a lot over the years, from a post in 2015 about my first hardware token to a 2024 post about signing using a Digicert HSM. Recently, Azure opened their Trusted Signing Service preview program up for individual users and I decided to try it out. The documentationContinue reading “Authenticode in 2025 – Azure Trusted Signing”
Tag Archives: security
Guidelines for Secure Filename Display
Many years ago, I wrote the first drafts of Chromium’s Guidelines for Secure URL Display. These guidelines were designed to help feature teams avoid security bugs whereby a user might misinterpret a URL when making a security decision. From a security standpoint, URLs are tricky because they consist of a mix of security-critical information (theContinue reading “Guidelines for Secure Filename Display”
Mark-of-the-Web: Real-World Protection
Two years ago, I wrote up some best practices for developers who want to take a file’s security origin into account when deciding how to handle it. That post was an update of a post I’d written six years prior explaining how internet clients (e.g. browsers) mark a file to indicate that it originated fromContinue reading “Mark-of-the-Web: Real-World Protection”
Security Software – An Overview
I’ve spent nearly my entire professional career in software security: designing software to prevent abuse by bad actors. I’ve been battling the bad guys for over two decades now, from hunting security bugs in Microsoft Office (I once won an Xbox for finding a vulnerability that allowed malicious clipart take over your computer) to designingContinue reading “Security Software – An Overview”
Defensive Technology: Controlled Folder Access
Most client software’s threat models (e.g. Edge, Chrome) explicitly exclude threats where the local computer was compromised by malware. That’s because, without a trusted computing base, it’s basically impossible to be secure against attackers. This concept was immortalized decades ago in the Ten Immutable Laws of Security: In the intervening years, new technologies (like SecureContinue reading “Defensive Technology: Controlled Folder Access”
Defensive Technology: Antimalware Scan Interface (AMSI)
Endpoint security software faces a tough challenge — it needs to be able to rapidly distinguish between desired and unwanted behavior with few false positives and false negatives, and attackers work hard to obfuscate (or cloak) their malicious code to prevent detection by security scanners. To maximize protection, security software wants visibility into attack chainsContinue reading “Defensive Technology: Antimalware Scan Interface (AMSI)”
Content-Blocking in Manifest v3
I’ve written about selectively blocking content in browsers several times over the last two decades. In this post, I don’t aim to convince you that ad-blocking is good or bad, instead focusing on one narrow topic. Circa 2006, I was responsible for changing IE so that you could simply add an advertising site to theContinue reading “Content-Blocking in Manifest v3”
Authenticode in 2024
My 2021-2024 Authenticode certificate expired yesterday, so I began the process of getting a replacement last week. As in past years, I again selected a 3 year OV certificate from DigiCert. Validation was straightforward. After placing my order, I got a request for high-resolution photos of me holding my ID (I sent my passport andContinue reading “Authenticode in 2024”
Attack Techniques: Full-Trust Script Downloads
While it’s common to think of cyberattacks as being conducted by teams of elite cybercriminals leveraging the freshest 0-day attacks against victims’ PCs, the reality is far more mundane. Most attacks start as social engineering attacks: abusing a user’s misplaced trust. Most attackers don’t hack in, they log in. The most common cyberattack is phishing:Continue reading “Attack Techniques: Full-Trust Script Downloads”
ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox
Recently, many Microsoft employees taking training courses have reported problems accessing documents linked to in those courses in Chrome and Edge. In Edge, the screen looks like this: But the problem isn’t limited to Microsoft’s internal training platform, and can be easily reproduced in Chrome: What’s going on? There are a number of root causesContinue reading “ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox”
text/plain 