Stop Spilling the Beans

I’ve written about Same Origin Policy a bunch over the years, with a blog series mapping it to the Read/Write/Execute mental model. More recently, I wrote about why Content-Type headers matter for same-origin-policy enforcement. I’ve just read a great paper on cross-origin infoleaks and current/future mitigations. If you’re interested in browser security, it’s definitely worth a read.

HSTS Preload and Subdomains

In order to be eligible for the HSTS Preload list, your site must usually serve a Strict-Transport-Security header with a includeSubdomains directive. Unfortunately, some sites do not follow the best practices recommended and instead just set a one-year preload header with includeSubdomains and then immediately request addition to the HSTS Preload list. The result is that any problemsContinue reading “HSTS Preload and Subdomains”

Non-Secure Clicktrackers–The Fastest Path from A+ to F

HTTPS only works if you use it. Coinbase is an online bitcoin exchange backed by $106M in venture capital investment. They’ve got a strong HTTPS security posture, including the latest ciphers, a 4096bit RSA key, and advanced features like browser-preloaded HSTS and HPKP. SSLLabs grades Coinbase’s HTTPS deployment an A+: This is a well-secured siteContinue reading “Non-Secure Clicktrackers–The Fastest Path from A+ to F”

Bolstering HTTPS Security

When #MovingToHTTPS, the first step is to obtain the necessary certificates for your domains and enable HTTPS on your webserver. After your site is fully HTTPS, there are some other configuration changes you should consider to further enhance the site’s security. Validate Basic Configuration First, use SSLLab’s Server Test  to ensure that your existing HTTPSContinue reading “Bolstering HTTPS Security”

Silliness – Fiddler Blocks Malware

Enough malware researchers now depend upon Fiddler that some bad guys won’t even try to infect your system if you have Fiddler installed. The Malware Bytes blog post has the details, but the gist of it is that the attackers use JavaScript to probe the would-be victim’s PC for a variety of software. Beyond Kaspersky,Continue reading “Silliness – Fiddler Blocks Malware”

Compression Context

ZIP is a great format—it’s extremely broadly deployed, relatively simple, and supports a wide variety of use-cases pretty well. ZIP is the underlying format beneath Java (.jar) Archives, Office (docx/xlsx/pptx) files, Fiddler (.saz) Session Archive ZIP files, and many more. Even though some features (Unicode filenames, AES encryption, advanced compression engines) aren’t supported by allContinue reading “Compression Context”

Downloads and the Mark-of-the-Web

Background Windows uses a simple technique to keep track of which binary files were downloaded from the Internet (or a network share). Each downloaded file is is tagged with a hidden NTFS Alternate Data Stream file named Zone.Identifier. You can check for the presence of this “Mark of the Web” (MotW) using dir /r or programmatically, andContinue reading “Downloads and the Mark-of-the-Web”

Seek and Destroy Non-Secure References Using the moarTLS Analyzer

tl;dr: I made a Chrome Extension that finds security vulnerabilities.It’s now available for Firefox too! To secure web connections, TLS-enabling servers is only half the battle; the other half is ensuring that TLS is used everywhere. Unfortunately, many HTTPS sites today include insecure references that provide an network-based attacker the opportunity to break into theContinue reading “Seek and Destroy Non-Secure References Using the moarTLS Analyzer”

Web Developers and Footguns

If you offer web developers footguns, you’d better staff up your local trauma department. In a prior life, I wrote a lot about Same-Origin-Policy, including the basic DENY-READ principle that means that script running in the context of origin A.com cannot read content from B.com. When we built the (ill-fated) XDomainRequest object in IE8, weContinue reading “Web Developers and Footguns”