Seek and Destroy Non-Secure References Using the moarTLS Analyzer

tl;dr: I made a Chrome Extension that finds security vulnerabilities.It’s now available for Firefox too! To secure web connections, TLS-enabling servers is only half the battle; the other half is ensuring that TLS is used everywhere. Unfortunately, many HTTPS sites today include insecure references that provide an network-based attacker the opportunity to break into theContinue reading “Seek and Destroy Non-Secure References Using the moarTLS Analyzer”

Web Developers and Footguns

If you offer web developers footguns, you’d better staff up your local trauma department. In a prior life, I wrote a lot about Same-Origin-Policy, including the basic DENY-READ principle that means that script running in the context of origin A.com cannot read content from B.com. When we built the (ill-fated) XDomainRequest object in IE8, weContinue reading “Web Developers and Footguns”

Extended Validation Certificates – The Introduction

In 2005, one of my first projects on the Internet Explorer team was improving the user-experience for HTTPS sites (“SSLUX”). Our first task was to change the certificate error experience from the confusing and misleading modal dialog box: … to something that more clearly conveyed the risk and which more clearly discouraged users from acceptingContinue reading “Extended Validation Certificates – The Introduction”

Authenticode in 2016

Last month, I noticed that my eToken USB code-signing key only supports SHA1 and not SHA256. I began hunting for a replacement that can sign using the stronger hash. Fortunately, I didn’t have to look far—the Yubico YubiKey 4 is $40 and supports SHA256, RSA 4096, and ECC p384. Beyond supporting stronger algorithms, it seems toContinue reading “Authenticode in 2016”

Security Response Basics

Security response isn’t just about the “sexy” analysis of vulnerabilities, reverse-engineering of malware, and so on… it’s probably mostly about getting the basics right. Every morning, I forward all of the PayPal phishing scams I receive to PhishTank, Netcraft, and Spoof@Paypal. Today, I took a closer look at the response I got to the lastContinue reading “Security Response Basics”

DLL Hijacking Just Won’t Die

The folks that build the NSIS Installer have released updates to mitigate a serious security bug related to DLL loading. (v2.5 and v3.0b3 include the fixes). To make a long and complicated story short, a bad guy who exploits this vulnerability places a malicious DLL into your browser’s Downloads folder, then waits. When you run an installerContinue reading “DLL Hijacking Just Won’t Die”

Hashes and Code-Signing

I’ve written a few articles about using Authenticode to sign your code to help prevent attacks, increase user confidence, and reduce interference from security software like Windows SmartScreen. You can read the overview, discussion of code-signing tokens, and “tricks” you can use to shoot yourself in the foot by adding data to a file withoutContinue reading “Hashes and Code-Signing”

Duct Tape and Baling Wire–Cookie Prefixes

Update: Cookie Prefixes are supported by Chrome 49, Opera 36, and Firefox 50. Test page; no status from the Edge team.  A new cookie feature called SameSite Cookies has been shipped by Chrome, Firefox and Edge; it addresses slightly different threats. When I worked on Internet Explorer, we were severely constrained on development resources. WhileContinue reading “Duct Tape and Baling Wire–Cookie Prefixes”

Testing HTTPS In Native APPs

Over on Twitter, Paul asks how to verify that a native application is using TLS. For a PC, it’s pretty simple, just run Fiddler and watch the traffic. If you see any HTTP requests (other than those labeled “Tunnel to”, indicating a HTTP tunnel used for HTTPS traffic) from the Process of interest, that trafficContinue reading “Testing HTTPS In Native APPs”

Content Blocking: Unintended Consequences

Our company uses a web firewall device called IronPort to attempt to block unwanted network traffic; it blocks access to known phish and malware domains, and, more annoyingly, domains thought to be related to gaming or “questionable” topics (e.g. politics). Whatever. Today the IT department pushed a new rule set which blocks some requests to domains likeContinue reading “Content Blocking: Unintended Consequences”