Tag Archives: SmartScreen

Runtime Signature Checking Threat Model

Telerik developers recently changed Fiddler to validate the signature on extension assemblies before they load. If the assembly is unsigned, the user is presented with the following message: In theory, this seems fine/good– signing files is a good thing! However, it’s important to understand the threat model and tradeoffs here. Validating signatures every time aContinue reading “Runtime Signature Checking Threat Model”

Best Practices for SmartScreen AppRep

Last year, I wrote about how Windows integrates SmartScreen Application Reputation to help ensure users have a secure and smooth experience when running downloaded software. tl;dr: When a user runs a downloaded program, a call to SmartScreen’s web-based reputation service is made, and four possible outcomes can occur: As a software developer, it’s natural thatContinue reading “Best Practices for SmartScreen AppRep”

Attack Techniques: Encrypted Archives

Tricking a user into downloading and opening malware is a common attack technique, and defenders have introduced security scanners to many layers of the ecosystem in an attempt to combat the technique: With all this scanning in place, attackers have great incentives to try to prevent their malicious code from detection up until the momentContinue reading “Attack Techniques: Encrypted Archives”

pushState and URL Blocking

The Web Platform offers a handy API called pushState that allows a website’s JavaScript to change the URL displayed in the address bar to another URL within the same origin without sending a network request and loading a new page. The pushState API is handy because it means that a Web Application can change theContinue reading “pushState and URL Blocking”

Cloaking, Detonation, and Client-side Phishing Detection

Today, most browsers integrate security services that attempt to protect users from phishing attacks: for Microsoft’s Edge, the service is Defender SmartScreen, and for Chrome, Firefox, and many derivatives, it’s Google’s Safe Browsing. URL Reputation services do what you’d guess — they return a reputation based on the URL, and the browser will warn/block loadingContinue reading “Cloaking, Detonation, and Client-side Phishing Detection”