Authenticode in 2015

Back in 2011, I wrote a post explaining why and how software developers should use Authenticode to digitally sign their applications. While the vast majority of the original post remains relevant, in today’s post, I’ll share my most recent experiences with code-signing. Shopping for a Certificate In the past, I signed my code using a…


In Case You Missed It

A random collection of noteworthy links: Spartan PM Jacob Rossi wrote about the new Project Spartan rendering engine. Spartan Developer Justin Rogers has a great new blog on development in general, including some tantalizing posts on evolving the Spartan codebase. Windows 10 build 9926 has been released; Spartan is not yet in it, but you…


HTTPS In 2015

Last week at the CodeMash conference, I delivered a session titled HTTPS in 2015: Securing your websites and services using HTTPS has never been more important, or more complicated. In this talk, a former browser Security Program Manager covers the best practices for using HTTPS today. Topics covered in this session include ciphers and hash…


Script Polyglots

Lately, there’s been a resurgence of interest in hiding script inside files of other types; sometimes this is known as a polyglot file. On Twitter, there’s been some excitement about a new tool that creates GIF/JavaScript polyglots. As you can see in the example provided in the aforementioned blog, when referenced as the source of…


Compressing the Web

Be succinct. Virtually any network-based application can be made faster by optimizing the number of bytes transferred across the network. Taking advantage of caching is a great way to minimize transfer sizes, but just as important is to reduce the size of the resources you transfer. Data compression is used throughout the protocols and formats…


New Microsoft Message Analyzer Released

If you want to monitor extremely low-level network traffic (e.g. TCP/IP packet flags, HTTPS alert records, etc), then Fiddler typically cannot help you; you will need to use a packet capture tool like Wireshark or Microsoft’s Network Monitor (old) or Message Analyzer (new). Yesterday, Microsoft released the newest version of Microsoft Message Analyzer (v1.1), which…


Caveats for Authenticode Code Signing

Back in 2011, I wrote a long post about Authenticode, Microsoft’s Code Signing technology. In that post, I noted: Digitally signing your code helps to ensure that it cannot be tampered with, either on your servers, or when it is being downloaded to a user’s computer, especially over an insecure protocol like HTTP or FTP….


Optimizing Sprites

Today, I’m writing about a topic I personally know little about, but I’ve heard experts mention it in passing for years. I couldn’t find any good references, hence the post below. The first rule for building high performance web sites is to make fewer requests, and using CSS sprites is one key and commonly-deployed means…


Strict Transport Security

Ivan Ristic’s meticulously researched Bulletproof SSL & TLS book spurred me to spend some time thinking about the HTTP Strict Transport Security (HSTS) feature under development by the Internet Explorer team and already available in other major browsers. HSTS enables a website to opt-in to stricter client handling of HTTPS behavior. Specifically: All HTTP connections to…


URL Length Limits

Today’s question is a simple one: “What is the maximum URL length supported by Internet Explorer?” And the answer, as befitting an IEInternals post, is surprisingly complicated.  The simplistic answer is that WinINET.h defines INTERNET_MAX_URL_LENGTH as 2083 characters, and this limit remains in force in a number of places. However, the true limit can be…