Script Polyglots

Lately, there’s been a resurgence of interest in hiding script inside files of other types; sometimes this is known as a polyglot file. On Twitter, there’s been some excitement about a new tool that creates GIF/JavaScript polyglots. As you can see in the example provided in the aforementioned blog, when referenced as the source of…


Compressing the Web

Be succinct. Virtually any network-based application can be made faster by optimizing the number of bytes transferred across the network. Taking advantage of caching is a great way to minimize transfer sizes, but just as important is to reduce the size of the resources you transfer. Data compression is used throughout the protocols and formats…


New Microsoft Message Analyzer Released

If you want to monitor extremely low-level network traffic (e.g. TCP/IP packet flags, HTTPS alert records, etc), then Fiddler typically cannot help you; you will need to use a packet capture tool like Wireshark or Microsoft’s Network Monitor (old) or Message Analyzer (new). Yesterday, Microsoft released the newest version of Microsoft Message Analyzer (v1.1), which…


Caveats for Authenticode Code Signing

Back in 2011, I wrote a long post about Authenticode, Microsoft’s Code Signing technology. In that post, I noted: Digitally signing your code helps to ensure that it cannot be tampered with, either on your servers, or when it is being downloaded to a user’s computer, especially over an insecure protocol like HTTP or FTP….


Optimizing Sprites

Today, I’m writing about a topic I personally know little about, but I’ve heard experts mention it in passing for years. I couldn’t find any good references, hence the post below. The first rule for building high performance web sites is to make fewer requests, and using CSS sprites is one key and commonly-deployed means…


Strict Transport Security

Ivan Ristic’s meticulously researched Bulletproof SSL & TLS book spurred me to spend some time thinking about the HTTP Strict Transport Security (HSTS) feature under development by the Internet Explorer team and already available in other major browsers. HSTS enables a website to opt-in to stricter client handling of HTTPS behavior. Specifically: All HTTP connections to…


URL Length Limits

Today’s question is a simple one: “What is the maximum URL length supported by Internet Explorer?” And the answer, as befitting an IEInternals post, is surprisingly complicated.  The simplistic answer is that WinINET.h defines INTERNET_MAX_URL_LENGTH as 2083 characters, and this limit remains in force in a number of places. However, the true limit can be…


Bolstering Protected Mode

Internet Explorer 7 introduced Protected Mode, a defense-in-depth security feature which relied upon the Windows Vista Integrity Levels (IL) system to mitigate drive-by attacks against the browser. Internet Explorer 10 introduced a stronger version of that feature, called Enhanced Protected Mode (EPM), which goes beyond the legacy IL system and provides isolation using the Windows…


RFCs for HTTP/1.1 Updated

After years of effort, the HTTPBIS working group of the IETF has completed revisions of the venerable RFC2616 that defines the HTTP/1.1 protocol. These revisions clarify ambiguous sections of the original, deprecate problematic features, and reflect real-world implementation experiences. There’s a quick summary of the updates here. The specification has been broken up into six…


I’ll be at the Velocity Conference in Santa Clara

Later this month, I’ll be at the Velocity Web Performance and Operations conference in Santa Clara. I hope to see some of you there! Beyond my “Lightning Demo” of new Fiddler features, some IE Engineers will be presenting the latest on performance optimization.