Bolstering Protected Mode

Internet Explorer 7 introduced Protected Mode, a defense-in-depth security feature which relied upon the Windows Vista Integrity Levels (IL) system to mitigate drive-by attacks against the browser. Internet Explorer 10 introduced a stronger version of that feature, called Enhanced Protected Mode (EPM), which goes beyond the legacy IL system and provides isolation using the Windows…


RFCs for HTTP/1.1 Updated

After years of effort, the HTTPBIS working group of the IETF has completed revisions of the venerable RFC2616 that defines the HTTP/1.1 protocol. These revisions clarify ambiguous sections of the original, deprecate problematic features, and reflect real-world implementation experiences. There’s a quick summary of the updates here. The specification has been broken up into six…


I’ll be at the Velocity Conference in Santa Clara

Later this month, I’ll be at the Velocity Web Performance and Operations conference in Santa Clara. I hope to see some of you there! Beyond my “Lightning Demo” of new Fiddler features, some IE Engineers will be presenting the latest on performance optimization.


Unicode in URL changes for IE11

I wrote a bit about Internet Explorer’s International Settings back in July of 2012. Internet Explorer 10 and 11 quietly brought some changes: In IE10, the Use UTF-8 for mailto links option was removed. In IE11, the misleadingly-named Send UTF-8 URLs option is renamed to correctly reflect its function (Send URL path as UTF-8) and…


Internet Explorer 11 and Perfect-Forward-Secrecy

In case you missed it, the recent Windows 8.1 Update update adds four new ciphersuites (including two supported by Chrome32) and changes the ciphersuite order to prefer algorithms that offer Perfect-Forward-Secrecy. You can read more about this update here. Wikipedia has a nice article on PFS, but the short summary is as follows: When your…


Managed Code Browser Extensions

I love the .NET Framework. I’ve been programming in C# since 2001, I spent much of my free time for a decade building Fiddler on .NET, and I now code in C# for a living. .NET provides a fantastic, highly-productive platform suitable for building a huge range of tools and applications, and as it grows…


Awesome IE11 News, in case you missed it

Big news from the //build conference this week: 1. The IE team has announced a feature-implementation tracking site, which you can find at This site shows what IE supports (and when it supported it) and provides a look at what to expect in future versions of Internet Explorer. It also provides links to relevant…


Windows Server as a Workstation

Back in the Windows 2003 timeframe, Microsoft had a problem. The security press of the time liked to put out charts showing which operating systems had the most vulnerabilities. Windows 2000 wasn’t looking so hot, owing to the fact that Windows 2000 Server had a full web browser built-in, “out of the box.” Even if…


Same Origin Policy Part 0: Origins

Recently, someone asked a pretty simple question: “Why doesn’t IE consider the port when evaluating Same Origin Policy?” and I realized that my Same-Origin-Policy series lacks an in-depth look at the concepts surrounding origins. Table of Contents: Same Origin Policy Posts Part 0 – (This post) What’s an Origin Part 1 – Deny Read Part…


Browser Arcana: IP Literals in URLs

While virtually all web traffic flows over connections based on the Internet Protocol, most of the time your browser first uses DNS to look up the target hostname’s IP address. However, sometimes URLs directly specify an IP address, skipping DNS altogether. When an IP appears directly within such a URL, it is said to have…