HTTPS In 2015

Last week at the CodeMash conference, I delivered a session titled HTTPS in 2015: Securing your websites and services using HTTPS has never been more important, or more complicated. In this talk, a former browser Security Program Manager covers the best practices for using HTTPS today. Topics covered in this session include ciphers and hash…

Strict P3P Validation

Internet Explorer offers users many tools to help protect their privacy, including InPrivate Browsing, cookie controls (including P3P), and Tracking Protection Lists. In February of 2012, the IE team described how a misleading P3P statement was being used to circumvent users’ privacy settings.
Default P3P Restrictions
Internet Explorer’s default settings restrict the use of 3rd…

A Quick Look at P3P

Internet Explorer supports a cookie-restricting privacy feature called P3P. Web developers often get tripped up by it because no other browser implements the P3P standard. I’ve written about IE’s cookie control features previously (and more comprehensively), but here’s a summary of the “least you need to know.”
P3P Made Simple
By default, IE will reject cookies…
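The two P3P posts above turn on one mechanism: a site sends a `P3P` response header whose `CP` directive is a list of three-letter compact-policy tokens, and the browser decides from those tokens whether to keep a third-party cookie. The 2012 circumvention worked because the header contained English prose rather than tokens. Here is an added example (not code from either post, and not Internet Explorer’s actual evaluation logic) that parses a `CP` directive against the W3C P3P 1.0 compact-policy vocabulary and applies a hypothetical strict rule: accept only if there is at least one token and none is unrecognised. The sample headers are constructed for the example; treating the a/i/o suffix as optional on every PURPOSE and RECIPIENT base is an assumption made to keep the matcher short.

```javascript
// Added example: strict validation of a P3P compact policy (CP) header.
// Vocabulary: W3C P3P 1.0 compact-policy tokens. Acceptance rule: hypothetical
// "strict" rule for illustration only, not Internet Explorer's own behaviour.

// Tokens that never carry a required-attribute suffix.
const FIXED_TOKENS = new Set([
  'NOI', 'ALL', 'CAO', 'IDC', 'OTI', 'NON',          // ACCESS
  'DSP',                                             // DISPUTES
  'COR', 'MON', 'LAW',                               // REMEDIES
  'NID', 'TST',                                      // NON-IDENTIFIABLE, TEST
  'NOR', 'STP', 'LEG', 'BUS', 'IND',                 // RETENTION
  'PHY', 'ONL', 'UNI', 'PUR', 'FIN', 'COM', 'NAV',   // CATEGORIES
  'INT', 'DEM', 'CNT', 'STA', 'POL', 'HEA', 'PRE',
  'LOC', 'GOV', 'OTC',
]);

// PURPOSE and RECIPIENT tokens may carry an a/i/o suffix (always / opt-in / opt-out).
// Assumption for this example: the suffix is optional on every base listed here.
const SUFFIXED_TOKEN =
  /^(CUR|ADM|DEV|TAI|PSA|PSD|IVA|IVD|CON|HIS|TEL|OTP|OUR|DEL|SAM|UNR|PUB|OTR)[AIO]?$/;

function isKnownToken(token) {
  const t = token.toUpperCase(); // tokens are matched case-insensitively here
  return FIXED_TOKENS.has(t) || SUFFIXED_TOKEN.test(t);
}

// Pull the CP directive out of a P3P header value and split it into tokens.
// Returns null when the header carries no CP directive at all.
function parseCompactPolicy(headerValue) {
  const m = /\bCP\s*=\s*(?:"([^"]*)"|([^,\s]+))/i.exec(headerValue);
  if (!m) return null;
  const raw = m[1] !== undefined ? m[1] : m[2];
  const tokens = raw.split(/\s+/).filter(Boolean);
  return {
    raw,
    known: tokens.filter(isKnownToken),
    unknown: tokens.filter((t) => !isKnownToken(t)),
  };
}

// Hypothetical strict rule: valid only if there is at least one token and
// every token belongs to the P3P vocabulary. A header that is really just a
// sentence therefore fails instead of slipping through as "no objectionable tokens".
function strictlyValid(headerValue) {
  const cp = parseCompactPolicy(headerValue);
  return cp !== null && cp.known.length > 0 && cp.unknown.length === 0;
}

// Constructed sample headers for the example (not captured from any real site).
const WELL_FORMED_HEADER =
  'policyref="/w3c/p3p.xml", CP="NON DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"';
const MISLEADING_HEADER =
  'CP="This is not a P3P policy! See https://example.com/privacy for more info."';
const TYPO_HEADER = 'CP="NOI DSP COR NIDa"'; // NID takes no suffix, so NIDa is unknown

for (const h of [WELL_FORMED_HEADER, MISLEADING_HEADER, TYPO_HEADER]) {
  const cp = parseCompactPolicy(h);
  console.log(strictlyValid(h) ? 'accept' : 'reject',
    'unknown tokens:', JSON.stringify(cp.unknown), '<-', h);
}
```

The practical lesson is the same one the posts draw: a lenient evaluator that only looks for tokens it dislikes will wave through a header that contains no tokens at all, so the check has to be "every token is one I recognise", not "no token is one I reject".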

Understanding Cookie Controls

Internet Explorer offers an extremely rich set of options for controlling cookies. The default settings are fairly well-balanced, but some users may want to introduce more restrictive or specialized controls. To configure cookie settings in IE, click Tools > Internet Options. Click the Privacy tab. The tab offers a simple slider with a range of…

Client Certificate Selection Prompt

The HTTPS protocol allows a secure server to request that the client prove its identity with a client certificate during the initial secure handshake. By presenting a client certificate, the browser helps further defeat man-in-the-middle attacks and authenticates to the web server more securely than when using just a username and password. Internet Explorer’s behavior…

The Privacy Impact of Add-ons: New APIs for IE8

By default, when starting a new session using IE8’s InPrivate Browsing feature, toolbars and Browser Helper Objects are disabled. This is done to help protect the user’s privacy: many toolbars and extensions maintain their own navigation/search/etc history lists, and such lists could violate the user’s expectation of privacy while InPrivate Browsing is enabled. In contrast, ActiveX controls remain enabled…

CSS History Probing, or: "I know where you went last week"

Background
One of the interesting attacks which makes the rounds every few years concerns the ability of web pages to use CSS to detect whether or not certain URLs have been visited. Given a sufficiently large set of URLs to probe, a website may be able to develop an interesting profile of where your browser has been. You…
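The probe the post describes is short: style `a:visited` differently from `a:link`, render an anchor per candidate URL, and read the computed colour back. The following is an added example, not code from the post, with the DOM access injected so the decision logic can be exercised outside a browser. `simulatedLeakyBrowser` is a constructed stand-in for a pre-mitigation browser that still reports the real `:visited` colour; current browsers return the unvisited style from `getComputedStyle` regardless of history, so running `probeHistory` against a real `document` today should report every URL as unvisited, which is the mitigation at work.

```javascript
// Added example: the classic CSS :visited history probe.
// DOM access is passed in so the same logic runs against a real document or
// against a constructed stand-in for an unmitigated browser.
const VISITED_COLOR = 'rgb(255, 0, 0)';
const UNVISITED_COLOR = 'rgb(0, 0, 255)';

// Stylesheet that makes history observable through computed style.
function probeStylesheet() {
  return `a.probe:link { color: ${UNVISITED_COLOR}; } ` +
         `a.probe:visited { color: ${VISITED_COLOR}; }`;
}

// The decision: did the computed colour come from the :visited rule?
function looksVisited(computedColor) {
  return computedColor === VISITED_COLOR;
}

// Render one anchor per URL, read its computed colour, clean up.
// `doc` is a Document (or stand-in); `getComputedStyle` is the function to read styles with.
function probeHistory(doc, getComputedStyle, urls) {
  const style = doc.createElement('style');
  style.textContent = probeStylesheet();
  doc.head.appendChild(style);

  const results = {};
  for (const url of urls) {
    const a = doc.createElement('a');
    a.className = 'probe';
    a.href = url;
    a.textContent = url;
    doc.body.appendChild(a);
    results[url] = looksVisited(getComputedStyle(a).color);
    a.remove();
  }
  style.remove();
  return results;
}

// Constructed stand-in for a browser without the :visited mitigation: computed
// style honestly reflects whether the href is in history. Not a real browser API.
function simulatedLeakyBrowser(visitedUrls) {
  const visited = new Set(visitedUrls);
  const makeEl = () => ({
    children: [],
    appendChild(child) { this.children.push(child); },
    remove() {},
  });
  const doc = { head: makeEl(), body: makeEl(), createElement: () => makeEl() };
  const getComputedStyle = (el) => ({
    color: visited.has(el.href) ? VISITED_COLOR : UNVISITED_COLOR,
  });
  return { doc, getComputedStyle };
}

// Constructed sample history and probe list.
const { doc, getComputedStyle } = simulatedLeakyBrowser(['https://example.com/bank']);
const PROBE_URLS = ['https://example.com/bank', 'https://example.com/news'];
console.log(probeHistory(doc, getComputedStyle, PROBE_URLS));
// In a real page: probeHistory(document, (el) => window.getComputedStyle(el), PROBE_URLS)
// and expect every entry to be false in a browser that implements the mitigation.
```

Two caveats a tester should keep in mind: the attack's reach is bounded by how many URLs can be rendered and read per second, and "profile where you have been" only works against URLs the attacker can guess in advance, which is why candidate lists are built from popular sites and site-specific paths rather than discovered.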

Think of the children!

Another question from the audience today: Q: I like IE8’s InPrivate Browsing feature, but I’m worried that it won’t let me see what my kids are up to.  Can I prevent them from using it? A: Yes. When you enable the Windows Parental Controls feature, or use the Windows Live family safety tool, Internet Explorer’s InPrivate feature is disabled. The…