Authenticode in 2015

Back in 2011, I wrote a post explaining why and how software developers should use Authenticode to digitally sign their applications. While the vast majority of the original post remains relevant, in today’s post, I’ll share my most recent experiences with code-signing. Shopping for a Certificate: In the past, I signed my code using a…


In Case You Missed It

A random collection of noteworthy links: Spartan PM Jacob Rossi wrote about the new Project Spartan rendering engine. Spartan Developer Justin Rogers has a great new blog on development in general, including some tantalizing posts on evolving the Spartan codebase. Windows 10 build 9926 has been released; Spartan is not yet in it, but you…


HTTPS In 2015

Last week at the CodeMash conference, I delivered a session titled HTTPS in 2015: Securing your websites and services using HTTPS has never been more important, or more complicated. In this talk, a former browser Security Program Manager covers the best practices for using HTTPS today. Topics covered in this session include ciphers and hash…


Script Polyglots

Lately, there’s been a resurgence of interest in hiding script inside files of other types; sometimes this is known as a polyglot file. On Twitter, there’s been some excitement about a new tool that creates GIF/JavaScript polyglots. As you can see in the example provided in the aforementioned blog, when referenced as the source of…


Caveats for Authenticode Code Signing

Back in 2011, I wrote a long post about Authenticode, Microsoft’s Code Signing technology. In that post, I noted: Digitally signing your code helps to ensure that it cannot be tampered with, either on your servers, or when it is being downloaded to a user’s computer, especially over an insecure protocol like HTTP or FTP….


Strict Transport Security

Ivan Ristic’s meticulously researched Bulletproof SSL & TLS book spurred me to spend some time thinking about the HTTP Strict Transport Security (HSTS) feature under development by the Internet Explorer team and already available in other major browsers. HSTS enables a website to opt-in to stricter client handling of HTTPS behavior. Specifically: All HTTP connections to…


Bolstering Protected Mode

Internet Explorer 7 introduced Protected Mode, a defense-in-depth security feature which relied upon the Windows Vista Integrity Levels (IL) system to mitigate drive-by attacks against the browser. Internet Explorer 10 introduced a stronger version of that feature, called Enhanced Protected Mode (EPM), which goes beyond the legacy IL system and provides isolation using the Windows…


Internet Explorer 11 and Perfect-Forward-Secrecy

In case you missed it, the recent Windows 8.1 Update update adds four new ciphersuites (including two supported by Chrome32) and changes the ciphersuite order to prefer algorithms that offer Perfect-Forward-Secrecy. You can read more about this update here. Wikipedia has a nice article on PFS, but the short summary is as follows: When your…


Windows Server as a Workstation

Back in the Windows 2003 timeframe, Microsoft had a problem. The security press of the time liked to put out charts showing which operating systems had the most vulnerabilities. Windows 2000 wasn’t looking so hot, owing to the fact that Windows 2000 Server had a full web browser built-in, “out of the box.” Even if…


Same Origin Policy Part 0: Origins

Recently, someone asked a pretty simple question: “Why doesn’t IE consider the port when evaluating Same Origin Policy?” and I realized that my Same-Origin-Policy series lacks an in-depth look at the concepts surrounding origins. Table of Contents (Same Origin Policy posts): Part 0 – What’s an Origin (this post); Part 1 – Deny Read; Part…