How Downloads Work
I delivered a one hour session on the internals of file downloads in web browsers at That Conference TX 2024. The slides are here and a MP3 of the talk is available. If you’d prefer to read, much of...
View Articlex22i Treadmill Review
I love my treadmill, but two years in, I cannot recommend it. On New Year’s Day 2022 I bought a NordicTrack x22i Incline Trainer (a treadmill that supports 40% incline and 6% decline) with the aim of...
View ArticleClik here to view.
Cloaking, Detonation, and Client-side Phishing Detection
Today, most browsers integrate security services that attempt to protect users from phishing attacks: for Microsoft’s Edge, the service is Defender SmartScreen, and for Chrome, Firefox, and many...
View ArticleClik here to view.
The Importance of Feedback Loops
This morning, I found myself once again thinking about the critical importance of feedback loops. I thought about obvious examples where small bad things can so easily grow into large bad things: – A...
View ArticleClik here to view.
Second Seaside Half
I ran my second Galveston Half Marathon on Sunday, February 25th. The course was identical to last year’s race, starting at Stewart beach heading north before looping back down to the Pleasure Pier...
View ArticleClik here to view.
Browser Extensions: Powerful and Potentially Dangerous
Regular readers of my blogs know that I love browser extensions. Extensions can make using your browser more convenient, fun, and secure. Unfortunately, extensions can also break websites in bizarre...
View ArticleClik here to view.
pushState and URL Blocking
The Web Platform offers a handy API called pushState that allows a website’s JavaScript to change the URL displayed in the address bar to another URL within the same origin without sending a network...
View ArticleClik here to view.
Attacker Techniques: Gesture Jacking
A few years back, I wrote a short explainer about User Gestures, a web platform concept whereby certain sensitive operations (e.g. opening a popup window) will first attempt to confirm whether the...
View ArticleClik here to view.
A Slow 10K
I “ran” the Capitol 10K for a third time on Sunday. It did not go well, but not for any of the reasons I worried about. The rain stopped hours before the race, and the course wasn’t wet. My knees and...
View ArticleClik here to view.
Browser Security Bugs that Aren’t: JavaScript in PDF
A fairly common security bug report is of the form: “I can put JavaScript inside a PDF file and it runs!” For example, open this PDF file with Chrome, and you can see the alert(1) message displayed:...
View Article
