-
The right way to embed
I occasionally rant about “web 2.0” services which want me to embed JavaScript on my page to get the functionality. Besides them being a security risk (because they can change the JS on their servers at any time and p0wn all my visitors – and it doesn’t have to be malice on their part –…
-
Does Google Chrome prevent CSRF?
Some time ago I was reading the article Session Destroyer: Automatic Webapp Session Invalidation from the Linux Journal. It was a neat idea, however the part which piqued my interest was the following: Mozilla Firefox does not protect you against this attack by default. However, Google Chrome supposedly does because they implement each tab in…
-
Browser Password Manager test
This is rather old, but still good (originally found it via the Pat’s Daily Grind blog): a security company did some tests with the password manager included in different browsers. And of course they slapped not one but two sensationalistic titles on it (“Google Chrome Receives Lowest Password Security Score” and “Safari Ties for Last…
-
SSLFail
Tyler and Marcin started the site SSLFail.com, which inspired me to do some digging of my own. The results are shocking! A few words about the methodology: I took the top 1 000 000 sites list from Alexa (love them or hate them for their toolbars, but it is very nice of them to provide…
-
Anonymous browsing is hard
From the “big fricking surprise department” comes the news that “private browsing is hard to implement”. Well, duh! Also, quite obvious: the biggest problem was “Flash cookies” – again, duh!, since they are stored outside of the browser, so there is not very much the browser can do about them. There are many ways users…
-
Internet Explorer + Frames = Headache
So let’s say you have the following HTML snippet: <html> <frameset rows="20,*" border="0" frameborder="no"> <frame name="menu" src="menu_frame.html" scrolling="no" noresize="1"> <frame name="work_frame" src=""> </frameset> </html> First of all you would say: but frames are so 1998! And you would be right. Frames are outmoded, deprecated and a usability nightmare (because you can’t bookmark the exact state…
-
Reinventing the wheel
Those damn kids today don’t know their history and think that .NET is 1337! 😀 Some random dude in Taiwan couldn’t browse the web (because an undersea cable broke due to a recent earthquake) and he decided that using a webserver (probably configured by him) which ran arbitrary executables mailed to it (hint: the from…
-
Tracking Users Via the Browser Cache
From the department of old things I didn’t know about comes the following bit: Tracking Users Via the Browser Cache. Original story: meantime: non-consensual http user tracking using caches. Also covered here: Clearing cookies is not enough to save your privacy. And it was already posted on Slashdot (so please don’t post it again :)).…