Category Archives: security

PSA: Service Workers are Coming

IF YOU DO NOT RUN A SITE THAT HOSTS UNTRUSTED/USER-PROVIDED FILES OVER SSL/TLS, YOU CAN STOP READING NOW This post describes the potential amplification of existing risks that Service Workers bring for multi-user origins where the origin may not fully trust the content, or in which users should not be able to modify each other’s […]

Origin(al) Sins

Video is now up from a talk I gave in October at OWASP’s AppSec USA conference — something of a departure from my usual spiel: Origin(al) Sins – Alex Russell from OWASP AppSec USA on Vimeo. I made some pretty glaring errors in the talk: you can’t combine sandboxing with seamlessness for cross-origin content. It’s […]

Perspective Is Not A Liquid Asset

ZDNet has an article out discussing a study that shows that Chrome’s (Open Source) auto-update system makes the browser more secure than the alternatives. Disclosure: Google co-authored the study. I work for Google, on Chrome. Caveat emptor. Back when I did security for a living, I quickly noted a distinction between those who saw […]

…and if only Google can read your IMs…

Google Talk requires SSL to connect to Google’s XMPP servers; why, then, isn’t OTR rolled in?