Categories
security (130)
- A year after the disastrous breach, LastPass has not improved
- Why browser extension games need access to all websites
- Another cluster of potentially malicious Chrome extensions
- Introducing PCVARK and their malicious ad blockers
- How malicious extensions hide running arbitrary code
mozilla (51)
- What would you risk for free Honey?
- A grim outlook on the future of browser add-ons
- Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do?
- Dear Mozilla, please stop spamming!
- Google to developers: We take down your extension, because we can
privacy (37)
- Chrome Sync privacy is still very bad
- Why browser extension games need access to all websites
- Another cluster of potentially malicious Chrome extensions
- Introducing PCVARK and their malicious ad blockers
- How malicious extensions hide running arbitrary code
password-managers (33)
- A year after the disastrous breach, LastPass has not improved
- A way forward for PfP: Pain-free Passwords
- Documenting KeePass KDBX4 file format
- The end of PfP: Pain-free Passwords
- LastPass breach update: The few additional bits of information
add-ons (29)
- Why browser extension games need access to all websites
- Another cluster of potentially malicious Chrome extensions
- Introducing PCVARK and their malicious ad blockers
- How malicious extensions hide running arbitrary code
- More malicious extensions in Chrome Web Store
off-topic (29)
- Presentation on digitalization and social interaction
- Validating news stories: Syrian oil
- Don’t forget to check the facts – because nobody else will
- Closed my LinkedIn account
- Random thoughts on democracy and Russian presidential election
antivirus (17)
- Common pitfalls of breaking up HTTPS connections
- Dismantling BullGuard Antivirus’ online protection
- Exploiting Bitdefender Antivirus: RCE from any website
- McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges
- Insights from Avast/Jumpshot data: Pitfalls of data anonymization
gecko (17)
- Easy Passwords released as a Web Extension
- Is undetectable ad blocking possible?
- Introducing Easy Passwords: the new best way to juggle all those passwords
- Using WebExtensions APIs in a “classic” extension
- A systematic approach to MDN documentation?
lastpass (12)
- A year after the disastrous breach, LastPass has not improved
- LastPass breach update: The few additional bits of information
- Bitwarden design flaw: Server side iterations
- LastPass breach: The significance of these password iterations
- What’s in a PR statement: LastPass breach explained
pfp (12)
- A way forward for PfP: Pain-free Passwords
- The end of PfP: Pain-free Passwords
- Writing my own build system: Coupling gulp concepts with modern JavaScript
- PfP: Pain-free Passwords security review
- Implementing safe sync functionality in a server-less extension
google (11)
- Chrome Sync privacy is still very bad
- Another cluster of potentially malicious Chrome extensions
- Introducing PCVARK and their malicious ad blockers
- How malicious extensions hide running arbitrary code
- More malicious extensions in Chrome Web Store
xul (10)
- XULRunner in large projects, part 4: Localization pitfalls
- XULRunner in large projects, part 3: Bugs, bugs, and more bugs
- XULRunner in large projects, part 2: Why XULRunner isn’t like Java
- XULRunner in large projects, part 1: What is that “XULRunner” thingy, anyway?
- AMO getting serious about add-on security
adblock-plus (9)
- Links for my SINFO 25 presentation
- Taking a break from Adblock Plus development
- How bad is a buffer overflow in an Emscripten-compiled application?
- Is undetectable ad blocking possible?
- Which is better, Adblock or Adblock Plus?
private (9)
email (8)
- Converting incoming emails on the fly with OpenSMTPD filters
- Adding DKIM support to OpenSMTPD with custom filters
- Yahoo! and AOL: Where two-factor authentication makes your account less secure
- Dear Mozilla, please stop spamming!
- How much privacy do you have left on the web?
avast (6)
- Insights from Avast/Jumpshot data: Pitfalls of data anonymization
- Avast’s broken data anonymization approach
- Pwning Avast Secure Browser for fun and profit
- Avast complies to respect users’ privacy
- Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do?
kaspersky (6)
- More Kaspersky vulnerabilities: uninstalling extensions, user tracking, predictable links
- Assorted Kaspersky vulnerabilities
- Internal Kaspersky API exposed to websites
- Kaspersky: The art of keeping your keys under the door mat
- Kaspersky in the Middle – what could possibly go wrong?
korea (6)
- Veraport: Inside Korea’s dysfunctional application management
- South Korea’s banking security: Intermediate conclusions
- Weakening TLS protection, South Korean style
- IPinside: Korea’s mandatory spyware
- TouchEn nxKey: The keylogging anti-keylogger solution
extension-security-basics (4)
- When extension pages are web-accessible
- Attack surface of extension pages
- Impact of extension privileges
- Anatomy of a basic extension
challenge (3)
- BBN challenge resolution: Getting the flag from a browser extension
- BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension
- BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page”
hugo (3)
- Added Webmention support to the blog
- The easier way to use lunr search with Hugo
- Switching my blog to a static site generator
os-x (3)
- Safari extension format (.safariextz) explained
- Crazy hacks: Changing Wine key mappings on Mac OS X
- Solution to a problem nobody has: Changing Total Commander application icon
tomtom (3)
website (3)
- Added Webmention support to the blog
- The easier way to use lunr search with Hugo
- Switching my blog to a static site generator
amazon (2)
- Follow-up on Amazon Assistant’s data collection
- How Amazon Assistant lets Amazon track your every move on the web
android (2)
crypto (2)
- Does Signal’s “secure value recovery” really work?
- Should your next web-based login form avoid sending passwords in clear text?
jquery (2)
- PSA: jQuery is bad for the security of your project
- Why you probably want to disable jQuery.parseHTML even though you don’t call it
jsdeobfuscator (2)
keepa (2)
mcafee (2)
- McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges
- Rendering McAfee web protection ineffective
opensmtpd (2)
- Converting incoming emails on the fly with OpenSMTPD filters
- Adding DKIM support to OpenSMTPD with custom filters
reverse-engineering (2)
wine (2)
- Crazy hacks: Changing Wine key mappings on Mac OS X
- Solution to a problem nobody has: Changing Total Commander application icon