Plugins Stand Out

A minor theme in my recent B-Sides SF presentation was the stagnancy of innovation since HTML4 was finalized in December 1999. New programming patterns emerged over that time, only to be hobbled by the outmoded spec. To help recall that era I scoured archive.org for ancient curiosities of the last millennium. (Like Geocities’ announcement of […]

RSA US 2013, ASEC-F41 Slides

Here are the slides for my presentation, Using HTML5 WebSockets Securely, at this year’s RSA US conference in San Francisco. It’s a continuation of the content created for last year’s BlackHat and BayThreat presentations. RSA wants slides to be in a specific template. So, these slides are less visually stimulating than I usually have the […]

B-Sides SF 2013: JavaScript Security & HTML5

I’ve emerged from the gloomy dungeon of C++ and book writing long enough to venture into the gloomy dungeon of the DNA Lounge for B-Sides San Francisco. It’s the perfect venue to talk about the building blocks of web apps: the twin strands of JavaScript and HTML5. As noted at the end of my talk, […]

User Agent. Secret Agent. Double Agent.

We hope our browsers are secure in light of the sites we choose to visit. What we often forget, is whether we are secure in light of the sites our browsers choose to visit. Sometimes it’s hard to even figure out whose side our browsers are on. Browsers act on our behalf, hence the term […]

BayThreat 2012 WebSocket Presentation

BayThreat held its 2012 conference this December in Sunnyvale, CA. Yes, I was sorely disappointed it wasn’t actually in Sunnydale (with a ‘d’). My colleagues, @sshekyan and @tukharian, and I gave an overview on the security of WebSockets. The presentation slides are available now. Reading slides is always a hazardous approach to understanding a presentation. […]

JavaScript Is Harmless

In the preface to my “Mitigating…” talk I offer this Orwellian summation of the state of JavaScript as it relates to browser security: War is peace. Freedom is slavery. Ignorance is strength. JavaScript is harmless. I then put forth arguments and examples for securing the client from JavaScript-related mishaps by adopting HTML5. The goal, to quote another […]

A Trail of Translations

I’ve returned from London with plenty of notes and useful feedback on my RSA presentation regarding the kind of information that would be more interesting or more helpful to take to developers regarding JavaScript, HTML5, and security. It’ll take another week or so to sort them into coherent thoughts to post here. Two major topics […]