A Hidden Benefit of HTML5

Try parsing a web page sometime. If you’re lucky, it’ll be “correct” HTML without too many typos. You might get away with using some regexes to accomplish this task, but be prepared for complex elements and attributes. And good luck dealing with code inside <script> tags. Sometimes there’s a long journey between seeing the …

RVAsec 2013: JavaScript Security & HTML5

Here are the slides for my presentation at this year’s RVAsec, JavaScript Security & HTML5. Thanks to all who attended! RVAsec, held in Richmond, VA, is a relatively new conference, but one complete with hardware badges, capture the flag, and pizza and donuts for breakfast. So, yeah, mark your calendar for next year; it’s a …

Plugins Stand Out

A minor theme in my recent B-Sides SF presentation was the stagnancy of innovation since HTML4 was finalized in December 1999. New programming patterns emerged over that time, only to be hobbled by the outmoded spec. To help recall that era I scoured archive.org for ancient curiosities of the last millennium. (Like Geocities’ announcement of …

RSA US 2013, ASEC-F41 Slides

Here are the slides for my presentation, Using HTML5 WebSockets Securely, at this year’s RSA US conference in San Francisco. It’s a continuation of the content created for last year’s BlackHat and BayThreat presentations. RSA wants slides to be in a specific template. So, these slides are less visually stimulating than I usually have the …

B-Sides SF 2013: JavaScript Security & HTML5

I’ve emerged from the gloomy dungeon of C++ and book writing long enough to venture into the gloomy dungeon of the DNA Lounge for B-Sides San Francisco. It’s the perfect venue to talk about the building blocks of web apps: the twin strands of JavaScript and HTML5. As noted at the end of my talk, …

User Agent. Secret Agent. Double Agent.

We hope our browsers are secure in light of the sites we choose to visit. What we often forget is whether we are secure in light of the sites our browsers choose to visit. Sometimes it’s hard to even figure out whose side our browsers are on. Browsers act on our behalf, hence the term …

BayThreat 2012 WebSocket Presentation

BayThreat held its 2012 conference this December in Sunnyvale, CA. Yes, I was sorely disappointed it wasn’t actually in Sunnydale (with a ‘d’). My colleagues, @sshekyan and @tukharian, and I gave an overview on the security of WebSockets. The presentation slides are available now. Reading slides is always a hazardous approach to understanding a presentation. …

JavaScript Is Harmless

In the preface to my “Mitigating…” talk I offer this Orwellian summation of the state of JavaScript as it relates to browser security: War is peace. Freedom is slavery. Ignorance is strength. JavaScript is harmless. I then put forth arguments and examples for securing the client from JavaScript-related mishaps by adopting HTML5. The goal, to quote another …