690 Followers
198 Following
137 Posts
Security geek with his own views and opinions. Hacking on Chromium to make it more secure, increasing the cost for attackers. Recovered TLS/SSL/PKI engineer.
Twitter: @nasko
Web: https://netsekure.org/

We've written a new guide on XS-Leaks:

https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XS-Leaks

Many thanks to @freddy, Hamish Willee, @MartinaKraus11, and @terjanq for your reviews and collaboration. #websecurity

Cross-site leaks (XS-Leaks) - Security on the web | MDN

Cross-site leaks (also called XS-Leaks) are a class of attack in which an attacker's site can derive information about the target site, or about the user's relationship with the target site, by using web platform APIs that enable sites to interact with one another. The information leaked could include, for example:

MDN Web Docs
Our blog post is live: We just published https://developer.chrome.com/blog/memory-safety-fonts sharing our journey on how we migrated from FreeType to Fontations in Chrome to improve memory safety and development velocity in our cross-platform open-source font stack. Shipping in Chrome 133. (Reposting with public visibility.)
Memory safety for web fonts  |  Blog  |  Chrome for Developers

Learn how and why the Chrome team has replaced FreeType with Skrifa.

Chrome for Developers
Making inroads into memory safety, one step at a time - https://developer.chrome.com/blog/memory-safety-fonts
The OSS-Fuzz team is hiring a PhD intern for this summer. Come join us and build something interesting that will have immediate impact on 1000+ open source projects. https://www.google.com/about/careers/applications/jobs/results/90765822003159750-software-engineering-intern-phd-summer-2025
Software Engineering Intern, PhD, Summer 2025 — Google Careers

My team in Chrome Platform Security is hiring for a senior Android security expert - if you're into syscalls, binder, processes and other low level stuff you'd be perfect - I do this but for Windows and didn't know Chrome or much C++ when I started.

The ad is generic but feel free to ask questions - https://www.google.com/about/careers/applications/jobs/results/104891950447895238 - you'll be a part of a wider security team that works on lots of cool stuff and protects billions of people - https://www.chromium.org/Home/chromium-security/quarterly-updates/

Senior Software Engineer, Chrome — Google Careers

We are looking for an Android security expert to join our team and work on securing Chrome on Android. Job posting is available at https://google.com/about/careers/applications/jobs/results/104891950447895238, but also feel free to reach out to me directly.
Senior Software Engineer, Chrome — Google Careers

Quarterly Updates

Effective Fuzzing: A Dav1d Case Study

Guest post by Nick Galloway, Senior Security Engineer, 20% time on Project Zero Late in 2023, while working on a 20% project with Projec...

Thinking about which bugs are useful to attackers, and recognizing that not every mitigation needs to be perfect to help protect some of the people using Chrome.
https://security.googleblog.com/2024/10/evaluating-mitigations-vulnerabilities.html?m=1
Evaluating Mitigations & Vulnerabilities in Chrome

Posted by Alex Gough, Chrome Security Team The Chrome Security Team is constantly striving to make it safer to browse the web. We invest ...

Google Online Security Blog

Hi everyone — especially browser security researchers! Today we’ve announced some pretty significant changes to the Chrome VRP reward structure and amounts. This was all built with the purpose of incentivizing deeper and ever more impactful research of Chromium security issues.

I wrote a little blog about it here: https://bughunters.google.com/blog/5302044291629056/chrome-vrp-reward-updates-to-incentivize-deeper-research

We wanted to acknowledge the challenges faced and skills required to find the more complex and impactful issues in Chrome, especially when it comes to demonstrating the full exploitability and impact.

We hope these changes are helpful and inspiring to browser security researchers and signal our continued investment in working with you to make Chrome more secure for all users.

Blog: Chrome VRP Reward Updates to Incentivize Deeper Research

The Chrome VRP is increasing reward amounts and their structure to incentivize high-quality reporting and deeper research of Chrome vulnerabilities, see this post for details!