This video should be called "The origin of the same origin policy"

"Did you ever install software on Windows 95?" IIRC that is an InstallShield installer (or something mimicking one). That visual style of installer was also seen back in Windows 3.11. I believe it is based off of the Windows 3.11 first run setup wizard. For the local file listings in the browser, it's worth noting even after the same origin problem was fixed, websites would still try to trick users into thinking you were vulnerable by showing you a frame with your local file listing and then trying to convince you to buy their anti-virus software to fix it. This was especially bad in IE where the local file listing was a REAL Windows File Explorer frame, as IE and the file explorer were deeply integrated then, before MS realized it was a bad idea (and they got sued over anticompetitive practices regarding IE by the EU).

This is going to turn into a really fun series, please keep doing more :D

This is soo interesting yet I'd never spend my own time researching it so thank you for spending yours!

The old installer brings back memories. I once was allowed to install a game in kindergarten as a 4 year old kid. Installing the game took about an hour (I clicked "previous" and "next" over and over again because I've seen my brother do it, plus I couldnt read yet). Eventually I got it installed. It's funny that the video got out today. I just picked up an old Pentium 4 HP computer with Win XP Professional.

In the early days you could just disable Javascript, because it wasn't used a lot. You could use the internet fine. Then Dynamic webpages came along with a lot of Javascript (and ActiveX for IE users) and Macromedia Flash. In these times, disabling Javascripts killed some functionality like form checking or displaying data. I am glad developers have created like noscript plugins to "filter" javasript. This should be a standard setting, browsers never gave users a granular access control with javascript. Just a ON/OFF button to use it and a console to debug. Thanks for the history lesson

This was a pretty good video! I'm 23, but started actually tinkering with computers/electronics & programming when I was young (~8 ish) But when I was a bit older, around 12, is when I finally got started messing around with website development. AND OOhHH BOYYY!!! Not a lot of people today remembers/knows how BAD the internet truly was even 10 years ago. So I remember spending hours stressing to get something to work in Internet Explorer 6 to 8. But Microsoft still had a large monopoly with their GARBAGE IE. It was a pain in the ass to work, because it quite literally acts like Safari. It was either behind on the standards, or it didn't implement it properly, or it just ignored it and Microsoft did their own things. But IE was an absolute security nightmare. You remember (or have seen some videos) on weird internet website history? Pretty much all those real actual virus websites, or stupid websites you see in on email chain spam mail, a lot of those pretty much effected only Internet Explorer, because of how garbage it was. You could quite literally go on some website, and they could very easily exploit some vuln and BAM you have malware. Around the same time, Smosh, was still pretty damn popular on youtube (rip good ol' days) and they posted stuff on their website. ANd my god the 12 year old me loved their website design. But one day the Google Ads on the page reloaded, and the ad on the top went white. And then I quite literally got a virus. From a fucking ad! I was obviously pissed, but I knew **JUST ENOUGH** to open task manager, found the malware software running, and I killed it, then I manually deleted the files. ANd jussttttt to be safe, I installed Avast on my shitty WIndows Vista PC lmao. But Internet Explorer was truly a very odd & strange thing. Not only did it support javascript, but it even supported VBScript/VBA (basically running Visual Basic in your browser.) Not only that, but IE had a disgustingly plugin system, and you could have Flash, Shockwave, SIlverlight, Java, ActiveX; etc, that were all basically completely different technologies, different programming languages, and things you can build different apps OR games. IE also had a bunch of even weirder shit, like it had this proprietary gross conditional comment thing, where you can surround some HTML and target a specific version of IE. Because the standards were garbage, so a website had to have a lot of CSS to format for different browsers, and different versions! The one realllyyy cool thing, but I never understood, was Internet Explorer 5, had something called HTML Components (.htc) and it was a little plaintext file of some code, that would implement behaviour of DHTML (basically the predecessor to DOM) and I recall painstakingly Googled how to get PNG images to be transparent in old IE versions; which of course those HTC files partially fixed. Side note that this video reminded me, my uncle gave me a shitty old PC, I think it only had 8 megabytes of ram. This was 2012, but it was an old hacked together PC of various old parts from the mid 90's; and I installed Windows 95) I remember installing IE 4 & then 5 on it, and trying to use the internet on it. I don't think it lasted very long, but I remember trying to see if I could use it as a server. I have no idea if anyone actually read this but, modern day website development is soo refined butter now. Everything is essentially more secure, and probably in some form of sandbox. All the scary extension/plugin stuff were ripped out. But the soul of the internet, where anyone could express themselves is long gone. Now every website looks the exact same, and now everything just feels like a gross APP... :(

0:44 Joking about being able to hit ESC at the Windows password prompt is a common theme - but few people know that the Windows password actually *does* protect you in some way. There is the CryptProtectData / CryptUnprotectData function pair in the Win32 API that is used to encrypt data with a user-specific key. This key is derived from the login password. If you hit ESC at the login prompt, you can't decrypt data that was encrypted in a session that had the correct password entered. This data encryption facility is used to store SMB passwords (IIRC Windows 95 insistes on sending the logon name as user name to every SMB computer you connect to, so no SMB usernames need to be stored) and website credentials saved by Internet Explorer. Hitting ESC at the password prompt makes saving SMB passwords and storing website logins unavailable.

Fantastic video! That's a throw back indeed! Haha, I remember those three vertical bars when installing software, hahaha! Looking forward to your future videos for this series.

In the 90s, the WWW was easy to understand, not the Internet, which most people don’t even understand today. Browser didn’t exist at first and I was using IRC, Usenet, mailing lists… way before any browser could be run even on big university computers.

what a throwback in history. before these language of browser attacks -- before the internet even became a thing. what a treasure of a video

Beyond its interesting history and bringing back the good retro feelings, you're doing a very important thing: review the old developed, but probably still used security policies with today's hacker's eyes, because the whole concept could be outdated. Different root cause, but the log4j is a good example of how long could a vulnerability sleeps.

I wish I could have your voice read/explain everything to me, I don't know why but I just feel more engaged when listening/watching your videos

This is my favorite video from LiveOverflow. The retrospective view makes it interesting. Keep it up!

There is so much questions that I wanted to ask, that it made an overflow in my memory... But I still comment for referencement. Continue like this it's amazing !

As a professional web developer, I'm ashamed to say that I simply copy and pasted the strictest origin-policy I could find. I still don't fully understand it and I hope this series will cast some light on the dark and dusty corners of the web. I do feel that the same origin policy headers are not very well explained, so I'm looking forward to getting your thoughts on them and how best to use them today. Lucky for me, I don't need and I don't want to share information across origin, so I'm absolutely fine with the restricted set that I have.

Great way to explain the details from the start using Win 95.

I am so curious to see the evolution of this. Thank you for sharing mate.

Thanks for this "classic" kind of video.

Love this idea for a history series, can't wait to see some SoftICE action!

This was epic. Looking forward to next episode

That's REALLY interesting, especially for folks like me that weren't there at the time! I remember, as a tech-inclined kid, reading old newsletters by a prominent Italian IT journalist which advised to just don't use JS, Java and ActiveX. For modern standard, unthinkable 😃

2:03 As a german "Live Überlauf" killed me it's so dull that it is funny 😂

This was super cool, thank you. Very excited for the next video! First time viewing the 95 installation :)

wow, thank you so much, I spent so much time trying to understand client-side stuff, but after watching this video I finally understood!!

For me it is incredible how one can find the exact copy of a legacy program and installed in the appropriate machine. Ah, the beauty of the digital.

Amazing video. I really really loved it. Thank you for putting the work into making it 💙

Please continue to do these history types of videos. As an old man that started on CP/M, I love this stuff :)

fab absolutely fab!! watching this fun video while preparing for JS interview reminds why JS is interesting.

This is just GOLD! Thanks for so much dedication and enthusiasm along with the teaching. I am much fan of history and computers. My nephew is studying web development and came to me asking for some directions. I inevitably ask him to study some history about computers so he can understand how things are done today! I really had fun with this video.

Eagerly waiting for the "Infosec heist" web series. Your videos contain so much insightful information.

Really interesting! Waiting for the next episode

Definitely a throwback :)

What an excellent video! Thank you very much for this historical approach. And your english is very clear for me, and subtitles are useful too. English is not my native language. I hope you can understand me =)

Netscape crash? Wonder how hard it would be to debug and exploit that by only using tools from back in the day :P

This is an excellent video, super informative! As a creator myself, I can’t fathom how much hard work was put into this.

Very interesting video, thank you for your efforts. I am looking forward to further videos of this series!

This is damnnn interesting. And for aspirants like me passionate about vuln or exploit research these series are absolutely valuable content. Please please keep doing more on such details on exploits, describing patches and how they stop the exploits and ... But discussions like these on endpoints along with these web exploits could make it even helpful for lot more people.

Yep installed Netscape in those days, on win95 and Linux. A 'bit' slower than shown here on a 4Mb 486.

Ooo nice. Hacker history, what a great concept 👍

7:04 It's a throwback for me, and I miss the 3 indicators on the left in modern installations.

Realtek audio drivers still use the same installer with the blue background (or at least they used to in 2019 when I was installing their drivers, idk about more recent versions)

seeing that installer wasn't a throwback, but seeing bang-path style email addresses sure was. It reminded me that last time i saw Navigator gold, i had to install trumpet winsock first...

Love these videos. Please keep up with the great content like this!

I am old enough to remember this lightgreen workspace. Windows 95 was on my first personal computer when i was a child. It was Pentium 120 MHz. It`s so pleasant nostalgy )

At school was 4 computers, I was hooked for sure ;] When DOOM game was installed.. new rules appeared.. sometimes we could see only locked doors.

Loving the series! Keep up the good work!

Thank you!!! for creating this video!!!

Great video as always!

It's wild that I'm trying to break a same origin policy right now that's controlled by regex and this video pops up in my feed.

Hell yes, I remember this very vividly - installing "Soldier of Fortune" on my families computer (obviously I was not allowed to) whily hearing my mom unlock the front door, praying the load bars would go away before she got to the room the computer was in (they did and I did enjoy the game quite a bit).

OH boy! A new LiveOverflow?? Oh sicckkk finally something that I can actually understand!

Thanks man!! This really helps to understand the tech itself 😁

Thank you, this is weekend, I used to learn a net stuff and your video regarding security concern is the best! not like other youtuber that concert to subscribtion and join specific channel, but you just recommend to support internet archive instead again thanks!

enjoy this history , gave me great flash backs thanks \o/

Amazing video! Thank you that is a great way to learn

My Journey on the internet started way back with windows 98 , netscape, and a 56k dial up modem, and then came Napster :) . Took 2 minutes to load an image, 30 minutes to download a song LOL.

OMG your video is so amazing, thank you so much

Alternative title: The origin of the same origin policy

This is great content! seriously

Excellent research.

Your scientists were so concerned with whether they could, they didn't stop to think about whether they should! Perhaps if JS had a few more months of beta testing, they'd have discovered some of these issues sooner, and could have addressed them at the core instead of having to work around them later... Imagine how the web would be today if they'd thought to implement a permission model.

Wonderful video!

I love your videos! :D Every video is always exciting and motivates me to try things out :)

XSS is like my bread and butter so its really wonderful to see its origins

Great video! Sounds like browsing the internet back then was the wild wild west! But yeah I'm glad the same origin policy exists. No steal my cookies hackers!

This is for sure my first time 😆

5:21, those are two different *host* names, not different domains. Cross site cookie protections and frame/ limits would have still seen these as the same site all the way up until the mid 2000s. (And even today, some security checks for things like microphone access will see them as the same site.) It's been 25 years, but vaguely remember the earliest versions of netscape would actually prevent cookies from being read via javascript across different sites. (But there were easy ways to get around that, and IE wasn't even *trying*.)

I hope you can touch on why it was ever allowed to write cookies of a different domain (when they clearly saw issues with cross-origin operations early on) - was it just for the ad industry?

Yes, I remember Windows 95. I started with Windows 3.0 and the beautiful MS-DOS. My programming journey started with TSR (terminate and stay resident), do you remember that?

its now safe to turn of your computer...loved it.

great history lesson

Amazing! Thanks!

At 5:21, those are hosts, not domains. The domain is the same (i.e. liveoverflow). The hostame part of the FQDN isn't.

men, what a great video!

Live Uberlauf. Sehr interessanter Name :D

I still find the same origin policy a very weird security feature. Like I am trying to get data from the server, I make a request saying "please send me this data", the server send the data back, and then the browser checks "ah, the server doesn't say that you are allowed to read it so I'm blocking the response of the server". A malicous server will just say "everybody can read", so this doesn't help against malicous servers. Also, if this is supposed to protect the servers, we can enable authentication header checks, so servers only allow requests that can be authenticated, which doesn't need the browser to do any extra checking. What exactly does the same origin policy help with? Who does it protect?

Poverty meant my parents still had a lot of 16 bit computers well in the 2000, so yes I remember those interfaces...

Amazing job.

0:37 window 95 had no login screen for user login. as you can see in the title of that window it was for accessing to network. I think windows added user login window for the first time in windows NT

Could you do a video about possible vulnerabilities in the Minecraft 1.19.1 chat signing/reporting system? I would love to know more about it from a security perspective

This is a throwback, but not as much as my ZX Spectrum emulators that emulate tape loading :-P

I was always told that the only thing that Java and Javascript had in common was the name, nothing else. Interesting.

My first own „Big Game“ was Gothic. I was confused for month how to install a game with two Disks with only one disk drive… The next lesson that i learned was that gpus are not just plug and play. Learned everything the hard way (without internet) but was only 9 years old, so im fine. Today its so much easier to get knowledge, but finding out things by your own is a unique feeling because, how will you use something the right way if you don’t understand how it works?

Hans, bitte mehr of zis! Danke Schön

Fun history lesson 😁😁

I'm old, actually used w95 and ME, that install screen is very familiar. I remember it from installing some scooby doo game

When I play with fetch API to hack a website. I got to know that the Same-Origin Policy is a crucial web security mechanism. Really interested to know the history of Same origin policy

I was born in 99, but my parents had been using windows 98 for quite a while before we got XP so yes, I have installed software on a windows 98 PC before :)

If you’re doing older malware, can you do older viruses like CIH and Sasser? I would love to see how they worked, especially CIH

Thanks!

I'm actually using Windows 95 in combination with a proxy that downgrades HTTPS-only sites to HTTP, thus allowing me to surf the modern web on a 486. I'd really like to see some RCE on Internet Explorer or Netscape one day.

Super cool 😎

My first windows was XP. It was around for a very long time

Back in the days i posted an image to a computer magazines (!) forum, which was pulled from another server. thing was that this server required http authentication prior to delivering the image, so when people got to the forum and klicked the thread, they were presented with an http authentication dialog from the image server. i didnt do anything evil like having my own image server with an altered http server to transmit user:pass unencrypted back to me (dunno if thats even possible or if the browsers have/had some sort of security), but it worked as intended - the computer magazines forum admins locked the image posting capability.

Oh man the nostalgia...

Question; Malicious JS code could have been stored in that attack.php site, it could then be sent to the attacker or written to some file. But..... What is stopping a web developer looking at that frame and actually reviewing the source code of attack.php?? surely, they would notice the malicious JS code, no?

I love this!!!

Yes, I unfortunately had to install programs on Windows 95. The moment I had enough money to buy more RAM, I switched to NT.

There was a time when Microsoft did not have driver for devices with TCP/IP stack cause according to there service hotline they "can't support every little protocol" :D