front page of the blog the kitchen floor wax museum, a blog by aleksejs

Postcard stamps are Forever

This post originally appeared on my cohost blog.

Today, it costs 68 cents to mail a letter under one ounce to anywhere in the United States (or to McMurdo Station in Antarctica). Mailing a postcard is even cheaper at 53 cents. But in a little over a week, both rates will go up, to 73 cents and 56 cents respectively.

Since 2007, postal customers have been able to purchase Forever stamps, non-denominated stamps that will always be worth whatever the current letter rate is. If you buy a regular Forever stamp today, it will cost you 68 cents, but you’ll still be able to use it next month to pay for a service that costs 73 cents. (This has fascinating implications for how the USPS recognizes revenue, but this is not a post about accounting.)

It’s worth acknowledging that that’s not how non-denominated stamps have worked historically.

You cannot turn your iPad into a giant 3DS with a $1.4 plastic sheet

This post originally appeared on my cohost blog.

If you like gimmicky lenticular/“3D” postcards, you may be tempted to buy some blanks and try to make your own. And when the blanks arrive and you realize that printing actual photos on actual photo paper is complicated and expensive, and getting everything aligned right will probably take a few attempts, you may be tempted to just tape the lenticular sheet to your computer screen and create the world’s jankiest 3D display. But it’s not going to work.

Here’s a test image:

A small rectangle showing the sentence "This is a test." repeated in different font sizes, a small vertical bar, and a small drawing that consists of two arrows pointing left and right and a circle between them.

Visualizing canvas fingerprinting

This post originally appeared on my cohost blog.

Canvas fingerprinting is a relatively well-understood and well-documented technique: websites can use web APIs to access 2D and 3D rendering APIs inside the browser, which instruct the browser to draw lines, gradients, text, and other objects onto raster images. The same sequence of API calls can produce subtly different images depending on your browser, OS, the set of fonts you have installed, your GPU driver, and so on. The images that your browser renders therefore provide a useful signal, and when it is combined with information available through other browser APIs, it could be used to identify your device uniquely.

Leaking silhouettes of cross-origin images using a timing side channel

This post originally appeared on Mozilla’s Attack and Defense blog.

This is a writeup of a neat vulnerability I found in Chromium and Firefox that could allow a malicious page to read some parts of an image located on an origin it is not supposed to be able to access. Although technically interesting, it is quite limited in scope—I am not aware of any major websites it could’ve been used against. As of November 17th, 2020, the vulnerability has been fixed in the most recent versions of both browsers.

tl;dr

The time that it takes CanvasRenderingContext2D.drawImage to draw a pixel depends on whether it is fully transparent, opaque, or semi-transparent. By timing a bunch of calls to drawImage, we can reliably infer the transparency of each pixel in a cross-origin image, which is enough to, for example, read text on a transparent background, like this: