Last week I wrote about how Life Is About to Get a Whole Lot Harder for Websites Without HTTPS [https://www.troyhunt.com/life-is-about-to-get-harder-for-websites-without-https/]. Somewhere in the comments there, the discussion went off on a tangent about commercial CAs, the threat Let's Encrypt poses to them and subsequently, the value (or lack thereof) posed by extended validation (EV) certificates. That discussion boiled over onto Twitter with many vocal opinions from different camps. This pos...

I'm home! After that crazy travel schedule (6 weeks and 1 day in all, thank you very much) I'm back in my own bed with some peace and quiet and... jet lag. It's always worse coming home from Europe, a combination of flying east (I travel over two short nights) and frankly, just being worn out at the end of a long journey. Regardless I had a pretty massive week on the blog and consequently, this is my longest every weekly update at almost 40 minutes. This week, I somehow came across a lot of "cr...

In case you haven't noticed, we're on a rapid march towards a "secure by default" web when it comes to protecting traffic. For example, back in Feb this year, 20% of the Alexa Top 1 Million sites were forcing the secure scheme: These figures are from Scott Helme's biannual report [https://scotthelme.co.uk/alexa-top-1-million-analysis-feb-2017/] and we're looking at a 5-month-old number here. I had a quiet chat with him while writing this piece and apparently that number is now at 28% of the T...

Last week, The AA in the UK came spectacularly undone when attempting to cover up a data breach. I wrote about them while describing The 5 Stages of Data Breach Grief [https://www.troyhunt.com/the-5-stages-of-data-breach-grief/] but in short, they consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April: > A follower just advised they recently notified @TheAA_UK [https://twitter.com/TheAA_UK] about 13...

Well this trip is certainly ending with a bang: 3 blog posts this week (not including this one) plus two massive user group talks in the Netherlands and two workshops of two days each. But that's it - I'm done! It's Friday morning here in Nieuwegein at the time of writing and I'll be on the plane home by the end of the day. As for the blogging, I'm back again as a Microsoft MVP for the 7th year in a row, I'm debating the usefulness of password strength indicators and I'm lambasting The AA in th...

When you see something play out enough times, you start to notice patterns. I was reflecting on this today as I watched The AA rapidly digging themselves in deeper and deeper after publishing 13GB worth of customer data to the internet, including partial credit card data. Which they denied: > The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry. — The AA (@TheAA_UK) July 3, 2017 [https://twitter.com/TheAA_UK/status/88...

I watched a discussion unfold on Twitter recently which started like so many of the security related ones I see: > When website errors make no sense! @Argos_Online [https://twitter.com/Argos_Online] my password is more complex than your system can handle. What gives? @troyhunt [https://twitter.com/troyhunt] #insecurity [https://twitter.com/hashtag/insecurity?src=hash] pic.twitter.com/64VA7qINGP [https://t.co/64VA7qINGP] — Jon Carlos (@billywizz) June 10, 2017 [https://twitter.com/billywizz/sta...

Just over 6 years ago, I received my first Microsoft MVP award [https://www.troyhunt.com/accidental-mvp/]. It was unexpected, in part because I'd only started doing anything community facing 18 months earlier. But it rated - people were finding what I was doing genuinely useful and that award was an absolutely pivotal moment which helped define what I do today. This weekend, I got the (still) eagerly awaited email for the seventh time: > Giddy up! 7 years running ? pic.twitter.com/okTP6GTk5n [...

Into week 5 of travel now and I'm in Southampton on the south coast of England. The family holidaying is over and it's back to workshops and user groups for the remainder of the trip both here in the UK then back in the Netherlands next week. Despite the schedule, I managed to pump out a quick blog post on what remains one of the most astoundingly insane security / privacy implementation I've seen - Strawberrynet. This has to be seen to be believed and the backstory I talk about in this week's...

A little while back, I wrote about Website enumeration insanity [https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked/] and how our personal data was being mishandled. In a nutshell, an enumeration risk boils down to a feature on a website allowing anyone to "ask" if a user exists on the website with the site then returning a positive or negative response. For example, to this day you can go to Adult Friend Finder's password reset page [https://adultfriendfinder...