Let's start with a quick quiz: Take a look at haveibeenpwned.com [https://haveibeenpwned.com/] (HIBP) and tell me where the traffic is encrypted between: You see HTTPS which is good so you know it's doing crypto things in your browser, but where's the other end of the encryption? I mean at what point is the traffic decrypted? Many people would say it's at the web server but it's not, it's upstream of there at Microsoft's appliances that sits in front of the web application PaaS offering. You...

CDNs are good. You get to put your web things all over the world and then have them served to your global audience from a location close to them. For example, because this blog is served through CloudFlare [https://www.cloudflare.com/] and about two thirds of the requests to my site come direct from their cache, you're probably downloading all the images on this page from whichever point in the map below is closest to you: But what's even better than CDNs when it comes to cost and performance...

Another day, another data breach: > Full news on the GTAGaming breach is here: https://t.co/KuNSuol442 (vBulletin again) — Troy Hunt (@troyhunt) August 23, 2016 [https://twitter.com/troyhunt/status/768195115282145280] Yesterday it was a different one: > vBulletin... "Epic Games: Information Regarding Recent Forum Compromise" https://t.co/YqQlSRbtLU — Troy Hunt (@troyhunt) August 23, 2016 [https://twitter.com/troyhunt/status/768055785448321024] A couple of weeks ago it was this one: > vBull...

I've been running my Hack Yourself First workshop [https://www.troyhunt.com/workshops/] all over the world where I talk to software developers about various security risks which they then get to exploit firsthand. It's a lot of fun and very hands on and practical which inevitably means spending time looking at real world implementations of security. After running a couple of these workshops last week, I wrote Website enumeration insanity: how our personal data is leaked [https://www.troyhunt.co...

I've just wrapped up a couple of Hack Yourself First workshops [https://www.troyhunt.com/workshops/] down closer to home in Australia and true to usual form, attendees found some absolute zinger security implementations. Previous workshops have found various vulnerabilities ranging from realestate.com.au's lack of HTTPS in their Android app [https://www.troyhunt.com/are-your-apps-giving-one-device/] (pro tip: don't 301 HTTP requests to APIs!) to the one that really made headlines earlier this ye...

It's almost 3 years ago now that I launched the Have I been pwned (HIBP) API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/] and made it free and unlimited. No dollars, no rate limits just query it at will and results not flagged as sensitive [https://haveibeenpwned.com/FAQs#SensitiveBreach] will be returned. Since then it's been called, well, I don't know how many times but at the least, it's well into the hundreds of millions if not billions. I've always been pretty clear on...

There's a lot of people getting themselves worked up about the Australian census [https://en.wikipedia.org/wiki/Census_in_Australia] whose five-yearly cycle falls due today. For the most part, it's like any other normal census we've done ever since I can remember, but what's changed this year is the duration for which names and addresses will be retained against the census answers. There are some good reasons to question the whole thing, plus some good reasons why it's really a non-event. Let m...

You know the best way to sell security products? Scare the shit out of people. I mean make them really genuinely fearful that if they don't have the thing you're pushing that a bunch of nasty stuff will happen to them. It's the Donald Trump school of winning hearts and minds. Which brings me to CUJO [https://www.indiegogo.com/projects/cujo-the-smart-way-to-fight-hacking-security#/] , an Indiegogo campaign for a "security in a box" product. Strap yourself in and watch the video: Are we terrifie...

I tweeted this the other day, and the internet was not pleased: > HTTPS is slow. No - wait - is it HTTP that's slow?! https://t.co/T49GG7oCaK pic.twitter.com/cfnYOpXMWc [https://t.co/cfnYOpXMWc] — Troy Hunt (@troyhunt) July 8, 2016 [https://twitter.com/troyhunt/status/751317949349130240] In fact, a bunch of the internet was pretty upset. "It's not fair!", they cried. "You're comparing apples and oranges!", they raged. No, it's not fair, the internet is not fair. But that's just how the web i...

This question in the title of this post comes up after pretty much every data breach I load so I thought I'd answer it here once and for all then direct inquisitive Have I been pwned (HIBP) users when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question. You forgot you signed up Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leav...