I get a lot of this sort of thing: “Hey, how come your site only gets a B grade on the SSL Labs test?” They’re referring to my Have I been pwned? [https://haveibeenpwned.com/] (HIBP) site and they’re right, it only scores a B grade [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com]: [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com] The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently it’s capped my grade lo...

It’s the “Hack Yourself First” trilogy: Watch the talk [https://yow.eventer.com/yow-2014-1222/hack-yourself-first-go-on-the-cyber-offence-before-online-attackers-do-by-troy-hunt-1698] , take the Pluralsight course [http://www.pluralsight.com/courses/hack-yourself-first] and now you can spend a couple of days with me in Amsterdam next month on June 22 and 23 doing the workshop [https://training.xebia.com/developer-skills/hack-yourself-first-how-to-go-on-the-cyber-offence/] . I’ve teamed up with X...

So I’m at the DevSum conference in Stockholm [http://www.devsum.se/speaker/troy-hunt/] and yesterday afternoon was busily preparing for my talk, Hack Yourself First. It’s a talk I’ve done many times before and it always rocks not just based on the attendee feedback, but because frankly I just have a lot of fun doing it (you can watch a recording from Yow! in December [https://yow.eventer.com/yow-2014-1222/hack-yourself-first-go-on-the-cyber-offence-before-online-attackers-do-by-troy-hunt-1698]...

The other day my receiver for the home audio setup completely died. Kaput. So I go out to get another one and given a receiver is no larger than a couple of shoeboxes in size, I decide to drive the GT-R [https://www.troyhunt.com/2013/07/gt-r-technology-of-speed.html] instead of taking the family estate. I love the GT-R because it’s enormous fun and I smile every time I drive it so given my requirements were well within the capacity allowance of the GT-R’s supercar proportions, it was the natural...

I’ve long been a proponent of “hacking yourself first”, that is the idea of building up some offensive skills such that you can actually take a good shot at ethically breaking apps for the betterment of society. Whether they’re you’re own apps that you’ve built or ones you’re testing part of a dev team doesn’t really matter, it’s the same skills and the same end result – you find bad stuff before bad people do. What I can now share with everyone is that over the last few months, I’ve been work...

So the dust has finally settled. A month ago I wrote about </pfizer> [https://www.troyhunt.com/2015/04/today-marks-two-important-milestones.html] which marked my departure from the corporate world after spending the last 14 years building and managing their software things across a good whack of the world. With that chapter now formally closed, it’s time to talk about the next phase. It’s time to talk about Pluralsight [http://www.pluralsight.com/]. The path to Pluralsight It was 2012 when I...

I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation. Firstly, if CSP is new to you, go and read Scott Helme’s overview [https://scotthelme.co.uk/content-security-policy-an-introduction/] which is excellent. The tl;dr version...

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test [https://www.ssllabs.com/ssltest] that which has become so popular in recent times. It’s a great way of identifying what’s good and what bad about an SSL implementation and indeed, it appears that NAB has pulled their stats: Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result...

Sometimes, good ideas take a while to materialise. The penny only dropped on just how long some of them take when I was going back through my Pluralsight notes just the other day and found this: That was March last year and an awful lot of water has gone under the bridge since then. But it seemed like a really good idea at the time and inevitably, it was. I’d find a willing “muse” with a suitable website then go to town on it, critiquing everything that could possibly we wrong with it. This w...

I’m not often astounded by the woefulness of a security practice any more, but every now and then there’s a notable exception. Take this one, for example: > @BetfairHelpdesk [https://twitter.com/BetfairHelpdesk] Is it right that all one needs to change their password is their username and date of birth? — Paul Sawers (@psawers) April 23, 2015 [https://twitter.com/psawers/status/591279641828143104] Yes, that’s exactly what it looks like and just for the sake of posterity should those Betfair r...