Security

Sometimes the discussion around extended validation certificates (EV) feels a little like flogging a dead horse. In fact, it was only September that I proposed EV certificates are already dead [https://www.troyhunt.com/extended-validation-certificates-are-dead/] for all sorts of good reasons that have only been reinforced since that time. Yet somehow, the discussion does seem to come up time and again as it did following this recent tweet of mine: > Always find comments like this amusing: “The...

Do you ever hear those stories from your parents along the lines of "when I was young..." and then there's a tale of how risky life was back then compared to today. You know, stuff like having to walk themselves to school without adult supervision, crazy stuff like that which we somehow seem to worry much more about today than what we did then. Never mind that far less kids go missing today than 20 years [https://archives.fbi.gov/archives/about-us/cjis/ncic/ncic-missing-person-and-unidentified-...

Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper. Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of. Collection #1 is a...

Time and time again, I get emails and DMs from people that effectively boil down to this: > Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breach Many years ago, I introduced the concept of pastes to HIBP [https://www.troyhunt.com/introducing-paste-searches-and/] and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online. Very often, those addresses are a...

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet [https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/] and then secondly, about how we all bear some responsibility for making good password choices [https://www.troyhunt.com/when-accounts-are-hacked-victims-must-share-the-blame/]. A few people took some of the points I made in those posts as being contentious, although on reflection I sus...

It's just another day on the internet when the news is full of headlines about accounts being hacked. Yesterday was a perfect example of that with 2 separate noteworthy stories adorning my early morning Twitter feed. The first one was about HSBC disclosing a "security incident" [https://www.zdnet.com/article/hsbc-discloses-security-incident/] which, upon closer inspection, boiled down to this: > The security incident that HSBC described in its letter seems to fit the characteristics of brute-fo...

These days, I get a lot of messages from people on security related things. Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. But on a fairly regular basis, I get an email from someone which effectively boils down to this: > Hey, have you seen [insert thing here]? It's totally going to kill passwords! No, it's not and to save myself from repeating the same mess...

I take more pleasure than I probably should in watching the bewilderment within organisations as the technology landscape rapidly changes and rushes ahead of them. Perhaps "pleasure" isn't the right word, is it more "amusement"? Or even "curiosity"? Whichever it is, I find myself rhetorically asking "so you just expected everything to stay the same forever, did you?" A case in point: you should look for the green padlock on a website so that you know it's safe. Except that you can't say that an...

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it'll also be gone in Mac OS Mojave w...

This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned [https://haveibeenpwned.com] (HIBP) without providing more context than what I can in a single short breach description. Here's the story: Kayo.moe [https://kayo.moe/] is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they'd noticed a collection of files uploaded to the site which a...