SSL

A 49-post collection

How to get your SSL for free on a Shared Azure website with CloudFlare

This content is now available in the Pluralsight course "Getting Started with CloudFlare Security" [http://www.pluralsight.com/courses/cloudflare-security-getting-started]. As you may be well aware by this, Microsoft’s Azure gets me rather excited [https://www.troyhunt.com/search/label/Azure]. That’s not without merit IMHO, it’s a sensational product for all the reasons you can read about in the blog posts at the end of that link. Almost without exception, when I get a question about Azure I have...

Everything you need to know about the POODLE SSL bug

We don’t seem to go far these days without the next “catastrophic” bug hitting the internets. Remember how a few weeks ago Shellshock [https://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html] was going to end the internet as we know it? If you believed all the headlines, that sucker was going to own us through our light globes (I suspect some poetic license was taken on my IoT comments) and the web would never be the same. Scroll forward and it’s already “Shell-what?” Earlier th...

Lessons in insecure SSL courtesy of Hoyts cinemas

Why do we bother with SSL? I mean what’s the risk that we’re trying to protect against by using certificate authorities and serving up traffic over HTTPS? Usually it’s men (or possibly even women) in the middle or in other words, someone sitting somewhere between the client and the server and getting their hands on the data. Do we all agree with this? Yes? Good, then why on earth would you possibly say this? [https://twitter.com/HoytsAustralia/status/478320507402465281] This was in response t...

Why have security on a vBulletin forum? Because it’s none of your business, that’s why!

I’m used to seeing short-sighted responses on Twitter when it comes to security, but admittedly this one took me by surprise: [https://twitter.com/vBZachery/status/471161211401555968] This was from a vBulletin “Tech Support Guy” as part of a thread about the security profile of the website MMO Champion [http://www.mmo-champion.com/], a World of Warcraft discussion site. This is a site that allows you to register with a username and password, store your date of birth (and hide it from public v...

Everything you need to know about the Heartbleed SSL bug

Massive. Huge. Catastrophic. These are all headlines I’ve seen today that basically say we’re now well and truly screwed when it comes to security on the internet. Specifically though, it’s this [http://heartbleed.com/]: > The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. Every now and then in the world of security, something rather serious and broad-reaching happens and we all run around like head...

For your convenience, please disable security warnings

Let’s just start here [https://www.smashwords.com/about/supportfaq]: Allow me to provide a technical security perspective on this – it’s complete bullshit. More specifically, you’re seeing this because whoever designed the Smashwords site screwed up and embedded insecure content in a page loaded over a secure connection. So what does this look like? Here’s an example in Internet Explorer: But more importantly, what does it actually mean? Short answer: you can’t trust the page any more tha...

On getting Pineappled at Web Directions South

So I’ve just wrapped up another Web Directions [http://webdirections.org/wds13] presentation where the Pineapple has featured. The what now?! You know, the WiFi Pineapple [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html], that little guy with the ability to do all sorts of nasty things to wireless traffic. Now I’ve Pineappled before, but I’ve never Pineappled quite like this and that’s all down to the Mark V [http://hakshop.myshopify.com/products/wifi-pineapple] w...

The complete guide to loading a free SSL certificate into an Azure website

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]. Note: In this blog post I show how to load a certificate from StartCom into Azure. They've subsequently had some pretty serious issues related to WoSign [https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/] and I would not recommend getti...

Unearthing the hidden shortcomings in Aussie mobile app security

Apparently the average number of apps someone has on their smartphone is 41 [http://www.networkworld.com/community/blog/average-us-smartphone-user-has-41-apps-their-device]. It sounds like a lot but do the maths on how long you’ve had the phone (or a predecessor) and you realise it’s a pretty low frequency of taking something new from the app store. A significant proportion of these apps allow you to share sensitive personal information with them; your home address, phone number, email and p...

5 ways to tackle an insufficient HTTPS implementation

Earlier this year I wrote about 5 ways to implement HTTPS in an insufficient manner (and leak sensitive data) [https://www.troyhunt.com/2013/04/5-ways-to-implement-https-in.html]. The entire premise of the post was that following a customer raising concerns about their SSL implementation, Top CashBack went on to assert that everything that needed to be protected, was. Except it wasn’t, at least not sufficiently and that’s the rub with SSL; it’s not about having it or not having it, it’s about un...