SSL

A 49-post collection

The security futility that is embedding secure login forms within insecure pages

I’ve been writing a bunch of content around HTTPS lately and recording videos to demonstrate the ease with which insecure implementations of SSL can be broken. For example, there was the piece on why you can’t trust SSL logos [https://www.troyhunt.com/2013/05/heres-why-you-cant-trust-ssl-logos-on.html], then how loading login forms over HTTP but posting to HTTPS is pointless [https://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html] and most recently, why those mixed content...

Understanding the risk of mixed content warnings

Ever see one of these? Or these? Or maybe this one? It means something is wrong with the website – very wrong – yet somehow we seem to keep building websites that do this. The problem, as you’ll see in the video below, is that it jeopardises the security of traffic going backwards and forwards over what otherwise appears to be a secure site, at least in terms of implementing SSL. This can lead to issues such as the theft of identity data, potentially including such personal information...

Your login form posts to HTTPS, but you blew it when you loaded it over HTTP

Here’s an often held conversation between concerned website user and site owner: User: “Hey mate, your website isn’t using SSL when I enter my password, what gives?!” Owner: “Ah, but it posts to HTTPS so your password is secure! We take security seriously. Our measures are robust.” (and other random, unquantifiable claims) Loading login forms over HTTP renders any downstream transport layer security almost entirely useless. Rather than just tell you what’s wrong with this, let me show precise...

Here’s why you can’t trust SSL logos on HTTP pages (even from SSL vendors)

A couple of days ago I wrote about Why I am the world’s greatest lover (and other worthless security claims) [https://www.troyhunt.com/2013/05/why-i-am-worlds-greatest-lover-and.html] and it really seemed to resonate with people. In short, whacking a seal on your website that talks about security awesomeness in no way causes security awesomeness. Andy Gambles gets that and shared this tweet with me: [https://twitter.com/andygambles/status/332065425485611008] So let’s check out exactly what’s...

Why I am the world’s greatest lover (and other worthless security claims)

I’ve been considering purchasing one of these t-shirts: This shirt would announce to everyone who crosses my path that I am, in fact, the world’s greatest lover. They would know this because I have a t-shirt that tells them so and it would give them enormous confidence in my sexual prowess. If ever I was challenged on the claim, I could quite rightly say that nobody has ever demonstrated that this is not the case and there are no proven incidents that disprove it. Sound ridiculous? Of cou...

5 ways to implement HTTPS in an insufficient manner (and leak sensitive data)

HTTPS or SSL or TLS or whatever you want to call it can be a confusing beast. Some say it’s just about protecting your password and banking info whilst the packets are flying around the web but I’ve long said that SSL is not about encryption [https://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html]. As an indication of how tricky the whole situation is, OWASP talks about insufficient transport layer security [https://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html...

OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is e...

The padlock icon must die

What do you think of when you see this little guy on a webpage: You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit. The problem is that it doesn’t mean anything of the kind. In fact it had absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleadi...

SSL is not about encryption

It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process. Last week I wrote a (slightly) tongue-in-cheek post about the Who’s who of bad password practices [https://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html]. I was critical of a number of sites not implementin...