Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Something new: Weekly update 1

I've had this idea in mind for a while to start capturing some video on a weekly basis about things that are topical and interesting but that I'm probably just not going to get around to blogging into detail. Writing is massively time consuming plus I reckon there's a bit more candour that comes across in video. As I say in the intro, see if you like it. If it's good, let me know. If it's not, well, you probably should also let me know or at least tell me how to improve it. I'm about to head back to Europe for a few weeks so it'll be interesting to see if it makes any sense doing it while I'm...

Azure Functions in practice

I wrote recently about how Have I been pwned (HIBP) had an API rate limit introduced and then brought forward which was in part a response to large volumes of requests against the API. It was causing sudden ramp ups of traffic that Azure couldn't scale fast enough to meet and was also hitting my hip pocket as I paid for the underlying infrastructure to scale out in response. By limiting requests to one per every 1.5 seconds and then returning HTTP 429 in excess of that, the rate limit meant there was no longer any point in hammering away at the service. However, just because there's no point in it doesn't mean that people aren't going to do...

I'm now offering sponsorship of this blog

I have a love-hate relationship with ads, whether they be on my blog or anywhere else for that matter. I get that they're a necessity for many news outlets to keep providing the free information that we all want, but I also can't stand the way advertising has descended into the sleazy, risky, slow and all-round negative experience it so frequently is today. I've had ads on this blog for years and they've been provided by Developer Media who specialise in serving technology-centric ads of relevance to my audience. Over the years I've seen a lot of ads for products ranging from cloud services to security appliances. Occasionally, I've also seen ads for things like consumer headphones because unsold ad...

Here's how broken today's web will feel in Chrome's secure-by-default future

Last week Google announced some changes to Chrome, specifically that come January 2017, practices like this are going to start resulting is browser warnings: That's just one of many such examples I've called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place so a browser warning is only right. But here's the really interesting bit - that's just the beginning because Google has a plan: a long-term plan to mark all HTTP sites as non-secure I want to show you the significance of this on everyday websites and we can do that today by virtue of jumping into chrome://flags then scrolling down to "Mark non-secure origins as...

Someone just lost 324k payment records, complete with CVVs

Edit: A day and a half after publishing this post, the source of the data was eventually identified and a statement issued. Do see the updates at the end of this post. I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I know and trust, there'll be a private disclosure to the company involved. Good journos are very adept at getting answers to these things and when it's going to be a story that hits the news anyway, it ensures...

The "Have I been pwned" API rate limit has been brought forward - here's why

Three weeks ago today, I wrote about implementing a rate limit on the Have I been pwned (HIBP) API and the original plan was to have it begin a week from today. I want to talk more about why the rate limit was required and why I've had to bring it forward to today. As I explained in the original post, there were multiple reasons for the rate limit including high volumes of API calls impacting system performance (they were ramping up faster than Azure could auto-scale), the cost to me personally of supporting the traffic (I pay for all of this out of my own pocket), and finally, my desire to ensure the system is used for ethical purposes...

The Dropbox hack is real

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this: What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. It's a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at...

CloudFlare, SSL and unhealthy security absolutism

Let's start with a quick quiz: Take a look at haveibeenpwned.com (HIBP) and tell me where the traffic is encrypted between: You see HTTPS which is good so you know it's doing crypto things in your browser, but where's the other end of the encryption? I mean at what point is the traffic decrypted? Many people would say it's at the web server but it's not, it's upstream of there at Microsoft's appliances that sits in front of the web application PaaS offering. You might see a padlock, but your traffic is not encrypted all the way to the server. But it's not just HIBP and it's not just Microsoft either, many of the websites you visit every day...

Protecting your embedded content with subresource integrity (SRI)

CDNs are good. You get to put your web things all over the world and then have them served to your global audience from a location close to them. For example, because this blog is served through CloudFlare and about two thirds of the requests to my site come direct from their cache, you're probably downloading all the images on this page from whichever point in the map below is closest to you: But what's even better than CDNs when it comes to cost and performance is public CDNs. For example, on Have I been pwned (HIBP) I serve various CSS and JavaScript files that are public libraries. It's stuff like jQuery and Bootstrap and my files are in no...

Self-hosted vBulletin - you're doing it wrong! (and why you should be using managed hosting services)

Another day, another data breach: Full news on the GTAGaming breach is here: https://t.co/KuNSuol442 (vBulletin again)— Troy Hunt (@troyhunt) August 23, 2016 Yesterday it was a different one: vBulletin... "Epic Games: Information Regarding Recent Forum Compromise" https://t.co/YqQlSRbtLU— Troy Hunt (@troyhunt) August 23, 2016 A couple of weeks ago it was this one: vBulletin... again https://t.co/dNBbuzRHbW— Troy Hunt (@troyhunt) August 10, 2016 A little before that there was this: In news that should surprise absolutely nobody, Disney's hacked forum software was running on vBulletin https://t.co/s6Uw4xXyl0— Troy Hunt (@troyhunt) July 30, 2016 A fortnight earlier: In the year's least surprising...