I’m a big proponent of the content security policy paradigm (CSP) supported by modern browsers. In fact I’m so keen on them I even wrote a Pluralsight course: Introduction to Browser Security Headers [http://www.pluralsight.com/courses/browser-security-headers]. (Sidenote: I’m enormously happy with how well this course has been received, seems there’s an appetite for securing our things after all!) Now if you’re not sure what all the fuss is about, have a quick read of my launch blog post for...

So it turns out that someone got in my wife’s ear and suggested it might be a good idea for her to start a blog. Who would ever suggest such a crazy thing [https://www.troyhunt.com/2009/10/why-online-identities-are-smart-career.html]?! It actually makes a lot of sense as Kylie embarks on her path as a more public identity and fellow Pluralsight Author [http://www.pluralsight.com/author/kylie-hunt] that she has an online presence. Having me around who has some experience with this should make it...

I’ve got a heap of resources I constantly come back to in talks, workshops and just during the course of my everyday work. Frankly, I have trouble remembering them all myself plus I reckon they’re kinda useful for other people too so I thought I’d drop them all into a post here. If you’ve got good stuff I’ve missed (and you almost certainly will), drop it into the comments below as I’d love to add to my own set of resources plus that way it gets shared with everyone. Enjoy! SSL / TLS / HTTPS 1...

Now I swear this is entirely coincidental, but only this month I wrote a very tongue-in-cheek piece titled Good news – your credit card is fine and only your irreplaceable things were hacked! [https://www.troyhunt.com/2015/09/good-news-your-credit-card-is-fine-and.html] The basic premise of this piece was that when you see a company proudly asserting that your credit card is fine even though they’ve just been pwned six ways from Sunday (hi Ashley Madison!), that assurance is of little consequenc...

I’ve had a rough time of it lately – the internet has been down. I know, it’s been disturbing to say the least and I actually can’t remember the last time the connection coming into my home was totally out. In some ways, the problem is not as bad as it was some years ago due to my wife and I having fast other devices that can connect direct to 4G yet in other ways, it’s worse due to the number of things connected – usually connected – to the internet. The hardest bit of all this though was deal...

Hey, I really hate to tell you this, but we were hacked and your account containing a bunch of really sensitive personal data was exposed. I know, it’s enormously inconvenient but I have good news for you – your credit card is fine! Now yes, banks do have very good fraud protection these days and they would almost certainly have reversed any illegitimate charges, but isn’t this great news! Oh yeah – they’ll also issue you a new card too and don’t worry, that won’t cost you a cent. Yes, you’ll n...

I’ve been doing this fantastic demo about browser security headers in a lot of my recent talks and workshops. It’s always a lot of fun and it’s very interactive – you can try this out for yourself right now – and it works like this: So cross site scripting (XSS) is still a big thing. Yes it’s been around for ages and yes we should be on top of it by now, but here we are. Anyway, I was at the AppSecEU conference in the Netherlands a few months ago and a local guy called Breno de Winter did a fan...

I’ve always written very publicly about how Have I been pwned [https://haveibeenpwned.com/] (HIBP) was conceived, built and indeed how it performs. If ever there was a time to look back at that performance, it’s in the wake of the first few days after loading in the Ashley Madison breach. I want to share the “warts and all account” of what I observed over the three days of utter chaos that ensued. I first learned of the incident at about 6am local on Wednesday which was very shortly after the t...

To date, I’ve avoided commenting on the other Ashley Madison search services and have invested my efforts purely in keeping Have I been pwned? [https://haveibeenpwned.com/] (HIBP) ticking along. I’ve seen them come and indeed I’ve seen some of them go too. I’ve seen many that enable you to get confirmation about the presence of an email in Ashley Madison, others that return everything about the user. Publicly. To anyone. But something I saw today struck a very different chord with me, something...

I found myself in somewhat of a unique position last week: I’d made the Ashley Madison data searchable for verified subscribers of Have I been pwned? [https://haveibeenpwned.com/] (HIBP) and now – perhaps unsurprisingly in retrospect – I was being inundated with email. I mean hundreds of emails every day with people asking questions about the data. Not just asking questions, but often giving me their life stories as well. These stories shed a very interesting light on the incident, one that mos...