Azure

A few years back, I added a donations page to Have I been pwned (HIBP). Now as I explained at the time, I didn't particularly need them to cover my hard-cash outgoings because I run the thing on a shoestring, but as I explain on that page, it takes a massive amount of effort. If people want to fling me a coffee or some beers, that's just great and I appreciate it enormously. Problem is, it's hard to individually show that appreciation. Especially during a busy period, I can end up with a lot of coffee and I can't realistically reply to each and every person by email thanking them or I end up with exactly the problem I describe...

I've been really actively involved with building things on Microsoft's Azure cloud for probably about 4 or 5 years now. Many of you will know already that Have I been pwned (HIBP) was built from the ground up on Azure (in fact, one of the reasons I built the service was to play with Azure "in anger"!), what less people know is the work I'd been doing before that. In my previous life looking after Pfizer's software architecture in this corner of the world, I was pushing hard to move apps we were building into Azure, in particular the PaaS constructs they have available. Time and time again, the discussion would go like this: Vendor: (Pfizer outsourced all...

I wrote recently about how Have I been pwned (HIBP) had an API rate limit introduced and then brought forward which was in part a response to large volumes of requests against the API. It was causing sudden ramp ups of traffic that Azure couldn't scale fast enough to meet and was also hitting my hip pocket as I paid for the underlying infrastructure to scale out in response. By limiting requests to one per every 1.5 seconds and then returning HTTP 429 in excess of that, the rate limit meant there was no longer any point in hammering away at the service. However, just because there's no point in it doesn't mean that people aren't going to do...

Let us start with what's wrong with the world today, and that's certificate authorities. Just take a look at the trusted root CAs running on a Windows 10 machine: The very premise of having these root CAs on your machine is that they ultimate get to decide which websites your browser will consider to have a valid SSL certificate. The root CAs serve other purposes too, but that's what I'm especially interested in here. Edit: As Tom points out below, there are hundreds of other root certs the OS will happily trust as required. Microsoft documents this on the Microsoft Trusted Root Certificate Program page. Now here's the point I'm driving at - if QuoVadis wants to sign a certificate...

Hey, did you hear about this new security risk? It’s called SQL injection and attackers can just suck all your datas out of your system if you screw it up badly enough. Allegedly there’s like, millions of websites at risk and even kids can easily break into them! Wait – this isn’t a new risk?! Well how come it’s all over the news and these seriously large companies keep getting pwned by it?! How is that even possible?! And here we are at that reality of today; SQL injection, whilst well understood for a good decade and a half, remains the number one risk on the web today. Certainly it’s...

I’ve always written very publicly about how Have I been pwned (HIBP) was conceived, built and indeed how it performs. If ever there was a time to look back at that performance, it’s in the wake of the first few days after loading in the Ashley Madison breach. I want to share the “warts and all account” of what I observed over the three days of utter chaos that ensued. I first learned of the incident at about 6am local on Wednesday which was very shortly after the torrent first hit the air (remember, I’m in Australia which is in the future for most of you). During the day, I pulled down...

I’ve often received feedback from people about this SSL Labs test of Have I been pwned? (HIBP): Just recently I had an email effectively saying “drop this cipher, do that other thing, you’re insecure kthanksbye”. Precisely what this individual thought an attacker was going to do with an entirely public site wasn’t quite clear (and I will come back to this later on), but regardless, if I’m going to have SSL then clearly I want good SSL and this report bugged me. A couple of months ago I wrote about how It’s time for A grade SSL on Azure websites which talked about how Microsoft’s SSL...

I regularly share files with people that I want them to grab over HTTP from a location without any auth or other hurdles. They’re not sensitive files, they’re things like exercises I might be running in workshops which I want people to download from a common location. I normally put them in Dropbox, “Share Dropbox Link” then shorten it with my custom troy.hn short URL so they can read it from the screen in a meeting room and point them there. In fact this is exactly what I did last week – just as I’d done many times before – and then this started happening: Admittedly, I’ve hit this...

There’s been a huge amount of activity on Have I been pwned? (HIBP) in recent weeks, particularly in the wake of the Adult Friend Finder breach which drew a lot of attention. The activity has comprised of organic browser-based traffic as well hits to the API. The latter in particular is interesting as you can see a steady rate of traffic (or a steady increase of traffic) suddenly interrupted by a sudden and massive increase which then sits at a threshold for a period of time. Sometimes that’s minutes, sometimes it’s even days. I often get asked “I want to hit your API but I don’t want to disrupt the service...

I get a lot of this sort of thing: “Hey, how come your site only gets a B grade on the SSL Labs test?” They’re referring to my Have I been pwned? (HIBP) site and they’re right, it only scores a B grade: The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently it’s capped my grade lower than it would otherwise be if it was no longer supported. So I’d get a report from someone along these lines and have to explain why: “HIBP is hosted on the Azure website server (now known as Web...