Azure

I’ve always written very publicly about how Have I been pwned [https://haveibeenpwned.com/] (HIBP) was conceived, built and indeed how it performs. If ever there was a time to look back at that performance, it’s in the wake of the first few days after loading in the Ashley Madison breach. I want to share the “warts and all account” of what I observed over the three days of utter chaos that ensued. I first learned of the incident at about 6am local on Wednesday which was very shortly after the t...

I’ve often received feedback from people about this SSL Labs test of Have I been pwned? [https://haveibeenpwned.com/] (HIBP): Just recently I had an email effectively saying “drop this cipher, do that other thing, you’re insecure kthanksbye”. Precisely what this individual thought an attacker was going to do with an entirely public site wasn’t quite clear (and I will come back to this later on), but regardless, if I’m going to have SSL then clearly I want good SSL and this report bugged me....

I regularly share files with people that I want them to grab over HTTP from a location without any auth or other hurdles. They’re not sensitive files, they’re things like exercises I might be running in workshops which I want people to download from a common location. I normally put them in Dropbox, “Share Dropbox Link” then shorten it with my custom troy.hn short URL so they can read it from the screen in a meeting room and point them there. In fact this is exactly what I did last week – just a...

There’s been a huge amount of activity on Have I been pwned? [https://haveibeenpwned.com/] (HIBP) in recent weeks, particularly in the wake of the Adult Friend Finder breach [http://time.com/3893946/adultfriendfinder-data-breach/] which drew a lot of attention. The activity has comprised of organic browser-based traffic as well hits to the API [https://haveibeenpwned.com/API/v2]. The latter in particular is interesting as you can see a steady rate of traffic (or a steady increase of traffic) sud...

I get a lot of this sort of thing: “Hey, how come your site only gets a B grade on the SSL Labs test?” They’re referring to my Have I been pwned? [https://haveibeenpwned.com/] (HIBP) site and they’re right, it only scores a B grade [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com]: [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com] The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently it’s capped my grade lo...

The other day my receiver for the home audio setup completely died. Kaput. So I go out to get another one and given a receiver is no larger than a couple of shoeboxes in size, I decide to drive the GT-R [https://www.troyhunt.com/2013/07/gt-r-technology-of-speed.html] instead of taking the family estate. I love the GT-R because it’s enormous fun and I smile every time I drive it so given my requirements were well within the capacity allowance of the GT-R’s supercar proportions, it was the natural...

I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation. Firstly, if CSP is new to you, go and read Scott Helme’s overview [https://scotthelme.co.uk/content-security-policy-an-introduction/] which is excellent. The tl;dr version...

I’ve been having a few sleepless nights lately worrying about the big one. The big “what”, you ask? I mean another massive data breach the scale of Adobe back in 2013, you know, the one where they had a 153 million user accounts wander out the door. If I had to load those into Have I been pwned? [https://haveibeenpwned.com/] (HIBP), frankly I’m not sure how I’d do it. Or at least I wasn’t sure. When I first wrote about how I built the system [https://www.troyhunt.com/2013/12/working-with-154-mi...

This content is now available in the Pluralsight course "Getting Started with CloudFlare Security" [http://www.pluralsight.com/courses/cloudflare-security-getting-started]As you may be well aware by this, Microsoft’s Azure gets me rather excited [https://www.troyhunt.com/search/label/Azure]. That’s not without merit IMHO, it’s a sensational product for all the reasons you can read about in the blog posts at the end of that link. Almost without exception, when I get a question about Azure I have...

Let’s just get this out of the way early – Azure is awesome. No really, I am continually blown away by the stuff you can do with it, how cheaply you can do it and just how much it changes the conversation you can have with those you’re delivering solution to using Microsoft’s cloud. This is not an endorsement based on my affinity for Microsoft nor is it constructed from what I read or see at talks, it’s based on my own firsthand experiences delivering real world software on the platform. I’ve b...