Security

A 264-post collection

I wanna go fast: HTTPS' massive speed advantage

I tweeted this the other day, and the internet was not pleased: HTTPS is slow. No - wait - is it HTTP that's slow?! https://t.co/T49GG7oCaK pic.twitter.com/cfnYOpXMWc— Troy Hunt (@troyhunt) July 8, 2016 In fact, a bunch of the internet was pretty upset. "It's not fair!", they cried. "You're comparing apples and oranges!", they raged. No, it's not fair, the internet is not fair. But that's just how the web is today and whilst you might not like that it's not fair, that's the ballgame we're playing. When it comes to performance tests, I don't care about "fair", I only care about one thing: Let's take just a moment to put how...

Why am I in a data breach for a site I never signed up to?

This question in the title of this post comes up after pretty much every data breach I load so I thought I'd answer it here once and for all then direct inquisitive Have I been pwned (HIBP) users when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question. You forgot you signed up Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leave a huge trail of accounts behind us on the web over the many years we've been online for and there's no doubt whatsoever that most of...

Round 4 of Europe for 2016: More talks, more workshops

If you follow my Twitters, you may have noticed I can be a bit, well, "despondent" about the climate in Europe. No, not the whole Brexit political climate situation, I mean more like this: Crowds of people in Birmingham waiting for summer before they go outside: pic.twitter.com/7ImjmCt4Bf— Troy Hunt (@troyhunt) June 16, 2016 Yet I keep ending up back there so either it's my poor judgement or... I secretly enjoy it. Back in Jan (when it was much easier to complain about the weather), I was over in England, Scotland and Norway for four weeks then in May it was Belgium and Spain and last month was Norway and England again plus a few days in...

Getting to grips with cloud computing security on Pluralsight

Two of the things you'll have found me most frequently writing about on this blog are "cloud" and "security". Whilst the latter seems to have been what I've gravitated towards most in recent years, the former is something I'm very heavily involved in, particularly with my work on Have I been pwned (HIBP). I'm enormously happy to see the very last course in the Ethical Hacking series I've been building out with Pluralsight now complete with the 8th and final one being Ethical Hacking: Cloud Computing. Overwhelmingly excited. Ecstatic! I'll come back to why I'm so happy that the entire thing has now been wrapped up, but let me start with my favourite cloud question of all: Is "the cloud"...

Everything you need to know about loading a free Let's Encrypt certificate into an Azure website

Let us start with what's wrong with the world today, and that's certificate authorities. Just take a look at the trusted root CAs running on a Windows 10 machine: The very premise of having these root CAs on your machine is that they ultimate get to decide which websites your browser will consider to have a valid SSL certificate. The root CAs serve other purposes too, but that's what I'm especially interested in here. Edit: As Tom points out below, there are hundreds of other root certs the OS will happily trust as required. Microsoft documents this on the Microsoft Trusted Root Certificate Program page. Now here's the point I'm driving at - if QuoVadis wants to sign a certificate...