Security

A 368-post collection

Why No HTTPS? Questions Answered, New Data, Path Forward

So that little project Scott Helme and I took on - WhyNoHTTPS.com - seems to have garnered quite a bit of attention. We had about 81k visitors drop by on the first day and for the most part, the feedback has been overwhelmingly positive. Most people have said it's great to have the data surfaced publicly and they've used that list to put some pressure on sites to up their game. We're already seeing some sites on the Day 1 list go HTTPS (although frankly, if the site is that large and they've done it that quickly then I doubt it's because of our list), and really, that's the best possible outcome of this project - seeing websites drop...

Why No HTTPS? Here's the World's Largest Websites Not Redirecting Insecure Requests to HTTPS

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely: The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t...

Here's Why Your Static Website Needs HTTPS

It was Jan last year that I suggested HTTPS adoption had passed the "tipping point", that is, it had passed the moment of critical mass and as I said at the time, "will very shortly become the norm". Since that time, the percentage of web pages loaded over a secure connection has rocketed from 52% to 71% whilst the proportion of the world's top 1 million websites redirecting people to HTTPS has gone from 20% to about half (projected). The rapid adoption has been driven by a combination of ever more visible browser warnings (it was Chrome and Firefox's changes which prompted the aforementioned tipping point post), more easily accessible certificates via both Let's Encrypt and...

New Pluralsight Course: Bug Bounties for Companies

Try publishing something to the internet - anything - and see how it long it takes before something nasty is probing away at it. Brand new website, new domain and it's mere hours (if not minutes) before requests for wp-admin are in the logs. Yes, I know it's not a Wordpress site but that doesn't matter, the bots don't care. But that's just indiscriminate scanning, nothing personal; how about deliberate and concerted attacks more specifically designed to get into your things? As the value of what you have increases, so do the attacks and there's absolutely nothing you can do about it. There's a lot you can do in terms of defences, but nothing you can do to stop randoms...

New Pluralsight Course: OWASP Top 10, 2017

Just a tad over 5 years ago, I released my first ever Pluralsight course - OWASP Top 10 Web Application Security Risks for ASP.NET. More than 32k people have listened to more than 78k hours of content in this course making it not just the most popular course I've ever released, but also keeping it as my most popular in the library even today by a long way. Developers have a huge appetite for OWASP content and I'm very happy to now give them even more Top 10 goodness in the course I'm announcing here - Play by Play: OWASP Top 10 2017. This time, I've teamed up with Andrew van der Stock who was an integral part of...

The Decreasing Usefulness of Positive Visual Security Indicators (and the Importance of Negative Ones)

Remember when web security was all about looking for padlocks? I mean in terms of the advice we gave your everyday people, that's what it boiled down to - "look for the padlock before entering passwords or credit card info into a website". Back in the day, this was pretty solid advice too as it gave you confidence not just in the usual confidentiality, integrity and authenticity of the web traffic, but in the legitimacy of the site as well. If it had a padlock, you could trust it and there's weren't a lot of exceptions to that. But as time has gone by and HTTPS has become increasingly ubiquitous and obtainable by all, the veracity of that...

New Pluralsight Course: JavaScript Security Play by Play

Ah JavaScript, the answer to - and cause of - all our problems on the web today! Just kidding, jQuery has solved all our JS problems now... But seriously, JS is a major component of so much of what we build online these days and as with our other online things, the security posture of it is enormously important to understand. Recently, I teamed up with good mate and fellow Pluralsight author Aaron Powell who spends his life writing JS things. We spoke about managing auth tokens, identity persistence across sessions, service workers, CORS, third party libraries (and their vulnerabilities), client side validation considerations, anti-forgery tokens and much, much more. This is a 1 hour and 13 minute "Play...

Subresource Integrity and Upgrade-Insecure-Requests are Now Supported in Microsoft Edge

The more time that goes by and the more deeply I give it thought, the more convinced I am that the web is held together with sticky tape. No - cyber-sticky tape! Because especially when it comes to security, there are fundamental and inherent shortcomings in everything from HTTP to HTML and many of the other acronyms that make the web work as it does today. We've been trying to get this right for 25 years as of yesterday too: Today: The 25th anniversary of the web: https://t.co/57NuBcpuqt Thanks CERN and Sir Tim Berners-Lee! #madeineurope— Mikko Hypponen (@mikko) April 30, 2018 Cross site request forgery is a perfect example; here we have a situation where the...

IRL Analogies Explaining Digital Concepts are Terrible

Remember the anti-piracy campaign from years back about "You Wouldn't Steal a Car"? This was the rather sensationalist piece put together by the Motion Picture Association of America in an attempt to draw parallels between digital piracy and what they viewed as IRL ("In Real Life") equivalents. Here's a quick recap: The very premise that the young girl sitting in her bedroom in the opening scene is in any way relatable to the guy in the dark alley sliding a slim jim down the Merc's door is ridiculous. As expected, the internet responded with much hilarity because no-way, no-how are any of the analogies in that video even remotely equivalent to digital piracy: And even if...

Is Enumerating Resources on a Website "Hacking"?

I saw a story pop up this week which made a bunch of headlines and upon sharing it, also sparked some vigorous debate. It all had to do with a 19-year-old bloke in Canada downloading some publicly accessible documents which, as it later turned out, shouldn't have been publicly accessible. Let's start with this video as it pretty succinctly explains the issue in consumer-friendly terms: VIDEO: Nova Scotia's government is accusing a 19-year-old of breaching their government website's security ~ Privacy experts disagree. Oh, and here's how the teen did it: pic.twitter.com/FQ2qXJoP89— Brett Ruskin (@Brett_CBC) April 13, 2018 So the crux of the matter seems to be that the guy...