SSL

A 49-post collection

HTTPS adoption has reached the tipping point

That's it - I'm calling it - HTTPS adoption has now reached the moment of critical mass [https://en.wikipedia.org/wiki/The_Tipping_Point] where it's gathering enough momentum that it will very shortly become "the norm" rather than the exception it so frequently was in the past. In just the last few months, there have been some really significant things happen that have caused me to make this call; here's why I think we're now at that tipping point. We've already passed the halfway mark for request...

Here's how broken today's web will feel in Chrome's secure-by-default future

Last week Google announced some changes to Chrome [https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html], specifically that come January 2017, practices like this [https://www.troyhunt.com/thank-you-waitrose-now-fix-your/] are going to start resulting in browser warnings: That's just one of many such examples I've called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place, so a browser warning is only right. But here's...

I wanna go fast: HTTPS' massive speed advantage

I tweeted this the other day, and the internet was not pleased: > HTTPS is slow. No - wait - is it HTTP that's slow?! https://t.co/T49GG7oCaK pic.twitter.com/cfnYOpXMWc [https://t.co/cfnYOpXMWc] — Troy Hunt (@troyhunt) July 8, 2016 [https://twitter.com/troyhunt/status/751317949349130240] In fact, a bunch of the internet was pretty upset. "It's not fair!", they cried. "You're comparing apples and oranges!", they raged. No, it's not fair, the internet is not fair. But that's just how the web i...

Everything you need to know about loading a free Let's Encrypt certificate into an Azure website

Let us start with what's wrong with the world today, and that's certificate authorities. Just take a look at the trusted root CAs running on a Windows 10 machine: The very premise of having these root CAs on your machine is that they ultimately get to decide which websites your browser will consider to have a valid SSL certificate. The root CAs serve other purposes too, but that's what I'm especially interested in here. Edit: As Tom points out below [https://www.troyhunt.com/everything-you-nee...

Thank you Waitrose, now fix your insecure site

I had a follower send me a curious question the other day which if I paraphrase, went like this: > Hi, I was worried about the security of the Waitrose login form so I contacted them about it. They sent me a response but I’m not sure if it’s correct – can you shed some light on it? Actually, yes, I can and frankly, it’s a bit of a comedy of errors. For those not familiar with Waitrose [https://en.wikipedia.org/wiki/Waitrose], they’re a large British supermarket chain bringing in somewhere ar...

Azure websites SSL goes “A” grade

I’ve often received feedback from people about this SSL Labs test of Have I been pwned? [https://haveibeenpwned.com/] (HIBP): Just recently I had an email effectively saying “drop this cipher, do that other thing, you’re insecure kthanksbye”. Precisely what this individual thought an attacker was going to do with an entirely public site wasn’t quite clear (and I will come back to this later on), but regardless, if I’m going to have SSL then clearly I want good SSL and this report bugged me....

We’re struggling to get traction with SSL because it’s still a “premium service”

The web is going HTTPS only. In theory. The idea is that unless we encrypt all the transport things, we can have no confidence in the confidentiality, integrity or authenticity of the traffic and services we’re talking to. There’s growing awareness of how essential secure transport comms are (thank you NSA for your part in helping us come to this realisation), and indeed we’re being continually pushed in this direction. For example, last year Google said they’d start using the presence of HTTPS...

Understanding HTTP Strict Transport Security (HSTS) and preloading it into the browser

During my travels over recent weeks I’ve been doing a quick demo that works like this: First, I open up the dev tools in Chrome and select the network tab. Second, I load up americanexpress.com [http://americanexpress.com] and show the network requests: I point out how the first one goes out over HTTP because this is what browsers do when you don’t explicitly enter a scheme such as “https://”. The server responds to this request with an HTTP 301 “Moved Permanently” and a “location” header w...

It’s time for A grade SSL on Azure websites

I get a lot of this sort of thing: “Hey, how come your site only gets a B grade on the SSL Labs test?” They’re referring to my Have I been pwned? [https://haveibeenpwned.com/] (HIBP) site and they’re right, it only scores a B grade [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com]: [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com] The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently it’s capped my grade lo...

Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test [https://www.ssllabs.com/ssltest], which has become so popular in recent times. It's a great way of identifying what's good and what's bad about an SSL implementation and indeed, it appears that NAB has pulled their stats: Which, of course, looks enormously suspicious. You don't pull your stats when you have a good result...