Troy Hunt: SSL - Troy Hunt (Page 3)

SSL

A 42-post collection

Understanding HTTP Strict Transport Security (HSTS) and preloading it into the browser

During my travels over recent weeks I’ve been doing a quick demo that works like this: First, I open up the dev tools in Chrome and select the network tab. Second, I load up americanexpress.com and show the network requests: I point out how the first one goes out over HTTP because this is what browsers do when you don’t explicitly enter a scheme such as “https://”. The server responds to this request with an HTTP 301 “Moved Permanently” and a “location” header which tells the browser to go back and request the resource securely: If I’m feeling adventurous, I’ll show this pattern whilst connected...

It’s time for A grade SSL on Azure websites

I get a lot of this sort of thing: “Hey, how come your site only gets a B grade on the SSL Labs test?” They’re referring to my Have I been pwned? (HIBP) site and they’re right, it only scores a B grade: The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently it’s capped my grade lower than it would otherwise be if it was no longer supported. So I’d get a report from someone along these lines and have to explain why: “HIBP is hosted on the Azure website server (now known as Web...

Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test which has become so popular in recent times. It’s a great way of identifying what’s good and what’s bad about an SSL implementation and indeed, it appears that NAB has pulled their stats: Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result and even if you do, Qualys who runs the service is only checking for publicly accessible information anyway, they’re simply bundling it up into a single test that’s...

How to get your SSL for free on a Shared Azure website with CloudFlare

This content is now available in the Pluralsight course "Getting Started with CloudFlare Security". As you may be well aware by now, Microsoft’s Azure gets me rather excited. That’s not without merit IMHO, it’s a sensational product for all the reasons you can read about in the blog posts at the end of that link. Almost without exception, when I get a question about Azure I have an awesome answer ready to go. Almost… The one question that throws me is the one I was once again asked just recently: I can only justify paying for a Shared Azure website but I need SSL – what do I do? I have...

Everything you need to know about the POODLE SSL bug

We don’t seem to go far these days without the next “catastrophic” bug hitting the internets. Remember how a few weeks ago Shellshock was going to end the internet as we know it? If you believed all the headlines, that sucker was going to own us through our light globes (I suspect some poetic license was taken on my IoT comments) and the web would never be the same. Scroll forward and it’s already “Shell-what?” Earlier this year it was Heartbleed and it too was destined to bring the internet to its knees. Except it didn’t. Whilst I’ve no doubt a number of sites got well and truly...

Lessons in insecure SSL courtesy of Hoyts cinemas

Why do we bother with SSL? I mean what’s the risk that we’re trying to protect against by using certificate authorities and serving up traffic over HTTPS? Usually it’s men (or possibly even women) in the middle or in other words, someone sitting somewhere between the client and the server and getting their hands on the data. Do we all agree with this? Yes? Good, then why on earth would you possibly say this? This was in response to Robert kindly pointing out that their payment screen is not secured. Robert, of course, is entirely correct: Whoa – no padlock in the address bar! Oh no, wait, there it is down in the bottom...

Why have security on a vBulletin forum? Because it’s none of your business, that’s why!

I’m used to seeing short-sighted responses on Twitter when it comes to security, but admittedly this one took me by surprise: This was from a vBulletin “Tech Support Guy” as part of a thread about the security profile of the website MMO Champion, a World of Warcraft discussion site. This is a site that allows you to register with a username and password, store your date of birth (and hide it from public view), communicate privately with other registered users via the messaging system and of course being a vBulletin site, partake in the usual public forum activities. For this particular site, naturally there’s a lot of discussion about gaming. There’s the...

Everything you need to know about the Heartbleed SSL bug

Massive. Huge. Catastrophic. These are all headlines I’ve seen today that basically say we’re now well and truly screwed when it comes to security on the internet. Specifically though, it’s this: The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. Every now and then in the world of security, something rather serious and broad-reaching happens and we all run around like headless chickens wondering what on earth it means. Did the NSA finally “get us”? Is SSL dead? Is the sky falling? Well it’s bad, but not for everyone and quite possibly not as bad...

For your convenience, please disable security warnings

Let’s just start here: Allow me to provide a technical security perspective on this – it’s complete bullshit. More specifically, you’re seeing this because whoever designed the Smashwords site screwed up and embedded insecure content in a page loaded over a secure connection. So what does this look like? Here’s an example in Internet Explorer: But more importantly, what does it actually mean? Short answer: you can’t trust the page any more than you can trust any other page served over an insecure connection. The longer answer is that an asset has been embedded into a page loaded over HTTPS, but the reference to the asset is over HTTP. Now...

On getting Pineappled at Web Directions South

So I’ve just wrapped up another Web Directions presentation where the Pineapple has featured. The what now?! You know, the WiFi Pineapple, that little guy with the ability to do all sorts of nasty things to wireless traffic. Now I’ve Pineappled before, but I’ve never Pineappled quite like this and that’s all down to the Mark V which performed significantly better than the old IV when it comes to the act of Pineappling people. You can read the background on the device in the links above if it’s unfamiliar to you; let me give you an example of what I see in the Pineapple UI. Keeping in mind that the...