Weekly Update 87

We're on a beach! It's the day after 3 pretty intense days of NDC conference and the day before Scott heads back to the UK, so the beach was an easy decision. The conference went fantastically well and, in all honesty, was the most enjoyable workshop I think I've done out of ~50 of them these last few years. NDC will be back on the Gold Coast next year, plus of course it will be in Oslo in a few weeks' time, then Sydney in September, where we'll both do it all again.

This week, we talk a lot about EV certs. As I say in the video, neither of us has anything against commercial CAs or even EV certs per se, but the bullshit that surrounds them is totally out of control. Unsubstantiated claims, unexpected revocations made without warning and a foundation of "people and browsers should work differently to make EV useful" are just polluting the airwaves with FUD. It will become less of an issue if (when) Chrome proceeds with deprecating the visual EV indicator altogether, but until then Scott and I will certainly keep calling it out when crazy claims are made. And this is really the crux of the issue: claims either for or against EV (and indeed visual indicators in general) need to be substantiated. This simply isn't happening in the pro-EV camp, but it is happening on the Google front by virtue of the ongoing user testing we mention. Let's be pro-evidence and push for solid research and facts.

Also this week, 2 new Pluralsight courses! In fact, there are still 2 more with Casey Ellis on bug bounties yet to come too, but I'll write about those next week. I'll be off traveling again next week (albeit only for a day domestically), and I'll do my best to get some more blogging done, but time has been absolutely flying by lately and I need to start thinking about preparation for the Europe trip in June too. Regardless, let me see what I can pump out and, at the very least, there'll always be something crazy and new to talk about next week anyway.


References

  1. Revocation is broken (Scott talks about the fundamental problems with cert revocation)
  2. Entrust made some pretty wild claims about EV (the first bullet point is pure speculation and the rest is based on very flawed thinking)
  3. Ryan Sleevi from Google tore the Entrust research to shreds (this is well worth a read)
  4. Scott tracked down Trustico (turns out that blocking on Twitter wasn't enough to keep him away!)
  5. I published a new Pluralsight course on the OWASP Top 10, 2017 edition (it's a "Play by Play" with Andrew van der Stock from the OWASP board)
  6. And a new Pluralsight course on shadow IT (this one as part of my "Security-centric Culture" series - and it's free!)
  7. Netsparker is sponsoring my blog again this week (big shout out to them for their continued support and for making a product I still regularly use myself)