It's a week of tweets! I only wrote the one short blog post this week, but I spent a heap of time on the Twitters arguing with people instead so... that's something? But seriously, there was a huge amount of discussion around HTTPS in particular and some very vocal opinions around its usefulness (or lack thereof), which frankly, had myself and many others tearing their hair out. I'll prepare some great demos over the next few days to illustrate the problems which just seem to be going over the heads of many people. It'll be a fun blog post ?
For now though, here's this week's update which talks through many of the issues covered in those tweets not just as it relates to HTTPS, but also beer, MD5 password hashes, giving another party access to your Gmail (hint: it actually gives them access to your Gmail!) and my 8th MVP award which landed this week.
Given most of these are just tweets, I'm going to embed them here then bullet point the other things further down:
I’m astounded to see people still arguing “my site doesn’t need HTTPS” so I’ll put it simply: either spend a few mins putting it on your site now or continually explaining to your visitors why your site is not “not secure” until you end up doing it anyway. It’s not a negotiation.— Troy Hunt (@troyhunt) June 29, 2018
Egypt didn't just censor the internet. It profited from it.— The Tor Project (@torproject) July 2, 2018
Many blocked sites were redirected to affiliate ads and cryptocurrency mining scripts.
Even @UN sites were redirected.https://t.co/YtwUmJAPJ8 pic.twitter.com/Tgs3gpIIax
“Why do you need so much beer?”— Troy Hunt (@troyhunt) June 30, 2018
Because read my timeline for the last 12 hours arguing with people about HTTPS ?♂️ pic.twitter.com/MJu9FDphWS
Don't think I've seen someone store both a password hash *and* the plain text of it in a data breach! That's, uh... "special" ?♂️ pic.twitter.com/Pw2PMMrmdo— Troy Hunt (@troyhunt) July 1, 2018
I’ve had multiple media requests for comments on this which surprises me because it seems so obvious: if you grant an app permission to read your mail, it can, uh, read your mail. That also means it may show parts of it to other humans - code can do that! https://t.co/krQ2JQiuwj— Troy Hunt (@troyhunt) July 4, 2018
I woke up at 1am unable to sleep with all these coding ideas for @haveibeenpwned in my head. Eventually just decided to get up at 3:30 and start work on it, only to find this email. This is nice ? pic.twitter.com/itsGfUCZcj— Troy Hunt (@troyhunt) July 1, 2018
- China's massive DDoS cannon against GitHub (this was distributed by exploiting unencrypted traffic)
- It's year 8 for MVP! (this program has been a pivotal part of what I do and it's great to remain a part of it)
- Gold Security is sponsoring my blog this week (big thanks to those guys for their ongoing support!)