Not only has this been a super busy blogging week, it's also the week my coffee machine decided to die 😢 It's not terminal, it's just continually leaking so it's off for a service and I have to fuel my productivity through other means.
But fuel it I did and I spent a big whack of the week doing things I hope to talk about next week (namely some major architectural changes to HIBP services), as well as preparing both the Pemiblanc credential stuffing list for HIBP and then pushing out Pwned Passwords V3. But if I'm honest, it's the post and associated video on HTTPS and static websites I enjoyed the most and based on the number of likes in the launch tweet, it's really hit a sweet spot:
I've wanted to do this post for ages & it's finally done - "Here's Why Your Static Website Needs HTTPS". It's a 24 min video showing a bunch of nasty stuff that can happen to *any* site served insecurely from crypto miners to credential phishing to Clippy: https://t.co/6FfQV7X7bc— Troy Hunt (@troyhunt) July 12, 2018
Yet amazingly, as I type this I'm watching my Twitter feed fill with arguments about the feasibility of attacks, how Google is being an unfair bully and how Scott wasn't very nice when he referred to HTTPS-naysayers as "anti-vaxxers". But this is just a fleeting thing, in the grand scheme of it all, and in the near future we'll all look back and wonder what the fuss was about as secure connections become the norm. For those struggling to accept the change, I suggest having a read of Who Moved My Cheese? An Amazing Way to Deal with Change in Your Work and in Your Life. (True story: this was a corporate mandate in my last job as we were going through a round of layoffs!)
- There were a bunch of data breaches I discussed this week including:
2. Domain Factory in Germany
3. Polar Fitness and military personnel tracking
4. Timehop got popped...
5. ...but their breach disclosure message is awesome
6. Cyanweb's breach disclosure message is terrible
- Check out Stefán Jökull Sigurðarson's poll on how to handle a customer with a pwned password (wow, you people are ruthless!)
- I loaded a 111 million record credential stuffing list called "Pemiblanc" (and heaps of people asked for their password from the data so...)
- I published Pwned Passwords V3 (which, of course, includes all the Pemiblanc passwords so hopefully that helps people who found themselves in that data set)
- Your static website needs HTTPS (I kinda love this video, it was fun and the feedback has been sensational)
- Netsparker is sponsoring my blog again this week (still my favourite security tool after all these years!)