Tags: security

Introducing Universal SSL

Great news from Cloudflare—https endpoints by default!

This means that if you’re planning on switching on TLS for your site, but you’re using Cloudflare as a CDN, you’ve got one less thing to change (and goodness knows you’re going to have enough to do already).

I really like their reasoning for doing this, despite the fact that it might mean that they take a financial hit:

Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world. Together we can do great things.

Anne’s Blog

Anne is documenting his process of going https:

  1. TLS: first steps
  2. TLS: issues with StartSSL
  3. TLS: issues with DreamHost
  4. TLS: deploy HSTS
  5. TLS: next steps

I’m really glad he’s doing this.

How to secure your site in an afternoon - Josh Emerson

Josh walks through the process he took to enable SSL on his site (with particular attention to securing assets on CloudFront).

Seeing Like a Network — The Message — Medium

How computers work:

One day, a man named Alan Turing found a magic lamp, and rubbed it. Out popped a genie, and Turing wished for infinite wishes. Then we killed him for being gay, but we still have the wishes.

Then we networked computers together:

The network is ultimately not doing a favor for those in power, even if they think they’ve mastered it for now. It increases their power a bit, it increases the power of individuals immeasurably. We just have to learn to live in the age of networks.

We are all nodes in many networks. This is a beautiful description of how one of those networks operates.

Meet the Online Tracking Device That is Virtually Impossible to Block - ProPublica

Well, thanks to the ass-hattery of AddThis, the use case of your site’s visitors switching off JavaScript for (legitimate) security reasons just became a lot more plausible.

But you’re using JavaScript as an enhancement, right? You’re not relying on it for core tasks, right?

Keren Elazari: Hackers: the Internet’s immune system | Talk Video | TED.com

Did you see Keren at dConstruct 2012? Well, here she is at this year’s TED conference delivering a barnstorming talk on hacker culture.

Tim Bray · Pervasive Monitoring Is an Attack

The IETF have decided that network surveillance is damage to be routed around.

Section for peer-reviewed Custom Elements · Issue

Some sensible thoughts from Addy on how Web Components might be peer-reviewed.

Aerotwist - Web Components and the Three Unsexy Pillars

A healthy dose of scepticism about Web Components, looking at them through the lenses of accessibility, security, and performance.

I share some of this concern: Web Components might look like handy ready-made out-of-the-box solutions, but the truth is that web developers have to do much more of the hard graft that was traditionally left to the browser.

What is EME?

Henri gives an overview of the DRM-style encryption proposed for HTML. It’s a very balanced unbiased description, but if you have the slightest concern about security, sentences like this should give you the heebie-jeebies:

Neither the browser nor the JavaScript program understand the bytes.

NSA-Proof Your Email! Consider your Man Card Re-Issued. Never be Afraid Again.

We shouldn’t be protecting ourselves. We should be protecting each other.

Chrome’s insane password security strategy by Elliott Kember

A description of the shockingly cavalier attitude that Chrome takes with saved passwords:

Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.

Installable Webapps: Extend the Sandbox by Boris Smus

This is a great proposal: well-researched and explained, it tackles the tricky subject of balancing security and access to native APIs.

Far too many ideas around installable websites focus on imitating native behaviour in a cargo-cult kind of way, whereas this acknowledges addressability (with URLs) as a killer feature of the web …a beautiful baby that we definitely don’t want to throw out with the bathwater.

The open internet and the web

A history lesson from Vint Cerf. I can’t help but picture him as The Architect in The Matrix Reloaded.

When Tim Berners-Lee invented and released the World Wide Web (WWW) design in late 1991, he found an open and receptive internet in operation onto which the WWW could be placed. The WWW design, like the design of the internet, was very open and encouraged a growing cadre of self-taught webmasters to develop content and applications.

Alice and Bob in Cipherspace

A clear explanation of the current state of homomorphic encryption.

LukeW | Mobile Design Details: Hide/Show Passwords

I concur completely with Luke’s assessment here. Most password-masking on the web is just security theatre. Displaying password inputs by default (but with an option to hide) should be the norm.

The Perpetual, Invisible Window Into Your Gmail Inbox - Waxy.org

Andy sounds a cautionary note: the password anti-pattern may be dying, but OAuth permission-granting shouldn’t be blasé. This is why granular permissions are so important.

BlackBerry Future Visions 2 - Leaked Video - YouTube

Possibly the least imaginative concept video ever made, this piece commissioned by BlackBerry shows a dystopian near-future ruled by security departments run by people with very, very tired arms.

Authentical: Random factoids I’ve encountered in authentication user research so far

Dana has put together an excellent grab-bag of data on people’s password habits.

Swiss Fort Knox

This is the stuff James Bond stories are made of. Except in this case, the fortress exists to store data rather than criminal masterminds.

4thamendmentwear

Metallic ink-printed undershirts and underwear. For Americans who wish to assert their rights without saying a word.

random($foo): Secure Connections

Leonard has some handy tips for protecting yourself against Firesheep and its ilk.

Plugging the CSS History Leak at Mozilla Security Blog

Mozilla aims to plug the :visited/getComputedStyle bug/feature.

Chroma-Hash Demo

Another interesting take on assigning a visual clue to password fields.

arc90 lab : experiments : HashMask - Another (More Secure!) Experiment in Password Masking

Here's an interesting idea: generating a sparkline when you input a password ...familiarity with the generated sparkline acts as a visual aid to the user.

Twitter Status - Phishing scam

And this, boys and girls, is why the password anti-pattern is bad, m'kay?

The OpenID and OAuth Flow: Playing with UX · Ben Ward

A thoughtful post from Ben on how the flow of OAuth, OpenID and Facebook Connect can be improved.

Wait till I come! » Blog Archive » Detecting and displaying the information of a logged-in twitter user

Clever or creepy? You decide.

Twitter Status - Don't Click That Link!

Twitter's promotion of the password anti-pattern bites them on the ass.

Main - browsersec - Google Code - Browser Security Handbook landing page

This looks like being an excellent—and free—resource "...meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers."

Maybe the effort we go to as we think about the... · Ben Ward's Scattered Mind

"Facebook has rolled out an identity system — Facebook Connect — with a slick UI that trains a gazillion tech-naïve users to slap their identity credentials into any old website."

Web Security Horror Stories: The Director's Cut at

The slides from Simon's excellent full-length presentation at the head conference. Every web developer needs to be aware of these issues.

Facebook Security Advice: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To

I never thought I'd find myself linking to and agreeing with a post on TechC*nt but it's good to see somebody pointing out Facebook's hypocrisy with using the password anti-pattern.

bunnyhero dev » Scaring people with fullScreen

Fullscreen mode for Flash movies could be used to totally freak people out. Here's how.

Bruce Schneier: Are photographers really a threat? | Technology | The Guardian

An excellent article that explodes the ludicrous myth that terrorists like to go around taking pictures of potential targets so therefore photographers are dangerous.

Coding Horror: A Question of Programming Ethics

A cautionary tale that explains just why the password anti-pattern needs to die. Coding horror indeed: in this case, 1,777 GMail accounts were compromised.

TSA Now Requiring All Electronic Items Placed In Bins at SFO | Laughing Squid

I must remember to allow plenty of time at the airport when I'm leaving San Francisco.

Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in. - CA Security Advisor Research Blog - CA

An excellent piece of research that shows how Facebook affiliates' cross-site scripting (Beacon) sends information back to the mothership regardless of whether the user has opted out.

disambiguity - » Design Ethics - Encouraging responsible behaviour

Leisa joins in on the password anti-pattern. As she says, this is a question of ethics. I've already made my position clear to my colleagues and clients. Have you?

The Open Rights Group : Blog Archive » HMRC fiasco: Government “not interested” in expert warnings

The ORG turn a Newsnight interview into hypertext, thereby strengthening the message exponentially.

xkcd - A webcomic of romance, sarcasm, math, and language - By Randall Munroe

Yes, you have to be a bit of a database geek to find this funny but if you are, this is very funny indeed.

Orbicule | Undercover

An interesting product designed to catch the thieves after your Macbook gets stolen.

antigeek dot net » On setting appropriate security questions

A few ideas for security questions that had me laughing out loud.

Concurring Opinions: The Airline Screening Playset: Hours of Fun!

I know what I want for Christmas.

Google Secure Access

Looks like Google is getting into the WiFi game.