Tags: security

More Proof We Don’t Control Our Web Pages, From the Notebook of Aaron Gustafson

Aaron collects some recent examples that demonstrate

  1. why we should use HTTPS and
  2. why we should use progressive enhancement.

Keep The Web Healthy

I really like this impassioned love letter to the web. This resonates:

The web is a worthy monument for society. It cannot be taken away by apps in the app store or link bait on Facebook, but it can be lost if we don’t continue to steward this creation of ours. The web is a garden that needs constant tending to thrive. And in the true fashion of the world wide web, this is no task for one person or entity. It will require vigilance and work from us all.

The real story of how the Internet became so vulnerable | The Washington Post

The first in a series of articles about the architecture of the internet and its security issues, this is a great history lesson of how our network came to be.

What began as an online community for a few dozen researchers now is accessible to an estimated 3 billion people. That’s roughly the population of the entire planet in the early 1960s, when talk began of building a revolutionary new computer network.

Monica at Mozilla: Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

I believe that Mozilla can make progress in privacy, but leadership needs to recognize that current advertising practices that enable “free” content are in direct conflict with security, privacy, stability, and performance concerns — and that Firefox is first and foremost a user-agent, not an industry-agent.

Enabling https SSL on your site | Surf the Dream

Justin is at Indie Web Camp Germany with me and he’s been converting Am I Responsive? to https—here’s his write-up.


François is here at Indie Web Camp Germany helping out anyone who wants to get their site running on https. He wrote this great post to get people started.

TLS Everywhere, not https: URIs - Design Issues

This is a really good point from Tim Berners-Lee: there’s no good reason why switching to TLS should require a change of URLs from http:// to https://

LukeW | Showing Passwords on Log-In Screens

Luke continues to tilt against the windmills of the security theatre inertia that still has us hiding passwords by default. As ever, he’s got the data to back up his findings.


Tracking the state of TLS support on prominent websites. It doesn’t look great, particularly in the States.

HTTP/2.0 - The IETF is Phoning It In - ACM Queue

There are some good points here comparing HTTP2 and SPDY, but I’m mostly linking to this because of the three wonderful opening paragraphs:

A very long time ago—in 1989—Ronald Reagan was president, albeit only for the final 19½ days of his term. And before 1989 was over Taylor Swift had been born, and Andrei Sakharov and Samuel Beckett had died.

In the long run, the most memorable event of 1989 will probably be that Tim Berners-Lee hacked up the HTTP protocol and named the result the “World Wide Web.” (One remarkable property of this name is that the abbreviation “WWW” has twice as many syllables and takes longer to pronounce.)

Tim’s HTTP protocol ran on 10Mbit/s, Ethernet, and coax cables, and his computer was a NeXT Cube with a 25-MHz clock frequency. Twenty-six years later, my laptop CPU is a hundred times faster and has a thousand times as much RAM as Tim’s machine had, but the HTTP protocol is still the same.


A really handy command-line tool that scans your site for mixed content — very useful if you’re making the switch from http to https.

The Secret Life of Passwords - NYTimes.com

A fascinating look at how the humble password gets imbued with incredible levels of meaning.

It reminds me of something I heard Ze Frank say last year: “People fill up the cracks with intimacy.”

Let’s Encrypt

This is a great development! The EFF are working on creating a new certificate authority that will issue certs for free.

I am so happy that the certificate authority racket is getting this shake-up.

Embracing HTTPS - NYTimes.com

A friendly challenge from The Grey Lady for news sites to enable TLS.

Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.

OS X bash Update 1.0 – OS X Mavericks

Incredibly, you have to manually download and run this patch for Shellshock on OS X: it’s not being pushed as a security update.

But the new U2 album? That’s being pushed to everyone.

Introducing Universal SSL

Great news from Cloudflare—https endpoints by default!

This means that if you’re planning on switching on TLS for your site, but you’re using Cloudflare as a CDN, you’ve got one less thing to change (and goodness knows you’re going to have enough to do already).

I really like their reasoning for doing this, despite the fact that it might mean that they take a financial hit:

Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world. Together we can do great things.

Anne’s Blog

Anne is documenting his process of going https:

  1. TLS: first steps
  2. TLS: issues with StartSSL
  3. TLS: issues with DreamHost
  4. TLS: deploy HSTS
  5. TLS: next steps

I’m really glad he’s doing this.

How to secure your site in an afternoon - Josh Emerson

Josh walks through the process he took to enable SSL on his site (with particular attention to securing assets on CloudFront).

Seeing Like a Network — The Message — Medium

How computers work:

One day, a man named Alan Turing found a magic lamp, and rubbed it. Out popped a genie, and Turing wished for infinite wishes. Then we killed him for being gay, but we still have the wishes.

Then we networked computers together:

The network is ultimately not doing a favor for those in power, even if they think they’ve mastered it for now. It increases their power a bit, it increases the power of individuals immeasurably. We just have to learn to live in the age of networks.

We are all nodes in many networks. This is a beautiful description of how one of those networks operates.

Meet the Online Tracking Device That is Virtually Impossible to Block - ProPublica

Well, thanks to the ass-hattery of AddThis, the use case of your site’s visitors switching off JavaScript for (legitimate) security reasons just became a lot more plausible.

But you’re using JavaScript as an enhancement, right? You’re not relying on it for core tasks, right?

Keren Elazari: Hackers: the Internet’s immune system | Talk Video | TED.com

Did you see Keren at dConstruct 2012? Well, here she is at this year’s TED conference delivering a barnstorming talk on hacker culture.

Tim Bray · Pervasive Monitoring Is an Attack

The IETF have decided that network surveillance is damage to be routed around.

Section for peer-reviewed Custom Elements · Issue

Some sensible thoughts from Addy on how Web Components might be peer-reviewed.

Aerotwist - Web Components and the Three Unsexy Pillars

A healthy dose of scepticism about Web Components, looking at them through the lenses of accessibility, security, and performance.

I share some of this concern: Web Components might look like handy ready-made out-of-the-box solutions, but the truth is that web developers have to do much more of the hard graft that was traditionally left to the browser.

What is EME?

Henri gives an overview of the DRM-style encryption proposed for HTML. It’s a very balanced unbiased description, but if you have the slightest concern about security, sentences like this should give you the heebie-jeebies:

Neither the browser nor the JavaScript program understand the bytes.

NSA-Proof Your Email! Consider your Man Card Re-Issued. Never be Afraid Again.

We shouldn’t be protecting ourselves. We should be protecting each other.

Chrome’s insane password security strategy by Elliott Kember

A description of the shockingly cavalier attitude that Chrome takes with saved passwords:

Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.

Installable Webapps: Extend the Sandbox by Boris Smus

This is a great proposal: well-researched and explained, it tackles the tricky subject of balancing security and access to native APIs.

Far too many ideas around installable websites focus on imitating native behaviour in a cargo-cult kind of way, whereas this acknowledges addressability (with URLs) as a killer feature of the web …a beautiful baby that we definitely don’t want to throw out with the bathwater.

The open internet and the web

A history lesson from Vint Cerf. I can’t help but picture him as The Architect in The Matrix Reloaded.

When Tim Berners-Lee invented and released the World Wide Web (WWW) design in late 1991, he found an open and receptive internet in operation onto which the WWW could be placed. The WWW design, like the design of the internet, was very open and encouraged a growing cadre of self-taught webmasters to develop content and applications.

Alice and Bob in Cipherspace

A clear explanation of the current state of homomorphic encryption.

LukeW | Mobile Design Details: Hide/Show Passwords

I concur completely with Luke’s assessment here. Most password-masking on the web is just security theatre. Displaying password inputs by default (but with an option to hide) should be the norm.

The Perpetual, Invisible Window Into Your Gmail Inbox - Waxy.org

Andy sounds a cautionary note: the password anti-pattern may be dying, but OAuth permission-granting shouldn’t be blasé. This is why granular permissions are so important.

BlackBerry Future Visions 2 - Leaked Video - YouTube

Possibly the least imaginative concept video ever made, this piece commissioned by Blackberry shows a dystopian near-future ruled by security departments run by people with very, very tired arms.

Authentical: Random factoids I’ve encountered in authentication user research so far

Dana has put together an excellent grab-bag of data on people’s password habits.

Swiss Fort Knox

This is the stuff James Bond stories are made of. Except in this case, the fortress exists to store data rather than criminal masterminds.


Metallic ink-printed undershirts and underwear. For Americans who wish to assert their rights without saying a word.

random($foo): Secure Connections

Leonard has some handy tips for protecting yourself against Firesheep and its ilk.

Plugging the CSS History Leak at Mozilla Security Blog

Mozilla aims to plug the :visited/getComputedStyle bug/feature.

Chroma-Hash Demo

Another interesting take on assigning a visual clue to password fields.

arc90 lab : experiments : HashMask - Another (More Secure!) Experiment in Password Masking

Here's an interesting idea: generating a sparkline when you input a password ...familiarity with the generated sparkline acts as a visual aid to the user.

Twitter Status - Phishing scam

And this, boys and girls, is why the password anti-pattern is bad, m'kay?

The OpenID and OAuth Flow: Playing with UX · Ben Ward

A thoughtful post from Ben on how the flow of OAuth, OpenID and Facebook Connect can be improved.

Twitter Status - Don't Click That Link!

Twitter's promotion of the password anti-pattern bites them on the ass.

Main - browsersec - Google Code - Browser Security Handbook landing page

This looks like being an excellent—and free—resource "...meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers."

Maybe the effort we go to as we think about the... · Ben Ward's Scattered Mind

"Facebook has rolled out an identity system — Facebook Connect — with a slick UI that trains a gazillion tech-naïve users to slap their identity credentials into any old website."

Web Security Horror Stories: The Director's Cut at

The slides from Simon's excellent full-length presentation at the head conference. Every web developer needs to be aware of these issues.

Facebook Security Advice: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To

I never thought I'd find myself linking to and agreeing with a post on TechC*nt but it's good to see somebody pointing out Facebook's hypocrisy with using the password anti-pattern.

bunnyhero dev » Scaring people with fullScreen

Fullscreen mode for Flash movies could be used to totally freak people out. Here's how.

Bruce Schneier: Are photographers really a threat? | Technology | The Guardian

An excellent article that explodes the ludicrous myth that terrorists like to go around taking pictures of potential targets so therefore photographers are dangerous.

Coding Horror: A Question of Programming Ethics

A cautionary tale that explains just why the password anti-pattern needs to die. Coding horror indeed: in this case, 1,777 GMail accounts were compromised.

TSA Now Requiring All Electronic Items Placed In Bins at SFO | Laughing Squid

I must remember to allow plenty of time at the airport when I'm leaving San Francisco.

Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in. - CA Security Advisor Research Blog - CA

An excellent piece of research that shows how Facebook affiliates' cross-site scripting (Beacon) sends information back to the mothership regardless of whether the user has opted out.

disambiguity - » Design Ethics - Encouraging responsible behaviour

Leisa joins in on the password anti-pattern. As she says, this is a question of ethics. I've already made my position clear to my colleagues and clients. Have you?

The Open Rights Group : Blog Archive » HMRC fiasco: Government “not interested” in expert warnings

The ORG turn a Newsnight interview into hypertext, thereby strengthening the message exponentially.

xkcd - A webcomic of romance, sarcasm, math, and language - By Randall Munroe

Yes, you have to be a bit of a database geek to find this funny but if you are, this is very funny indeed.

Orbicule | Undercover

An interesting product designed to catch the thieves after your Macbook gets stolen.

antigeek dot net » On setting appropriate security questions

A few ideas for security questions that had me laughing out loud.

Google Secure Access

Looks like Google is getting into the WiFi game.