Slowly but surely the web is switching over to HTTPS. The past year shows a two to threefold increase.
Third-party scripts can provide powerful functionality, but they also bring risks to privacy, security, performance, and page behavior.
A great talk from Bruce on the digital self-defence that ad-blockers provide. I think it’s great that Opera are building ad-blocking straight into the browser.
One more reason to make the switch to HTTPS.
For your information, the Let’s Encrypt client is now called Certbot for some reason.
Robert walks through the process he went through to get HTTPS up and running on his Media Temple site.
If you have any experience of switching to HTTPS, please, please share it.
I wasn’t aware of the forthcoming SameSite attribute for cookies—sounds very sensible indeed.
A step-by-step walkthrough of how GitHub has tweaked its Content Security Policy over time. There are some valuable insights here, and I’m really, really happy to see companies share this kind of information.
Finally! An article about moving to HTTPS that isn’t simply saying “Hey, it’s easy and everyone should do it!” This case study says “Hey, it’s hard …and everyone should do it.”
Widespread XSS Vulnerabilities in Ad Network Code Affecting Top Tier Publishers, Retailers - Randy Westergren
This industry-wide problem serves as a great example of how 3rd-party components can compromise the security of an otherwise secure site.
One more reason to install an ad blocker.
This is useful if you’re making the switch to HTTPS: choose your web server software and version to generate a configuration file.
Remember when I mentioned that you can get free certificates from Amazon now? Well, Oliver has written an in-depth step-by-step description of how he got his static site all set up with HTTPS.
More of this please! Share your experiences with moving to TLS—the more, the better.
If you’re hosting with Amazon, you now get HTTPS for free.
If you’re planning the move to TLS and your server is on Digital Ocean running Nginx, Graham’s here to run you through the (surprisingly simple) process.
Tim outlines the process for getting up and running with HTTPS using Let’s Encrypt. Looks like it’s pretty straightforward, which is very, very good news.
I’m using the Salter Cane site as a test ground for this. I was able to get everything installed fairly easily. The tricky thing will be having some kind of renewal reminder—the certificates expire after three months.
Still, all the signs are good that HTTPS is about to get a lot less painful.
Aaron collects some recent examples that demonstrate
- why we should use HTTPS and
- why we should use progressive enhancement.
I really like this impassioned love letter to the web. This resonates:
The web is a worthy monument for society. It cannot be taken away by apps in the app store or link bait on Facebook, but it can be lost if we don’t continue to steward this creation of ours. The web is a garden that needs constant tending to thrive. And in the true fashion of the world wide web, this is no task for one person or entity. It will require vigilance and work from us all.
The first in a series of articles about the architecture of the internet and its security issues, this is a great history lesson of how our network came to be.
What began as an online community for a few dozen researchers now is accessible to an estimated 3 billion people. That’s roughly the population of the entire planet in the early 1960s, when talk began of building a revolutionary new computer network.
I believe that Mozilla can make progress in privacy, but leadership needs to recognize that current advertising practices that enable “free” content are in direct conflict with security, privacy, stability, and performance concerns — and that Firefox is first and foremost a user-agent, not an industry-agent.
François is here at Indie Web Camp Germany helping out anyone who wants to get their site running on https. He wrote this great post to get people started.
This is a really good point from Tim Berners-Lee: there’s no good reason why switching to TLS should require a change of URLs from http:// to https://
Luke continues to tilt against the windmills of the security theatre inertia that still has us hiding passwords by default. As ever, he’s got the data to back up his findings.
There are some good points here comparing HTTP2 and SPDY, but I’m mostly linking to this because of the three wonderful opening paragraphs:
A very long time ago—in 1989—Ronald Reagan was president, albeit only for the final 19½ days of his term. And before 1989 was over Taylor Swift had been born, and Andrei Sakharov and Samuel Beckett had died.
In the long run, the most memorable event of 1989 will probably be that Tim Berners-Lee hacked up the HTTP protocol and named the result the “World Wide Web.” (One remarkable property of this name is that the abbreviation “WWW” has twice as many syllables and takes longer to pronounce.)
Tim’s HTTP protocol ran on 10Mbit/s, Ethernet, and coax cables, and his computer was a NeXT Cube with a 25-MHz clock frequency. Twenty-six years later, my laptop CPU is a hundred times faster and has a thousand times as much RAM as Tim’s machine had, but the HTTP protocol is still the same.
A really handy command-line tool that scans your site for mixed content — very useful if you’re making the switch from http to https.
A fascinating look at how the humble password gets imbued with incredible levels of meaning.
It reminds me of something I heard Ze Frank say last year: “People fill up the cracks with intimacy.”
This is a great development! The EFF are working on creating a new certificate authority that will issue certs for free.
I am so happy that the certificate authority racket is getting this shake-up.
A friendly challenge from The Grey Lady for news sites to enable TLS.
Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.
Netflix are going full 927 on TLS.
Incredibly, you have to manually download and run this patch for Shellshock on OS X: it’s not being pushed as a security update.
But the new U2 album? That’s being pushed to everyone.
Great news from Cloudflare—https endpoints by default!
This means that if you’re planning on switching on TLS for your site, but you’re using Cloudflare as a CDN, you’ve got one less thing to change (and goodness knows you’re going to have enough to do already).
I really like their reasoning for doing this, despite the fact that it might mean that they take a financial hit:
Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world. Together we can do great things.
Josh walks through the process he took to enabling SSL on his site (with particular attention to securing assets on CloudFront).
How computers work:
One day, a man named Alan Turing found a magic lamp, and rubbed it. Out popped a genie, and Turing wished for infinite wishes. Then we killed him for being gay, but we still have the wishes.
Then we networked computers together:
The network is ultimately not doing a favor for those in power, even if they think they’ve mastered it for now. It increases their power a bit, it increases the power of individuals immeasurably. We just have to learn to live in the age of networks.
We are all nodes in many networks. This is a beautiful description of how one of those networks operates.
Did you see Keren at dConstruct 2012? Well, here she is at this year’s TED conference delivering a barnstorming talk on hacker culture.
The IETF have decided that network surveillance is damage to be routed around.
Some sensible thoughts from Addy on how Web Components might be peer-reviewed.
A healthy dose of scepticism about Web Components, looking at them through the lenses of accessibility, security, and performance.
I share some of this concern: Web Components might look like handy ready-made out-of-the-box solutions, but the truth is that web developers have to do much more of the hard graft that was traditionally left to the browser.
Henri gives an overview of the DRM-style encryption proposed for HTML. It’s a very balanced, unbiased description, but if you have the slightest concern about security, sentences like this should give you the heebie-jeebies:
We shouldn’t be protecting ourselves. We should be protecting each other.
A description of the shockingly cavalier attitude that Chrome takes with saved passwords:
Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.
This is a great proposal: well-researched and explained, it tackles the tricky subject of balancing security and access to native APIs.
Far too many ideas around installable websites focus on imitating native behaviour in a cargo-cult kind of way, whereas this acknowledges addressability (with URLs) as a killer feature of the web …a beautiful baby that we definitely don’t want to throw out with the bathwater.
A history lesson from Vint Cerf. I can’t help but picture him as The Architect in The Matrix Reloaded.
When Tim Berners-Lee invented and released the World Wide Web (WWW) design in late 1991, he found an open and receptive internet in operation onto which the WWW could be placed. The WWW design, like the design of the internet, was very open and encouraged a growing cadre of self-taught webmasters to develop content and applications.
A clear explanation of the current state of homomorphic encryption.
I concur completely with Luke’s assessment here. Most password-masking on the web is just security theatre. Displaying password inputs by default (but with an option to hide) should be the norm.
Andy sounds a cautionary note: the password anti-pattern may be dying, but OAuth permission-granting shouldn’t be blasé. This is why granular permissions are so important.
Possibly the least imaginative concept video ever made, this piece commissioned by Blackberry shows a dystopian near-future ruled by security departments run by people with very, very tired arms.
Dana has put together an excellent grab-bag of data on people’s password habits.
This is the stuff James Bond stories are made of. Except in this case, the fortress exists to store data rather than criminal masterminds.
Metallic ink-printed undershirts and underwear. For Americans who wish to assert their rights without saying a word.
Leonard has some handy tips for protecting yourself against Firesheep and its ilk.
Mozilla aims to plug the :visited/getComputedStyle bug/feature.
Another interesting take on assigning a visual clue to password fields.
Here's an interesting idea: generating a sparkline when you input a password ...familiarity with the generated sparkline acts as a visual aid to the user.
And this, boys and girls, is why the password anti-pattern is bad, m'kay?
A thoughtful post from Ben on how the flow of OAuth, OpenID and Facebook Connect can be improved.
Wait till I come! » Blog Archive » Detecting and displaying the information of a logged-in twitter user
Clever or creepy? You decide.
Twitter's promotion of the password anti-pattern bites them on the ass.
This looks like being an excellent—and free—resource "...meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers."
"Facebook has rolled out an identity system — Facebook Connect — with a slick UI that trains a gazillion tech-naïve users to slap their identity credentials into any old website."
The slides from Simon's excellent full-length presentation at the head conference. Every web developer needs to be aware of these issues.
I never thought I'd find myself linking to and agreeing with a post on TechC*nt but it's good to see somebody pointing out Facebook's hypocrisy with using the password anti-pattern.
Fullscreen mode for Flash movies could be used to totally freak people out. Here's how.
An excellent article that explodes the ludicrous myth that terrorists like to go around taking pictures of potential targets so therefore photographers are dangerous.
A cautionary tale that explains just why the password anti-pattern needs to die. Coding horror indeed: in this case, 1,777 GMail accounts were compromised.
I must remember to allow plenty of time at the airport when I'm leaving San Francisco.
Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in. - CA Security Advisor Research Blog - CA
An excellent piece of research that shows how Facebook affiliates' cross-site scripting (Beacon) sends information back to the mothership regardless of whether the user has opted out.
Leisa joins in on the password anti-pattern. As she says, this is a question of ethics. I've already made my position clear to my colleagues and clients. Have you?
The ORG turn a Newsnight interview into hypertext, thereby strengthening the message exponentially.
Yes, you have to be a bit of a database geek to find this funny but if you are, this is very funny indeed.
An interesting product designed to catch the thieves after your Macbook gets stolen.
A few ideas for security questions that had me laughing out loud.
I know what I want for Christmas.
Looks like Google is getting into the WiFi game.