Tags: security

90

sparkline

Certified Malice – text/plain

Following from that great post about the “zone of death” in browsers, Eric Law looks at security and trust in a world where certificates are free and easily available …even to the bad guys.

Let them paste passwords - NCSC Site

Ever been on one of those websites that doesn’t allow you to paste into the password field? Frustrating, isn’t it? (Especially if you use a password manager.)

It turns out that nobody knows how this ever started. It’s like a cargo cult without any cargo.

The Line of Death – text/plain

A thoroughly fascinating look at which parts of a browser’s interface are available to prevent phishing attacks, and which parts are available to enable phishing attacks. It’s like trench warfare for pixels.

What you need to know about using VPN in the UK – By Andy Parker

If you’re prepping your defences against the snooper’s charter (and you/I should be), Andy recommend using NordVPN.

DiceWARE

This is a wonderful service! Handcrafted artisanal passwords made with a tried and trusted technique:

You roll a die 5 times and write down each number. Then you look up the resulting five-digit number in the Diceware dictionary, which contains a numbered list of short words.

That’s the description from the site’s creator, Mira:

Please keep in mind when ordering that I am a full-time sixth grade student with a lot of homework.

She’s the daughter of Julia Angwin, author of Dragnet Nation.

The Guardian has moved to https 🔒 | Info | The Guardian

Details of The Guardian’s switch to HTTPS.

Oversharing with the browser’s autofill / Stoyan’s phpied.com

Equal parts clever and scary. By using autocomplete in HTML and some offscreen positioning in CSS, it’s possible to extract some unexpected personal information.

I expect browsers will be closing these holes pretty quickly.

Your Social Media Fingerprint

Clever! By exploiting the redirect pattern that most social networks use for logging in, and assuming that site’s favicon isn’t stored in a CDN, it’s possible to figure out whether someone is logged into that site.

Your Private Encrypted Browser | Tenta Browser

A browser for Android that specifically touts privacy and security as its key features.

Passing Away In Pixels – The Interconnected

Justin has been thinking about how we ensure our digital legacy survives our passing.

Battery Status readout as a privacy risk

The security research that went into improving the spec for the Battery Status API. This is why it’s so important that the web holds itself to high standard.

Even most unlikely mechanisms bring unexpected consequences from privacy point of views. That’s why it is necessary to analyze new features, standards, designs, architectures - and products with a privacy angle. This careful process will yield results, decrease the number of issues, abuses and unwelcome surprizes.

Hidden Expectations - daverupert.com

Over the years I’ve come to realize that most difficult part of making websites isn’t the code, it’s the “hidden expectations”, the unseen aspects I didn’t know were my responsibility when I started: Accessibility, Security, Performance, and Empathy.

HTTPS Adoption *doubled* this year

Slowly but surely the web is switching over to HTTPS. The past year shows a two to threefold increase.

Things to Know (and Potential Dangers) with Third-Party Scripts | CSS-Tricks

Third-party scripts can provide powerful functionality, but they also bring risks to privacy, security, performance, and page behavior.

Making bad ads sad. Rad! - O’Reilly Media

A great talk from Bruce on the digital self-defence that ad-blockers provide. I think it’s great that Opera are building ad-blocking straight into the browser.

ISP’s are updating your site without your permission

One more reason to make the switch to HTTPS.

Certbot

For your information, the Let’s Encrypt client is now called Certbot for some reason.

Carry on.

Adding HTTPS to your web site - Robert’s talk

Robert walks through the process he went through to get HTTPS up and running on his Media Temple site.

If you have any experience of switching to HTTPS, please, please share it.

Goodbye CSRF - SameSite to the rescue!

I wasn’t aware of the forthcoming SameSite attribute for cookies—sounds very sensible indeed.

GitHub’s CSP journey - GitHub Engineering

A step-by-step walkthrough of how GitHub has tweaked its Content Security Policy over time. There are some valuable insights here, and I’m really, really happy to see companies share this kind of information.