Tags: security



Friday, July 28th, 2017

Distributed and syndicated content: what’s wrong with this picture? | Technical Architecture Group

Hadley points to the serious security concerns with AMP:

Fundamentally, we think that it’s crucial to the web ecosystem for you to understand where content comes from and for the browser to protect you from harm. We are seriously concerned about publication strategies that undermine them.

Andrew goes into more detail:

The anchor element is designed to allow one website to refer visitors to content on another website, whilst retaining all the features of the web platform. We encourage distribution platforms to use this mechanism where appropriate. We encourage the loading of pages from original source origins, rather than re-hosted, non-canonical locations.

That last sentence there? That’s what I’m talking about!

Tuesday, May 23rd, 2017

Service Worker Security FAQ - The Chromium Projects

Got questions about the security of service workers? This document probably has the answer.

Friday, May 12th, 2017

Amber Wilson: HTTPS Poem

How wonderful is this‽ The latest research task I set for Amber was on HTTPS, and she has delivered her findings …as a poem!

Tuesday, April 25th, 2017

DRM for the Web is a Bad Idea | Internet Archive Blogs

The Encrypted Media Extensions (EME) addition to HTML is effectively DRM with the blessing of the W3C. It’s bad for accessibility, bad for usability, bad for security, and as the Internet Archive rightly points out, it’s bad for digital preservation.

Sunday, April 16th, 2017

Phishing with Unicode Domains - Xudong Zheng

Domains registered with punycode names (and then given TLS certificates) are worryingly indistinguishable from their ASCII counterparts.

Can you spot the difference between the URLs https://adactio.com and https://аdаctіо.com?

Thursday, April 13th, 2017

Digital Assistants, Facebook Quizzes, And Fake News! You Won’t Believe What Happens Next | Laura Kalbag

A great presentation from Laura on how tracking scripts are killing the web. We can point our fingers at advertising companies to blame for this, but it’s still developers like us who put those scripts onto websites.

We need to ask ourselves these questions about what we build. Because we are the gatekeepers of what we create. We don’t have to add tracking to everything, it’s already gotten out of our control.

Wednesday, April 12th, 2017

IF Data Permissions Catalogue

A collection of interface patterns for granting or denying permissions.

Friday, March 24th, 2017


Steps you can take to secure your phone and computer. This is especially useful in countries where ubiquitous surveillance is not only legal, but mandated by law (such as China, Australia, and the UK).

Friday, March 10th, 2017

Password Rules Are Bullshit

And here’s another reason why password rules are bullshit: you’re basically giving a list of instructions to hackers—the password rules help them narrow down the strings they need to brute force.

Monday, March 6th, 2017

PushCrew Push Notifications for HTTP websites

A nasty service that Harry noticed in his role as chronicler of dark patterns—this exploits the way that browser permissions are presented below the line of death.

Saturday, February 25th, 2017

Social Media Needs A Travel Mode (Idle Words)

We don’t take our other valuables with us when we travel—we leave the important stuff at home, or in a safe place. But Facebook and Google don’t give us similar control over our valuable data. With these online services, it’s all or nothing.

We need a ‘trip mode’ for social media sites that reduces our contact list and history to a minimal subset of what the site normally offers.

Monday, January 30th, 2017

The Invention of Wireless Cryptography—The Appendix

A marvellous story of early twentieth century espionage over the airwaves.

In one proposal, hidden instructions were interspersed within regular, ordinary-looking messages by slightly lengthening the spaces between dots and dashes.

Sunday, January 29th, 2017

Life plus Linux: Look before you paste from a website to terminal

The (literally) hidden dangers of copying code snippets from the web and pasting them into the command line.

This cautionary tale backs up a small tip I heard for getting to understand how found code works: deliberately type it out instead of copying and pasting.

Thursday, January 19th, 2017

Certified Malice – text/plain

Following from that great post about the “zone of death” in browsers, Eric Law looks at security and trust in a world where certificates are free and easily available …even to the bad guys.

Let them paste passwords - NCSC Site

Ever been on one of those websites that doesn’t allow you to paste into the password field? Frustrating, isn’t it? (Especially if you use a password manager.)

It turns out that nobody knows how this ever started. It’s like a cargo cult without any cargo.

Monday, January 16th, 2017

The Line of Death – text/plain

A thoroughly fascinating look at which parts of a browser’s interface are available to prevent phishing attacks, and which parts are available to enable phishing attacks. It’s like trench warfare for pixels.

Wednesday, December 28th, 2016

What you need to know about using VPN in the UK – By Andy Parker

If you’re prepping your defences against the snooper’s charter (and you/I should be), Andy recommend using NordVPN.

Saturday, December 10th, 2016

Certbot renewals with Apache

I wrote a while back about switching to HTTPS on Apache 2.4.7 on Ubuntu 14.04 on Digital Ocean. In that post, I pointed to an example .conf file.

I’ve been having a few issues with my certificate renewals with Certbot (the artist formerly known as Let’s Encrypt). If I did a dry-run for renewing my certificates…

/etc/certbot-auto renew --dry-run

… I kept getting this message:

Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories. Falling back to default vhost *:443…

It turns out that Certbot doesn’t like HTTP and HTTPS configurations being lumped into one .conf file. Instead it expects to see all the port 80 stuff in a domain.com.conf file, and the port 443 stuff in a domain.com-ssl.conf file.

So I’ve taken that original .conf file and split it up into two.

First I SSH’d into my server and went to the Apache directory where all these .conf files live:

cd /etc/apache2/sites-available

Then I copied the current (single) file to make the SSL version:

cp yourdomain.com.conf yourdomain.com-ssl.conf

Time to fire up one of those weird text editors to edit that newly-created file:

nano yourdomain.com-ssl.conf

I deleted everything related to port 80—all the stuff between (and including) the VirtualHost *:80 tags:

<VirtualHost *:80>

Hit ctrl and o, press enter in response to the prompt, and then hit ctrl and x.

Now I do the opposite for the original file:

nano yourdomain.com.conf

Delete everything related to VirtualHost *:443:

<VirtualHost *:443>

Once again, I hit ctrl and o, press enter in response to the prompt, and then hit ctrl and x.

Now I need to tell Apache about the new .conf file:

a2ensite yourdomain.com-ssl.conf

I’m told that’s cool and all, but that I need to restart Apache for the changes to take effect:

service apache2 restart

Now when I test the certificate renewing process…

/etc/certbot-auto renew --dry-run

…everything goes according to plan.

Wednesday, December 7th, 2016


This is a wonderful service! Handcrafted artisanal passwords made with a tried and trusted technique:

You roll a die 5 times and write down each number. Then you look up the resulting five-digit number in the Diceware dictionary, which contains a numbered list of short words.

That’s the description from the site’s creator, Mira:

Please keep in mind when ordering that I am a full-time sixth grade student with a lot of homework.

She’s the daughter of Julia Angwin, author of Dragnet Nation.