Steps you can take to secure your phone and computer. This is especially useful in countries where ubiquitous surveillance is not only legal, but mandated by law (such as China, Australia, and the UK).
Friday, March 24th, 2017
Friday, March 10th, 2017
And here’s another reason why password rules are bullshit: you’re basically giving a list of instructions to hackers—the password rules help them narrow down the strings they need to brute force.
Monday, March 6th, 2017
Saturday, February 25th, 2017
We don’t take our other valuables with us when we travel—we leave the important stuff at home, or in a safe place. But Facebook and Google don’t give us similar control over our valuable data. With these online services, it’s all or nothing.
We need a ‘trip mode’ for social media sites that reduces our contact list and history to a minimal subset of what the site normally offers.
Monday, January 30th, 2017
Things are looking good for HTTPS.
A marvellous story of early twentieth century espionage over the airwaves.
In one proposal, hidden instructions were interspersed within regular, ordinary-looking messages by slightly lengthening the spaces between dots and dashes.
Sunday, January 29th, 2017
The (literally) hidden dangers of copying code snippets from the web and pasting them into the command line.
This cautionary tale backs up a small tip I heard for getting to understand how found code works: deliberately type it out instead of copying and pasting.
Thursday, January 19th, 2017
Following from that great post about the “zone of death” in browsers, Eric Law looks at security and trust in a world where certificates are free and easily available …even to the bad guys.
Ever been on one of those websites that doesn’t allow you to paste into the password field? Frustrating, isn’t it? (Especially if you use a password manager.)
It turns out that nobody knows how this ever started. It’s like a cargo cult without any cargo.
Monday, January 16th, 2017
A thoroughly fascinating look at which parts of a browser’s interface are available to prevent phishing attacks, and which parts are available to enable phishing attacks. It’s like trench warfare for pixels.
Wednesday, December 28th, 2016
If you’re prepping your defences against the snooper’s charter (and you/I should be), Andy recommend using NordVPN.
Saturday, December 10th, 2016
Certbot renewals with Apache
I wrote a while back about switching to HTTPS on Apache 2.4.7 on Ubuntu 14.04 on Digital Ocean. In that post, I pointed to an example .conf file.
I’ve been having a few issues with my certificate renewals with Certbot (the artist formerly known as Let’s Encrypt). If I did a dry-run for renewing my certificates…
/etc/certbot-auto renew --dry-run
… I kept getting this message:
Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories. Falling back to default vhost *:443…
It turns out that Certbot doesn’t like HTTP and HTTPS configurations being lumped into one .conf file. Instead it expects to see all the port 80 stuff in a
domain.com.conf file, and the port 443 stuff in a
So I’ve taken that original .conf file and split it up into two.
First I SSH’d into my server and went to the Apache directory where all these .conf files live:
Then I copied the current (single) file to make the SSL version:
cp yourdomain.com.conf yourdomain.com-ssl.conf
Time to fire up one of those weird text editors to edit that newly-created file:
I deleted everything related to port 80—all the stuff between (and including) the
VirtualHost *:80 tags:
<VirtualHost *:80> ... </VirtualHost>
Hit ctrl and o, press enter in response to the prompt, and then hit ctrl and x.
Now I do the opposite for the original file:
Delete everything related to
<VirtualHost *:443> ... </VirtualHost>
Once again, I hit ctrl and o, press enter in response to the prompt, and then hit ctrl and x.
Now I need to tell Apache about the new .conf file:
I’m told that’s cool and all, but that I need to restart Apache for the changes to take effect:
service apache2 restart
Now when I test the certificate renewing process…
/etc/certbot-auto renew --dry-run
…everything goes according to plan.
Wednesday, December 7th, 2016
This is a wonderful service! Handcrafted artisanal passwords made with a tried and trusted technique:
You roll a die 5 times and write down each number. Then you look up the resulting five-digit number in the Diceware dictionary, which contains a numbered list of short words.
That’s the description from the site’s creator, Mira:
Please keep in mind when ordering that I am a full-time sixth grade student with a lot of homework.
She’s the daughter of Julia Angwin, author of Dragnet Nation.
Wednesday, November 30th, 2016
Details of The Guardian’s switch to HTTPS.
Sunday, October 16th, 2016
Equal parts clever and scary. By using
autocomplete in HTML and some offscreen positioning in CSS, it’s possible to extract some unexpected personal information.
I expect browsers will be closing these holes pretty quickly.
Clever! By exploiting the redirect pattern that most social networks use for logging in, and assuming that site’s favicon isn’t stored in a CDN, it’s possible to figure out whether someone is logged into that site.
Monday, October 10th, 2016
A browser for Android that specifically touts privacy and security as its key features.
Friday, September 30th, 2016
This is what tells all our browsers on all our devices to set the viewport to be the same width of the current device, and to also set the initial scale to 1 (not scaled at all). This essentially allows us to have responsive design consistently.
<meta name="viewport" content="width=device-width, initial-scale=1">
viewport value for the
meta element was invented by Apple when the iPhone was released. Back then, it was a safe bet that most websites were wider than the iPhone’s 320 pixel wide display—most of them were 960 pixels wide …because reasons. So mobile Safari would automatically shrink those sites down to fit within the display. If you wanted to over-ride that behaviour, you had to use the
meta viewport gubbins that they made up.
That was nine years ago. These days, if you’re building a responsive website, you still need to include that
That seems like a shame to me. I’m not suggesting that the default behaviour should switch to assuming a fluid layout, but maybe the browser could just figure it out. After all, the CSS will already be parsed by the time the HTML is rendering. Perhaps a quick test for the presence of a crawlbar could be used to trigger the shrinking behaviour. No crawlbar, no shrinking.
Maybe someday the assumption behind the current behaviour could be flipped—assume a website is responsive unless the author explicitly requests the shrinking behaviour. I’d like to think that could happen soon, but I suspect that a depressingly large number of sites are still fixed-width (I don’t even want to know—don’t tell me).
There are other browser default behaviours that might someday change. Right now, if I type
example.com into a browser, it will first attempt to contact
http://example.com rather than
https://example.com. That means the
example.com server has to do a redirect, costing the user valuable time.
You can mitigate this by putting your site on the HSTS preload list but wouldn’t it be nice if browsers first checked for
HTTPS instead of
HTTP? I don’t think that will happen anytime soon, but someday …someday.
Tuesday, August 30th, 2016
Justin has been thinking about how we ensure our digital legacy survives our passing.
Tuesday, August 2nd, 2016
The security research that went into improving the spec for the Battery Status API. This is why it’s so important that the web holds itself to high standard.
Even most unlikely mechanisms bring unexpected consequences from privacy point of views. That’s why it is necessary to analyze new features, standards, designs, architectures - and products with a privacy angle. This careful process will yield results, decrease the number of issues, abuses and unwelcome surprizes.