You’re a paranoid schizophrenic if you think optionsbleed affects you in any meaningful way beyond what you should have already been aware of, unless you run systems with multiple tenants that upload their own crap to document roots and you’ll happily serve as-is, yet pretend to provide your customers with security; this is a use-after-free… Continue reading Optionsbleed: Don’t get your panties in a wad
Many distributions, among which Fedora 23 & 24 and Arch Linux, have recently shipped NSS 3.27, sometimes packaged as 3.27.0, or even 3.27.1. This release may just have triggered some confusion about disabling, enabling, and defaulting to or not, the NSS implementation of TLS version 1.3 (currently in draft). Fun! We’ve received reports from… Continue reading Heads-up on NSS 3.27, Guam
Close your eyes and imagine a world in which a user visits a website. This website may be encrypted, and when it is, the SSL certificate used must somehow be validated. Traditionally, SSL certificates are issued by third parties that have their certificate authorities included in browsers’ and operating systems’ bundles. This way, whichever SSL… Continue reading HPKP or DANE?
I don’t know how else to put it. I’m sorry. It’s bad. It’s bad in my opinion, not fact. My opinion is my expectation, and will only turn fact by the time it is too late to do anything about it. It’s like, “why back-up anything?” — well, you’ll know when you’ve lost everything. In other… Continue reading Oh SNAP, and there’s the Devil
A status board describes the services the way they run — in full effect, with some connotations, perhaps with a defect or failure. Whichever may be the case of the situation at that moment, though — a status board reflects the current state. I believe it does not solely reflect the current state. I believe… Continue reading You Board First When You Have Status
TL;DR: Do not use OAuth to “Sign in with…” without a second factor. OAuth is the mechanism with which a third party (a “client” or “App”) can be delegated a level of authority on an account (the “first party”, most commonly you) with an OAuth provider (the “second party”). This usually includes allowing an app… Continue reading Thou Shalt Not Use OAuth