Optionsbleed: Don’t get your panties in a wad

You’re a paranoid schizophrenic if you think optionsbleed affects you in any meaningful way beyond what you should have already been aware of, unless you run systems with multiple tenants that upload their own crap to document roots and you’ll happily serve as-is, yet pretend to provide your customers with security; this is a use-after-free…

Heads-up on NSS 3.27, Guam

Many distributions, among which Fedora in 23 & 24, and Arch Linux, have recently shipped NSS 3.27, sometimes packaged as 3.27.0, or even 3.27.1. This release may just have triggered some confusion about disabling, enabling, and defaulting to or not, the NSS implementation of TLS version 1.3 (currently in draft). Fun! We’ve received reports from…

HPKP or DANE?

Close your eyes and imagine a world in which a user visits a website. This website may be encrypted, and when it is, the SSL certificate used must somehow be validated. Traditionally, SSL certificates are issued by third parties that have their certificate authorities included in browsers’ and operating systems’ bundles. This way, whichever SSL…

Oh SNAP, and there’s the Devil

I don’t know how else to put it. I’m sorry. It’s bad. It’s bad in my opinion, not fact. My opinion, is my expectation, will only turn fact by the time it is too late to do anything about it. It’s like, “why back-up anything?” — well, you’ll know when you’ve lost everything. In other…

You Board First When You Have Status

A status board describes the services the way they run — in full effect, with some connotations, perhaps with a defect or failure. Whichever may be the case of the situation at that moment, though — a status board reflects the current state. I believe it does not solely reflect the current state. I believe…

Thou Shalt Not Use OAuth

TL;DR: Do not use OAuth to “Sign in with…” without a second factor. OAuth is the mechanism with which a third party (a “client” or “App”) can be delegated a level of authority on an account (the “first party”, most commonly you) with an OAuth provider (the “second party”). This usually includes allowing an app…