Have you considered writing more about potatoes?
15.12.2024 20:12
On the other hand, knocking down fences is fun, while understanding why fences are there is usually not fun. :(
10.12.2024 09:10
Modern solutions against cross-site attacks
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices are always opt-in and finally how YOU can get increased security controls.
27.11.2024 07:50
April King – Handling Cookies is a Minefield
Discrepancies in how browsers and libraries handle HTTP cookies, and the problems caused by such things.
There's a good blog post from @april.social about cookie parsing: grayduck.mn/2024/11/21/h...
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
21.11.2024 20:39
SHA2 digest generator
Do you, like me, periodically need to produce a base64-encoded SHA-2 hash of some text? Have you found existing online generator tools to be slightly annoying in some minor way that doesn't precisely fit your workflow? Well, here's another that will annoy you in _different_ ways:
sha2.it
20.11.2024 09:48
Signature-based Integrity
You're entirely right. The promises signatures can make are different in kind, but hopefully no less useful. wicg.github.io/signature-ba... and wicg.github.io/signature-ba... get at the distinctions to some extent, and I'd welcome additions to those descriptions.
19.11.2024 14:53
It's unfortunate that this is _also_ the way to discover whether food is untasty.
19.11.2024 07:03
Security Signals: Making Web Security Posture Measurable At Scale
Happy to publish the effort of my last five years: Security Signals.
research.google/pubs/securit...
17.11.2024 13:02
Signature-based Integrity
wicg.github.io/signature-ba... seems likely to depend on this mechanism; it's going to be necessary to spell out unambiguous approaches to those decision points that make it clear how to generate and validate signatures in a consistent way on both the server and the client.
17.11.2024 18:07
RFC 9421: HTTP Message Signatures
This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where...
I'm skimming RFC9421's signing and validation algorithms for reasons, and it seems like the spec provides way more room for confusion about what's being signed than I'd prefer, with guidance like "Determine an order for any signature parameters...". How? 🤷
www.rfc-editor.org/rfc/rfc9421....
17.11.2024 18:02
I set up this account, then nerdsniped myself right past the process of crafting a witty and enticing "Hello, world!" post to instead spend a few minutes trying to figure out whether Bluesky supported security keys rather than email for 2FA.
It apparently doesn't. 🤷
15.11.2024 16:12
Back in Chicago as a stay-at-home dad starting a small business. Expect some infosec/privacy/safety, 3D printing, and politics. You're probably following me because of my old job(s).
infosec.exchange/@jschuh
Defunct: twitter.com/justinschuh
security gal | resident Chrome Security border collie && VRP lead | pop culture glutton | outdoor super enthusiast | looking at birds & making up music videos in my head | she /her / hers
Law professor & journalist researching geopolitics of tech, free expression, internet law, online speech governance, and AI.
For sporadic writings on these things see: https://klonick.substack.com/
For more info and full bio see: www.kateklonick.com
An Englishman in San Francisco. Director of Security for Google Chrome.
@ksvesq.bsky.social's husband; father of daughters; professor @georgetownlaw.bsky.social; #SCOTUS nerd @CNN.com
Bio: www.law.georgetown.edu/faculty/stephen-i-vladeck
"One First" Supreme Court newsletter: stevevladeck.com
Book: tinyurl.com/shadowdocketpb
Law Prof at UC Davis Law; co-host of the 99pi Breakdown of the Constitution https://99percentinvisible.org/book-club/
tech reporter for the NYT!
co-author of CHARACTER LIMIT!
signal: kateconger.11
buy our book: https://www.penguinrandomhouse.com/books/737290/character-limit-by-kate-conger-and-ryan-mac/
tour dates & translations: https://linktr.ee/kateconger
Substack: http://lcamtuf.substack.com/archive
Homepage: http://lcamtuf.coredump.cx
Staff Security Engineer at some random tech company, previously Mozilla, Dropbox, and (pre-Elon) Twitter. Has read @kateconger.bsky.social's autobiography.
web @ grayduck.mn // also github.com/april
Security researcher at Crosspoint Labs. AppSec. Tweets are my own and do not express the opinion of my employer. OWASP. retire.js
In your web, securing your app. Hacker, webdev, speaker, engineer. Security shoptet.cz, ex-report-uri.com, ex-teenager. HTTPS = How To Transfer Private Sh💩. Also https://infosec.exchange/@spazef0rze
I help developers protect companies through better web security
Writing about law and democracy at The Atlantic, previously Lawfare. Not a lawyer. It's KWIN-ta.
signal: qjurecic.32
Writer, lawyer, Dodger fan, internet dog. nycsouthpaw18 at gmail.
Scientist. Dir. of Usable Security & Privacy at the International Computer Science Institute (icsi.berkeley.edu). Founder, AppCensus (appcensus.io). All opinions are those of his employer(s), and not his own.
https://www.guanotronic.com/~serge/
Leading Google's web security team.
Passionate about web security and making secure-by-default web development the norm. Contributed to web platform security features like CSP, Fetch Metadata, COOP and Trusted Types.
Hi, I'm Scott Helme, a Security Researcher, Entrepreneur and International Speaker. I'm the creator of Report URI and Security Headers, and I deliver world renowned training on Hacking and Encryption.
https://scotthelme.co.uk