Putting to rest some of the most persistent falsehoods about passwords and what it takes to come up with strong passwords and practice good password security in 2019.
This is a very helpful, easy-to-read guide covering current best practices for keeping your passwords and accounts secure.
An open source checklist of resources designed to improve your online privacy and security. Check things off to keep track as you go.
This is a great resource, but it highlights the delicate balance of security and user experience that often tips too far toward security at the expense of usability. For those of us in the software design world, it’s more important now than ever to make these technologies more easily accessible to the masses.
List of websites and whether or not they support 2FA.
A handy single-purpose website outlining which services support two-factor authentication and which don’t. Add to the collection by submitting a pull request on the GitHub repository.
Welcome to the Security Education Companion! SEC is a resource for people teaching digital security to their friends and neighbors.
For a better, safer world!
While you’re at it, consider donating to the Electronic Frontier Foundation.
Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for “Stripe, Inc”, that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably thinking of the payment processor incorporated in Delaware. Here, though, you are talking to the “Stripe, Inc” incorporated in Kentucky. This problem can also appear when dealing with different countries.
In this post, Ian outlines several Web security-related flaws in current-era browser user interface. Browsers, in an attempt to be clever, obfuscate several important pieces of information that might provide users with details about the people behind a particular website. On top of that, Ian demonstrates flaws in the cross-jurisdicitonal systems that allow for the coexistence of like-named but unrelated business entities.
Browser vendors treat extended validation certificates as special cases, giving them visual priority over standard TLS certificates. The average user won’t know the difference—nor should they—when they see “Trusted Company X” highlighted in green in their browser’s URL bar. The expectation is that they’re actually viewing Trusted Company X’s website and not the website of some rando with a little bit of money to spare.
I posted yesterday on Twitter about an issue I ran into when trying to use a bookmarklet on a website—GitHub, in this case—with a Content Security Policy. Instapaper developer Brian Donohue pointed me to a post he’d written on just this issue in 2014.
The ultimate catch-22 of the new Content Security Policy wording is that it’s intended to benefit the users, by providing additional security from hypothetical malicious add-ons on websites that enforce a Content Security Policy. In the end the bookmarklet has been relegated obsolete by the change, a casualty of one clause in one section of one web specification, and end-users and developers are the ones who will mourn its demise. The path to hell is paved with good intentions.
I’ve implemented a CSP on my own site and have now switched from using Instapaper’s bookmarklet to their Safari extension.