(An adaptation of my earlier blog post on the same topic.) This is a case study focusing on the usability of encryption systems as used by political dissidents in Apartheid-era South Africa. Background - South Africa Between 1948 and 1994, the nation of South Africa was ruled by an ethnically white minority. They set in place a system of government – known as Apartheid – which suppressed, b…
2025 Update - Bitly removed the ability to create emoji links, so some of these links are now dead. Facebook rewrites URLs with Unicode in the path - this is not best practice and could be dangerous. It is possible to create a URL like http://bit.ly/😀 - the Unicode characters are valid in the path. The URL-encoded representation is bit.ly/%F0%9F%98%80. Facebook mangles these URLs in such a wa…
(These bugs were responsibly disclosed on 7th December 2014, and were reported fixed on 9th December 2014. I sought & received permission to make these findings public.) I love the idea of Keybase.io. It's a site which takes a lot of the hard work out of encryption. I've discovered (and responsibly disclosed) a minor vulnerability with their web service. It doesn't lead to anyone's details…
I'm the sort of hip cat who frequents Internet Bulletin Boards. Recently I found myself needing to verify the email address associated with my Reddit account. The email I received from Reddit was charmingly lo-fi and eschewed those bourgeois capital letters. Notice the (teensy tiny) flaw? Yup, it's using vanilla "http" rather than the super secure "https". Earlier this year, Reddit switched …
Responsible Disclosure: This flaw was reported to both Google and Opera on 23rd October 2014. Background: International Domain Names are great! They open the web up to the whole world and allow me to own a domain like 莎士比亚.org. But they are a constant battleground in the fight for security. Homograph attacks are when someone uses two letters or symbols which look the same, to fool a user into v…
Private Eye is the only "Dead Tree" publication I buy. I think its satire misses the mark more often than not - but its investigative journalism and general muck-raking are second to none. The Eye has reluctantly been drawn into the digital age. It has a piss-poor website run by the sort of "tired and emotional" gnomes who struggle with concepts like sanitising user input. EXCLUSIVE Push…
The Citizens' Advice Bureaux have just released a real-time view of what people are searching for on their site. It's heartbreaking. Tom Loosemore (@tomskitomski), 10:03, Tue 21 October 2014: "Interesting new digital stuff emerging from @CitizensAdvice display-screen.cab-alpha.org.uk <-- uncomfortable, messy, visceral reality @mikedixonCAB" who supplies my electricity why do some children become…
Her Majesty’s Inspectorate of Constabulary (HMIC) are the police who police the police. As the Police policers you'd expect their website to be copper-bottomed. That they would detect anything amiss when inspecting their thin blue links. Mind you, some web developers are a law unto themselves. Yeah, yeah, these puns are unbearable. Fine. Whatever. Amusing photo by kind permission of the i…
Just a short usability / security post. Hopefully, you're all using Two-Factor Authentication on your important sites. As well as a username and password, you've also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS. Each code can only be used once - which makes it all the more curious that, after a few logins, Twitter's website looks like this: Now,…
Imagine, just for a moment, you suspect that a friend of yours is a criminal. Perhaps they are running an illegal proxy, or hosting a search engine, or maybe criticising a dangerous cult, or even taking suspicious photographs. These are all - apparently - within the remit of The City Of London Police. Better report such heinous crimes to them. As a high-tech policing unit, they encourage you…
Running a website is hard. Let me clarify - setting up a website is dead simple - keeping it running and updated is tricky. Now, for some of us, it doesn't really matter whether our sites live or die. But for big companies like McAfee it's not simple to switch off a site - especially when they've promised to keep it running in perpetuity. For some reason, the world's largest computer security …
A (very minor) privacy issue I found with the iTunes API - disclosed on 7th April. Apple provide an API to allow users to search the iTunes store. Let's suppose that a user wishes to search for Music Videos from The Beatles. The search itself is performed over HTTPS: https://itunes.apple.com/search?entity=musicVideo&term=beatles This means that anyone sniffing the connection won't see what…