Dynamic JavaScript and SRI

by @edent | # # # | Read ~228 times.
HTML source of The Guardian website. Polyfill is being loaded from their own CDN.

Some external JavaScript libraries are dynamic. That's a problem for the SRI model of security. How can this be fixed? Definitions Suppose I want my website to have the latest version of the jQuery library. I might use a Content Delivery Network (CDN) to serve the code for me. <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> If an attacker were… Continue reading →

Responsible Disclosure: CloudFlare - more interested in tracking than security

by @edent | # # # # | 2 comments | Read ~366 times.
A confirmation email asking me to click on a link,

CloudFlare claim they want to secure the web - but they seem more interested in tracking their customers than giving them decent security. Upon registering with the Internet giant, users are encouraged to confirm their email addresses. So far, so standard. This is the confirmation message CloudFlare sends out: Looks good! Hey! I wonder where… Continue reading →

Security issues on ArtChain

by @edent | # # # # | 4 comments | Read ~4,407 times.
A website with a popup notification.

One of the problems with the BlockChain goldrush is that it attracts a lot of people who don't necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem. I'd like to discuss ArtChain.info - "Certifying Art Using the Bitcoin Blockchain" - and the some of the… Continue reading →

Responsible Disclosure - Citizens Advice Bureaux

by @edent | # # # # # | Read ~213 times.

A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component. Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses. I called, and was put on hold,… Continue reading →

Privacy, Security, & Ethics - Computer Science's "Jüdische Physik"

by @edent | # # # # # | 1 comment | Read ~244 times.
A fist emerges from a computer screen and punches the user.

I'm going to tell you an anecdote which is a gross oversimplification of a complex topic. In the early half of the twentieth century, certain physicists made breakthroughs in relativity, quantum mechanics, and nuclear energy. Many of these scientists were Jewish. The Nazis called these heretical ideas "Jewish Science" and suppressed their teaching. Jewish physicists… Continue reading →

Would you trust this ATM?

by @edent | # # | 3 comments | Read ~281 times.
A sign is taped haphazardly to an ATM. It warns people that the ATM is slow and may take a while to return their card. There is no branding on the sign.

Fake cash-machines are an increasing problem around the UK. Criminals attach all sorts of machinery - including fake fronts - to ATMs with the aim of stealing cash or card details. Wandering around Oxford yesterday, I noticed this sign attached to a bank's ATM: "This ATM is running slow and may take a while to… Continue reading →

Udacity Bug Bounty - or, please stop tracking every link in your emails

by @edent | # # # | 2 comments | Read ~426 times.
Clicking on the button shows an insecure web address.

Look, I know your company wants metrics. I know your boss wants to see the exact percentages of people who click on links in your emails. Your sales team are desperate to track conversions. Someone wants to optimise your funnel for reasons which are unclear to you, a lowly engineer. So you make the mistake… Continue reading →

Advertising Screens Hacked To Mine BitCoin

by @edent | # # # # | 1 comment | Read ~16,776 times.
The display shows a windows desktop with a variety of icons. There is a window open

Spotted in London, yesterday. A large, Microsoft Windows-powered advertising hoarding has been hijacked. It's not uncommon to see broken-down Windows displays - I run https://windowsisbroken.tumblr.com/ - which is dedicated to pointing and laughing at such mistakes. But this is the first time I've seen a display repurposed for profit! It appears to be running NiceHash… Continue reading →

MailChimp leaks your email address

by @edent | # # # # | 6 comments | Read ~4,212 times.
Change email address page with obscured email address

An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04. When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.) This says "Hello new site, I was referred here… Continue reading →

There's no HTTPS for the Internet of Things

by @edent | # # # # | 8 comments | Read ~557 times.
An error message in the browser warning of an unsafe SSL connection

Me being grumpy and stupid again. I have an IP Camera on my LAN, I want to connect to it via HTTPS. I can't. Why is that? Why do this? I have a username and password to access my IP camera. And my TV. And my lightbulbs. And all my networked gadgets. If I try… Continue reading →