Results after 30 days of (almost) no trusted CAs
Today marks the 30th day since I removed all the root certificates for trusted certificate authorities. It was an interesting one month and I’ve learned a bunch. The main takeaway from this experiment...
View ArticlePrivilege separation in WordPress
A recent retweet by Jeremiah Grossman got me thinking. Why doesn’t WordPress implement privilege separation in their blog engine? After all it is fairly simple and can be implemented in a few lines of...
View ArticlePhoneFactor WordPress plugin
I have recently stumbled upon the plugin PhoneFactor has for WordPress and decided to give it a shot, knowing the idea behing the PhoneFactor authentication model. The install was smooth, since...
View ArticleWindows SSL/TLS update for secure renegotiation
Couple of weeks ago Microsoft released an update to the SSL/TLS stack to implement secure renegotiation as described in RFC 5746. The Microsoft KB article describes the three settings controlling the...
View ArticleFraudulent SSL certificates
As many people are reporting today, there have been a few SSL certificates issued to a fraudulent party. The Comodo CA had an RA account compromised and used to issue certificates for some of the top...
View ArticleAutomatic CA root certificate updates on Windows
I was recently listening to Chris Palmer talking about SSL on the PaulDotCom podcast and one thing caught my attention – the discussion on IE behavior with trusted roots certificates. It was discussed...
View ArticleTLS Client Authentication and Trusted Issuers List
One of the common questions I’ve seen asked lately is related to TLS client authentication, which likely means more people are interested in stronger client authentication. The problem people are...
View ArticleHow to approach fixing the TLS trust model
TLS is an exciting protocol and its wide deployment makes it even more interesting to work on. It has been said many times that the success of online commerce is due to the success of SSL/TLS and the...
View ArticlePass-The-Hash vs cookie stealing
I saw a few talks at the BlueHat conference at Microsoft and the funniest of all was Joe McCray’s (@j0emccray) “You Spent All That Money And You Still Got Owned????”. At some point, he touched on...
View Article30 days with isolated apps in Chrome
I have been using separate browsers for a while now to isolate generic web browsing from “high value” browsing, such as banking or administration of this blog. The reason I’ve been doing this is that a...
View Article
