Full stack web developer, interested in all the things, but especially the web, code, design, Linux, OS X, PHP, WordPress, JavaScript & robots.

Tagged: security

A practical security guide for web developers

Security issues happen for two reasons –

  1. Developers who have just started and cannot really tell the difference between using MD5 or bcrypt.
  2. Developers who know stuff but forget/ignore them.

Our detailed explanations should help the first type while we hope our checklist helps the second one create more secure systems. This is by no means a comprehensive guide; it just covers stuff based on the most common issues we have discovered in the past.

I can’t think that I’ve ever seen a really exhaustive web development security checklist, so this looks promising. Still in development, but definitely worth keeping an eye on, or contributing to.

Of Course I’ll Let You Execute Arbitrary Javascript Code in My Users’ Browsers

All about the dangers of including externally hosted JavaScript in your websites. I would have thought that most of this would be common knowledge for professional developers, but the web being the web, there are plenty of hobbyists and amateurs out there who are probably very clueless about this stuff, so I thought it was worth sharing.

Also, I found this slightly amusing:

I’ll admit it, I used this vector for some grey-hat purposes back in my college days. In college, I wrote a terrible Javascript animation library that inexplicably became very popular among Spanish-speaking web developers. In order to facilitate onboarding, I offered the library over a public CDN that anybody could use.

At its peak, the script was being loaded from a few hundred websites and receiving about 100k loads per day. Some of my friends were in a band and they were participating in a local battle-of-the-bands competition for a radio station that featured weekly online votes to move to the next round. Their voting system did nothing to defend against XSRF attacks, but did limit votes to 1 per IP address.

So naturally, my friends won by a landslide of votes, most of which originated in Latin America.

** chuckles **

WordPress crusade against technical responsibility

It is often stressed in WordPress circles that plugins and themes should be compatible with the obsolete 5.2 version of the PHP programming language.

Because otherwise you will break people’s sites.

Because people still run their sites on PHP 5.2.

Because they don’t know they should update.

Because we won’t tell them.

Because they don’t have to know.

Wait, what?

It took me a long time to grasp that “they don’t have to know” is one of the most important and least obvious WordPress principles.

I don’t agree with that.

I don’t agree with it either; it’s insane. WordPress has more than enough security concerns without the added issues of supporting dead versions of PHP. Bonkers.

BTW, this WP site runs on PHP v7.0.9 and it really wasn’t very difficult to achieve.

Reducing Adobe Flash Usage in Firefox

Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness.

Seems like a wise move. What’s interesting here is the graph they show that details how the crash rates decreased dramatically when YouTube and Facebook switched to HTML5 video. I wonder if other browser vendors will follow suit?

P.S. The BBC have covered this story, I hope they take notice and sort their shit out.

How to use LetsEncrypt with Multiple Domains on Nginx and Ubuntu

There are many reasons to set up SSL hosting for your domain; top of all would be that Google is now giving SEO priority to sites that utilize SSL. Regardless of the benefits, it can be a bit intimidating to set up SSL, not to mention expensive. LetsEncrypt is a service that provides free SSL certificates to everyone, so we’re going to cover the very basics of how to do this. Don’t worry, it’s pretty painless.

A good step-by-step guide to get up-and-running with Let’s Encrypt on Ubuntu with Nginx.

Let’s Encrypt – Defending Our Brand

Some months ago, it came to our attention that Comodo Group, Inc., is attempting to register at least three trademarks for the term “Let’s Encrypt,” for a variety of CA-related services. These trademark applications were filed long after the Internet Security Research Group (ISRG) started using the name Let’s Encrypt publicly in November of 2014, and despite the fact Comodo’s “intent to use” trademark filings acknowledge that it has never used “Let’s Encrypt” as a brand.

Comodo Group, Inc. is a business and like all businesses, they exist to make money. That said, I think their behaviour is pretty shitty. I guess they’re worried that they cannot compete with Let’s Encrypt and so have chosen dirty tactics as a form of defense/attack. Seems idiotic to me.

Anyhow, I hope Let’s Encrypt are successful, they’re doing great work and deserve support.

360 million reasons to destroy all passwords

If you think about this for a moment, you’ll realize that your password does not actually matter. The only thing that matters is that you have access to the email address that’s associated with your account.

Thanks to the password reset functionality that every website uses, every website already supports passwordless login — they just don’t call it that.

I’m not sure that password reset systems are as convenient as just entering a password, but maybe that’s the point. The widespread use of passwordless login systems would certainly reduce the problem of users who opt for lazy passwords, such as “password1”, “password2” etc. That said, if the same users were to continue using lazy passwords for their email, they’d still be screwed.

Passwords suck.

What Hackers Do With Compromised WordPress Sites

We often talk to site owners who are surprised that their sites are targeted by attackers. Most of them assume that if there isn’t any juicy data to steal, like credit card numbers, compromising their site is a worthless exercise. Unfortunately they are wrong. Aside from data, a compromised site’s visitors can be monetized in various malicious ways. The web server can be used to run malicious software and host content, and the reputation of the domain name and IP address can be leveraged.

Some interesting stats here. Spoiler alert: I’m not surprised to see “defacing” at no.1, it’s the classic reason to hack a site, but it’s interesting that “SEO spam” is not too far behind. I guess there is money to be made in the black hat SEO world, so I’d expect it to rank top at some point in the future.

Let’s Encrypt — Leaving Beta

Since our beta began in September 2015 we’ve issued more than 1.7 million certificates for more than 3.8 million websites. We’ve gained tremendous operational experience and confidence in our systems. The beta label is simply not necessary any more.

This is great news. I’ve been using a number of certificates from this service and while I have no doubt that the service is here to stay, it’s always nice to know that a service provider has enough confidence in their systems to remove the “beta” label.