Mike West
@mikewe.st
web browser stuff: security, privacy, safety, etc.
Reposted by Mike West
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.
Modern solutions against cross-site attacks
Modern solutions against cross-site attacks
frederikbraun.de
November 27, 2024 at 7:50 AM
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.
Reposted by Mike West
There's a good blog post from @april.social about cookie parsing: grayduck.mn/2024/11/21/h...
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
April King — Handling Cookies is a Minefield
Discrepancies in how browsers and libraries handle HTTP cookies, and the problems caused by such things.
grayduck.mn
November 21, 2024 at 8:39 PM
There's a good blog post from @april.social about cookie parsing: grayduck.mn/2024/11/21/h...
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
Do you, like me, periodically need to produce a base64-encoded SHA-2 hash of some text? Have you found existing online generator tools to be slightly annoying in some minor way that doesn't precisely fit your workflow? Well, here's another that will annoy you in _different_ ways:
sha2.it
sha2.it
SHA2 digest generator
sha2.it
November 20, 2024 at 9:48 AM
Do you, like me, periodically need to produce a base64-encoded SHA-2 hash of some text? Have you found existing online generator tools to be slightly annoying in some minor way that doesn't precisely fit your workflow? Well, here's another that will annoy you in _different_ ways:
sha2.it
sha2.it
Reposted by Mike West
Security Signals: Making Web Security Posture Measurable At Scale
research.google
November 17, 2024 at 1:02 PM
I'm skimming RFC9421's signing and validation algorithms for reasons, and it seems like the spec provides way more room for confusion about what's being signed than I'd prefer, with guidance like "Determine an order for any signature parameters...". How? 🤷
www.rfc-editor.org/rfc/rfc9421....
www.rfc-editor.org/rfc/rfc9421....
RFC 9421: HTTP Message Signatures
This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where...
www.rfc-editor.org
November 17, 2024 at 6:02 PM
I'm skimming RFC9421's signing and validation algorithms for reasons, and it seems like the spec provides way more room for confusion about what's being signed than I'd prefer, with guidance like "Determine an order for any signature parameters...". How? 🤷
www.rfc-editor.org/rfc/rfc9421....
www.rfc-editor.org/rfc/rfc9421....
Daniel Stenberg's notes from this week's HTTP Workshop are a nice way of catching up on smart folks' thoughts about the present and future of your favorite transport protocol:
Day 1: daniel.haxx.se/blog/2024/11...
Day 2: daniel.haxx.se/blog/2024/11...
Day 3: daniel.haxx.se/blog/2024/11...
Day 1: daniel.haxx.se/blog/2024/11...
Day 2: daniel.haxx.se/blog/2024/11...
Day 3: daniel.haxx.se/blog/2024/11...
The 2024 HTTP Workshop
Day one. For the sixth time, this informal group of HTTP implementers and related "interested parties" unite in a room over a couple of days doing a HTTP Workshop. Nine years since that first event in...
daniel.haxx.se
November 15, 2024 at 5:40 PM
Daniel Stenberg's notes from this week's HTTP Workshop are a nice way of catching up on smart folks' thoughts about the present and future of your favorite transport protocol:
Day 1: daniel.haxx.se/blog/2024/11...
Day 2: daniel.haxx.se/blog/2024/11...
Day 3: daniel.haxx.se/blog/2024/11...
Day 1: daniel.haxx.se/blog/2024/11...
Day 2: daniel.haxx.se/blog/2024/11...
Day 3: daniel.haxx.se/blog/2024/11...
I set up this account, then nerdsniped myself right past the process of crafting a witty and enticing "Hello, world!" post to instead spend a few minutes trying to figure out whether Bluesky supported security keys rather than email for 2FA.
It apparently doesn't. 🤷
It apparently doesn't. 🤷
November 15, 2024 at 4:12 PM
I set up this account, then nerdsniped myself right past the process of crafting a witty and enticing "Hello, world!" post to instead spend a few minutes trying to figure out whether Bluesky supported security keys rather than email for 2FA.
It apparently doesn't. 🤷
It apparently doesn't. 🤷