EngineeringSoft U2FIn an effort to increase the adoption of FIDO U2F second factor authentication, we're releasing Soft U2F: a software-based U2F authenticator for macOS. We've long been interested in promoting better… In an effort to increase the adoption of FIDO U2F second factor authentication, we’re releasing Soft U2F: a software-based U2F authenticator for macOS. We’ve long been interested in
Some of the updates described here are explained in the Google I/O session, Secure and Seamless Sign-In: Keeping Users Engaged: Chrome 57 Chrome 57 introduced this important change to the Credential Management API. Credentials can be shared from a different subdomain Chrome can now retrieve a credential stored in a different subdomain using the Credential Management API. For example, if a password
There are a variety of strategies for protecting your important online credentials. We often hear about password managers and generators, but for me, the more important strategy is using two-factor authentication (2FA). Passwords can be guessed, phone numbers can be spoofed, but using two-factor authentication essentially requires that user be in possession of a physical device with an app like
We are happy to introduce support for Content Security Policy Level 2 (CSP2) in Microsoft Edge, another step in our ongoing commitment to make Microsoft Edge the safest and most secure browser for our customers. CSP2, when used correctly, is an effective defense-in-depth mechanism against cross site scripting and content injection attacks. This is available in the Insider Fast ring now starting wi
A example of a timing attack being performed on the web cache. The graph on the left denotes a case where the timing attack is successfully able to detect a cached image whereas the one on the right is unable to do the same. In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algo
Please leave your sense of logic at the door, thanks! DRM and Web security September 21st, 2016 by Ian Hickson in Multimedia, W3C For a few years now, the W3C has been working on a specification that extends the HTML standard to add a feature that literally, and intentionally, does nothing but limit the potential of the Web. They call this specification "Encrypted Media Extensions" (EME). It's ess
It’s universally acknowledged that it’s a bad idea to store plain-text passwords. If a database containing plain-text passwords is compromised, user accounts are in immediate danger. For this reason, as early as 1976, the industry standardized on storing passwords using secure, one-way hashing mechanisms (starting with Unix Crypt). Unfortunately, while this prevents the direct reading of passwords
The benefits of using a “content security policy” are many. Most importantly, it will stop your users from suffering any unsolicited scripts or content or XSS vulnerabilities on your website. In this article, Nicolas Hoffmann will introduce you to this technology, and he’ll explain why awareness is the most important advantage of CSP for website maintainers. A long time ago, my personal website wa
Published: July 18, 2022 Author: Dean Carr Last Updated: July 18, 2022 Horse racing bettors based in Kentucky will welcome the latest news to come from the state. The Kentucky Horse Racing Commission have made it compulsory for the Thoroughbred Idea Foundation (TIF) that bettors have their winnings paid out to the penny. Previously, Kentucky sportsbooks and all other operators in the United States
The npm blog has been discontinued. Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog. Disclaimer: we had been told this vulnerability would be disclosed on Monday, not Friday, so this post is a little rushed and may be edited later. As disclosed to us in January and formally discussed in CERT vulnerability note VU#319816, it is possible for a maliciously-writ
Vulnerability Note VU#319816 Original Release Date: 2016-03-26 | Last Revised: 2016-03-26 npm allows packages to take actions that could result in a malicious npm package author to create a worm that spreads across the majority of the npm ecosystem. npm is the default package manager for Node.js, which is a runtime environment for developing server-side web applications. There are several factors
By default, Node.js is fairly secure by itself. Although, there are definitely things you have to watch out for. If your Node web-app starts to get more and more popular, for example, you'll need to be thinking more and more about security to ensure that you're keeping your users' data safe. After seeing some questions about Node.js security around the web in the last few weeks, I figured it would
Read it now on the O’Reilly learning platform with a 10-day free trial. O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers. As a web developer, you may not want to spend time making your web app secure, but it definitely comes with the territory. This practical guide provides you with the latest information
Update 2015/5/8: 指摘頂いたタイポや誤訳などを更新しました。 2015/5/8: 構成を一部修正しました。 Intro 4/30 mozaiila のセキュリティブログに下記のようなエントリが投稿されました。 Deprecating Non-Secure HTTP | Mozilla Security Blog エントリはそこまで長くないので、ここに翻訳の全文を記載します。 そして、元エントリのライセンスである CC BY-SA 3.0 に則り、 本エントリも同じく CC BY-SA 3.0 とします。 Deprecating Non-Secure HTTP 原文: Deprecating Non-Secure HTTP 今日は、 non-secure な HTTP から、徐々に廃止していくという方針についてアナウンスします。 HTTPS が Web を前進させる手段である
このエントリでは、Time-based SQLインジェクション、すなわち時間差を利用したSQLインジェクションが意外に実用的だったという報告をします。デモ映像ありです。 はじめに Time-based SQL Injectionという攻撃があります。これはブラインドSQLインジェクションの一種で、ある条件の場合に一定時間(例えば5秒)スリープし、そうでない時との応答時間の差で情報を盗もうというものです。1回のHTTPリクエストで1ビットの情報が得られるので、それを積み重ねることによって、いくらでも情報を盗めるはずです…理論的には。 しかし、「理屈はそうでも、時間が掛かりすぎるよね」ということで、深くは追っかけていませんでした。SQLインジェクションの検査には有効でも、悪用としての実用性はあまりないと考えていたのです。 きっかけ きっかけは、以下のYahoo!知恵袋に以下の質問です。 SQL
1. はじめに ちょうど今朝 OpenSSLをはじめとした様々なTLS実装の脆弱性の詳細が公表されました。 この InriaとMSRのグループは以前からTLSのセキュリティに関して非常にアクティブに調査・検証をしているグループで、今回も驚きの内容でした。 このグループは、TLSのハンドシェイク時の状態遷移を厳密にチェックするツールを開発し、様々なTLS実装の脆弱性を発見・報告を行っていたようです。 特にFREAKと呼ばれるOpenSSLの脆弱性(CVE-2015-0204)に関しては、ちょうど修正直後の1月初めに Only allow ephemeral RSA keys in export ciphersuites で見ていましたが、具体的にどのように攻撃するのかさっぱりイメージできず、あのグループだからまた超絶変態な手法だろうが、まぁそれほど深刻じゃないだろうと見込んでいました。 今回
Lenovo製のPCの一部にSuperfishというマルウェアが標準でインストールされていることが確認され、大きな問題となっています。 [2015-11-24追記] DELL製のPCにも、「eDellRoot」とされるSuperfishと同様の問題を持つルート証明書が導入されているようです。 DellのPCに不審なルート証明書、LenovoのSuperfishと同じ問題か - ITmedia エンタープライズ Dude, You Got Dell’d: Publishing Your Privates - Blog - Duo Security Joe Nord personal blog: New Dell computer comes with a eDellRoot trusted root certificate https://t.co/chURwV7eNE eDellRootで
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
処理を実行中です
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く