The Journey to Universal HTTPS

Recently I was reading the book “The Box: How the Shipping Container Made the World Smaller and the World Economy Bigger”. I was struck by how many pieces and components had to fit together to achieve this big change, and ...

Whose credentials are they? Mine, or yours?

I've been spending a bunch of time lately thinking about usernames and passwords, and other types of credentials, and the concept of "ownership". When you get a credit card, on the back it typically says something like - "Your card is issued and serviced by XYZ Bank pursuant to a license from ...

Why do people expect so much more from mobile platforms?

Reading Veracode's recent post: Mobile Security – Android vs. iOS, which is an infographic comparing Android and iOS security, I'm left with a few questions, some of which I posted as a comment on their site. While the graphic does a good job of summarizing the notable differences between these two ...

Malware prevalence != Infection rates

There have been a number of presentations of late that have tried to document how end-users get infected with malware. Both Google's malware report and a recent report from CSIS purport to tell us how people get malware, based on what malware they detect most frequently online, and what exploits it ...

No Browser is an Island

Jeremiah wrote today about web browsers and opt-in security. I think he gets it mostly right (and hey, he pointed at a paper I co-authored so I'm biased) but I think it also misses the mark a little. Once upon a time there were only two major web browsers, and their ...

Poll Time – What One Problem in Web Security Do You Want to Fix?

It is poll time. Doing a little planning and trying to figure out what people view as the biggest architectural weaknesses on the web, security-wise. I'm mainly focused on things within HTTP and HTML/JS/CSS themselves, not things at the TLS layer. There is a small poll on the right hand ...

A quick clarification on HSTS (HTTP Strict Transport Security) policy on non-standard ports

Been having an interesting blog comment and twitter discussion with John Wilander. He wrote a post and some tweets and even filed a Mozilla bug against the HSTS behavior in FF-4. I posted this to his blog, but thought I'd post it here too. Essentially there is some confusion about how HSTS works, ...

New Role – Internet Standards and Governance

Not that I expect everyone to watch my job title changes, but I recently made one and figured I'd go ahead and blog about what I'm working on these days. For the past 2+ years I've been running the Secure Development Program at PayPal. This involves rolling out secure development methodology, ...

Bank Fraud Detection Must Balance False Positives and False Negatives

Krebs posted this morning about commercial bank customers again and Gunnar also picked up on the theme. In Krebs' piece he quotes the customer saying: "When I first talked to the bank, my question to them was, ‘We’ve always done the same five payroll transactions a month, this was outside the norm, ...

Laws of Supply and Demand Still Apply in Software Development

I read Gunnar's post the other day "Still Waiting to Meet a Developer Who Wants to Write Insecure Code" and he echoed something I've also been saying for a long time. In all of the training events I've ever done, times I've worked with developers, I've rarely met a developer ...