Web Security Training

Navigating the web security landscape



The websec digest #1

The websec digest gives you a strictly filtered overview of noteworthy incidents, interesting technologies and upcoming events. The most important event of this issue is the Yahoo! hack, which turns out to be a consequence of gross negligence.

Unless you’ve been hiking through the rainforest, you must have heard about the Yahoo! hack, which is considered the largest data breach of all time. Yahoo! quickly pointed to state-sponsored attackers, but as Bruce Schneier points out, it seems that they simply neglected security, and were hacked by a criminal hacker group.

Earlier this week, Mozilla followed up on earlier allegations of misconduct by the Chinese CA WoSign. Apparently, WoSign has been backdating SHA-1 certificates, has secretly obtained ownership of the Israeli CA StartCom (and denied it), and doesn’t take its validation process too seriously. Because of that, Mozilla is proposing a timeout period of a year, during which newly issued certs from WoSign and StartCom will not be trusted.

On to some positive news. In June, two Google engineers gave an awesome talk at AppSec EU about CSP. They explained how an overly lax CSP can be vulnerable to potential bypass attacks, and why Google decided to replace whitelists with the strict-dynamic keyword. Last week, Google released its CSP Evaluator, which analyses your CSP and notifies you of any weaknesses.
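To make the whitelist-versus-strict-dynamic point concrete, here is a small policy lint in the spirit of the checks the CSP Evaluator performs. It is an added example, not code from the original post or from Google's tool, and the two sample policies (WEAK_POLICY, STRICT_POLICY) are constructed for illustration.

```python
"""Minimal script-src lint for Content-Security-Policy headers (added example)."""
from typing import Dict, List

# Constructed sample policies, not taken from any real site.
WEAK_POLICY = "script-src 'self' https://cdn.example.com 'unsafe-inline'; object-src 'none'"
STRICT_POLICY = ("object-src 'none'; base-uri 'none'; "
                 "script-src 'nonce-r4nd0mN0nce' 'strict-dynamic' https: 'unsafe-inline'")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source-expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def lint_script_src(policy: str) -> List[str]:
    """Return human-readable findings about how scripts may be loaded under this policy."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src (and no default-src fallback): script loading is unrestricted"]

    findings: List[str] = []
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    strict_dynamic = "'strict-dynamic'" in sources

    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is only
    # a weakness on its own; in a strict policy it is a fallback for old browsers.
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        findings.append("'unsafe-inline' permits every inline script, which defeats XSS protection")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' permits eval() and other string-to-code sinks")

    hosts = [s for s in sources if not s.startswith("'")]  # scheme and host whitelist entries
    if strict_dynamic:
        # 'strict-dynamic' makes browsers ignore host and scheme sources entirely, so trust
        # propagates only from nonced/hashed scripts; nothing else to check for the whitelist.
        return findings
    for s in hosts:
        if s in ("*", "http:", "https:", "data:") or s.startswith(("http://", "*.")):
            findings.append(f"{s} is an overly broad script source")
    if hosts:
        findings.append("host whitelist without 'strict-dynamic': any whitelisted origin that serves "
                        "script-returning endpoints (e.g. JSONP) can be used to bypass the policy")
    return findings
```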

To stay in the sphere of HTTPS, Wired has announced that they successfully completed their HTTPS migration. Wired pledged to go full HTTPS earlier this year, but quickly ran into mixed-content issues with their legacy content. It took a bit of time and undoubtedly a lot of effort, but they managed to flip the HTTPS switch after all. Congratulations to them for sticking with it!

And to conclude, some exciting news from Microsoft. They announced that the next version of Windows 10 will isolate the Edge browser in a lightweight virtual machine, making it more difficult to break out of the browser and take control of the machine. Hopefully, this approach will have significant security benefits, and can be extended to other browsers and programs as well!

Finally, a few announcements about past and upcoming events. As usual, you can find more information on my speaking page.

