Bank scammers using genuine push notifications to trick their victims


`In app popup. "Are you on the phone with Chase? We need to check it's you on the phone to us. Let us know it's you and enter your passcode on the next screen. @ Not you? Your details are safe. Just tap 'No, it's not me' and we'll end the call."`

You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. "Yeah, right!" you think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. […]


I can't use my number pad for 2FA codes


Computer number pad with the number 7 in the top left.

This has to be the most infuriating bug report I've ever submitted. I went to type in my 2FA code on a website - but no numbers appeared on screen. Obviously, I was an idiot and had forgotten to press the NumLock button. D'oh! I toggled it on and typed again. No numbers appeared. I […]


What the UK Government gets wrong about QR codes


A leaflet for Childcare with a prominent QR code.

One of my most memorable experiences in the Civil Service was discussing link shortening services with a very friendly person from the Foreign and Commonwealth Office. I was trying to explain why link shorteners like bit.ly and ow.ly weren't sensible for Government use. They didn't seem to particularly care about the privacy implications or the […]


I made a mistake in verifying HTTP Message Signatures


A pet cat typing on a computer keyboard.

It's never great to find out you're wrong, but that's how learning and personal growth happens. HTTP Message Signatures are hard. There are lots of complex parts and getting any aspect wrong means certain death. In a previous post, I wrote A simple(ish) guide to verifying HTTP Message Signatures in PHP. It turns out that […]


O2 UK's Weird MSISDN Lookup API


Sorry, we don’t recognise this number. Please try again.

It's always fun keeping your network inspector tab open. While looking around the O2 UK website, I found this page all about eSIMs. For some reason, it wants to know the user's phone number. I put in a random number, and it refused to let me in. Putting in a genuine O2 number let me […]


A simple(ish) guide to verifying HTTP Message Signatures in PHP


Screenshot of JSON. As described in text.

Mastodon makes heavy use of HTTP Message Signatures. They're a newish almost-standard which allows a server to verify that a request made to it came from the person who sent it. This is a quick example to show how to verify these signatures using PHP. I don't claim that it covers every use-case, and it […]


It's a process; not a product


A pet cat typing on a computer keyboard.

Sometimes a client asks me a question and I'm a little stunned by their mental model of the world. A few weeks ago, we were discussing the need for better cybersecurity in their architecture. We spoke about several aspects of security, then they asked an outstanding question. "What should I buy to be secure?" It […]


A quick look inside the HSTS file


Glowing computer text showing dot com dot info etc.

You type example.com into your browser's address bar and it automatically redirects you to the https:// version. How does your browser know that it needed to request the more secure version of the website? The answer is... a big list. The HTTP Strict Transport Security (HSTS) list is a list of domain names which […]


An open(ish) redirect on Mastodon


Cartoon of a tusked mastodon holding a phone.

I've responsibly disclosed a small security issue with Mastodon (GHSA-8982-p7pm-7mqw). It allows a sufficiently determined attacker to use any Mastodon instance to redirect unwary users to a malicious site. What do you think happens if you visit: https://mastodon.social/@PasswordReset/111285045683598517/admin? If you aren't logged in to that instance, it will redirect you to a third-party site. […]


Using disposable phone numbers for better security


A pair of SIM cards.

Last night I received a call from my bank. They'd detected an unusual transaction and wanted to make sure that it was legitimate. Had I recently purchased £10,000 worth of crypto in the Maldives? What?!!? No! ARGH! I started to panic. All my apes money gone! No. Wait. The other thing. I knew it was […]
