Protecting Sensitive Data

March 12, 2017

If you are building a service that stores sensitive data, your number one concern should be how to protect it. What IS sensitive data? There are some obvious examples, like medical data or bank account data. But would you consider a dating site database as sensitive data? Based on a recent leak of a big […]

Issues With Electronic Machine Readable Travel Documents

February 3, 2016

Most of us have passports, and most of these passports are by now equipped with chips that store some data, including fingerprints. But six months ago I had no idea how that operates. Now that my country is planning to roll out new identity documents, I had to research the matter. The chip (which is […]

Should We Look For a PRISM Alternative?

May 3, 2015

I just watched Citizen Four, and that made me think again about mass surveillance. And it’s complicated. I would like to leave aside the US foreign policy (where I agree with Chomsky’s criticism), and whether “terrorist attacks” would have been an issue if the US government didn’t do all the bullshit it does across the […]

The Hash Challenge

January 8, 2015

The Facebook discussion about my previous blog post went off-topic and resulted in an interesting challenge. One of the commenters (Stilgar) was not convinced that passwords hashed with MD5 (or SHA) are so easy to crack if there is salt. So he posted a challenge: “I’ll post the hash of a “password” which is going to […]

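The point of the challenge is what a salt does and does not buy. The following is an added example, not code from the post or from the challenge: it stores a password as a salted MD5 record, then runs a dictionary attack against that record the way a cracking tool would, and measures how many salted-MD5 guesses fit in the time of one PBKDF2 guess (a slow KDF standing in for bcrypt). The record format (hex salt, `$`, hex MD5 of salt||password), the word list, the mangling rules and the target password are all constructed here for illustration.

```python
"""Added example, not code from the original post: a dictionary attack on
salted MD5 password hashes, to show what the salt does and does not buy.
The record format (hex salt, '$', hex MD5 of salt||password), the word
list and the target password are all constructed here for illustration."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Iterator, Optional, Tuple


def md5_salted(salt: bytes, password: str) -> str:
    """MD5(salt || password) in hex; fast by design, which is the problem."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store the salt next to the hash, as any salted scheme must."""
    salt = salt if salt is not None else os.urandom(8)
    return f"{salt.hex()}${md5_salted(salt, password)}"


def candidates(word: str) -> Iterator[str]:
    """Small mangling rule set, the way cracking tools expand a word list."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2015"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack_record(record: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try every mangled word against one record. The salt is public, so each
    guess costs exactly one MD5; the salt only stops precomputed tables and
    keeps one guess from being reused against every user at once."""
    salt_hex, digest = record.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    tried = 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            if hmac.compare_digest(md5_salted(salt, cand), digest):
                return cand, tried
    return None, tried


def guess_cost_ratio(iterations: int = 100_000, samples: int = 20_000) -> float:
    """How many salted-MD5 guesses fit in the time of one PBKDF2-HMAC-SHA256
    guess at the given iteration count (a slow KDF standing in for bcrypt)."""
    salt = os.urandom(8)
    t0 = time.perf_counter()
    for i in range(samples):
        md5_salted(salt, f"guess{i}")
    md5_each = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess0", salt, iterations)
    slow_each = time.perf_counter() - t0
    return slow_each / md5_each


# Constructed word list (a few entries of the kind found in top-N password lists).
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "dragon", "monkey", "football", "iloveyou"]
# Fixed salt so the example record is reproducible; a real one comes from os.urandom.
DEMO_RECORD = make_record("football123", salt=bytes.fromhex("0123456789abcdef"))

if __name__ == "__main__":
    found, tried = crack_record(DEMO_RECORD, WORDLIST)
    print(f"cracked {DEMO_RECORD} -> {found!r} after {tried} guesses")
    print(f"one PBKDF2 guess costs about {guess_cost_ratio():.0f}x a salted-MD5 guess")
```

The attack finds the demo password in 65 guesses; the salt never entered into it, because it sits in plain view next to the hash. What the salt does remove is the shortcut of hashing the word list once for all users. The only thing that makes each guess expensive is a deliberately slow function (bcrypt, scrypt, PBKDF2 with a high iteration count), which is what `guess_cost_ratio` measures.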
In Favour of Self-Signed Certificates?

December 18, 2014

Today I watched the Google I/O presentation about HTTPS everywhere and read a couple of articles, saying that Google is going to rank sites using HTTPS higher. Apart from that, SPDY has mandatory usage of TLS, and it’s very likely the same will be true for HTTP/2. Chromium proposes marking non-HTTPS sites as non-secure. And […]

Verifying Secure Password Storage Externally

February 25, 2014

Many websites (including big ones like Adobe, Yahoo, LinkedIn, Gawker, etc.) store user passwords insecurely. Either in plain text, or encrypted (reversible), or using a broken or brute-forceable hash function. Many websites continue to be built with poor password storage mechanisms. So what? Well, if the database leaks somehow (and it obviously happens, see the […]

Login Tokens In Email Links

April 26, 2013

Your system is probably sending some emails. Sometimes these emails contain links to the public part of the site, sometimes they have links to the authentication-protected part. Either way, if the email is sent to registered users (as opposed to just subscribed emails) you should not make the user type in their username and password. Even […]

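Letting a registered user in straight from an emailed link means the link carries a credential, so the token behind it needs the properties a practitioner would check for: random rather than derived from user data, stored only as a hash so a leaked table does not contain working links, bound to one user and one purpose, expiring, and single-use. The following is an added example and not the post's own code; the in-memory dict stands in for a database table, and the endpoint path and TTL are assumptions.

```python
"""Added example, not code from the original post: issuing and redeeming
login tokens for links sent to registered users by email. The store is an
in-memory dict standing in for a database table; the URL path and the TTL
are assumed values."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime; shorter for password resets


@dataclass
class TokenRecord:
    user_id: int
    purpose: str        # e.g. "login" or "reset-password": one token, one action
    expires_at: float
    used: bool = False


class LoginTokenService:
    """Random token in the link; only its SHA-256 is stored, so a leaked table
    does not contain working links. Tokens are bound to a user and a purpose,
    expire, and are consumed on first use."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock, for tests
        self._store: Dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        # The secret never becomes a lookup key or a column value in clear.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: int, purpose: str, ttl: int = TOKEN_TTL_SECONDS) -> str:
        # 256 bits from the OS CSPRNG; not a hash of the user id, email or time.
        token = secrets.token_urlsafe(32)
        self._store[self._key(token)] = TokenRecord(user_id, purpose, self._now() + ttl)
        return token

    def link(self, base_url: str, token: str) -> str:
        # Assumed endpoint name; base_url must be https so the token is not sent in clear.
        return f"{base_url}/auth/email-login?token={token}"

    def redeem(self, token: str, purpose: str) -> Optional[int]:
        """Return the user id to log in, or None. Unknown, used, mismatched and
        expired tokens all give the same answer, so the endpoint does not say
        which check failed."""
        rec = self._store.get(self._key(token))
        if rec is None or rec.used or rec.purpose != purpose:
            return None
        if self._now() > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id


if __name__ == "__main__":
    svc = LoginTokenService()
    tok = svc.issue(user_id=42, purpose="login")
    print(svc.link("https://example.com", tok))
    print("first redeem:", svc.redeem(tok, "login"))    # 42
    print("second redeem:", svc.redeem(tok, "login"))   # None, single use
```

Two operational caveats. Mail security gateways and some clients fetch links before the user clicks, which consumes a single-use GET token; the usual fix is to render a confirmation page on GET and consume the token on a POST from that page. And a session started from an emailed link should be treated as lower assurance than a password login: require the password (or a second factor) again before sensitive actions such as changing the email address or password.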
A Guide To Authenticating Users With Mozilla Persona

December 1, 2012

Having only Twitter and Facebook authentication so far, I decided to add Mozilla Persona to the list for my latest project (computoser, computer-generated music). Why? I like trying new things. Storing passwords is a tough process, and even though I know how to do it, and even have most of the code written in another […]

Bcrypt. It’s The Bare Minimum.

August 23, 2012

The other day I read this Ars Technica article and realized how tragic the situation is. And it is not this bad because of the evil hackers. It’s bad because few people know how to handle one very common thing: authentication (signup and login). But it seems even cool companies like LinkedIn and Yahoo do it […]

Securely Storing Facebook / OAuth Access Tokens

March 31, 2011

Facebook and all OAuth applications (Facebook is sort-of OAuth) provide access tokens for applications to do things on behalf of users. I’ll not go into details of how to obtain them and how to use them, but in most cases you would want an eternal token – i.e. one that can be used for offline […]
