One password reset to rule them all!

on research | password reset

A company called Ecotricity recently launched a new app in the UK. They are a utility provider for your gas and electric but also run a nationwide network of charge points for electric vehicles that their new app will be used to control. Unfortunately there was a problem with the…

Testing the HSTS preload process

on HSTS | hsts-preload

My registrar had an offer on domains so I figured I'd grab one and test out the HSTS preload process as it currently stands. I want to track how easy it is to preload and how long it takes for full browser coverage in vendor preload lists. What's preloading?…

Hybrid RSA and ECDSA certificates with NginX

on RSA | ECDSA | Let's Encrypt

NginX version 1.11.0 just became available and that means we can now serve both RSA and ECDSA certificates for maximum performance without having to drop support for older clients. Nginx 1.11.0 As I noted a couple of days ago, the 1.11.0 release of…

Disclosing password storage policies on report-uri.io

on hashing | report-uri.io

After every breach hits the news, I, along with everyone else, receive the dreaded email asking me to reset my password. The email told me that my leaked password was 'encrypted' but gave no more details than that. Despite the fact that I can't think of any reason my password…

Testing out ECDSA certificates

on ECDSA

Let's Encrypt recently started signing certificates that use ECDSA keys so I figured I'd grab one and give it a try. ECDSA offers considerable increases in both security and performance compared to RSA and boy can you see it! ECDSA I'm not going to do a deep dive on…