Cross-Site Request Forgery is dead!

After toiling with Cross-Site Request Forgery on the web for, well, forever really, we finally have a proper solution. No technical burden on the site owner, no difficult implementation; it's trivially simple to deploy: Same-Site Cookies. As old as the Web itself, Cross-Site Request Forgery, also known as CSRF…

OCSP Expect-Staple

OCSP Expect-Staple is a new reporting mechanism that allows site owners to monitor how reliable their OCSP Stapling implementation is. With live feedback coming directly from the browser, you can build confidence before enforcing OCSP stapling with OCSP Must-Staple. Fixing revocation: I don't need to talk about how broken revocation…

OCSP Must-Staple

Revocation checking is broken and has been for some time. Whilst some vendors have sort of worked around this with proprietary solutions, there is little that smaller sites can do. OCSP Must-Staple to the rescue! Revocation checking: In the early days of the web we had Certificate Revocation Lists,…

Bug bounties and extortion

As the popularity of my services like report-uri.io and securityheaders.io has increased, they've started to attract more attention. Most of this is good, but I've recently started to experience something a little concerning. Bug bounties: I want to start off by saying that I think bug bounties are…