Well, another year is drawing to a close already and it doesn't seem like very long since I was writing my last Year in Review post for 2016. This year has passed by so incredibly quickly, largely due to just how much I've done! Here's a quick recap for 2017 and a couple of insights into what's in store for 2018!

Report URI

By far one of the biggest things on my list for this year has to be Report URI and some of the amazing things that have happened.

First and foremost has to be the launch of the commercial service after more than 2.5 years of running it for free. You can read all the details in my blog on The Next Steps for Report URI but the higlights were bringing Troy Hunt on as an investor and launcing our commercial product to grow it into a sustainable business. Alongside that I've looked at analysing massive traffic volumes on the service and we're now processing over 5,000,000,000 reports per month for our customers following another major update earlier in 2017. I'm really looking forward to where Report URI will go through the rest of 2017 and into 2018 and I'm putting every spare moment of time I have into running the service, improving it and delivering new features. We definitely have some exciting ideas that we will be launcing in 2018!

Security Headers

Another great success this year, Security Headers has seen steady growth in visitors and regular sponsors after I launched the sponsorship offering in late 2016. If you are interested in sponsoring the site, we get a high volume of traffic from a technical audience, get in touch.


As 2017 draws to a close we've smashed through 9,000,000 scans on the service and I'm really happy with how things are working out. Of course the grading has been tweaked to keep it up to date and realistic in our ever changing industry and I'm still running my regular crawls of the Alexa Top 1 Million that started out looking at the Security Headers grades of those sites. You can see the Feb 2017 and Aug 2017 reports, why I gave up on HPKP and the raw data from my crawler fleet which I now publish every day!

Media Appearances

One of the things I've been really excited about throughout 2017 is my increased exposure in the media. I've spent many months and years trying to establish a presence in the wider community as a reliable source of information and seeing that recognised in the form of media engagement is a great feeling, a sign that the hard work is starting to pay off! Some of the things I've been up to this year still amaze me even now, looking back, so here's a quick recap of some of the highlights:

I spent a little over a week in Las Vegas with the BBC where we filmed at BlackHat, BSides Las Vegas and DEF CON for 2 episodes of the BBC's flagship technology show, Click.

The hacker theme in Las Vegas all came about after I was asked to independently verify the security claims of a company called Nomx earlier in the year. Regular readers will remember Nomx, who claimed to have made the world's most secure communications protocol, and how things were not that great. I published my research that I conducted alongside Professor Alan Woodward and the subsequent findings and response from the company went from a simple independent verification to a full TV episode on Click (UK IP required) exposing them.


Following on from the Nomx and Vegas shows I've also filmed two other TV shows this year that are set to air in Jan and Mar 2018. The first was with ITV and we took over a restaurant to demonstrate how much data is available online by using OSINT to build a portfolio on people sat in the other room.




The second show was with the BBC and was another live performance of the same thing but in front of a 300 person audience! This one was filmed and will be broadcast next year too and I particularly enjoyed hiding WiFi Pineapples throughout the building!





For both of these shows I got to work alongside the awesome Zoë Rose and there could be even better things on the horizon already for 2018...




News Articles

Another awesome development this year was regular requests for comments or quotes in media articles. From just the big ones that I've been keeping track of I have over 52 mentions in articles across large outlets, more than 1 per week! You can see all of my media appearances in my media archive.



Throughout 2017 I've continued to deliver The Best TLS Training in the World via Feisty Duck. The course is authored by Ivan Ristic and there's been an increasing demand for TLS specific training throughout 2017 and I'm expecting and hoping that trend will continue into 2018. In 2017 I've delivered 59 days of training and workshops across 9 different countries!





2017 was another great year for my speaking and I managed to fit in 13 speaking engagements across 7 different countries! 2017 also saw the first year that I did a keynote talk to open a conference, which was a pretty daunting prospect but went really well. One of the awesome things about travelling so much with both my training and speaking is some of the places I get to visit.






A year full of training and speaking also means a year full of travel too, it's kind of the necessary evil to do all of the funs things in the nice places. I have to say the jet-set lifestyle looks quite glamorous from the outside but business travel is a lot bloody harder than it looks, let me tell you! This year I've racked up 43 rail journeys and 39 flights, excluding personal trips, in total, which is quite some time spent on the road.



Oh, and there was also 1 helicopter!!



This year has been another great year for blog posts with 52 blog posts published, managing to average a blog post every, single, week! There have been some geat ones too, ones I've enjoyed writing, ones that got a lot of media attention and ones that talked about cutting edge security on the web.

In 2018 we really need to look at how Revocation is Broken and consider things like OCSP Expect-Staple (which I wrote a spec for) and OCSP Must-Staple to tackel that.

In 2017 we got really Tough on Cookies and looked at how CSRF is dead.

Another big thing coming in 2018 that I can't wait for is Certificate Transparency which is going to massively change the CA ecosystem. Coupled with Certificate Authority Authorisation that I'm now tracking the usage of we are also expecting the end of HPKP.

I announced this year how I was giving up on HPKP and not long after that Chrome announced they were going to deprecate the feature, effectively sounding the death knell for the standard.

On the security research front how could we possible overlook Nomx who responded so spectacularly poorly to the discolsure they actually ended up with a whole episode of BBC Click about them! Later in the year we also heard about Sarahah, a messaging app that was less than secure.

Finaly to close out the year I had my Feb and Aug scans of the Alexa Top 1 Millions sites and I'm expecting the trends to continue upwards throughout 2018 as we continue our journey to an HTTPS only world!

Looking forward to 2018

2018 is going to be another amazing year. I already have training and speaking engagements booked throughout the year. If Report URI continues to grow as it is then we can look forward to having a healthy and profitable business. Security Headers sponsorship slots are selling out quick and I have loads of articles lined up for next year already and a few TV appearances and filming already lined up! 2017 has been epic and I can't wait for the even more epic 2018!