Mastodon

Weekly Update 138

10 May 2019

After a mammoth 30-hour door-to-door journey, I'm back in the USA! It's Minnesota this week and I've just wrapped up a couple of days of Hack Yourself First workshop followed by the opening keynote at NDC followed by PubConf. All great events but combined with the burden of travel, all a bit tiring too (plus, it turns out that emails don't stop coming in when you're busy...) There's a real crypto theme to this week's update courtesy of some of the contents in my keynote, a really ridiculous article on PC Mag I came across and a lovely meeting with a few of the folks from Let's Encrypt. There's also a follow-up to the video I promised to include in this blog post...

After recording this piece, I went and checked what had changed on that PC Mag article about certs. As expected, it turns out it was just promotional content on Sectigo, specifically changing the name from Comodo and also changing some of the content. Here's a diff of the archive.org version from earlier this month versus today:

Gotta keep that "good reputation"! Still in the PC Mag article:

  1. "you're probably best off clicking away from [sites using DV certs] as fast as you can"
  2. "most modern web browsers will indicate that an EV certificate is being used by showing a green Uniform Resource Locator (URL) bar"
  3. "You usually get what you pay for"

To be clear too: archive.org shows a few edits of that article in October and November last year then nothing until the 6th of May which is the day I tweeted this:

You can see why this sort of thing is so frustrating to folks like Scott and I; imagine what it's like for people actually trying to figure out what certificate they should acquire! Anyway, all that and more in this week's update:

Listen on Apple Podcasts
Get it on Google Play
Download via RSS

References

  1. I'm doing another Hack Yourself First workshop in New York next week (we've still got tickets available for that one, kicks off on Monday!)
  2. PC Mag did an absolute hatchet piece on certificates full of disinformation and clearly motivated by commercial desires (I've linked to my tweet as the ensuing discussion makes for "entertaining" reading)
  3. Some people remain insistent on arguing about Let's Encrypt's success to the fullest extent possible (but they're easily debunked arguments, which brings me to the next point...)
  4. Let's Encrypt certs are now used by 38% of the Alexa Top 1M sites serving content over HTTPS (that's based on Scott's nightly crawler stats)
  5. There's some real upsides to having phishing sites served over HTTPS (that's Scott's piece from Jan last year)
  6. Varonis is sponsoring my blog this week (they're talking about insider threats again, courtesy of the course I made for them ?)
Weekly update
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Troy Hunt

Hi, I'm Troy Hunt, I write this blog, run "Have I Been Pwned" and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Upcoming Events

I often run private workshops around these, here's upcoming events I'll be at:

Must Read

Don't have Pluralsight already? How about a 10 day free trial? That'll get you access to thousands of courses amongst which are dozens of my own including:

  1. OWASP Top 10 Web Application Security Risks for ASP.NET
  2. What Every Developer Must Know About HTTPS
  3. Hack Yourself First: How to go on the Cyber-Offense
  4. The Information Security Big Picture
  5. Ethical Hacking: Social Engineering
  6. Modernizing Your Websites with Azure Platform as a Service
  7. Introduction to Browser Security Headers
  8. Ethical Hacking: SQL Injection
  9. Web Security and the OWASP Top 10: The Big Picture
  10. Ethical Hacking: Hacking Web Applications