Bypassing HSTS or HPKP in Chrome is a bad idea

I saw some research published at BlackHat EU recently that detailed various ways to bypass both HSTS and HPKP in a variety of mainstream browsers. It was a novel technique and seems like a viable attack vector to bypass them, which is a big problem because both HSTS and HPKP…


Malware hunting with CSP

I recently had some great fun using CSP in a way that I've been really excited to talk about. We are starting to utilise the full power of CSP reports to find a way to hunt down malware infected endpoints on a corporate network! Building on previous work I have…


Tracking CAA usage

We recently saw the introduction of one of many new technologies becoming available to site owners to secure themselves in the form of Certificate Authority Authorisation, or CAA. Let's take a look at just how many sites are using it. Certificate Authority Authorisation You can read more on my blog…


Our journey to a HTTPS only world

Right now the entire Internet is taking a journey and our destination is a world where the only connection used to load a site is a secure one. We've come a long way, yes, but we still have a long way to go. The beginning In the beginning the Internet…
