Categories
Development Security

CSRF Is Dead, Long Live SameSite=Lax! (or is it?)

In the original version my talk “Think Like a Hacker and Secure WordPress, live on stage“, I demonstrated a Cross-Site Request Forgery (CSRF) attack. While this attack worked perfectly during WordCamp Brisbane 2019, in-progress changes to Google Chrome (version 80) are bringing about the end of CSRF. (Well, sort of…) In light of this change, […]

Categories
Security

Usernames Are Not Secrets

A common misconception that I have observed a lot online is the belief that usernames should be secret, unique and hard to guess. While there are some limited cases where having a secret username is a good idea, most of the time it has no real benefit. Usernames are not secrets and should not be […]

Categories
Development Security Tutorials

Signing Git Commits With A Keybase GPG Key

A relatively unknown and underused feature of Git is the ability to cryptographically sign commits. It is an optional feature that provides a way for the author of a commit to prove ownership. It uses the author’s GPG key to leave a signature in the commit that can be checked later. If you’re a Keybase […]

Categories
Security

Mosh and UFW, without 1000 open ports

Anyone who works with Linux servers will have used SSH. It’s the stable of server management and cannot beat a GUI.The only downside with SSH is when you’re on a slow or intermittent connection, and your SSH connection keeps droppingout or locking up. It’s not fun at all…