Monday, July 17, 2017

Quick (but telling) IE vs. Chrome Comparison

The following "perfect timing" slideshow on MSN is entertaining, so my first thought was that IE would be the best browser with which to view it.  It's *MS*N after all.  Firefox is my main browser, but I like to fire up alternatives from time to time to understand the experience (well, except for Edge which still sucks).

http://www.msn.com/en-us/lifestyle/smart-living/photos-taken-at-the-perfect-time/ss-BBEzdUL?li=BBnbcA0&ocid=UE01DHP&fullscreen=true#image=1

Boy was I wrong about IE here.  It was slow, flaky, and then started giving me "long-running script" errors and offering to stop the script for me. Even after saying yes to stop the script, the whole browser eventually locked up on me. FAIL.

Contrast that to Chrome, which was fast and worked flawlessly displaying the slideshow.

I didn't try Firefox, because I have NoScript installed and just didn't want to deal with getting the slideshow to work.


Tuesday, February 7, 2017

Let's say "TLS" instead of "SSL"

A trend I've noticed within information security circles is to use the term "SSL" even when we mean "TLS".  TLS is the newer and more secure replacement for SSL.  All versions of SSL, even the latest SSLv3 flavor, are considered to be insecure at this point.

It's a habit to say "SSL".  Our infosec minds auto-translate it to "TLS", but there are interesting, concrete reasons that the IETF chose the name TLS back in 1999.  In addition, words have meaning, and many people who don't eat, drink, and sleep security aren't up to speed on the nuances of this stuff.  This includes millions of IT personnel who are responsible for configuring servers in a secure manner.  It also includes newbies who are entering the infosec field every day.
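The distinction matters in practice, not just in vocabulary: a server or client that still permits any SSL version (or the early TLS versions) is accepting protocols with known weaknesses. As an added illustration that is not part of the original post, here is how the pinning and the audit look with Python's standard `ssl` module; `hardened_context` and `legacy_versions_permitted` are names chosen for this example, and the "weak" context is constructed here purely to show what the audit flags.

```python
import ssl

# Protocol versions that should never be negotiated any more. SSLv2 has no
# TLSVersion member in Python, so the list starts at SSLv3; TLS 1.0 and 1.1 are
# included because they are deprecated as well (RFC 8996).
LEGACY_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def hardened_context(server_side: bool = True) -> ssl.SSLContext:
    """Build a context that refuses every SSL version and TLS < 1.2.

    Pinning minimum_version explicitly is the point: it does not rely on
    whatever default the local Python/OpenSSL build happens to ship with.
    """
    purpose = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_versions_permitted(ctx: ssl.SSLContext) -> list:
    """Return the names of deprecated versions the context would still accept.

    MINIMUM_SUPPORTED means "whatever the linked OpenSSL allows", so it is
    treated as permitting every legacy version.
    """
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return [v.name for v in LEGACY_VERSIONS]
    return [v.name for v in LEGACY_VERSIONS if v >= floor]


def weak_context_for_demo() -> ssl.SSLContext:
    """Constructed example of a misconfigured context (TLS 1.0 still allowed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()),
                       ("weak", weak_context_for_demo())):
        flagged = legacy_versions_permitted(ctx)
        print(f"{label}: minimum={ctx.minimum_version.name}, "
              f"legacy versions still permitted={flagged or 'none'}")
```

Run as a script it reports that the hardened context permits no legacy version while the deliberately weak one still accepts TLSv1 and TLSv1_1. The same `minimum_version` check is a cheap thing to assert in a deployment's test suite so that a later "helpful" compatibility tweak cannot quietly reopen SSL-era protocols.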

Information security professionals can be arrogant.  If someone isn't as knowledgeable as them, then that person is called stupid. For example, application security experts tend to denigrate developers for writing insecure code.  That bothers me a lot.

Here's another example:

So people who don't know about SSL vs. TLS are not clever.  Nice.

Years ago I didn't know much about security.  I was a developer and appreciated the opportunity to learn from others.  So let us be technically accurate and use "TLS", even if it turns out to be a losing battle in the end.


Friday, January 27, 2017

Webinar - Intro to Security Testing

I haven't done much blogging for a while.  I will be doing more posts this year.  At least that's one of my new year's resolutions!  Some of my posts will be original content residing here, but others will be links to articles or posts I've done elsewhere.

I'd like to start 2017 by sharing a link to the webinar I did in 2015 that is aimed at anyone who wants to dip their toes into the world of web application penetration testing.  The webinar was for the benefit of the uTest Community, and you therefore need an account to view the webinar.  It's easy and free to sign up though.

I'm proud to say the uTest community has given my webinar a stellar rating of 4.86 stars out of 5!  If you are new to the field of manual appsec testing, I'm sure you'll find it helpful.  Pro tip: install and learn Burp Suite!

The webinar is here: 
https://www.utest.com/courses/recorded-webinar-introduction-security-testing-dave-ferguson

Enjoy.

