Identity and findability on the web—some personal-historical notes

November 25th, 2017

A little meditation on how it has changed for me to be a person on the web.

Read full entry »

Proposal: Default scheme-less URLs to HTTPS

October 27th, 2017

It's 2017. Most sites that I visit now support HTTPS, and even redirect to it from insecure HTTP. What does this change? I have one suggestion: Software that autolinks bare domain names as URLs should default to https:// instead of http://.

Read full entry »

An informal security assessment of Imzy (part 2)

October 25th, 2017

Welcome back. If you missed the first in this two-part series, you may wish to read the intro to that post first, because I'm just going to dive right in.

Read full entry »

An informal security assessment of Imzy (part 1)

July 6th, 2017

One of my hobbies is finding security vulnerabilities in websites—it's a relaxing way to unwind in the evening. A few months ago I asked a friend at Imzy if they'd like me to poke around. Imzy was intended as a place for online communities that don't suck. The community was in fact super nice, but unfortunately this was one of the many startups that Madeth It Not. They're shutting down soon. In any event, I had a good time and found some fun bugs.

Read full entry »

Curl, unquoted URLs, and LANGSEC

April 1st, 2017

The other day I had an unpleasant realization about curl, and how I use it. I'm going to guess most programmers have had this experience:

tim@puter:~$ curl -sS https://www.example.com/whatever?foo=bar&baz
[1] 638
bash: baz: command not found
tim@puter:~$ <!doctype html>
<html>
<head>
    <title>Example Domain</title>
...

...and immediately have the reaction "oh dammit I forgot to quote the URL", because that innocuous little ampersand is getting interpreted in bash as "run the preceding as a command in the background".

This has happened to me from time to time for years, but it was only this week that I realized how *dangerous* it is.

Read full entry »