Craig Francis – WindowsTechs.com

Attack on a string created by a developer

Posted on June 4, 2021 by Craig Francis

Go and Java have "compile time constants", and JavaScript will soon get a feature that allows "Distinguishing strings from a trusted developer from strings that may be attacker controlled" via isTemplateObject.
These al… Continue reading Attack on a string created by a developer→

Risks with OpenSSL verifying a signature with un-trusted PEM encoded public key

Posted on February 3, 2020 by Craig Francis

If a website user wants to use WebAuthn, they will start by creating a credential, where their authentication device provides a public key.

This key is encoded, and sent back to the server to store against their account.

Later, when the … Continue reading Risks with OpenSSL verifying a signature with un-trusted PEM encoded public key→