Can a website’s privacy policy be made more effective by incorporating it into company bylaws?

I’m concerned primarily about the US, but also UK and Germany.

Is there any way to give a privacy policy greater trust, and more effectiveness, by somehow binding it to a company’s bylaws with the state?


Is there any security difference between login via iFrame, Pop-up, or redirect?

There seem to be a number of techniques to authenticate a person on the web. Most commonly there are

Javascript Pop-ups (Google, Firefox Persona, Disqus, etc)
HTTP Redirects (OAuth, Facebook)
IFrames, with sandboxing set …

How can I prove that I adhere to stated privacy policy? What audits are effective for voluntary compliance?

I have a website and mobile app that doesn’t store data or PII.

Suppose I’m not subject to any special privacy laws. How can I voluntarily submit myself to an audit to ensure that I’m acting true to my word?

What regulati…

How does "Unlock your Mac with Apple Watch" work? What should I consider in the Enterprise?

macOS on 2013 and newer Macs has the following setting at the bottom in System Preferences:

Question

How does “Allow your Apple Watch to unlock your Mac” work?

From what I’ve seen, it has a dependency on iCloud, as m…

What are the correct Nuget commands to see if newer packages (with security fixes) are available?

I need to scan a number of websites’ packages.json and see what Nuget updates are available, and to determine if any security vulnerability was patched by that version.

I understand that security information may not be immed…

How does the use of Microsoft-branded Azure products affect my privacy policy?

I have an existing on-premises infrastructure which I’m considering moving to Azure. On that platform, there are products that enhance my security, presumably by collecting metadata (IP, session, etc.).

Right now I have a priv…

In the context of FIDO U2F, when is a new ephemeral key reused, or cached?

I’m reading this paper from Yubico on Universal Second Factor and OpenID Connect and see the description about ephemeral keys.

I’m confused on when an ephemeral key is used, and under what conditions they are cached.

From the Yubico document:

Page 7:

U2F does have a trust chain similar to the certificate authorities found in traditional PKI, but this is not tied directly to the key pairs issued by the U2F device. Instead, this trust chain is tied to the device’s identifier certificates. These device certificates are used alongside the ephemeral keys to identify the device itself (or a batch of devices), allowing knowledgeable RPs to make informed decisions about which device manufacturers they are willing to accept.

Page 9:

Why would such caching systems be widely used when they clearly subvert a fundamental aspect of the security components? A system that constantly prompts a user for the same PIN again and again is likely to be ignored or rejected by users annoyed at the constant prompting. The use of a credential cache is often considered a reasonable tradeoff. However, the U2F design avoids having to make this tradeoff decision in the first place by explicitly declaring that the ephemeral keys are used to identify the device alone.