Collaborate Disseminate
How does one balance security and usability when using nonces on a website?
Imagine a website where the same nonce is embedded in the page, and stored in the browser session.
If I were to replace the nonce on every page load then:
The use… Continue reading Balancing security with usability when using nonce for CSRF protection
Matt Burgess tries to only use passkeys. The results are mixed.
Continue reading On Passkey Usability
I have been looking around at various encryption schemes, and I haven’t found anything exactly like what I want in terms of user experience.
If what I want isn’t a thing, I assume it’s been thought of, but other approaches won out. So can … Continue reading Why doesn’t file/folder encryption work the way I imagine it should? Can I have the UX I want? Tell me what’s wrong with this idea
Imagine a web app that, on the login page, has a password field which does not allow user input, but just displays a client-only generated password that is reasonably strong, with a button to re-generate the password.
In this approach, ins… Continue reading Why don’t applications suggest passwords themselves?
I haven’t written about Apple’s Lockdown Mode yet, mostly because I haven’t delved into the details. This is how Apple describes it:
Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware…
Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. It’s really clever, and not the sort of attack one would normally think about.
From Ross Anderson’s blog:
We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic. We’ve verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages…
Join us on Wednesday, September 8 at noon Pacific for the Industrial Design Hack Chat with Eric Strebel! At Hackaday, we celebrate all kinds of hardware hacks, and we try …read more Continue reading Industrial Design Hack Chat
Interesting usability study: “More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication“:
Abstract: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well…
Problem
Consider a standard sign-up form (user enters an email address, we send a confirmation link).
Even limiting that form per IP (or even globally per hour), I’m concerned about abuse:
Our real-world reputation would be harmed if someo… Continue reading Let user send an email to register to prevent outgoing mail abuse
Valued at over $60 billion and used by millions each day for work and staying in touch with friends and family, the COVID-19 pandemic has helped make Zoom one of the most popular and relevant enterprise applications. On one level, its surge to the top can be summed up in three words: “It just works.” […] Continue reading Zoom UX teardown: 5 fails and how to fix them