Creator of @haveibeenpwned. Microsoft Regional Director. Pluralsight author. Online security, technology and “The Cloud”. Australian.
Aug 11, 2018 • 11 tweets • 4 min read
I've had a heap of people pointing me to this post by @meyerweb and I want to add some thoughts in a tweet stream. Start by reading the post because it really is excellent and should remind us all of how different things are in other parts of the world.
I want to make sure people don't see this as a reason not to do HTTPS so I've had a good chat to @meyerweb and want to put a few things in context. The first is this: caching in this fashion is the very definition of a "man in the middle" and has serious privacy ramifications.
Jul 16, 2018 • 13 tweets • 3 min read
I've had a heap of press and individual queries on Australia's #MyHealthRecord over the last week. This is essentially centralised electronic health records that everyone will get unless explicitly opting out. Here are my thoughts:
Firstly, we need to acknowledge there are upsides and downsides; I want the right people to have my health info should they need it (especially in an emergency), but clearly I don't want that info falling into the wrong hands either.
Jul 1, 2018 • 15 tweets • 4 min read
Alrighty, let's tear this apart because the FUD from the CA Security Council is deafening. We'll start with this short video:
The CASC includes some of the world's largest commercial certificate authorities and is pushing hard to drive the adoption of EV certs in an era where it's increasingly hard to make any money from DV.
Jun 27, 2018 • 7 tweets • 4 min read
Crunch time: Pwned Passwords is getting big so I have to look at costs. Over the last week, I've served over 54M requests to the service from a rapidly growing number of consumers.
However, @Cloudflare has fielded 92% of those for me and @AzureFunctions has only had to process just over 4M of them. It's done that in an average time under 30ms and a 50th percentile of 22ms. There have been no failures.
May 19, 2018 • 15 tweets • 5 min read
I've seen some absolutely crazy comments on the debate about changes to HTTPS indicators and EV over the last few days to the point that I've actively muted discussions that have gone off the rails. Let me shine a critical light on the whole thing:
Google is not trying to break the web by pushing for more HTTPS. Neither is Mozilla and neither are any of the other orgs saying "Hey, it would be good if traffic wasn't eavesdropped on or modified". This is fixing a deficiency in the web as it has stood for years.