Security Briefs
- In the first version of CardSpace (the one that shipped with Vista), the focus was on building an identity selector that put the user at the center of the transaction. With v2 on the horizon, it feels like the emphasis is changing. No longer do I hear...
- As I pointed out in my last post, in corporate federation scenarios, we don’t need to put the user at the center of the transaction. In these scenarios it’s not her personal information being shared, but rather a corporate identity that’s attached to...
- My first introduction to this term involved reading Kim Cameron’s article, where he defined it. That article lists seven laws of identity, which make it clear that the user should be at the center whenever identity about her is revealed to a relying...
- Today I’m wrapping up an update to the whitepaper for the .NET Access Control Service (ACS), which now includes an AtomPub management interface. I wanted to explore this a bit, and found that browsers didn’t work well since these Atom documents have xml...
- Thanks to those of you who attended my talks last week in London. The ASP.NET Attack and Defence talk covered SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). The first two have downloadable demos and labs as part of...
- Eric is one of our newest instructors, and he’s got a new blog on our website. Here’s what he’s got to say about himself: “Eric Burke is a member of the technical staff at Pluralsight, where he focuses on WPF and Silverlight. Eric is also a Principal...
- Passwords suck. But we're stuck with them for a while. This little series of articles is my attempt to explore how you can implement a password store and login page that makes the best of it. A typical web app that has a user name/password store...
- This paper by Charles Miller has been around for a while (2002), and I only now happened across it while gathering resources for my smarter password management series. A couple of quotes will give you a feel for the practicality and style of the paper...
- I've been thinking a lot lately about password management. I'm not talking about how a user manages the myriad of passwords she's stuck with, but rather how a system (e.g., a website) should go about accepting, storing, and protecting the...
- I've been getting a bit behind on my blog reading. So the other day, I took it upon myself to read some older posts on some of my favorite blogs. And a couple of items resonated with me enough that I decided to take some action. This recent item from...
- From Coding Horror, originally from CWE/SANS, this is a list that every developer should review from time to time. If you work on software in any capacity, at least skim this list. I encourage you to click through for greater detail on anything you're...
- I just fired up my first WPF project since I installed VS 2008, and IntelliSense wasn't working in my XAML files. Like many other graybeards, I prefer to edit XAML files in the XML editor, rather than the designer. But I can't live without IntelliSense...
- I recently published Self-Cert, a tool that makes it really easy to generate self-signed certificates using the CryptoAPI. What's nice about it is that it has a .NET class library underneath it that makes it easy to do this programmatically from...
- Mike Woodring sent me an email today. He was concerned that a website that he frequents wasn't doing such a good job storing passwords. He pointed out that by clicking a button, you could get your password emailed back to you. After talking with someone...
- IIS is currently rejecting self-signed certs made with the Self-Cert tool. Actually, you can install the cert into IIS, but when a client connects, IIS will refuse to set up the SSL tunnel. So far I believe the problem is that my certs aren't getting...
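Several of the items above (the "Passwords suck" series, the post on how a system should accept, store and protect passwords, and the site that could email a password back to its owner) circle the same point: a login store should hold only a salted, slow, one-way digest of each password, so that there is no plaintext to leak or to email. The following is an added example of such a store, written for this page in Python rather than on the .NET stack the posts target; it is not code from the original posts. The class and method names (PasswordStore, register, verify, begin_reset, finish_reset) and the constructed sample users are this example's own assumptions.

```python
"""
Added example (not from the original posts): a minimal user name / password
store that keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest.

What it demonstrates:
  * the plaintext password is never stored, so a "forgot password" feature
    cannot send the old password back; it can only issue a single-use reset
    token (the failure mode in the Mike Woodring item above),
  * each user gets a fresh random salt, so two users with the same password
    get different digests and a precomputed table is useless,
  * verification does the same amount of work for unknown users and compares
    digests in constant time, so timing does not reveal which names exist.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Work factor. Tune so one derivation costs a noticeable fraction of a second
# on your hardware, and raise it over time; it is stored per record so old
# records keep verifying after the default changes.
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST = "sha256"


@dataclass
class Record:
    salt: bytes
    digest: bytes
    iterations: int


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted one-way derivation; the only form in which a password is kept."""
    return hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)


class PasswordStore:
    def __init__(self) -> None:
        self._users: Dict[str, Record] = {}
        self._reset_tokens: Dict[str, str] = {}   # token -> user name, single use

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)              # unique per user
        self._users[user] = Record(salt, _derive(password, salt, ITERATIONS), ITERATIONS)

    def verify(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            # Burn the same work for an unknown name so timing does not leak existence.
            _derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
            return False
        candidate = _derive(password, rec.salt, rec.iterations)
        return hmac.compare_digest(candidate, rec.digest)   # constant-time compare

    def begin_reset(self, user: str) -> Optional[str]:
        """Issue a single-use reset token; nothing about the old password is revealed."""
        if user not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = user
        return token

    def finish_reset(self, token: str, new_password: str) -> bool:
        user = self._reset_tokens.pop(token, None)    # pop: the token cannot be replayed
        if user is None:
            return False
        self.register(user, new_password)             # fresh salt, fresh digest
        return True


if __name__ == "__main__":
    # Constructed sample users, not real credentials.
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")
    store.register("carol", "correct horse battery staple")
    print("login ok:", store.verify("alice", "correct horse battery staple"))
    print("same password, different digests:",
          store._users["alice"].digest != store._users["carol"].digest)
    token = store.begin_reset("alice")
    print("reset applied:", store.finish_reset(token, "a new passphrase"))
    print("old token replay rejected:", not store.finish_reset(token, "x"))
```

The token in begin_reset stands in for whatever out-of-band channel (email link, SMS) the real site uses; the point is that the only thing the store can hand out is a fresh, single-use credential, never the stored secret. In a real deployment the tokens would also carry an expiry and the reset handler would require the token to match the account being reset.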