Browse Blog Posts by Tags

- Thanks to those of you who attended my talks last week in London. The ASP.NET Attack and Defence talk covered SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). The first two have downloadable demos and labs as part of my input validation module series. I don't yet have...
- I've been thinking a lot lately about password management. I'm not talking about how a user manages the myriad of passwords she's stuck with, but rather how a system (e.g., a website) should go about accepting, storing, and protecting the password she chooses to use with that system. Face...
- From Coding Horror, originally from CWE/SANS, this is a list that every developer should review from time to time. If you work on software in any capacity, at least skim this list. I encourage you to click through for greater detail on anything you're not familiar with, or that piques your interest...
- I recently published Self-Cert, a tool that makes it really easy to generate self-signed certificates using the CryptoAPI. What's nice about it is that it has a .NET class library underneath it that makes it easy to do this programmatically from managed code as well. The code is currently using...
- Mike Woodring sent me an email today. He was concerned that a website that he frequents wasn't doing such a good job storing passwords. He pointed out that by clicking a button, you could get your password emailed back to you. After talking with someone at the website, he discovered that at least...
- IIS is currently rejecting self-signed certs made with the Self-Cert tool. Actually, you can install the cert into IIS, but when a client connects, IIS will refuse to set up the SSL tunnel. So far I believe the problem is that my certs aren't getting an Authority Key Identifier extension (CertCreateSelfSignCertificate...
- It's a bit of a pain to create self-signed certs using MAKECERT. So here's a GUI-based tool that uses a combination of the .NET Framework and the CryptoAPI to create self-signed X.509 certificates. And it's factored so that you can use the underlying library standalone; you can easily create...
- Today I spent some time exploring WLID's new SDK that allows you to support WLID authentication in a website of your own. I got it working pretty quickly in a test website, and it works quite nicely. So now I'm a bit curious. There's a section in the Introduction to Windows Live ID that talks...
- Over the last couple of years, I've worked on websites that support both HTTP and HTTPS, and it's always tricky to find a balance between security and usability. Dominick wrote an excellent article about this a while back, suggesting that allowing ASP.NET to make the choice between HTTP and HTTPS...
- For those who didn't attend PDC, the Zermatt identity framework has been re-code-named Geneva Framework so that it fits in with the Geneva family of products. Geneva Framework: a .NET class library called Microsoft.IdentityModel (basically it's an updated Zermatt). Geneva Server: This is essentially...
- Chris Sells used to poke fun at me when we worked together in my former life. He used to call my security class "Essential Access Denied". His point was a good one: when they aren't applied carefully, security countermeasures often just get in the way of getting work done. I don't...
- I've always looked at security questions used to automate user password recovery with quite a bit of skepticism. What's the point of requiring strong passwords if you allow anyone to reset the password on an account by answering a (potentially inane) question? And just how many good security...
- I'm about to embark on a mission to get Zermatt integrated into pluralsight.com as our single-sign-on solution, and a big part of that is getting our Community Server installation wired into that. I'm curious if anyone else has seen any work being done in this area, or if I'll be the first...
- We recently updated our website and some links have broken as a result. Here's the place you should go to get the latest version of Password Minder: http://mercury.pluralsight.com/tools.aspx Sorry for any inconvenience!
- Updated on Nov 26, 2008: Zermatt has been renamed to Geneva, and links have changed. See this post for details. For a couple of years now, I've been giving talks about "claims-based identity" and "claims-aware applications". The most concrete example of a claims-based identity...