Security Archives - The Pending Draft

Eric Meyer on Content/Ad Blocking

September 22, 2015

Eric Meyer’s primer on Content Blocking is spot-on.

The ads that are at risk now are the ones delivered via bloated, badly managed, security-risk mechanisms. In other words: what’s at risk here is terrible web development.

Granted, the development of these ads was so terrible that it made the entire mobile web ecosystem appear far more broken that it actually is, and prompted multiple attempts to rein it in. Now we have content blockers, which are basically the nuclear option: if you aren’t going to even attempt to respect your customers, they’re happy to torch your entire infrastructure.

I used an Ad Blocker on desktop for a long time now, but i also have many sites set to “do not block”. These are basically all sites that respect me and treat me as a human being. And if you are a publisher, ad-provider or anyone else working in this industry and don’t respect your customers, i couldn’t care less if you’re going downhill from here and i would suggest you to go back to the drawing board as fast as you can.

Or, as Kontra eloquently phrased it on Twitter:

Then Users: Please DoNotTrack me AdTech+Publishers: Screw you Now AdTech+Publishers: Please DoNotAdBlock me Users: Screw you

— Kontra (@counternotions) September 20, 2015

Eric Meyer – Content Blocking Primer

WIRED: Researchers Create First Firmware Worm That Attacks Macs

August 4, 2015

An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.

A firmware worm that completely hides itself from the system and can spread through peripherals like Ethernet Adapters is a pretty scary thought if you ask me.

Hopefully hardware vendors will remove those vulnerabilities as fast as possible.

WIRED: Researchers Create First Firmware Worm That Attacks Macs

Facebook’s new chief security officer wants to set a date to kill Flash

July 14, 2015

Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.

— Alex Stamos (@alexstamos) July 12, 2015

Yes please!

The Verge: Facebook’s new chief security officer wants to set a date to kill Flash

Reasons to switch to HTTPS

July 11, 2015

A collection of 10 reasons why a switch to HTTPS is a good idea, for any page.

Today, however, there are more reasons than ever to switch to HTTPS — even for a news site, corporate site, or any site that doesn’t consider itself at the top of the security food chain. HTTPS adoption grew 80% last year alone, much faster than previous years, but we’re still very far from encryption being the norm.

If you’re not convinced HTTPS is right for you, or need ammo to convince your peers and bosses, here are 10 good reasons to go HTTPS.

Up until now, i was a bit hesitant to flip the switch on my own and also on client pages, mostly because i have no idea where to start and the certificates aren’t cheap. But i’m looking forward to the possibilities with upcoming free initiatives like Let’s Encrypt, which should be available by September 2015.

10 Reasons To Use HTTPS

Improving Code Quality

July 9, 2015

If you’re building things with WordPress, it’s important to deliver quality code. Especially if it’s going to be released to the public or used by a client. There’s a good post on the WPMUDEV Blog covering many aspects from HTML/CSS, JavaScript or PHP to the WordPress Coding Standards or Accessibility.

It’s a great starting point if you are unsure how to improve your code but also a good reminder for experienced developers.

Stop Cowboy Coding: 10 Tips for Improving the Quality of Your WordPress Themes and Plugins

History of WordPress Security

June 19, 2015

WPMUDEV has an interesting post about the History of WordPress Security. It’s also a good reminder to read through the WordPress.org Security white paper.

A History of WordPress Security Exploits and What They Mean For Your Site

Chris Wiegman at LoopConf on “Securing Your Code”

May 21, 2015

An interesting talk by Chris Wiegman about code security for WordPress Developers.

Securing Your Code – WordPress Security for Developers

Using Nonces to prevent Request Forgery

March 29, 2015

Put simply, CSRF is when bad guys try to trick users (usually someone with access to the WordPress dashboard) into doing something they didn’t intend to do.

This article on CSS-Tricks is the second in a series of articles about WordPress Frontend Security. In this one Andy Adams explains CSRF (Cross-Site Request Forgery) and what nonces are, how they are used in WordPress and why it’s so important that you use them.

CSS-Tricks on WordPress Frondend Security – CSRF and Nonces

CSS-Tricks – An introduction to WordPress Escaping

March 24, 2015

If you’re a WordPress developer that writes HTML/CSS/JS (which is 100% of theme developers and 99% of plugin developers), you need to know the basics of front end security for WordPress. WordPress gives you all the tools you need to make your theme or plugin secure. You just need to know how and when to use each tool.

CSS-Tricks published a good introduction to Escaping in WordPress and why it is so important. There’s no excuse anymore to not make your front end code secure.

Introduction to WordPress Front End Security: Escaping the Things

CSS-Tricks – Moving to HTTPS on WordPress

March 8, 2015

If you intend to make the move to https, there are a bunch of things you need to think about so that you don’t get any warnings and everything works smoothly. Chris Coyier shared the steps he took on CSS-Tricks to take it “HTTPS everywhere” with many WordPress specific tipps.

CSS-Tricks – Moving to HTTPS on WordPress