Are you using CSP on your website? You might be getting a patent infringement notice! Buckle up 😎 scotthelme.co.uk/i-turned-on-cs…
We're already working with the @EFF who will hopefully be able to support the cause here, but we need to know about other websites that have received this letter.
If you're legally and/or technically minded, perhaps you could take a look over the letter being sent out: drive.google.com/file/d/1p63IJ6…
There are more details in the longer "Patent Infringement Outline", including a few interesting... descriptions... of how a web browser and web server work! drive.google.com/file/d/12yXB1o…
I used my Crawler.Ninja project to look for sites using a CSP nonce and I came up with 1,400+ with a quick query. There are likely many more due to limitations in the crawler: drive.google.com/file/d/1fOnMs3…
You can also join the discussion on HN: news.ycombinator.com/item?id=282744…
Quite a few people have suggested this, so maybe we can ask @eastdakota if this would qualify for Project Jengo? I'm not aware of any action with the US patent yet, but the patent exists!
Prior art for a CSP Nonce back in 2005? 😇
I've now got a copy of the 'Scriptlock Integration Guide' which details how the product works and how to integrate it into your site. I'd be interested in some views on this: drive.google.com/file/d/1othVhW…
Well, it seems this issue isn't over after all, or at least the company haven't let it go... They did apologise and gave a nice story to @TheRegister, but it seems they're now targeting me:
The apology tweets have been deleted and none of the companies I've spoken to have received this apology letter yet either. Not only that, I've had a couple of complaints sent directly to me too!
The first one is for sharing a copy of the letter the company sent out. The complaint was made under the GDPR as the signature in the letter "constitutes personal biometric data" of Mr W. Coppock! I need to redact the signature or remove the letter: drive.google.com/file/d/1p63IJ6…
The second was a DMCA takedown notice served to Google for the Patent Infringement Outline PDF that I also shared. Google have removed the file: drive.google.com/file/d/12yXB1o…
The Patent Infringement Outline is still publicly available on the original link from their own website, however, so if you'd like to see it, you can still head over there: scriptlock.com/resources/pate…
Also, the Internet Archive have crawled and archived a copy of the PDF file here: web.archive.org/web/2021082405…
IANAL but "Fair Dealing" in the UK allows for "Criticism, review and reporting current events" and "Fair Use" in the US allows "criticism, comment, news reporting, teaching, scholarship, and research". It seems like the DMCA takedown was made in bad faith and I'll be fighting it.
Turns out he went after my tweets too but @Twitter didn't see an issue so they remain! 🤣
@Twitter There's a document here filed 20 Jul 2011 that contains the same signature and is a matter of public record, so I don't know why he's so bothered about this one 🤷‍♂️
…te.company-information.service.gov.uk/company/076508…
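As an added illustration of the crawler query mentioned earlier in the thread (example code written for this page, not Crawler.Ninja's code or the thread author's, with constructed sample headers rather than real crawl data): a small JavaScript checker that parses a Content-Security-Policy response header the way a browser does, reports whether script execution is gated on a nonce, flags nonces shorter than the 128 bits the CSP Level 3 spec recommends, and counts which of a set of hosts would be picked up by a "uses a CSP nonce" query. The host names and header values in `SAMPLES` are assumptions made for the example.

```javascript
// Added example, not code from the thread: detect nonce-based CSP policies
// from the Content-Security-Policy header. Sample data below is constructed.

// Parse a CSP header value into a Map of directive name -> source list.
// Directives are separated by ';', tokens by whitespace; directive names are
// ASCII case-insensitive and browsers keep only the first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A nonce source looks like 'nonce-<base64 or base64url>' including quotes.
const NONCE_RE = /^'nonce-([A-Za-z0-9+\/_-]+=*)'$/;

// Decoded length of a base64 string in bytes, without a decoder dependency.
function nonceBytes(b64) {
  const stripped = b64.replace(/=+$/, '');
  return Math.floor((stripped.length * 6) / 8);
}

// Analyse the directive that governs script execution: script-src, falling
// back to default-src when script-src is absent, as browsers do.
function analyseCsp(header) {
  const csp = parseCsp(header);
  const sources = csp.get('script-src') ?? csp.get('default-src') ?? [];
  const nonces = [];
  for (const src of sources) {
    const m = NONCE_RE.exec(src);
    if (m) nonces.push({ value: m[1], bytes: nonceBytes(m[1]) });
  }
  return {
    usesNonce: nonces.length > 0,
    // CSP3 recommends at least 128 bits (16 bytes) of entropy per nonce.
    weakNonce: nonces.some((n) => n.bytes < 16),
    // 'strict-dynamic' only changes behaviour when a nonce or hash is present.
    strictDynamic: sources.includes("'strict-dynamic'"),
    nonces,
  };
}

// Emulate the crawler query: which hosts serve a nonce-gated script policy?
function countNonceSites(headersByHost) {
  return Object.entries(headersByHost)
    .filter(([, header]) => analyseCsp(header).usesNonce)
    .map(([host]) => host);
}

// Constructed sample responses keyed by a hypothetical host label.
const SAMPLES = {
  nonceSite: "default-src 'self'; script-src 'self' 'nonce-KpQ1yXvG3k4Zt9uPRsLmAw==' 'strict-dynamic'",
  weakNonce: "script-src 'nonce-abc' 'self'",
  noNonce: "default-src 'self'; script-src 'self' https://cdn.example",
  defaultOnly: "default-src 'nonce-AAAAAAAAAAAAAAAAAAAAAA=='",
};

for (const [host, header] of Object.entries(SAMPLES)) {
  const r = analyseCsp(header);
  console.log(host, 'nonce:', r.usesNonce, 'weak:', r.weakNonce, 'strict-dynamic:', r.strictDynamic);
}
console.log('hosts using a CSP nonce:', countNonceSites(SAMPLES));
```

A real crawl has to fetch the header for each host (and also look at `<meta http-equiv="Content-Security-Policy">` tags, which this checker ignores), so the count a header-only crawler produces is a lower bound, which is the same caveat the thread gives for its 1,400+ figure.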