Scott Helme
Hacker, researcher, builder of things. Founded @securityheaders/@reporturi, Pluralsight author, BBC hacker in residence, award winning entrepreneur. Likes cars.
Jul 3, 2022 20 tweets 7 min read
Listen to that sound!!! 😮🏎💨 The Red Arrows are here ✈️
Jul 2, 2022 7 tweets 5 min read
Awesome viewing for FP3 today!! 😎
Jul 1, 2022 13 tweets 9 min read
This weekend is going to be MEGA!!
😎🏎💨🍾🥂🎉 Time for a walk around the paddocks!
Jun 30, 2022 14 tweets 6 min read
I converted my car to Flex-Fuel over the weekend! First long trip today and it’s performed flawlessly running on a high concentration of ethanol! 🌽🏎💨

The only hardware required was an Ethanol Content Analyser and the rest was done in software. Here’s the hardware kit: The ECA itself is installed on the main feed from the Low Pressure Fuel Pump on top of the fuel tank. It’s an inline sensor that reads the fuel as it passes through.
Mar 11, 2022 8 tweets 4 min read
Given the sanctions against Russia, it seems that CAs are now ceasing issuance for Russian domains and even going so far as to revoke certificates previously issued for Russian domains. Here are some for a Russian bank revoked by Thawte CA: crt.sh/?id=5828347935 Several others have been reported:
crt.sh/?id=5828347935
crt.sh/?id=6218871547
crt.sh/?id=4582341817
crt.sh/?id=2713661323
Mar 9, 2022 5 tweets 3 min read
Welcome to Reykjavík, should I resist? 😎 Driving out of the city with @stebets, this place is mega!! ❄️🔥🇮🇸
Feb 23, 2022 5 tweets 2 min read
I'm considering changing the grading criteria on @securityheaders to allow an A+ grade with a CSP that contains unsafe-inline in the style-src directive. What are your thoughts? This is largely because I've not seen any significant threats posed by inline styles, and even popular frameworks like Angular require unsafe-inline in the style-src directive: angular.io/guide/security…
Feb 21, 2022 18 tweets 13 min read
@fastly have been working on building their own Certificate Authority called Certainly. Their request to be included in the Mozilla Root Store was made in Aug last year [1]. Nothing unusual about that, but becoming a new Root CA is a *long* process...

[1] bugzilla.mozilla.org/show_bug.cgi?i… If you've attended our TLS/PKI Training [2], you'll know all about this process, but it will take a few years before the new Root CA is widely trusted.

[2] feistyduck.com/training/pract…
cc: @feistyduck @ivanristic
Dec 9, 2021 14 tweets 9 min read
It's been a while since I've had a chance to sit down and produce a report on the security of the Top 1 Million sites, but thanks to @Venafi's support, the crawler project lives on and a brand new report is out! venafi.com/blog/crawler-r… It takes a lot of resources to gather this data and a lot of time to analyse it all and write the report, so genuinely, it wouldn't have happened without them. There hasn't been a report for 18+ months so let's take a look at what changed! 😎
Dec 7, 2021 4 tweets 2 min read
Currently trying to sign in to AWS but it's borked so I decided to take a look around and found a buggy CSP. They have default-src 'none' and then specify allowed hosts, values in direct contradiction with each other.
Dec 6, 2021 4 tweets 1 min read
I'm laughing and crying at the same time because this is actually how it works 🤣😭 I also recall @zeeg once talking about customers on a $50/mo sub wanting custom legal terms / NDAs / security reviews etc... but I can't find the tweet. It'd take us years to recoup the cost of onboarding them.
Sep 29, 2021 59 tweets 15 min read
🚨🚨🚨 5 minutes until the Let's Encrypt R3 intermediate expires 🚨🚨🚨

29 September 2021 19:21:40 UTC TANGO DOWN 😅
Sep 29, 2021 4 tweets 2 min read
Working with @spazef0rze is never dull... 🤣 Sadly, this change did not pass our stringent review process.
Sep 29, 2021 11 tweets 4 min read
I bought a phone from a large retailer here in the UK and they shipped a faulty unit. These things happen, so I returned it for a refund and they got it on 6th Aug. They had no other phones of the same spec anyway so they said they were going to refund me. By 13th Aug, still no refund.
Aug 23, 2021 21 tweets 8 min read
Are you using CSP on your website? You might be getting a patent infringement notice! Buckle up 😎 scotthelme.co.uk/i-turned-on-cs… We're already working with the @EFF who will hopefully be able to support the cause here, but we need to know about other websites that have received this letter.
Nov 16, 2020 7 tweets 5 min read
@BritishGasHelp @srobertson92 A few things to help you out from your friendly British security researcher:

1) Shorter passwords are easier to remember, which is what makes them weak and easy to guess. This means it's more likely someone else will have access to it, not less likely.

2) Allowing someone to have an easy-to-remember 8-10 character password doesn't mean you need to prevent someone else from having an ultra-secure 64 character password. It's possible for both of these things to coexist, and they should.
Nov 16, 2020 5 tweets 1 min read
There's been a lot of discussion about OCSP again recently after the Apple incident caused by Big Sur. I've written up some details about what happened and thoughts for what we could/should do about it: scotthelme.co.uk/deja-vu-macos-… Apple published a support article to address the concerns raised, here are the details and my update based on their comments: scotthelme.co.uk/deja-vu-macos-…
Sep 2, 2020 9 tweets 3 min read
I'm not sure what's more worrying, that CAs have continued to issue certificates for >398 days or that I'm not surprised that it's happened... 🤷‍♂️ Imagine buying a new certificate that looks like this!
NET::ERR_CERT_VALIDITY_TOO_LONG
Apr 16, 2020 24 tweets 9 min read
The @ubnt fairy came and I couldn’t be more excited! 😝 So here we go with the build! First up was the rack. I wanted one with wheels because of where it’s going (space restricted and can’t go on the wall). Couldn’t see one I liked with wheels so I gave mine wheels!
Mar 3, 2020 30 tweets 9 min read
Let's Encrypt identified a bug in their CAA checking and disabled issuance for 2h 12m whilst they patched: community.letsencrypt.org/t/2020-02-29-c… As a result of this, Let's Encrypt will be revoking quite a large number of certificates: community.letsencrypt.org/t/revoking-cer…
Aug 16, 2019 19 tweets 6 min read
As entertaining as the whole EV thing is in some respects, I do sit back and question my own knowledge and views in the background too. A very common thing that keeps coming up in defence of EV is phishing. I did some reading and here are a few interesting things. Every piece of data I've looked at so far, including PhishLabs and the APWG, shows that phishing is on the rise and it's a massive problem. I believe and hope that everyone will agree with that, but there are interesting stats around phishing on HTTPS.