Archive | security

Two misconceptions about HTTPS

17 Aug

Although HTTPS is the default protocol for securing websites and web services, it is often poorly understood. These are two points that crop up in forums again and again.

Continue reading


Avoiding SQL injections using stored procedures and access privileges

8 Feb

In the previous article I showed that the only way to be sure no one tampers with your query is to use prepared statements: the statement is compiled once, with placeholders, and the values bound afterwards cannot change its structure. For people who don’t like prepared statements because of the added complexity, or who worry about their overhead for one-off queries, there is another option: stored procedures.
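To make the contrast concrete, here is an added example (not code from the original post) that builds the same login query both ways against an in-memory SQLite database with a constructed users table. The concatenated version lets a tautology payload rewrite the query; the parameterized version hands the same payload to the engine as data, so it matches nothing. The table contents, the payload and the function names are all assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data for the example; not taken from the original post.
USERS = [("alice", "s3cret", "user"), ("bob", "hunter2", "admin")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_unsafe(conn, name, password):
    """Build the query by string concatenation.

    The caller's input becomes part of the SQL text, so a quote inside it
    ends the literal and everything after it is parsed as SQL.
    """
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, name, password):
    """Bind the values as parameters.

    The statement is compiled with two placeholders; the bound values are
    only ever treated as data and cannot alter the query structure.
    """
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run the classic tautology payload through both versions."""
    conn = make_db()
    # Closes the name literal, adds an always-true condition and comments
    # out the password check ('--' starts a comment in SQLite and most dialects).
    payload = "' OR '1'='1' --"
    unsafe = login_unsafe(conn, payload, "whatever")
    safe = login_prepared(conn, payload, "whatever")
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("concatenated query returned:", unsafe)  # every row, password bypassed
    print("prepared statement returned:", safe)    # nothing
```

The same binding rule applies when the query lives in a stored procedure: calling it with a bound parameter (`CALL get_user(?)` through the driver) keeps the input as data. A procedure that splices its argument into dynamic SQL (for example with `PREPARE ... FROM CONCAT(...)`) reintroduces exactly the concatenation shown in `login_unsafe`, so check the procedure body, not just the call site.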

Continue reading

Avoiding SQL injections

3 Nov

Building (unsafe) queries

You would think that SQL injections are a thing of the past by now, as they are a well-understood and easy-to-explain class of vulnerability. In reality, though, a lot of existing and new code is still written without much thought of protecting against them. This is not so surprising, as security practices are often presented as something extra rather than being strictly enforced from the start. In addition, web pages and books are seldom up to date, given the fast-changing nature of software development.

Continue reading

The cloud might be good for something after all

1 Mar

Another day, another rant about how developers underestimate potential crackers. While I actually wanted to write a review about developing on Mac OS X versus Windows, or about the fresh install I did of Windows 8, once again I am surprised by the naivety of some developers when it comes to security measures in software.

Continue reading

How not to protect your software

14 Feb

I wrote my first (completed) software package 14 years ago. It was an animation program for creating 2.5D cut-out animation. Once it was ready for distribution, I needed a way to keep users from copying the software. Naively I opted for a simple key registration mechanism, which was defeated not long after release: a crack was out in no time.

Misconceptions about network security

6 Feb

When looking for a secure Flash protocol for our audio and video call transcoding server, we preferred supporting RTMPE (and its tunnelled version, RTMPTE), since it is more lightweight than the SSL-based variants. Users, however, did not want to use these protocols and preferred Adobe’s media protocol over HTTPS or SSL (both called RTMPS, though the latter is also known as native RTMPS). They had read online (even on Wikipedia) that RTMPE was not secure. It is hard to argue with users once they have read the “truth” on the internet. While there certainly are issues with the protocol when you don’t know what you are doing, it showed that users have a lot of misconceptions about security.