Check Users Passwords during Registration/Login

Troy Hunt has published the hashes of 306,000,000 passwords that have appeared in breaches, and has exposed them as a web service.

https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/

Awesome!

This lets you tell a user whether a given password has appeared in a breach. You send the service a hash of the password, and Troy’s web service responds with whether that hash has appeared in a breach.

Why is that useful? You can proactively inform users if their password has been breached (and recorded in haveibeenpwned) at either registration or login. You may want to block users from using that password, or you could just warn them.
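As an added example (not code from the original post or from Troy Hunt’s service), the check described above in Python: hash the candidate password with SHA-1 as the service expects, look the hash up, and apply the block-or-warn policy. It assumes the range form of the lookup, GET https://api.pwnedpasswords.com/range/{first five hex characters}, which returns only hash suffixes with counts so the full hash never leaves your server; the response used below is constructed, and fetch_range (the real HTTP call) is an assumption about the network side and is not exercised by the sample.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Added example; not from the original post or the service's own code.
# Assumed lookup: GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# returning lines of "<remaining 35 hex chars>:<count>".


def password_hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password (upper-case hex) and split it into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the server doing the check."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Network side (assumption; not exercised by the constructed sample below).
    urlopen raises on a non-2xx response, so callers decide whether to fail open or closed."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the "SUFFIX:COUNT" lines into a dict, ignoring blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appeared in the breach corpus (0 = not seen)."""
    prefix, suffix = password_hash_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def registration_decision(count: int, mode: str = "block") -> str:
    """The policy from the post: block a breached password outright, or just warn."""
    if count == 0:
        return "accept"
    if mode == "warn":
        return "warn"
    return "block"


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6).
# The other suffixes and all counts are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    ),
}


def constructed_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed response offline."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-9x"):
        n = breach_count(pw, constructed_fetch)
        print(pw, n, registration_decision(n, "block"), registration_decision(n, "warn"))
```

Wire breach_count into the registration and login handlers with the real fetch_range; on a service error the safe choice for registration is usually to let the password through and log the failure rather than lock users out.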

This server could not prove that it is … its security certificate is from [missing_subjectAltName]

Yesterday, I had a working development site suddenly start throwing SSL errors:

The error message was:

This server could not prove that it is [Server Name] its security certificate is from [missing_subjectAltName]

Huh? What broke this?

Well, it turns out that Chrome had updated to Chrome 58, which removed support for the “Common Name” field. Instead, we’re supposed to use the “Subject Alternative Name” (SAN) field. That’s unfortunate; the IIS ‘Create Certificate Request’ option we’d used resulted in a certificate with no Subject Alternative Name field. That could be a result of how it was handled – I didn’t create the certificate – but it looks like Windows MakeCert doesn’t handle Subject Alternative Names either, so I wouldn’t be surprised if this is a general Windows issue.

The SSL cert continued to work without a SAN just fine in IE, but Firefox and Chrome now demand it, and so were throwing SSL errors.

Now, it seems that the Subject Alternative Name is what we’re actually supposed to use, and that publicly trusted certs have used both fields for years – but in our development server, using our own CA, that wasn’t the case.

See How to Request a Certificate With a Custom Subject Alternative Name.

Minifying JS – Skip removing line numbers?

I’m a big fan of App Insights, and I’m loving its increasing integration with Visual Studio. To me, it’s just great.

However, I did find myself laughing a bit at this. App Insights was recording JavaScript errors from a (third party’s) .JS file.

[Screenshot: App Insights JavaScript error report]

This is showing an error on Line 93. The thing is, the file has been minified – and all the code in the file is on line 93.

Hmm. All this would save is a couple of hundred bytes over the wire. I’m just not sure it’s worth it for most of the projects I work on. I think I’d rather keep the newlines in (albeit otherwise minified), so that line numbers in error reports still mean something.

To be honest, we’d save more space by stripping out the 92 lines of licensing information above the code. I’m not sure that shouldn’t live in a separate text file, with just a comment in the script referencing the licence information.

Interesting Links – The Unwise Cakes Edition

My interesting links email is something I send out to my colleagues, well, when I’ve found stuff of interest.

Interesting Links – The ‘Oh God, not Mongo’ edition

My interesting links email is something I send out to my colleagues, well, when I’ve found stuff of interest.

“On two occasions I have been asked, ‘Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?’ I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.”
– Charles Babbage

To be honest, I now believe we should not be building sites which aren’t served over HTTPS. It’s more secure, faster, ranked higher in Google search results, and Chrome won’t mark it as insecure. ‘Nuff said.

Subresource integrity (SRI) – and why it needs failover.

When building websites, significant performance gains can be made by using files from a Content Delivery Network (CDN). CDNs usually have nodes much more local (physically) to a visitor, and common files used across many sites (such as jQuery, bootstrap, etc.) may even be already in the visitor’s cache.

However, if you’re using a file from a CDN, well, you don’t really control it. Someone could change it, for honest or nefarious reasons – and your site would still load that resource and try to use it.
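As an added example (not code from the original post), here is the build-time side of SRI in Python: compute the integrity value a browser will check the CDN file against, show the comparison the browser makes, and emit a script tag whose onerror handler loads the same file from your own origin when the check fails or the CDN is unreachable, which is the failover the post argues for. The library content, CDN URL and local path are constructed for the example.

```python
import base64
import hashlib
import hmac
import html
import json

# Added example; not from the original post. SRI permits sha256, sha384 or sha512,
# written as "<algorithm>-<base64 digest>" in the integrity attribute.
ALLOWED = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Integrity value for the exact bytes you expect the CDN to serve."""
    if algorithm not in ALLOWED:
        raise ValueError(f"SRI does not permit {algorithm!r}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """The check the browser performs: recompute and compare. False means the
    resource is refused, which is exactly why a fallback is needed."""
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in ALLOWED:
        return False
    return hmac.compare_digest(sri_hash(content, algorithm), integrity)


def script_tag_with_failover(cdn_url: str, local_url: str, content: bytes) -> str:
    """integrity pins the CDN copy; crossorigin is required for SRI on cross-origin
    resources; onerror fires on a failed check or a down CDN and loads the local copy."""
    integrity = sri_hash(content)
    fallback_js = (
        "var s=document.createElement('script');"
        f"s.src={json.dumps(local_url)};"
        "document.head.appendChild(s);"
    )
    return (
        f'<script src="{html.escape(cdn_url, quote=True)}" '
        f'integrity="{integrity}" crossorigin="anonymous" '
        f'onerror="{html.escape(fallback_js, quote=True)}"></script>'
    )


# Constructed stand-in for a third-party library file.
CONSTRUCTED_LIBRARY = b"window.demoLib = { version: '1.0.0' };\n"

if __name__ == "__main__":
    tag = script_tag_with_failover(
        "https://cdn.example.net/demolib/1.0.0/demolib.min.js",  # constructed CDN URL
        "/static/vendor/demolib.min.js",                          # constructed local copy
        CONSTRUCTED_LIBRARY,
    )
    print(tag)
    pinned = sri_hash(CONSTRUCTED_LIBRARY)
    print("unchanged file accepted:", verify_sri(CONSTRUCTED_LIBRARY, pinned))
    print("modified file accepted:", verify_sri(CONSTRUCTED_LIBRARY + b"// tampered\n", pinned))
```

The local copy must be byte-identical to the version the hash was taken from, and the integrity value has to be regenerated whenever you bump the library version; a pinned hash that no longer matches the CDN file is itself a failover event rather than an outage only if the fallback is in place.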