Semper fudge.

Tag: security

Implementing Public Key Pinning

While HPKP — which helps reduce the attack surface for man-in-the-middle attacks against HTTPS traffic — is only supported in a very small handful of recent Chrome and Firefox builds, it never hurts to get ahead of the curve. Especially when it comes to your site’s security.

WPScan Licensing

It looks like the WordPress security tool WPScan is looking to move away from the GNU GPL license for their software. That’s rather unfortunate, but after reading about companies trying to repackage and sell WPScan as their own work, I totally get where they’re coming from.

Chasing these companies takes time, sometimes a whole day of emails back and forth arguing the intricacies of the GNU GPL while they try and weasel their way out of complying to our license. This takes a lot of my time away from the important stuff, working on WPScan and the WPScan Vulnerability Database. Because of this I decided to add a clause to the license. If you want to sell WPScan you can pay for a commercial license, otherwise you can use it under the GNU GPL.

After a few months with this license it was pointed out to me that the GNU GPL does not allow these kind of clauses. What some individuals and companies decided was a ‘loophole’.

Their new (proposed) license has been posted as a Gist — which I’ve embedded below — and the developers are welcoming feedback.

If you’re schooled in Public/Open Source software licenses and are interested in the future of WordPress security tools, go leave a comment!

MyFitnessPal doesn’t use HTTPS

When logged into MyFitnessPal, all of the pages transmit over insecure HTTP. Everything you eat, your body measurements, your daily activity, and any activity imported from third party services are all transmitted insecurely over HTTP. If you’re on a public wi-fi network, anyone can easily intercept this private health information.

Even worse, if you manually change the logged-in URL from insecure HTTP to secure HTTPS, MyFitnessPal forces you back onto insecure HTTP.


Ew. Guess it’s time to switch to Lose It! then…

P.S. HTTP Shaming is full of some pretty surprising — and utterly heinous — behavior from companies & organizations that should know better. 


While JSDetox is great for ripping through JavaScript malware, it doesn’t really handle obfuscated PHP. Fortunately, the gang at Sucuri has set up DDecode to process (and act as a sort of a pastebin for) those nasty little bits of PHP code.

Powered by WordPress & Theme by Anders Norén