Information Security

HSTS preload list: Pending Submission

So I finally got around to setting up headers for a 301 redirect HSTS for my site. What does that mean? It means that hopefully some time soon, chronology.no will be added to Chrome’s  HTTP Strict Transport Security (HSTS) preload list, i.e. it will be hardcoded into Chrome as being an HTTPS only site.

In simpler terms: From now on, you’ll only be able to access any resources under the domain chronology.no using https, i.e. with encryption and authentication.

Great! Now all I need is a little more content on my site!

PS: You can check if the submission has been accepted here.

MasterCard’s new biometric security

I came across this announcement today. Apparently Master Card is applying biometrics in an attempt to make online shopping faster and safer. My impression of the current state of biometrics is that it is not great. Some technology may be considered reliable (a relative term in any case), but it is generally expensive, and typically consists of invasive things like retina scanning, which requires a person to physically lean close or right up to a specialized piece of equipment. General consumer technology like the fingerprint scanners on phones and the like are easily fooled, and may give a false sense of security.

So what is Master Card using? Well according to articles from biometricupdate.com and mobileworldlive, they’re experimenting with fingerprint scans and short video shots of faces (facial recognition) as replacements for passwords when authenticating payments. CNN Money has this video demonstrating the facial recognition solution.

The motivation behind this is to make security less of a hassle for customers, to keep them from abandoning purchases at the final step. I think this  is an interesting and admirable effort, and the solutions seem pretty cool. A number of questions come to mind though:

Continue reading

Getting into InfoSec

Over the last year or so, I’ve grown more interested in information security, both technical aspects like cryptography and pen testing, and more organizational issues, like governance, risk management and compliance.

This is obviously a huge field with lots of challenges, and one in which come constantly and quickly. I’m adding this category to my site as a place to muse over and share some of the things I read and learn along the way.