AppSec Blog: Author - Johannes Ullrich

HTML5: Risky Business or Hidden Security Tool Chest?

I was lucky to be allowed to present on how to use HTML5 to improve security at the recent OWASP AppSec USA Conference in New York City. OWASP has now made a video of the talk available on YouTube for anybody interested: http://www.youtube.com/watch?v=fzjpUqMwnoI


The Security Impact of HTTP Caching Headers

[This is a cross post from https://isc.sans.edu ] Earlier this week, an update for MediaWiki fixed a bug in how it used caching headers [2]. The headers allowed authenticated content to be cached, which may lead to sessions being shared between users using the same proxy server. I think this is a good reason to …


Developer Survey for BSides London

To prepare a talk at BSides London, Chris Riley is looking for some input from developers and managers about application security. Please take a couple of minutes to help him out: http://svy.mk/i5aV0N


Firefox 4 Security Features

Like no other release before it, Firefox 4 includes a number of significant security features. These features address attacks that are particularly hard for developers to avoid, and in which the browser, rather than the server, is the victim.


Some Thoughts About Passwords

Passwords don't work. Any password has a finite chance of being guessed. A good password is just less likely to be guessed than a simple password. But a strong password is not necessarily the one with many weird characters; it is the one that is least likely to be guessed.