How to easily try out TUF + in-toto

I’ve been talking with a lot of people about the benefits of using in-toto and TUF together. Indeed, my reaction after saying “hey, you don’t need TUF to use in-toto” is “but they do go really well together”. I’ve done it so much that by now I have a well-rehearsed canned answer as to why they go well together. It was only a matter of will and free time (look ma! I’m a Doctor now!) before I decided to dust off this blog and share why it matters and, more importantly, how you can see it for yourself in four easy steps.


Creating a web-enabled USB drive with WebUSB

I recently got caught in the crossfire of adapting one of my projects (PolyPasswordHasher, if you’re curious) to support two-factor authentication. One of the goals I had set for the summer was to have an actual demo website on which someone could register a YubiKey and log in using PPH + HOTP (I’ll leave the reason for HOTP out of this post) without too much hassle.


Looking at the Git landscape through SHATTERED glass

A recent blog post from Google and CWI showed what many had suspected would happen soon: a practical collision attack on SHA-1 was successfully carried out. Although this is an important milestone in the history of cryptographic hash algorithms (if that’s even a thing), the practical implications are more nuanced. As with the emerging trend of branded vulnerabilities (this one is called SHAttered), the details get lost in a sea of PR-littered vacuity and witty names for vulnerabilities.

