The security of websites was always an important topic, and in my opinion it’s still a bit neglected by some developers. We have plenty of new tools, browsers try to protect their users more and more, but still, it’s important for a developer to be clear with some basic concepts. Basics Hash Hashing algorithms are basically one way functions, where (typically) the hash(x) call is quick and easy, but its inverse is very slow and expensive - even impossible.

WebAuthn uses public key cryptography (asymmetric) instead of passwords or SMS texts for registration, authentication and 2FA.

• Protection against phishing: webauthn signatures changes with the origin, so it won’t work on “similar” webpages (with different domain name).
• Reduced impact of data breaches: it does not really matter if the public key is stolen.
• Invulnerable to password attacks: much harder to crack it by “brute force” than passwords.

• 2019, https://matrix.org/
• not the movie, but the “matrixed communication”
• open standard: spec
• non-profit Matrix.org Foundation
• decentralized
• end-to-end encryption
  • olm, megolm
  • based on Signal’s double ratchet
  • extended to support encrypted rooms
• messaging (IM, rooms, bots, even IoT devices)
• signaling (for WebRTC, VoiP, video calls)
• bridging to other IM networks (XMPP, Slack, IRC, Discord, Facebook, …)
• HTTPS+JSON based by default, but a much lighter UDP based demo was already created for ~100bps (!) networks

Why?

• DoS - Denial of Service attacks
• Brute Force attacks
  • collect customer email addresses (signup)
  • reveal username/password pairs (login)
  • send emails (contact us, gift card)

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

Data (from untrusted source) gets into the application, then this data is later displayed in the website without being properly validated/sanitized/escaped.

Modern browsers apply the same-origin policy to some resources, meaning they refuse to load or restrict access to resources coming from other origins than the loaded website. Servers can implement CORS to describe which origins are permitted to load their resources.

For some HTTP requests, browsers issue a “preflight” request (HTTP OPTIONS) to check whether the resource is available for the given origin.

PGP: Pretty Good Privacy

GPG: GNU Privacy Guard

PGP

• from 1991
• cryptographically sign/verify, encrypt/decrypt files, emails, etc.
• OpenPGP standard, RFC 4880
• key “verification” via fingerprints, Web of trust
• public/private keys