Common Authentication Implementation Risks And How To Mitigate Them

- James Hickey tl;dr: Data breaches are more common than ever. Ensuring a secure authentication system is critical to your trust with customers. Whether you build or buy your auth solution, this article offers insights into secure practices that can help keep you and your customers safe.

featured in #467


What Is Aleo, The Privacy-First Blockchain?

- Brenner Schlueter tl;dr: Aleo's data security uses zero-knowledge tech to keep information safe while enabling seamless online services. It's a game-changer for developers.

featured in #460


How I Made A Heap Overflow in Curl

- Daniel Stenberg tl;dr: Daniel discusses a significant security flaw in curl, which he describes as the "worst security problem found in curl in a long time." The vulnerability stems from a heap overflow issue related to how curl handles SOCKS5 proxy connections with overly long hostnames. Daniel explains the technical intricacies of the flaw, its origins, and the subsequent fix.

featured in #456


Shamir Secret Sharing

- Max Levchin tl;dr: “This is the story of a catastrophic software bug I briefly introduced into the PayPal codebase that almost cost us the company (or so it seemed, in the moment.) I’ve told this story a handful of times, always swearing the listeners to secrecy, and surprisingly it does not appear to have ever been written down before. 20+ years since the incident, it now appears instructive and a little funny, rather than merely extremely embarrassing.”

featured in #436


How We Roll: Multifactor

- Colin Sidoti tl;dr: Colin explains the implementation of multifactor authentication (MFA) at Clerk. Clerk provides a self-serve flow for users to configure MFA, and developers can customize it with hooks. SMS OTP is optional due to security concerns, allowing users to disable it at both the application and user levels. Clerk ensures adherence to best practices for a robust MFA system.

featured in #435


Zenbleed

- Tavis Ormandy tl;dr: “If you remove the first word from the string "hello world", what should the result be? This is the story of how we discovered that the answer could be your root password!”

featured in #434


Why Even Let Users Set Their Own Passwords?

- Hugo Landau tl;dr: Hugo argues for a rethink of the way we handle passwords, pointing out the contradictions and shortcomings of current practices. They suggest that issuing high-entropy, randomly generated passwords to users, similar to API keys or TOTP, may be more secure than the current standard of user-created passwords.

featured in #433


How Passwordless Works

- Alan Parra tl;dr: This post explains how passwordless can be implemented using modern technologies such as WebAuthn, while at the same time providing a better user experience and security than the traditional password-based approach.

featured in #423


Break Glass, Not Rules: Ensuring Compliance in Emergency Code Changes

- Dave Gaeddert tl;dr: In "break glass" scenarios, code review often gets skipped. But many compliance frameworks like SOC2 require that all changes get reviewed. PullApprove tracks these unreviewed pull requests as "bypassed" and facilitates a post-merge review process.

featured in #419


Testing A New Encrypted Messaging App's Extraordinary Claims

tl;dr: The author used reverse engineering and decompilation tactics to view the inner workings of an encryption app that was making “wild” claims, comparing its novel encryption protocol against established encrypted messaging apps.

featured in #414