Porn domain not that sexy: no rush to have .xxx

While there is huge hype surrounding .xxx domains, with companies rushing to buy them to protect their brands, the registration data tell a different story. My analysis of the 50000 most popular websites in the world shows that only 24% of them actually registered their .xxx domain.

Some insights about password shapes

Back in September 2010 at ESORICS, I presented Kamouflage, a new kind of password manager based on the following premise: an attacker cannot perform an offline attack on a password manager if he does not know how to test whether his decryption succeeded. In Kamouflage, an attacker cannot tell whether a decryption is successful because every decryption returns a set of passwords that looks plausible. Accordingly, the security of the entire scheme rests on our ability to create decoy password sets that look real. (If you would like the full description of how Kamouflage works, you can download the paper/slides from here.) To be compelling decoys, the Kamouflage passwords must mimic the passwords that human users create every day. To figure out how users construct their passwords, I extensively analyzed leaked password databases. Today, I would like to share some insights I discovered about password "shapes." More specifically, I will discuss some of the interesting metrics I computed from the RockYou database, which is, as far as I know, the largest password database ever leaked, with 32 million passwords!

45% of popular websites use a JavaScript framework

By crawling the Alexa top 100 000 websites, I found that 45% of them use a JavaScript framework, and among those that do, 28% use jQuery.

Web Security Trends 2010

Over the last few months, Jason, Baptiste and I have gathered a lot of statistics about web security to get a better understanding of how the situation is evolving and where research will be most effective. While some of these statistics have already been used in our papers or in our web security class (CS241), many of them are still unpublished. Since this kind of statistic seems to trigger a lot of interest, judging by the feedback I received while giving talks and lectures, I thought they would make a great first post for my blog's rebirth. Overall, we gathered statistics in three different directions: server security, browser security and web security awareness.
