The hottest Web Security Substack posts right now

And their main takeaways
Bite code! 1467 implied HN points 30 Dec 25
  1. ty is a very fast new type checker and LSP that gives instant editor features like go-to-definition, completions, and automatic imports, though its type checking is still beta and misses some cases.
  2. Django is moving toward modern CSRF protection using Sec-Fetch-Site/Origin headers so apps can avoid embedding CSRF tokens in forms, making CSRF handling more transparent and reducing token errors over time.
  3. toad is a new terminal AI chat UI that works with many LLM providers and offers code highlighting, editable history, and command completion to give a smooth, developer-friendly chat experience.
DYNOMIGHT INTERNET NEWSLETTER 640 implied HN points 08 Jan 26
  1. Reported percentages of vegetarians by country can be wildly inconsistent, so surprising rankings often reflect different surveys and measurement challenges rather than true differences.
  2. A domain can end up on anti-spam blocklists even without sending email or hosting malware, and the removal/verification process can be opaque and hard for individuals to navigate.
  3. Generic drug names are built from meaningful prefixes and suffixes that hint at drug class and mechanism (e.g. -ib for inhibitors, -vir for antivirals), yet there’s no single, easy-to-use comprehensive reference or visualization for the full naming system.
Rod’s Blog 59 implied HN points 21 Sep 23
  1. XSS attacks can be classified into three main types: Stored XSS, Reflected XSS, and DOM-based XSS, each with unique methods of execution and potential risks.
  2. To effectively detect and mitigate XSS attacks, it's crucial to understand common attack vectors like input fields, URL parameters, cookies, HTTP headers, and third-party scripts.
  3. A combination of Azure Web Application Firewall (WAF) and Microsoft Sentinel offers robust protection against XSS attacks, providing tools for detection, investigation, and response.
!important 43 implied HN points 13 Feb 25
  1. Malicious browser extensions can steal sensitive information like passwords and cookies. This puts users at risk of losing their accounts and personal data.
  2. In workplaces, these risks are even more serious because a breach can affect the whole organization and its customers. It's crucial for businesses to be aware of these dangers.
  3. Many security professionals need better training and tools to recognize the risks of browser extensions and to protect their systems effectively.
Musings about WebPKI and Public Trust 8 HN points 15 Mar 24
  1. Certificate Authorities can face incidents like misissuance or non-issuance, with misissuances often caused by human error or software bugs.
  2. The Baseline Requirements set by the CA/B Forum provide rules for dealing with certificate misissuances, including the timeline for revocation.
  3. Entrust's recent incident highlights a misissuance dilemma, where they continued misissuing certificates and refused to follow the proper revocation process, impacting thousands of Extended Validation certificates.
Cybersect 19 implied HN points 12 May 23
  1. Google offering .zip domains sparked outrage in the cybersec community.
  2. Intolerance for security issues can lead to positive changes in cybersecurity practices.
  3. Challenging the status quo in cybersecurity can drive improvements over time.
Thái | Hacker | Kỹ sư tin tặc 0 implied HN points 28 May 08
  1. There is a new Adobe Flash zero-day attack underway: exploit code for the vulnerability is being injected into third-party websites to redirect users to malware-laden servers.
  2. Consider using NoScript with Mozilla Firefox to block potentially vulnerable plugins like Flash, Java, Silverlight, and QuickTime, preventing exploitation of security vulnerabilities.
  3. A whitelist-based pre-emptive script blocking approach can be more effective in preventing security issues than traditional methods.
Thái | Hacker | Kỹ sư tin tặc 0 implied HN points 15 Dec 14
  1. TetCon Saigon 2015 aims to provide attendees with practical experiences and the latest research insights.
  2. One talk at TetCon Saigon 2015 will discuss the Rosetta Flash attack technique that found vulnerabilities in major websites.
  3. Another talk will highlight the importance of correctly implementing TLS, showing that spending more money does not always equate to better security measures.
Thái | Hacker | Kỹ sư tin tặc 0 implied HN points 03 Jan 15
  1. The TetCon Saigon 2015 event featured topics on web security, Bitcoin, and software vulnerabilities.
  2. Speakers discussed innovative projects and tools related to anonymous messaging, cryptocurrency, and reverse engineering.
  3. The event catered to a variety of interests, from earning money through security loopholes to analyzing malware targeting activists.