The hottest Web Security Substack posts right now

And their main takeaways
!important 43 implied HN points 13 Feb 25
  1. Malicious browser extensions can steal sensitive information like passwords and cookies. This puts users at risk of losing their accounts and personal data.
  2. In workplaces, these risks are even more serious because a breach can affect the whole organization and its customers. It's crucial for businesses to be aware of these dangers.
  3. Many security professionals need better training and tools to recognize the risks of browser extensions and to protect their systems effectively.
Rod’s Blog 59 implied HN points 21 Sep 23
  1. XSS attacks can be classified into three main types: Stored XSS, Reflected XSS, and DOM-based XSS, each with unique methods of execution and potential risks.
  2. To effectively detect and mitigate XSS attacks, it's crucial to understand common attack vectors like input fields, URL parameters, cookies, HTTP headers, and third-party scripts.
  3. A combination of Azure Web Application Firewall (WAF) and Microsoft Sentinel offers robust protection against XSS attacks, providing tools for detection, investigation, and response.
Musings about WebPKI and Public Trust 8 HN points 15 Mar 24
  1. Certificate Authorities can face incidents like misissuance or non-issuance, with misissuances often caused by human error or software bugs.
  2. The Baseline Requirements set by the CA/B Forum provide rules for dealing with certificate misissuances, including the timeline for revocation.
  3. Entrust's recent incident highlights a misissuance dilemma, where they continued misissuing certificates and refused to follow the proper revocation process, impacting thousands of Extended Validation certificates.
Thái | Hacker | Kỹ sư tin tặc 0 implied HN points 03 Jan 15
  1. The TetCon Saigon 2015 event featured topics on web security, Bitcoin, and software vulnerabilities.
  2. Speakers discussed innovative projects and tools related to anonymous messaging, cryptocurrency, and reverse engineering.
  3. The event catered to a variety of interests, from earning money through security loopholes to analyzing malware targeting activists.
Thái | Hacker | Kỹ sư tin tặc 0 implied HN points 15 Dec 14
  1. TetCon Saigon 2015 aims to provide attendees with practical experiences and the latest research insights.
  2. One talk at TetCon Saigon 2015 will discuss the Rosetta Flash attack technique that found vulnerabilities in major websites.
  3. Another talk will highlight the importance of correctly implementing TLS, showing that spending more money does not always equate to better security measures.
Thái | Hacker | Kỹ sư tin tặc 0 implied HN points 28 May 08
  1. There is a new Adobe Flash zero-day attack happening, exploiting a vulnerability that is being injected into third-party websites to redirect users to malware-laden servers.
  2. Consider using NoScript with Mozilla Firefox to block potentially vulnerable plugins like Flash, Java, Silverlight, and QuickTime, preventing exploitation of security vulnerabilities.
  3. A whitelist-based pre-emptive script blocking approach can be more effective in preventing security issues than traditional methods.
Thái | Hacker | Kỹ sư tin tặc 0 implied HN points 23 Aug 16
  1. The protocol described reduces the round trips needed to fetch web ads and involves four participants.
  2. There is a weakness in the protocol that can be exploited to serve an arbitrary ad off an important origin.
  3. The protocol consists of two main steps: provisioning and rendering, with specifics about how ads are encrypted, loaded, and displayed.