Stripe Elements data sequence diagram

Stripe.com’s Stripe Elements is a great way to handle payment card information in a way that slows down cybercreeps. It’s secure because customers only enter card numbers into Stripe-furnished iframes, never into forms on the site taking payments via Stripe. Here is the sequence diagram for how Stripe Elements handles data flow.

All secrets leak sooner or later. Ozzie’s Clear proposal does not limit damage when they leak.

Ray Ozzie, of Lotus Notes fame and more recently a Microsoft executive, has made a proposal–called Clear–to allow governments to get access to the contents of encrypted phone handsets and other mobile devices. It tasks the device manufacturers with operating a key escrow system and responding to government warrants to give out keys to individual …

Yubico FIDO U2F key quick review

A few days ago I ordered some Yubico FIDO U2F security keys, after reading that they are a useful way to help secure various online accounts and keep intruders out. These used to cost US$20 each singly and $18 each in bulk. The current (Dec 2020) product costs $24.50. They arrived, packaged inconspicuously, promptly after …

Strict liability for leaks of secrets

Can we learn anything from the past few years of leaked secrets? Sure, we can learn that some big-shot executives and elected officials are lazy and feckless. We can learn that software is brittle and needs diligent patching. We can learn that a determined person trying to exfiltrate data has a HUGE advantage over the …

Should I encrypt columns in my web application’s database?

Somebody asked whether it’s a good idea to encrypt database columns in a web application. My answer: “It probably won’t help much.” Why?

Figure out your threat model

Best practice: figure out your threat model before you spend time and money securing your system. If you build complex security measures without a clear idea of …

Cybercrooks stole my data from Equifax! What now? Credit freezes.

On September 7th, 2017, the credit bureau Equifax announced that cybercriminals broke into its company servers sometime in mid-May 2017 and stole copies of information like Social Security Numbers, driver’s license numbers, birth dates, and home addresses for as many as 143 million residents of the US. The total population is about 329 million, …