Security – Amanda Unvarnished

· 7 Iyyar 5781 (Monday 19 April 2021) · 1 minute to read

Proposal: Treat FLoC as a security concern (Make WordPress Core)

Google is rolling out Federated Learning of Cohorts (FLoC) for the Chrome browser. TL;DR: FLoC places people in groups based on their browsing habits to target advertising. Why is this bad? As the …

I’m responding to this on my own site because I can’t get the interface on the Make blog to do the click right when attempting to reply over there.

I 100% agree with this proposal. Users can only choose to opt in or out if they’re able to make an informed decision about this, and for better or worse, they can’t do that. I’m pretty sure Google will market this as some sort of user-beneficial feature, assuming they tell non-technical users anything at all about this. WordPress, according to its own “bragging”, (I’m using that loosely), powers something like 40% of the web. We can’t continue as a project to pretend we have no impact on it.

read

VPN – a Very Precarious Narrative

Amanda CAARSON

· 3 Nisan 5779 (Monday 8 April 2019) · 1 minute to read

VPN - a Very Precarious Narrative by Dennis Schubert

A very long article about commercial VPNs, their marketing strategies, and the truth behind their privacy and security claims.

[…] another worrying aspect of today’s market of VPN services is the large amount of misinformation end users are exposed to, which makes it hard for them to properly tell apart vague and bold claims typical of product advertisement campaigns with actual facts.

That quote is four years old, and just as relevant today as it was when it was written. The article I’m linking here does a really good job explaining what a VPN (virtual private network) is and what it is not, and it makes sure to use as few technical terms as possible. It also goes into detail about what a VPN is good for, not just what they’re not good for.

read

XSS in hidden input fields

Amanda CAARSON

· 22 Kislev 5779 (Friday 30 November 2018) · 1 minute to read

XSS in hidden input fields

At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it's behaving properly. Whilst doing this recently, Liam found a

I can absolutely see a case where users would interact, and and therefore become vulnerable to this exploit: Keyboard-only users, screen reader users, and speech recognition users. So this might be worth looking into, especially if you’re adding a ton of keyboard shortcuts to your app and calling it an accessibility improvement.