The other day I was reading about yet another DNS vulnerability. Vulnerabilities in DNS have been well known since 2008, and since 2010 we’ve had an excellent solution, DNSSEC. DNSSEC addresses many of the most common DNS vulnerabilities on the internet today (including this most recent vulnerability). For most, setup is very simple. Unfortunately, DNSSEC is an opt-in technology. So, it’s a good time to remind all my Internet friends that today’s a good day to double-check if you have DNSSEC enabled, and if you don’t, to make plans to enable it.

Original Ars Technica Story

This is, unfortunately, a big deal. Not just for the users of YubiKeys, but also for anything using Infineon crypto chips. Infineon makes the crypto chips in a ton of devices, including TPMs, smart cards, passports, credit cards, and SIM cards. I suspect there will be more fallout from this, as additional devices are found to be using the same cryptographic library.

There are two important mitigations:

Recently, eSentire published some interesting research on successfully phishing users even when they’ve configured phishing resistant MFA (like a FIDO2 Passkey or a smart card). For organizations deploying Phishing Resistant MFA (PR-MFA), like a FIDO2 Passkey, be it for internal user authentication or customer logon, there are some important takeaways.

Much of my public work has disapeared into the depths of the internet, but I found a few things still lurking around.

I was recently listening to Security Now!’s coverage of the EU’s QWAC proposal. There’s much debate regarding the EU’s role in the global PKI ecosystem, when it dawned on me there’s a far simpler solution that should (hopefully) address everyone’s concerns.

12 years ago I started paying for LastPass Premium. Today, I canceled my subscription, migrated my data to a different service, and deleted my account.