@__agwa
The CT Honeypot has important implications for how web applications should be designed. #CertificateTransparency (1/4) twitter.com/MelindaShore/s…
Andrew Ayer
@__agwa
5 Nov 2018

Many webapps are installed in an unconfigured state, and you visit the app through the browser to set an admin password. This was always a race against attackers, but in the past you'd usually win. Thanks to CT, attackers learn about and probe new hostnames within minutes. (2/4)
Andrew Ayer
@__agwa
5 Nov 2018

Unless you visit the app to configure it right away, attackers will find it, take it over, and use it for malware, phishing, spam, etc. (3/4)
Andrew Ayer
@__agwa
5 Nov 2018

If you're designing a webapp, have the initial admin password be configured out-of-band rather than through the browser. If you know of a webapp that sets the initial admin password through the browser, file a bug, citing the CT Honeypot research. (4/4)
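The race the thread describes, and the out-of-band bootstrap it recommends, as an added Python example that is not code from the thread or from any real webapp. The class and function names (BrowserFirstRunApp, OutOfBandFirstRunApp, install_out_of_band, simulate_race) are constructed for illustration; the "HTTP handlers" are plain methods returning status codes, credentials live in memory, and the operator's secret file goes to a temporary directory so the whole thing runs offline. The anti-pattern is the first variant: the app starts with no admin and whoever reaches /setup first owns it. The fix is the second: the installer, running on the host, creates the admin credential before the app ever listens, stores only a hash, and leaves the clear-text initial password in a file only the operator can read, so there is no setup endpoint for a CT-watching attacker to race.

```python
"""Added example: browser-based first-run setup versus out-of-band bootstrap.

Constructed for illustration; not the thread's or any webapp's own code.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

PBKDF2_ROUNDS = 200_000  # assumption: tune to the deployment's hardware


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Credential:
    """Salted PBKDF2 hash of a password with constant-time verification."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(password, self.salt)

    def verify(self, password):
        return hmac.compare_digest(self.digest, hash_password(password, self.salt))


class BrowserFirstRunApp:
    """Anti-pattern: the app starts unconfigured and the first client to
    POST /setup becomes admin. With CT, that client is usually an attacker
    who saw the hostname's new certificate in a log minutes ago."""

    def __init__(self):
        self.admin = None

    def post_setup(self, password):
        if self.admin is not None:
            return 403  # too late: admin already claimed
        self.admin = Credential(password)
        return 200

    def login(self, password):
        return self.admin is not None and self.admin.verify(password)


class OutOfBandFirstRunApp:
    """The admin credential is created by the installer on the host before
    the app listens on the network; there is no /setup endpoint to race."""

    def __init__(self, admin):
        self.admin = admin

    def post_setup(self, password):
        return 404  # endpoint does not exist in this design

    def login(self, password):
        return self.admin.verify(password)


def install_out_of_band(secret_dir):
    """Installer step (e.g. package postinst or an 'app setup' CLI, names
    assumed). Generates a random initial password, keeps only its hash in
    the app, and writes the clear text to a 0600 file the operator reads
    locally, never through the not-yet-trusted web UI."""
    initial_password = secrets.token_urlsafe(24)
    path = os.path.join(secret_dir, "initial-admin-password")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(initial_password + "\n")
    return OutOfBandFirstRunApp(Credential(initial_password)), path


def simulate_race():
    """Attacker probes the hostname right after the certificate is logged,
    before the operator opens the browser. Returns a dict of outcomes."""
    results = {}
    weak = BrowserFirstRunApp()
    results["attacker_claims_admin"] = weak.post_setup("attacker-chosen") == 200
    results["operator_locked_out"] = weak.post_setup("operator-chosen") == 403
    results["attacker_can_log_in"] = weak.login("attacker-chosen")
    with tempfile.TemporaryDirectory() as d:
        app, path = install_out_of_band(d)
        results["attacker_setup_blocked"] = app.post_setup("attacker-chosen") == 404
        results["attacker_guess_fails"] = not app.login("attacker-chosen")
        results["secret_file_private"] = (
            os.name != "posix" or (os.stat(path).st_mode & 0o077) == 0
        )
        with open(path) as f:
            results["operator_login_ok"] = app.login(f.read().strip())
    return results


if __name__ == "__main__":
    for name, outcome in simulate_race().items():
        print(f"{name}: {outcome}")
```

The same idea also works with a one-time bootstrap token written to a root-only file and required by /setup, but the variant shown here removes the browser step entirely, which is the thread's recommendation.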