[B! web][security] TokyoIncidentsã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

TokyoIncidents id:TokyoIncidents

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (6)

ã‚¿ã‚°ã®çµžã‚Šè¾¼ã¿ã‚’è§£é™¤

webã¨securityã«é–¢ã™ã‚‹TokyoIncidentsã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (13)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Spectre ã®è„…å¨ã¨ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆãŒè¨å®šã™ã¹ããƒ˜ãƒƒãƒ€ãƒ¼ã«ã¤ã„ã¦
é•·ã„è¨˜äº‹ãªã®ã§å…ˆã«çµè«–ã‚’æ›¸ãã¾ã™ã€‚ Spectre ã®ç™»å ´ã§ã€ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã«å¿…è¦ã¨ã•ã‚Œã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£è¦ä»¶ã¯å¢—ãˆã¾ã—ãŸã€‚å…·ä½“çš„ã«å¿…è¦ãªå¯¾ç–ã¯ä¸‹è¨˜ã®é€šã‚Šã§ã™ã€‚ ã™ã¹ã¦ã®ãƒªã‚½ãƒ¼ã‚¹ã¯ Cross-Origin-Resource-Policy ãƒ˜ãƒƒãƒ€ãƒ¼ã‚’ä½¿ã£ã¦ cross-origin ãªãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã¸ã®èªã¿è¾¼ã¿ã‚’åˆ¶å¾¡ã™ã‚‹ã€‚ HTML ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã«ã¯ X-Frame-Options ãƒ˜ãƒƒãƒ€ãƒ¼ã‚‚ã—ãã¯ Content-Security-Policy (CSP) ãƒ˜ãƒƒãƒ€ãƒ¼ã® frame-ancestors ãƒ‡ã‚£ãƒ¬ã‚¯ãƒ†ã‚£ãƒ–ã‚’è¿½åŠ ã—ã¦ã€cross-origin ãªãƒšãƒ¼ã‚¸ã¸ã® iframe ã«ã‚ˆã‚‹åŸ‹ã‚è¾¼ã¿ã‚’åˆ¶å¾¡ã™ã‚‹ã€‚ HTML ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã«ã¯ Cross-Origin-Opener-Policy ãƒ˜ãƒƒãƒ€ãƒ¼ã‚’è¿½åŠ ã—ã¦ popup ã‚¦ã‚£ãƒ³ãƒ‰ã‚¦ã¨ã—ã¦é–‹ã‹ã‚ŒãŸå ´åˆã® cross-origin ãªãƒšãƒ¼ã‚¸ã¨ã®ã‚³ãƒŸãƒ¥ãƒ‹
TokyoIncidents 2021/11/04
web

browser

security
ãƒªãƒ³ã‚¯
Guest Blog Post: Leaking silhouettes of cross-origin images â€“ Attack & Defense
This blog post is one of several guest blog posts, where we invite participants of our bug bounty program to write about bugs theyâ€™ve reported to us. This is a writeup of a vulnerability I found in Chromium and Firefox that could allow a malicious page to read some parts of an image located on an origin it is not supposed to be able to access. Although technically interesting, it is quite limited
TokyoIncidents 2021/05/14
web

security
ãƒªãƒ³ã‚¯
FLoCã¨ã¯ãªã«ã‹ - ã¼ã¡ã¼ã¡æ—¥è¨˜
1. ã¯ã˜ã‚ã« Google ãŒChrome/89ã‚ˆã‚Šãƒˆãƒ©ã‚¤ã‚¢ãƒ«ã‚’é–‹å§‹ã—ã¦ã„ã‚‹FLoC (Federated Learning of Cohorts)æŠ€è¡“ã«å¯¾ã—ã¦ã€ç¾åœ¨å¤šãã®æ‰¹åˆ¤ãŒé›†ã¾ã£ã¦ã„ã¾ã™ã€‚ æ‰¹åˆ¤ã®å†…å®¹ã¯æ§˜ã€…ãªè¦³ç‚¹ã‹ã‚‰ã®ã‚‚ã®ãŒå¤šã„ã§ã™ãŒã€ä»¥å‰ã‚ˆã‚Š Privacy Sandbox ã«å¯¾ã—ã¦å¦å®šçš„ãªè¦‹è§£ã‚’ç¤ºã—ã¦ããŸEFFã®æ‰¹åˆ¤ã€ŒGoogle Is Testing Its Controversial New Ad Targeting Tech in Millions of Browsers. Hereâ€™s What We Know.ã€ãŒä¸€ç•ªã¾ã¨ã¾ã£ã¦ã„ã‚‹ã‚‚ã®ã ã¨æ€ã„ã¾ã™ã€‚ ã“ã‚Œã¾ã§ Privacy Sandbox æŠ€è¡“ã«é–¢ã‚ã£ã¦ããŸèº«ã¨ã—ã¦ã¯ã€å„ç¨®ææ¡ˆã®ä¸ã§FLoCã¯ç‰¹ã«ãƒ¦ãƒ¼ã‚¶ã¸ã®æ³¨æ„ãŒæœ€ã‚‚å¿…è¦ãªã‚‚ã®ã ã¨æ€ã£ã¦ã„ã¾ã—ãŸã€‚ã—ã‹ã—ã€ã“ã‚Œã¾ã§ã®ãƒ‰ç›´çƒãªGoogleã®é€²ã‚æ–¹ã«ã‚ˆã£ã¦ã€FLoCã®ãƒˆãƒ©
TokyoIncidents 2021/05/07
web

security
ãƒªãƒ³ã‚¯
SMS OTPã®è‡ªå‹•å…¥åŠ›ã«ã‚ˆã‚‹ãƒªã‚¹ã‚¯ã¨ãã®å¯¾ç–
ãƒ•ã‚£ãƒƒã‚·ãƒ³ã‚°ã‚µã‚¤ãƒˆã¸ã®è‡ªå‹•å…¥åŠ›ã®ãƒªã‚¹ã‚¯ SMS OTPã¨Webã‚µã‚¤ãƒˆãŒç´ä»˜ã‹ãªã„çŠ¶æ…‹ã§ã¯ã€æ£è¦ã®SMS OTPãŒãƒ•ã‚£ãƒƒã‚·ãƒ³ã‚°ã‚µã‚¤ãƒˆã¸è‡ªå‹•å…¥åŠ›ã•ã‚Œã‚‹ãƒªã‚¹ã‚¯ãŒç”Ÿã˜ã‚‹ã€‚ç¾å®Ÿçš„ãªãƒªã‚¹ã‚¯ã¨ã—ã¦ã€Gutmannã‚‰ã¯MITMã¨çµ„ã¿åˆã‚ã›ãŸã€Œãƒã‚°ã‚¤ãƒ³ã«ãŠã‘ã‚‹2è¦ç´ èªè¨¼ã®å›žé¿ã€ã¨ã€Œã‚½ãƒ¼ã‚·ãƒ£ãƒ«ãƒã‚°ã‚¤ãƒ³ã®å½è£…ã«ã‚ˆã‚‹é›»è©±ç•ªå·ç¢ºèªã®å›žé¿ã€ã€ã€Œã‚ªãƒ³ãƒ©ã‚¤ãƒ³æ±ºæ¸ˆã«ãŠã‘ã‚‹å–å¼•èªè¨¼ã®å›žé¿ã€ã®3ã¤ã®ã‚·ãƒŠãƒªã‚ªã‚’ç¤ºã—ã¦ã„ã‚‹â·ã€‚2è¦ç´ èªè¨¼ã®å›žé¿ã«ã¤ãªãŒã‚‹ãƒªã‚¹ã‚¯ã¯ã€iOSã®è‡ªå‹•å…¥åŠ›ãŒPayPayã®å½ã‚µã‚¤ãƒˆã§ç™ºå‹•ã—ãŸå‰å›žã®æ¤œè¨¼ã§ç¢ºèªã—ã¦ã„ã‚‹ã€‚ä»Šå›žã®æ¤œè¨¼ã§ã¯Androidã®è‡ªå‹•å…¥åŠ›ãŒPayPalã®å½ã‚µã‚¤ãƒˆã§ç™ºå‹•ã™ã‚‹ã‹ç¢ºèªã™ã‚‹ã€‚ 2è¦ç´ èªè¨¼ã®å›žé¿ PayPalã®å½ã‚µã‚¤ãƒˆã¯å‰å›žã¨åŒæ§˜ã«MITMãƒ•ã‚£ãƒƒã‚·ãƒ³ã‚°ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã€ŒEvilginx2ã€ã§è¤‡è£½ã—ã€ä¸€èˆ¬åˆ©ç”¨è€…ãŒèª¤ã£ã¦ã‚¢ã‚¯ã‚»ã‚¹ã—ãªã„ã‚ˆã†ã‚¤ãƒ³ãƒã‚¦ãƒ³ãƒ‰æŽ¥ç¶šã‚’åˆ¶å¾¡ã—ãŸã€‚Android 11ã®Chro
TokyoIncidents 2021/02/08
ios

Android

web

security
ãƒªãƒ³ã‚¯
"Same-site" and "same-origin" Â |Â Articles Â |Â web.dev
"Same-site" and "same-origin" Stay organized with collections Save and categorize content based on your preferences. "Same-site" and "same-origin" are frequently cited but often misunderstood terms. For example, they're used in the context of page transitions, fetch() requests, cookies, opening popups, embedded resources, and iframes. This page explains what they are and how they're different from
TokyoIncidents 2021/01/31
web

network

security
ãƒªãƒ³ã‚¯
Smoozã‚µãƒ¼ãƒ“ã‚¹çµ‚äº†ã«å¯„ã›ã¦
202012_smooz.md Smoozã‚µãƒ¼ãƒ“ã‚¹çµ‚äº†ã«å¯„ã›ã¦ å‰ç½®ã ã“ã®æ–‡ç« ã¨ã€ãã‚Œã«å«ã¾ã‚Œã‚‹è€ƒå¯Ÿã‚„å„ã‚µãƒ¼ãƒ“ã‚¹ã¸ã®è„†å¼±æ€§å ±å‘Šãªã©ã¯malaå€‹äººã®æ´»å‹•ã§ã‚ã‚Šã€æ‰€å±žã—ã¦ã„ã‚‹ä¼æ¥ã¨ã¯é–¢ä¿‚ã‚ã‚Šã¾ã›ã‚“ã€‚ ä¸€æ–¹ã§ç§ã¯ã€ä¼æ¥ãŒé–²è¦§å±¥æ´ã‚’åŽé›†ã—ã¦ä½•ã‚’ã—ãŸã„ã®ã‹ã€æ‰€å±žã—ã¦ã‚‹ä¼æ¥ã‚„ä»–ç¤¾äº‹ä¾‹ã«ã¤ã„ã¦ã€ã‚ã‚‹ç¨‹åº¦è©³ã—ã„å½“äº‹è€…ã§ã‚‚ã‚ã‚Šã¾ã™ã€‚ ä¸€èˆ¬è«–ã¨ã—ã¦æ›¸ã‘ã‚‹ã“ã¨ã¯æ›¸ã‘ã‚‹ãŒã€(æ¥å‹™ä¸ŠçŸ¥ã‚Šå¾—ãŸçŸ¥è˜ã§é–‹ç¤ºã•ã‚Œã¦ãªã„ã‚‚ã®ãªã©)å€‹åˆ¥å…·ä½“çš„ãªã“ã¨ã¯æ›¸ã‘ãªã„ã“ã¨ã‚‚ã‚ã‚Šã€ã¾ãŸè¦³æ¸¬ç¯„å›²ã«åã‚ŠãŒã‚ã‚‹å¯èƒ½æ€§ã‚‚ã‚ã‚Šã¾ã™ã€‚ Smoozã«å ±å‘Šã—ãŸè„†å¼±æ€§2ä»¶ æœ€è¿‘ã€Smoozã¨ã„ã†ã‚¹ãƒžãƒ›å‘ã‘ã®ãƒ–ãƒ©ã‚¦ã‚¶ã‚¢ãƒ—ãƒªã«2ä»¶è„†å¼±æ€§ã®å ±å‘Šã‚’ã—ãŸã€‚ ã“ã®è¨˜äº‹ã‚’æ›¸ã„ã¦ã„ã‚‹æ™‚ç‚¹ã§ã€Smoozã®é…å¸ƒãŒåœæ¢ã•ã‚Œã¦ã„ã¦ã€ä¿®æ£ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã®å…¥æ‰‹ãŒå‡ºæ¥ãªã„ã€‚ 2ä»¶ç›®ã«ã¤ã„ã¦ã¯ã¾ã è¿”äº‹ãŒæ¥ã¦ã„ãªã„ã€‚ è„†å¼±æ€§æƒ…å ±ã®é–‹ç¤ºã«ã‚ãŸã£ã¦ç‰¹æ®µã®è¨±å¯ã¯å¾—ã¦ã„ãªã„ãŒã€é–‹ç™ºå…ƒã‹ã‚‰ã‚‚åˆ©ç”¨åœæ¢ã™
TokyoIncidents 2020/12/23
browser

web

security
ãƒªãƒ³ã‚¯
W3Cã€ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚’ä¸è¦ã«ã™ã‚‹ã€ŒWeb Authenticationã€ï¼ˆWebAuthnï¼‰ã‚’å‹§å‘Šã¨ã—ã¦ç™ºè¡¨ã€‚Chromeã€Firefoxã€Androidãªã©ä¸»è¦ãƒ–ãƒ©ã‚¦ã‚¶ã§ã™ã§ã«å®Ÿè£…æ¸ˆã¿
W3Cã€ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚’ä¸è¦ã«ã™ã‚‹ã€ŒWeb Authenticationã€ï¼ˆWebAuthnï¼‰ã‚’å‹§å‘Šã¨ã—ã¦ç™ºè¡¨ã€‚Chromeã€Firefoxã€Androidãªã©ä¸»è¦ãƒ–ãƒ©ã‚¦ã‚¶ã§ã™ã§ã«å®Ÿè£…æ¸ˆã¿ W3Cã¯3æœˆ4æ—¥ã€FIDOã‚¢ãƒ©ã‚¤ã‚¢ãƒ³ã‚¹ã®FIDO2ä»•æ§˜ã®ä¸å¿ƒçš„ãªæ§‹æˆè¦ç´ ã§ã‚ã‚‹Webèªè¨¼æŠ€è¡“ã®ã€ŒWeb Authenticationã€ï¼ˆWebAuthnï¼‰ãŒå‹§å‘Šã«ãªã£ãŸã“ã¨ã‚’ç™ºè¡¨ã—ã¾ã—ãŸã€‚ W3CãŒç–å®šã™ã‚‹ä»•æ§˜ã¯ãŠã‚‚ã«ã€è‰ç¨¿ï¼ˆWorking Draftï¼‰ã€å‹§å‘Šå€™è£œï¼ˆCandidate Recommendationï¼‰ã€å‹§å‘Šæ¡ˆï¼ˆProposed Recommendationï¼‰ã‚’çµŒã¦æ£å¼ä»•æ§˜ã¨ãªã‚‹ã€Œå‹§å‘Šã€ï¼ˆRecommendationï¼‰ã«åˆ°é”ã—ã¾ã™ã€‚ä»Šå›žã€WebAuthnãŒå‹§å‘Šã¨ãªã£ãŸã®ã«åˆã‚ã›ã¦ã€W3Cã¨FIDOã‚¢ãƒ©ã‚¤ã‚¢ãƒ³ã‚¹ã¯WebAuthnã®ä»•æ§˜ãŒæ£å¼ç‰ˆã«ãªã£ãŸã“ã¨ã‚‚ç™ºè¡¨ã—ã¾ã—ãŸã€‚ WebAuthnã¯2018
TokyoIncidents 2019/03/06
web

security
ãƒªãƒ³ã‚¯
æ¬¡ä¸–ä»£Webã‚«ãƒ³ãƒ•ã‚¡ãƒ¬ãƒ³ã‚¹ 2019 æŒ¯ã‚Šè¿”ã‚Š
nwc.md æ¬¡ä¸–ä»£Webã‚«ãƒ³ãƒ•ã‚¡ãƒ¬ãƒ³ã‚¹ 2019 æŒ¯ã‚Šè¿”ã‚Š ã“ã®æ–‡ç« ã«é–¢ã—ã¦ã‚‚æ‰€å±žçµ„ç¹”ã¨ã¯é–¢ä¿‚ã®ãªã„å€‹äººã®è¦‹è§£ã§ã™ æ‰€æ„Ÿãªã© æœ¬å½“ã«å…¨ãæ‰“ã¡åˆã‚ã›ã‚’ã—ã¦ã„ãªã„ã®ã§ã€è©±é¡ŒãŒåˆ†æ•£ã—ãŒã¡ã ã£ãŸã‹ã‚‚ã—ã‚Œãªã„ã€‚ ã›ã£ã‹ãã®æ‰€å±žçµ„ç¹”ã¨ã¯ç„¡é–¢ä¿‚ã®ãƒ¬ã‚®ãƒ¥ãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³ãªã®ã§ã€å…·ä½“åã‚’ä¸Šã’ã¦ã‚¬ãƒ³ã‚¬ãƒ³æ²»å®‰ã®æ‚ªã„ã“ã¨ã‚’è¨€ã†ã¤ã‚‚ã‚Šã ã£ãŸã®ã ã‘ã©ã€ç›´å‰ã«ã€Œå…·ä½“çš„ãªä¼æ¥åã¯é¿ã‘ã¾ã—ã‚‡ã†ã€ã¨è¨€ã‚ã‚Œã¦è‹¥å¹²é æ…®ã—ãŸã€‚ ãƒžã‚ºã„ã“ã¨ã‚’ã‚¬ãƒ³ã‚¬ãƒ³ã—ã‚ƒã¹ã‚‹è¦šæ‚Ÿã§æ¥ãŸã®ã§ã€é˜²åˆƒãƒ™ã‚¹ãƒˆã‚’ç€ã¦ã„ã‚‹ãŒã€ç‰¹ã«å‡ºç•ªã¯ç„¡ã‹ã£ãŸã€‚ãƒˆã‚¤ãƒ¬ã«ã‚‚è¡Œã£ãŸã€‚ æœ¬å½“ã¯è©±ã™äºˆå®šã ã£ãŸãƒˆãƒ”ãƒƒã‚¯ã«ã¤ã„ã¦ã€ã„ãã¤ã‹ã¯ã€åˆ¥é€”private gistã«æ›¸ãã€‚ è©±ã—ãŸè©±é¡Œã®å‚è€ƒæƒ…å ± CDNè¨å®šã®è©±ã€request collapsing ã¨ã„ã†åå‰ã®æ©Ÿèƒ½ https://tech.mercari.com/entry/2017/06/22/204500 http://www.it
TokyoIncidents 2019/01/16
web

security
ãƒªãƒ³ã‚¯
ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã«ä¾å˜ã—ãªã„èªè¨¼ã€ŒWebAuthnã€ã‚’Chrome/Firefox/EdgeãŒå®Ÿè£…é–‹å§‹ã€W3CãŒæ¨™æº–åŒ–ã€‚Webã¯ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã«ä¾å˜ã—ãªã„ã‚ˆã‚Šå®‰å…¨ã§ä¾¿åˆ©ãªã‚‚ã®ã¸
Googleã€Mozillaã€ãƒžã‚¤ã‚¯ãƒã‚½ãƒ•ãƒˆãŒã€ŒWebAuthnã€ã®å®Ÿè£…ã‚’é–‹å§‹ã€‚ã“ã‚Œã«ã‚ˆã£ã¦ã€ŒFIDO2ã€ã®æ™®åŠãŒæœŸå¾…ã•ã‚Œã€Webãƒ–ãƒ©ã‚¦ã‚¶ã‹ã‚‰æŒ‡ç´‹èªè¨¼ã‚„é¡”èªè¨¼ãªã©ã§ç°¡å˜ã«Webã‚µã‚¤ãƒˆã¸ã®ãƒã‚°ã‚¤ãƒ³ã‚„æ”¯æ‰•ã„ã®æ‰¿èªã¨ã„ã£ãŸæ“ä½œãŒå®Ÿç¾ã•ã‚Œãã†ã ã€‚ å¤šãã®Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã¯ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ã®èªè¨¼ã«ãƒ¦ãƒ¼ã‚¶ãƒ¼åã¨ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã®çµ„ã¿åˆã‚ã›ã‚’ç”¨ã„ã¦ã„ã¾ã™ã€‚ ã—ã‹ã—ãƒ¦ãƒ¼ã‚¶ãƒ¼åã¨ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã®çµ„åˆã‚ã›ã‚’ç”¨ã„ã‚‹æ–¹æ³•ã«ã¯ã•ã¾ã–ã¾ãªå•é¡ŒãŒæŒ‡æ‘˜ã•ã‚Œã¦ã„ã¾ã™ã€‚èº«è¿‘ãªã¨ã“ã‚ã§ã¯ã€å®‰å…¨ãªãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚’ç”Ÿæˆã™ã‚‹ã“ã¨ã®æ‰‹é–“ã‚„ã€å®‰å…¨æ€§ã‚’é«˜ã‚ã‚‹ãŸã‚ã«ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã®ä½¿ã„å›žã—ã‚’é¿ã‘ã‚ˆã†ã¨ã—ãŸçµæžœç™ºç”Ÿã™ã‚‹å¤šæ•°ã®ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚’ç®¡ç†ã™ã‚‹ã“ã¨ã®æ‰‹é–“ãªã©ãŒã‚ã’ã‚‰ã‚Œã¾ã™ã€‚ ãã—ã¦ã“ã†ã—ãŸãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã®ä¸ä¾¿ã•ãŒçµæžœã¨ã—ã¦ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã®ä½¿ã„å›žã—ã‚’å¼•ãèµ·ã“ã—ã€ã„ãšã‚Œã‹ã®ã‚µã‚¤ãƒˆã§ä¸‡ãŒä¸€ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ãŒæµå‡ºã—ãŸå ´åˆã«ã¯ãã‚Œã‚’åŸºã«ã—ãŸãƒªã‚¹ãƒˆåž‹æ”»æ’ƒãŒæœ‰åŠ¹ã«ãªã£ã¦ã—ã¾ã†ã€ãªã©ã®çŠ¶æ³
TokyoIncidents 2018/04/17
web

security
ãƒªãƒ³ã‚¯
JWT.IO - JSON Web Tokens Introduction
NEW: get the JWT Handbook for free and learn JWTs in depth! What is JSON Web Token? JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a publ
TokyoIncidents 2017/07/12
JSON

web

security
ãƒªãƒ³ã‚¯
http://agilecatcloud.com/2015/09/30/cookies-can-bypass-https/
TokyoIncidents 2015/09/30
web

security
ãƒªãƒ³ã‚¯
HTTPS åŒ–ã™ã‚‹ Web ã‚’ã©ã†è€ƒãˆã‚‹ã‹ - Block Rockinâ€™ Codes
Update 2015/5/8: æŒ‡æ‘˜é ‚ã„ãŸã‚¿ã‚¤ãƒã‚„èª¤è¨³ãªã©ã‚’æ›´æ–°ã—ã¾ã—ãŸã€‚ 2015/5/8: æ§‹æˆã‚’ä¸€éƒ¨ä¿®æ£ã—ã¾ã—ãŸã€‚ Intro 4/30 mozaiila ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ–ãƒã‚°ã«ä¸‹è¨˜ã®ã‚ˆã†ãªã‚¨ãƒ³ãƒˆãƒªãŒæŠ•ç¨¿ã•ã‚Œã¾ã—ãŸã€‚ Deprecating Non-Secure HTTP | Mozilla Security Blog ã‚¨ãƒ³ãƒˆãƒªã¯ãã“ã¾ã§é•·ããªã„ã®ã§ã€ã“ã“ã«ç¿»è¨³ã®å…¨æ–‡ã‚’è¨˜è¼‰ã—ã¾ã™ã€‚ ãã—ã¦ã€å…ƒã‚¨ãƒ³ãƒˆãƒªã®ãƒ©ã‚¤ã‚»ãƒ³ã‚¹ã§ã‚ã‚‹ CC BY-SA 3.0 ã«å‰‡ã‚Šã€ æœ¬ã‚¨ãƒ³ãƒˆãƒªã‚‚åŒã˜ã CC BY-SA 3.0 ã¨ã—ã¾ã™ã€‚ Deprecating Non-Secure HTTP åŽŸæ–‡: Deprecating Non-Secure HTTP ä»Šæ—¥ã¯ã€ non-secure ãª HTTP ã‹ã‚‰ã€å¾ã€…ã«å»ƒæ¢ã—ã¦ã„ãã¨ã„ã†æ–¹é‡ã«ã¤ã„ã¦ã‚¢ãƒŠã‚¦ãƒ³ã‚¹ã—ã¾ã™ã€‚ HTTPS ãŒ Web ã‚’å‰é€²ã•ã›ã‚‹æ‰‹æ®µã§ã‚ã‚‹
TokyoIncidents 2015/05/05
web

security
ãƒªãƒ³ã‚¯
Heartbleedè„†å¼±æ€§ã¨ã€ãã®èƒŒå¾Œã«ã‚ã‚‹Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚¢ãƒ¼ã‚ãƒ†ã‚¯ãƒãƒ£ã®ä¸€èˆ¬çš„æ¬ é™¥ã«ã¤ã„ã¦
â– Heartbleedã®ãƒªã‚¹ã‚¯ã¨å–„å¾Œç– Heartbleedã¯ã€æ”»æ’ƒè€…ãŒä¸€å®šã®æ¡ä»¶ã‚’æº€ãŸã™OpenSSLãŒå‹•ä½œã—ã¦ã„ã‚‹ã‚µãƒ¼ãƒã®ã€ä»»æ„ä½ç½®ã®ãƒ¡ãƒ¢ãƒªã‚’å¤–éƒ¨ã‹ã‚‰èªã¿å‡ºã™ã“ã¨ãŒã§ãã¦ã—ã¾ã†ã¨ã„ã†è„†å¼±æ€§ã§ã™ã€‚å…·ä½“çš„ã«ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ãªãƒªã‚¹ã‚¯ãŒæƒ³å®šã•ã‚Œã¦ã„ã¾ã™ã€‚ ç§˜å¯†éµã®æ¼æ´©ã«ã‚ˆã‚‹ã€å½ã‚µã‚¤ãƒˆã®å‡ºç¾ï¼ˆã‚ã‚‹ã„ã¯ä¸é–“è€…æ”»æ’ƒï¼‰ ç§˜å¯†éµã®æ¼æ´©ã«ã‚ˆã‚Šã€ï¼ˆéŽåŽ»ã®ã‚‚ã®ã‚’å«ã‚€ï¼‰ãƒ‘ã‚±ãƒƒãƒˆã‚ãƒ£ãƒ—ãƒãƒ£ã®è§£èª ã‚µãƒ¼ãƒã®åŒä¸€ãƒ—ãƒã‚»ã‚¹ãŒè¡Œã£ãŸå‡¦ç†ã«é–¢é€£ã™ã‚‹ï¼ˆä»–ã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ã®ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚„ã‚»ãƒƒã‚·ãƒ§ãƒ³ã‚ãƒ¼ã‚’å«ã‚€ï¼‰ãƒ‡ãƒ¼ã‚¿ã®æ¼æ´© æ¼æ´©ã—ãŸç§˜å¯†éµã‚’ç”¨ã„ãŸæ”»æ’ƒã«ã¯ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‚’å½ã‚µã‚¤ãƒˆã¸èª˜å°Žã§ããŸã‚Šã€ãƒ‘ã‚±ãƒƒãƒˆã®çµŒç”±ç‚¹ã‚’ç®¡ç†ã—ã¦ã„ã‚‹ãªã©ã®ã€çµŒè·¯ä¸Šã®è¦ä»¶ãŒå¿…è¦ã«ãªã‚Šã¾ã™ã€‚ä»–ã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ã®ãƒ‡ãƒ¼ã‚¿ã®æ¼æ´©ã«ã¤ã„ã¦ã¯ã€çµŒè·¯ä¸Šã®è¦ä»¶ã¯ä¸è¦ãªä¸€æ–¹ã€æ”»æ’ƒã®å®Ÿæ–½ã«è¿‘ã„ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã§ã‚µãƒ¼ãƒã«ã‚¢ã‚¯ã‚»ã‚¹ã—ãŸãƒ¦ãƒ¼ã‚¶ãƒ¼ã®ãƒ‡ãƒ¼ã‚¿ã—ã‹æ¼ã‚Œãªã„ã€ã¨ã„ã†é•ã„ãŒã‚ã‚Šã¾ã™ã€‚ ã©ã“ã¾ã§å¯¾ç–ã‚’æ–½ã™ã¹
TokyoIncidents 2014/04/11
ç¾åœ¨ã®å•é¡Œç‚¹ã¨ä»Šå¾Œã®æ–¹å‘æ€§ã«ã¤ã„ã¦ã®è€ƒå¯Ÿ

ssl

security

web
ãƒªãƒ³ã‚¯
1