The Amazon Key Security Nightmare

In case you haven’t heard, Amazon recently rolled out “Amazon Key.” This service allows delivery persons to leave packages inside your home. I’m sure I’m largely preaching to the choir here, but I can’t let this one go unanswered. I want to talk about Amazon Key security, and some of the problems it creates.

The Ultimate Security & Privacy Gift Guide

I thought I would do something I’ve never done before: write up a privacy gift guide ahead of Black Friday and Cyber Monday. Privacy people are hard to shop for. We don’t use Amazon’s Wish List because it’s creepy. Obviously we won’t tell you over SnapChat, and Facebook isn’t going to recommend anything because we don’t use it. Since you probably already know what you want, share this privacy gift guide with someone who doesn’t know what you want! Because, you know…privacy.

HTTPS Certificate Fingerprinting

I’ve talked a lot about HTTPS (and we talked about it in podcast Episode 054), but no one really explains how to make sure your connection is really valid. In some situations I have wanted to look beyond the green padlock icon. This concern has grown with reports of various public Wi-Fi services intentionally breaking HTTPS connections. Hardware manufacturers have shipped devices with what amounts to pre-installed malware for the same purpose. I’ve written about this before, but I thought it was worth doing a video on HTTPS certificate fingerprinting.

HTTPS – What it is and Isn’t

Before we go into that, let’s talk briefly about why HTTPS is important. Most people know that it’s important, but not many people know why. An HTTPS (Hypertext Transfer Protocol [Secure]) connection is one that is encrypted from your device to the website you are visiting. The encryption is ridiculously strong: AES-128. These connections, if established properly, are (currently) impossible to break…assuming the correct “handshake” has been made and you haven’t been served a bogus certificate. Making sure you haven’t been served a phony cert requires HTTPS certificate fingerprinting, as described in the video.

The encryption a proper HTTPS connection offers is excellent. I always recommend using HTTPS versions of sites and running HTTPS Everywhere in your browser. It is not a substitute for a VPN, however. HTTPS does not protect your packet headers. The URLs you browse to are completely exposed in these headers, as is your true IP address. I consider this a strong layer of security, but only a layer in a much bigger picture.
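As an added example (my own script, not code from the post or the video), here is what certificate fingerprinting looks like in Python: it fetches the leaf certificate a server actually presents, computes its SHA-256 fingerprint in the same colon-separated layout browsers show, and compares it in constant time against a fingerprint you recorded out of band. The host, port and command-line usage are assumptions.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def fingerprint_der(der_bytes: bytes, algo: str = "sha256") -> str:
    """Hash a DER-encoded certificate and format the digest as upper-case,
    colon-separated hex, the layout browsers and `openssl x509 -fingerprint` show."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text: str, algo: str = "sha256") -> str:
    """Same as fingerprint_der, but for a PEM (base64) certificate exported from a browser."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text), algo)


def fingerprints_match(observed: str, expected: str) -> bool:
    """Compare two fingerprints regardless of case, colons or spaces.
    hmac.compare_digest avoids leaking how many leading bytes matched."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(norm(observed), norm(expected))


def fetch_leaf_fingerprint(host: str, port: int = 443, algo: str = "sha256") -> str:
    """Open a TLS connection and fingerprint the leaf certificate the server sends.
    Chain verification is turned off deliberately: the point is to see the
    certificate even when an interception box serves a bogus one. No request is
    sent over this socket, so the relaxed context never carries real traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True), algo)


if __name__ == "__main__":
    # Assumed usage: python fp.py HOST AB:CD:...  (the expected fingerprint is one
    # you recorded earlier from a network you trust, or got from the site operator)
    if len(sys.argv) != 3:
        sys.exit("usage: fp.py HOST EXPECTED_SHA256_FINGERPRINT")
    seen = fetch_leaf_fingerprint(sys.argv[1])
    print("presented:", seen)
    if fingerprints_match(seen, sys.argv[2]):
        print("OK: certificate matches the fingerprint you recorded")
    else:
        sys.exit("WARNING: fingerprint differs; this connection may be intercepted")
```

A mismatch on a public hotspot that matches again on your home connection is exactly the interception case the video is about.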

Without further ado, check out the video!

The website I talked about in the video:

Operational-Security Official URL Update

This is just a quick announcement to say that the URL for what I have been calling “” is officially I am attempting to consolidate my rather confusing set of URLs, and lower my own cost by reducing the number of HTTPS certificates and domains I maintain.

Unfortunately, this is going to create a bit of a headache for some of you. If you have linked to blog posts at “…” (or added them as bookmarks or favorites), you will probably find many of these links broken. For that I apologize. All new posts and updates will appear at the new URL. Thank you for your patience!