Skip to main content
Exact Realty Blog

security

2023


Privacy Pass: The Revolution in CAPTCHA Mitigation and User Privacy

·14 mins
The traditional approach to human verification, CAPTCHAs, is facing significant challenges due to evolving bot technology and user dissatisfaction. These mechanisms, although once effective, are now becoming both inadequate and inconvenient, compromising security and posing privacy concerns. The emergence of Privacy Pass, a groundbreaking solution developed by Cloudflare, seeks to counter these issues. Functioning initially as a browser extension, Privacy Pass provides a platform for users to authenticate their humanity without compromising their privacy. The system works on HTTP protocols, giving users anonymous tokens for identity verification. The solution is now moving towards standardization for native browser support, addressing one of its former limitations. The process involves the user receiving a challenge, engaging in a protocol with the issuer, and then providing the token to the originating request. Although there are existing challenges, such as its dependence on specific vendors, Privacy Pass presents a promising solution to CAPTCHA-related problems, striking a balance between security, user experience, and privacy. With collaborations among researchers, industry leaders, and privacy advocates, Privacy Pass signifies a substantial leap forward in mitigating automated threats, thus redefining the future of online verification.

Understanding Identity and Access Management (IAM)

·15 mins
Identity and Access Management (IAM) is a critical component of cybersecurity, especially in business environments. IAM, in simple terms, is a framework of policies, practices and procedures to ensure that the right users have access to the right resources and systems at the right time. This article discusses IAM, its technical and business implications and how organisations can implement it to ensure secure and efficient access to their systems.

Opaque IDs: the ultimate protection against enumeration attacks

·11 mins
IDs in APIs and applications might be exploited to gain unauthorised access to other data or otherwise disclose information by means of various attacks, such as timing attacks and enumeration attacks. For instance, an attacker can use sequential IDs to guess the existence of IDs and perform enumeration attacks. Authenticated Encryption with Associated Data (AEAD) encryption and opaque IDs can be used as a means of neutralising these attacks.

2022


Effectively mitigating CSRF

·12 mins
Cross-Site Request Forgery (CSRF) is an attack in which an external site makes a request to another site on behalf of a user without consent. This attack often relies on an existing session on the target site, which the attacker hijacks for their own purposes. Various CSRF prevention and mitigation techniques exist such as the SameSite attribute, CSRF tokens and header validation.

Modern and robust hotlink protection in 2022

·12 mins
Hotlinking refers to the practice of third-party web properties loading resources directly from your server. Unauthorised hotlinks are generally undesirable, not only because they can facilitate reproducing your content without permission. Web standards and browsers have come a long way in the last few decades, and they now include all of the tools needed for effective protection against hotlinking.

Types of Execution Environments, Attestation and SGX

·18 mins
Execution environments are the combination of hardware and software components that can be used to execute and support applications, typically comprising a processing unit, memory, input and output ports and an operating system. Because application execution requires an execution environment, applications are ultimately limited by any constraints placed onto them by their execution environment. Traditionally, computing is done in execution environments that not only permit the loading and execution of arbitrary programs but may also themselves be manipulated in arbitrary ways. As it is impossible for such environments to make any verifiable assertions as to their state, they are inherently untrustworthy.