This blog is about web technologies and games with a focus performance and security
July 2016

Here are the 5 ways I bulletproof my credit cards against identity theft, and you can use them yourself very easily. As a bonus, at the end of the post I have added an experimental step to defend against the recent chip downgrading attack.

June 2016

Every year, close to 600,000 sites are hacked. Given the scale of the problem, notifying users to prevent harm and webmasters so they can clean up their sites is critical to combat hacking. This post looks at the effectiveness of the current warning strategies used by Google and their long-term impact.

April 2016

As an experiment we dropped nearly 300 USB sticks on the UIUC campus to assess if USB drop attacks work and see if concerns about USB security were justified. We found out that at least 48% of the drive were plugged. This blog post summarizes how we ran the study, highlights the key findings, looks at what motivates people to plug in USB sticks, and discusses possible mitigations to improve USB security.

April 2016

This post provides an in-depth analysis of the lessons we learned while protecting Gmail users and their inboxes. We felt it was about time to share the key lessons we learned the hard way while protecting Gmail for over a decade, so everyone involved in building an online product can benefit from them. To that effect, with the help of various Gmail safety leaders and long-time engineers, I distilled these lessons into a 25-minute talk for Enigma called “Lessons learned while protecting Gmail”. While such a short talk is great at providing an overview, it forces you to leave out details that provide deeper insights. This blog is, therefore, meant to fill this gap by sharing a more complete explanation for the lessons that need one and it complements my talk on the subject.

March 2016

This blog post recounts how moving this site to a fast joyful responsive design with a lot of images improved session duration by 104% and decreased bounce rate by 53%

February 2016

Big data weaponization and malware-based espionage are usually associated with governments; however, they don’t own a monopoly on such activities. Also, online poker uses big data to profile user behavior. Players search for fish (bad players) and they use malware to spy on and rip off infected players at the (online) poker table. This blog post is a brief tour of some of the darkest aspects of online poker.

January 2016

This post summarizes which equipement the FBI use to seize the content of servers and laptops despite many of them use full disk encryption and which defenses exist.

January 2016

This post looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack. While our research on the state of email delivery security indicates that this attack is less pervasive than the TLS downgrade attack discussed in a previous post, it is equally effective at defeating email in-transit encryption. This post explains how this attack works, how it can be mitigated and to what extent it also affects the security of a website.

January 2016

Follow these ten easy steps to improve your online security and privacy quickly.

December 2015

Over the last two years, the number of encrypted emails received by Gmail has almost doubled, as I reported earlier on the Google security blog. This very encouraging trend is sadly accompanied with an increase of SMTP TLS downgrade attacks, which prevent encryption of emails in transit as discussed in our research paper on the state of email transport security. This blog post explains how such an attack is performed and why there is no simple “patch” for it.

Be in the Know

Join thousands of readers who receive my latest blog posts in their inbox.
No spam I promise and you can unsubscribe anytime.
Elie Bursztein © 2017
About Me

Recent entries