Categories
Security

Shorter TLS Certificate Lifespans

It’s official: the CA/Browser Forum has voted to approve Ballot SC-081v3, which will significantly reduce TLS certificate lifespans over the next few years. This is a major shift in the web security landscape that will affect millions of website operators.

How to Self-Sign PowerShell Scripts

I was trying to figure out how to sign PowerShell scripts with a self-signed certificate. This is a simple step-by-step guide on how you can provision your own certificate for testing and sign and verify PowerShell scripts.

Note, however, that this is not the exact process to follow for a publicly trusted code signing certificate, since in that case you should be using an HSM to secure the certificate's private key.

ReCaptcha – Invalid key type

This is a quick bit: I recently had to add a reCAPTCHA key to a website. However, the keys provided did not work directly and I saw the Invalid key type error.

ERROR for site owner: Invalid key type
https://*** (2025-01-08) reCAPTCHA ERROR for site owner: Invalid key type.

In my case, this could be fixed by reissuing the key, switching from a version 3 key to a version 2 key.

https://*** (2025-01-14) reCAPTCHA ERROR for site owner: Invalid key type.

Some considerations

A Large-Scale Real-World User Study of reCAPTCHAv2

A 2023 UC Irvine study titled “Dazed and Confused: A Large-Scale Real-World User Study of reCAPTCHAv2” revealed startling findings about Google’s reCAPTCHA system, suggesting it has become more of a data harvesting tool than an effective security measure. The research, which analyzed 3,600 users over 13 months, found that CAPTCHAs not only fail to prevent bot traffic effectively (with bots often outperforming humans), but have also collectively wasted an estimated 819 million hours of human time—equivalent to 1,182 lifetimes—while generating up to $888 billion in value for Google through tracking cookies and valuable AI training data. The study concluded that reCAPTCHA has essentially become “a tracking cookie farm for profit masquerading as a security service,” raising serious questions about the widespread use of this purported security tool.

  • Studies show that CAPTCHA tests are ineffective against modern AI bots.
  • Google uses reCAPTCHA v2 and v3 primarily for data collection.
  • AI programs solve image puzzles with nearly 100% success rates.
  • reCAPTCHA v3, with the “I’m not a robot” checkbox, is easily bypassed by bots.
  • Users with VPNs or anonymized data are blocked more frequently than bots.
  • The value of the data collected through CAPTCHAs is estimated at $888 billion.
  • The study recommends eliminating reCAPTCHA v2 and similar systems.

Upgrading Ubuntu 23.04 to 24.04.1 LTS

I recently had to upgrade my tiny Linux VM from Ubuntu 23.04 to 24.04.1 LTS. However, as I had waited too long, a simple do-release-upgrade no longer worked in January 2025.

An upgrade from 'lunar' to 'noble' is not supported with this tool.

NoName057(16) DDoS January 2025

On January 20-24, 2025, the World Economic Forum takes place in Switzerland. Last year it was accompanied by various DDoS attacks on Swiss websites. Whether we will see DDoS activity again this year is not yet known. With only days to go before the forum, we may soon see whether Switzerland is again in the focus of NoName057(16) or other actors.

Fix ERR_ADDRESS_UNREACHABLE on Mac OS

Since the update to macOS Sequoia, you might encounter an error in your browser, specifically in Chrome, when trying to access a resource on your local network, such as a NAS, Plex, or anything else you host yourself.

ERR_ADDRESS_UNREACHABLE 

security.txt

In the realm of website management and cybersecurity, effective communication regarding vulnerabilities is crucial. This is where security.txt comes into play: a standard designed to simplify the process of reporting security issues.

wordfence.com Vulnerability Database

Wordfence is a comprehensive security plugin designed specifically for WordPress websites. It offers a range of features, including firewall protection, malware scanning, and real-time threat intelligence to safeguard sites from malicious attacks. With its user-friendly interface, Wordfence provides detailed reporting and alerts, allowing website owners to monitor and respond to potential security threats effectively. Additionally, the plugin includes options for user blocking, login security, and two-factor authentication to enhance overall site protection.

Wordfence is also well-known for its security research and for maintaining a vulnerability database.

hardenize.com secure score card

Hardenize is an interesting alternative to Mozilla’s HTTP Observatory, which scans your website and security perimeter. It provides you with a free and public scorecard that is also shareable via a link. Achieving a good score is a strong indicator that you care about security and demonstrates your commitment to it publicly.

Subresource Integrity in HTML

In the recent supply chain attack on the polyfill.io CDN, the project's GitHub account and domain were taken over by a malicious actor, who began injecting harmful JavaScript into thousands of websites. When a website loads such a script, it runs in the first-party context and can perform a range of actions, including logging form data, capturing cookies, and modifying the page as desired. This poses an extreme risk if you do not trust the source completely.

One way to mitigate this risk is Subresource Integrity (SRI), which allows you to pin a remote JavaScript file to a specific hashed fingerprint of its content. This makes loading remote resources significantly safer, because the browser refuses to load the file if its content has changed.