Top new questions this week:
Assume that I never check the server fingerprint when logging in to an SSH server. This means that certain configurations of SSH can be impersonated. For example, I can log into a server that only has …
Please walk through how an attacker can intercept Chrome’s connection to 127.0.0.1:999, as suggested by the warning below. This warning is consistently displayed across many versions of Chrome in many …
Context A small web application with REST API and postgres as db, that has users, documents and teams. A user can do basic CRUD operations on document. A user is always a part of a team. A team is …
So I understand the purpose of regenerating a session ID after a state change such as authenticating, i.e. to prevent session fixation. What I’m not clear on is why this would be necessary after a …
My relative received an email from a bill they were expecting to pay. So they paid said bill. Only problem is: it was a spoofed email, and the real bill only came in later. I checked the email on the …
The risks of supply chain attacks on software libraries are well documented; however, I have not seen much on OS packages/dependencies. How important is it to both 1) pin OS dependencies (apt, rpm, etc.) …
Pre-Shared Key (PSK) with simple symmetric encryption is a popular way of solving both client and server authentication when SSL cannot be used for some reason (for example, can’t trust or deal with …
Greatest hits from previous weeks:
Why is Ctrl+Alt+Del required at login on certain Windows systems (I have not seen it elsewhere, but contradict me if I’m wrong) before the password can be typed in? From a usability point of view, it’…
I have a public key generated with ssh-keygen and I’m just wondering how I get information on the keylength with openssl?
If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the database,…
My friend connected to WiFi and after 5 minutes he told me which sites I had actually been browsing, and who I chat with. My question is: how do I defend myself against this, and also how did he do …
Quick note: this is not a duplicate of CSRF protection with custom headers (and without validating token) despite some overlap. That post discusses how to perform CSRF protection on Rest endpoints …
My phone number is 456-123-XXXX (American phone number + area code). Over the past few months I get fairly regular spam calls from other numbers also beginning with 456-123-XXXX, where the last four …
I pay my neighbors to use their WiFi. They have listed me as Guest with a separate password from theirs. Is there any way to prevent them from seeing the sites I’ve visited? My browser history clears …
Can you answer these questions?
QUIC is protected by TLS 1.3. TLS 1.3 generates many keys, to include an Exporter Master Secret — is this the key that is used to start the key generation process within QUIC? If not that, is there …
Let’s imagine that I leave a Mac with wireless peripherals in a public space like a co-working space that might end up with other wireless devices nearby or physical access (say, at nighttime). My …
References: Yubico’s Take on U2F Key Wrapping www.yubico.com/blog/yubicos-u2f-key-wrapping/ Key generation developers.yubico.com/U2F/Protocol_details/Key_generation.html Discoverable …