Top new questions this week:
Today this came to my attention. When generating random secrets for e.g. JWT (in node.js the most common way is using the crypto.randomBytes() method), I have noticed a lot of people save these tokens …
After the recent LastPass security incidents (where old backup copies of users’ encrypted vaults have leaked), I was wondering whether, if an account had MFA configured at the time, it makes a difference for …
I came across several “productivity” extensions (e.g. Limit) that can block websites if you enter them into their list. Some desktop/phone apps can also block other apps. I am quite new to …
I received this error in my ModSecurity logs: ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/modsec/…
Premise: Signal is armed with measures to instill a sense of privacy in users by preventing undisclosed screenshotting and screencasting of message threads, and by enabling the sender to set their text, …
If using asymmetric encryption, such as ES256, is there a reason why a private key could not be discarded after signing some data? For example with a JWT, or a file hash used for audit at a later date, …
I’m building a multi-tenant app that has the unusual requirement of allowing tenants to use their own choice of external systems for login/authentication, i.e. tenant 1 uses Azure AD, tenant 2 uses …
Greatest hits from previous weeks:
I went to log on to https://mail.google.com this morning and I got the following error. Is someone trying to attack me or is this just a bug? I’m on a WPA2 encrypted wireless connection using Chrome …
Is it possible to provide a subjectAltName extension to the openssl req module directly on the command line? I know it’s possible via an openssl.cnf file, but that’s not really elegant for batch-…
On some accounts I use my real name on-line (Google+/Facebook/Wikipedia/personal blog), others (Q&A/Gaming) I use an alias. My question is: Security and privacy wise, what can people do with my …
At some point I told a friend that it’s dangerous to reveal your birth date (kind of like your social security number or your mother’s maiden name), because it’s a crucial piece of information for …
What methods are available for testing SQL injection vulnerabilities?
I have a school laptop, every student gets one and also gets to take it home for their work. Can they see the websites you get on when you are using your WiFi at home?
If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the database,…
Can you answer these questions?
In my place of work we have an on-prem Active Directory with ‘staff’ accounts. Each of these AD accounts has an associated company email, e.g. john@example.com. Within the same AD we also have ‘…
I use the OAuth2 private_key_jwt authentication scheme to authenticate clients. Also, I need to be sure that the request body isn’t modified. I see two ways: In the token which I use to authenticate the client I can …
I use the net-ssh ruby library to connect to various servers. Around 2 months ago, a large subset of the servers we connect to stopped working; these servers belong to several major banks. We’re …