Most Popular
1500 questions
131 votes, 7 answers
Why is my internal IP address (private) visible from the Internet?
When visiting some websites like http://www.monip.org or http://ip-api.com, I get the following result:
Your current IP Address
- IP: 197.158.x.x
- Internal IP: 192.168.x.x
I understand that I can see my public IP address (197.158.x.x).…
Lova Andrian
131 votes, 3 answers
This JavaScript code is injected on my hotel Wi-Fi: should I be worried?
While connected to my hotel Wi-Fi, visiting the URL http://www.google-analytics.com/ga.js results in the following content being served:
var ga_exists;
if(!ga_exists)
{
ga_exists = 1;
var is_responsive = false;
var use_keywords =…
foodiddy
131 votes, 11 answers
Are password-protected ZIP files secure?
Following my answer. If I can list contents of a password-protected ZIP file, check the file types of each stored file and even replace it with another one, without actually knowing the password, then should ZIP files be still treated as…
trejder
131 votes, 4 answers
Is there any particular reason to use Diffie-Hellman over RSA for key exchange?
I often see RSA being recommended as a method of key exchange. However, the Diffie-Hellman key exchange method appears to be secure as well.
Are there any considerations one should take into account that would lead to using one algorithm over the…
user10211
131 votes, 8 answers
What stops Google from saving all the information on my computer through Google Chrome?
I noticed that in Google Chrome, if I type in file:///C:/Users/MyUsername/Desktop/ it shows me all of the folders on my Desktop, and I can open up PDFs and such in Chrome just by typing in the file path.
What processes and systems are in place…
Pro Q
131 votes, 10 answers
Should I contact the manufacturer if their product allows access to other users' location information?
I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I'm hiking in the wilderness.
While testing out my product, I noticed that the URL was constructed as…
Lil' Bits
131 votes, 20 answers
How should I securely type a password in front of a lot of people?
I am a manager in an office where the company does not provide a company email, so I use my personal email.
Often, I will receive jobs lists by email from my general manager.
How should I log in to my email in front of my co-workers so that they…
Annalise Carla
130 votes, 5 answers
How do I use "openssl s_client" to test for (absence of) SSLv3 support?
In order to mitigate the "Poodle" vulnerability, I'd like to disable SSLv3 support in my (in this case, TLS, rather than HTTPS) server. How can I use openssl s_client to verify that I've done this?
Roger Lipscombe
130 votes, 4 answers
What are the security reasons for disallowing the plus sign in email addresses?
My question is based on this tweet after I commented about forbidding + symbols in email addresses. The tweet says, "This is a measure we've taken for security reasons."
This can be frustrating and inconvenient for people that have (or use) plus…
Matt
130 votes, 7 answers
Why use OpenID Connect instead of plain OAuth2?
I just started to use OAuth 2.0 as a way to authenticate my users. It works great - I just use the identity/profile API of each provider to get a validated email address of the user.
Now I read about OpenID Connect and am a little bit confused.…
rdmueller
130 votes, 4 answers
Is it safe to include an API key in a request's URL?
Lately I've seen plenty of APIs designed like this:
curl "https://api.somewebsite.com/v1/something&key=YOUR-API-KEY"
Isn't it elementary that passing an API key in a query string as a part of the URL is not secure, at least in HTTP?
Incerteza
130 votes, 11 answers
Is there any way to safely examine the contents of a USB memory stick?
Suppose I found a USB memory stick lying around, and wanted to examine its contents in an attempt to locate its rightful owner. Considering that USB sticks might actually be something altogether more malicious than a mass storage device, is there…
200_success
129 votes, 3 answers
Recommended # of rounds for bcrypt
What is nowadays (July 2012) the recommended number of bcrypt rounds for hashing a password for an average website (storing only name, email address and home address, but no credit card or medical information)?
In other words, what is the current…
Jason Smith
129 votes, 11 answers
Can my employer see what I do on the internet when I am connected to the company network?
This is an attempt at a canonical question following this discussion on Meta. The aim is to produce basic answers that can be understood by the general audience.
Let's say I browse the web and use different apps while connected to the network at…
INV3NT3D
129 votes, 7 answers
Let's Encrypt for intranet websites?
Many companies have intranet websites that are not reachable via the internet. Usually they just use a self-signed certificate, which causes a bad habit for the users since they get used to just pressing OK on invalid CERT warnings.
Question: How…
LoukiosValentine79