Most Popular
1500 questions
128 votes, 3 answers
What's the purpose of DH Parameters?
For a Diffie–Hellman (D-H) key exchange (TLS) the server generates a prime p and a generator g, which is a primitive root modulo p.
When setting up a webserver with SSL/TLS (e.g. nginx) one can use a directive ssl_dhparam dhparam4096.pem
The…
Ben Richard
128 votes, 3 answers
Should I be worried of tracking domains on a banking website?
Finland's largest bank OP (formerly Osuuspankki) has added tracking domains (all three owned by Adobe) in their website redesign:
These domains are loaded when signed in:
2o7.net
demdex.net
omtrdc.net
Is this considered acceptable? What information…
user598527
127 votes, 2 answers
SSH Key: Ed25519 vs RSA
A lot of people recommend using Ed25519 instead of RSA keys for SSH.
The introduction page of Ed25519 (http://ed25519.cr.yp.to/) says:
[..] breaking it has similar difficulty to breaking [..] RSA with ~3000-bit keys [..]
So speaking only of security…
Ben Richard
127 votes, 5 answers
Should SSL be terminated at a load balancer?
When hosting a cluster of web application servers it’s common to have a reverse proxy (HAProxy, Nginx, F5, etc.) in between the cluster and the public internet to load balance traffic among app servers. In order to perform deep packet inspection,…
Matt Goforth
127 votes, 8 answers
Why is storing passwords in version control a bad idea?
My friend just asked me: "why is it actually that bad to put various passwords directly in a program's source code, when we only store it in our private Git server?"
I gave him an answer that highlighted a couple of points, but felt it wasn't…
d33tah
127 votes, 2 answers
How is the Heartbleed exploit even possible?
I have read about the Heartbleed OpenSSL vulnerability and understand the concept. However, what I don't understand is the part where we pass 64k as the length and the server returns 64kb of random data because it does not check whether we really…
Talha Sayed
126 votes, 3 answers
Session Authentication vs Token Authentication
I am trying to get a handle on some terms and mechanisms and find out how they relate to each other or how they overlap. Authenticating a theoretical web application and mobile application is the focus. The focus is on the exact difference between…
Hoax
126 votes, 5 answers
Is it a bad idea for a firewall to block ICMP?
This question was inspired by this answer which states in part:
The generic firewall manifest file finishes off by dropping everything I didn't otherwise allow (besides ICMP. Don't turn off ICMP).
But, is it truly a good practice for a firewall to…
Justin Ethier
126 votes, 2 answers
How do ASLR and DEP work?
How do Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) work, in terms of preventing vulnerabilities from being exploited? Can they be bypassed?
Polynomial
125 votes, 8 answers
Are there technical differences which make Linux less vulnerable to viruses than Windows?
What makes Linux so different than Windows in terms of anti-virus needs?
My question is not if I should get an anti-virus for my Linux. I perfectly understand why an AV is important.
I would like to understand if there are conceptual (technical)…
user69377
125 votes, 10 answers
How critical is it to keep your password length secret?
Is keeping your password length secret critical to security?
Does someone knowing that you have a password length of say 17 make the password drastically easier to brute force?
Crizly
125 votes, 7 answers
Is using Git for deploying a bad practice?
I tend to use Git for deploying production code to the web server. That usually means that a master Git repository is hosted somewhere accessible over ssh, and the production server serves that cloned repository, while restricting access…
Septagram
125 votes, 7 answers
My ISP uses deep packet inspection; what can they observe?
I found out that my ISP does deep packet inspection.
Can they see the contents of HTTPS connections? Wouldn't having HTTPS ensure that they can't see the contents being transferred?
And can having a VPN protect me against deep packet inspection by…
cppanonhelp666
125 votes, 10 answers
Does an ISO27001 audit require users to reveal their passwords?
My company's system administrator is asking for our passwords for an ISO audit and my VP IT operations support says it's mandatory for ISMS (ISO27001).
Can someone confirm if this is true?
v_sukt
125 votes, 4 answers
How does ransomware get on people's computers?
I've noticed increased frequency of ransomware questions around Stack Exchange. Some of the people I remotely know had their devices recently infected as well.
I'm starting to be concerned. When people ask me how to avoid viruses, I typically tell…
Tomáš Zato