Most Popular

1500 questions
421 votes, 10 answers

Is BASIC-Auth secure if done over HTTPS?

I'm making a REST-API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used. Can this be considered secure?
Morten (4,363 reputation; 3 gold, 15 silver, 7 bronze badges)
417 votes, 14 answers

How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?

I've often heard it said that if you're logging in to a website - a bank, GMail, whatever - via HTTPS, that the information you transmit is safe from snooping by 3rd parties. I've always been a little confused as to how this could be possible.…
Joshua Carmody (4,465 reputation; 4 gold, 15 silver, 11 bronze badges)
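
Worked example, added by the editor and not part of the question or its answers: a minimal Diffie-Hellman exchange in Python showing what a passive observer of the handshake actually sees (p, g, A, B) and why turning that into the session key means solving a discrete logarithm. The prime 23 and the 127-bit Mersenne prime are toy parameters chosen for readability, not standardized TLS groups, and SHA-256 stands in for the real key derivation; with p = 23 the brute-force eavesdropper succeeds, which is exactly why deployed handshakes use 2048-bit groups or elliptic curves.

```python
import hashlib
import secrets


def dh_keypair(p: int, g: int):
    """Pick a private exponent x and publish g^x mod p; only the public value leaves the host."""
    x = secrets.randbelow(p - 2) + 1  # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(peer_public: int, own_private: int, p: int) -> int:
    """Each side raises the other's public value to its own secret: both get g^(ab) mod p."""
    return pow(peer_public, own_private, p)


def derive_key(shared: int) -> bytes:
    """TLS feeds the shared secret through a KDF; SHA-256 stands in for that here (demo simplification)."""
    return hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big")).digest()


def handshake(p: int, g: int):
    """Run both ends of the exchange; return (client_key, server_key, everything visible on the wire)."""
    a_priv, a_pub = dh_keypair(p, g)   # client
    b_priv, b_pub = dh_keypair(p, g)   # server
    on_the_wire = {"p": p, "g": g, "A": a_pub, "B": b_pub}   # all a snooper ever sees
    k_client = derive_key(dh_shared(b_pub, a_priv, p))
    k_server = derive_key(dh_shared(a_pub, b_priv, p))
    return k_client, k_server, on_the_wire


def keys_agree(p: int, g: int) -> bool:
    k_client, k_server, _ = handshake(p, g)
    return k_client == k_server


def eavesdrop(on_the_wire: dict, limit: int):
    """Try to recover the key from public values alone by brute-forcing a from A = g^a mod p.

    This only works because the demo prime is tiny. For the 2048-bit primes real TLS groups
    use, the best known discrete-log algorithms are far out of reach, and that gap is the
    whole reason watching the handshake does not reveal the key."""
    p, g, A, B = on_the_wire["p"], on_the_wire["g"], on_the_wire["A"], on_the_wire["B"]
    for a in range(1, min(p - 1, limit)):
        if pow(g, a, p) == A:
            return derive_key(pow(B, a, p))
    return None


def eavesdropper_recovers(p: int, g: int, limit: int) -> bool:
    k_client, _, on_the_wire = handshake(p, g)
    return eavesdrop(on_the_wire, limit) == k_client


if __name__ == "__main__":
    print("keys agree (p=23):", keys_agree(23, 5))
    print("eavesdropper wins (p=23):", eavesdropper_recovers(23, 5, 1000))
    print("eavesdropper wins (127-bit p, 10k tries):", eavesdropper_recovers(2**127 - 1, 3, 10_000))
```

Note that the private exponents never appear in `on_the_wire`; everything the snooper needs to finish the computation is precisely what the protocol withholds. Authentication of the server's half (certificates, signatures) is a separate problem this example does not cover.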
407 votes, 5 answers

Why is 'Bearer' required before the token in 'Authorization' header in an HTTP request?

What exactly is the difference between the following two headers: Authorization : Bearer cn389ncoiwuencr vs Authorization : cn389ncoiwuencr? All the sources which I have gone through set the value of the 'Authorization' header as 'Bearer'…
Anmol Gupta (4,171 reputation; 2 gold, 10 silver, 5 bronze badges)
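
Worked example, added by the editor and not code from either question or any of the answers; it serves both the BASIC-auth-over-HTTPS question above and this one about the 'Bearer' prefix. It is a small Python server-side Authorization handler: the scheme token ('Basic', 'Bearer') is what lets the server dispatch on the credential type, and the Basic branch shows that the credentials are only base64-encoded, which is why the transport (TLS) has to carry the confidentiality. The user store, salt, PBKDF2 parameters and the token table are constructed for the demo; the bearer token value is the one from the question.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo credential store (assumption: one user, one token; a real API
# would load these from a database). Only a salted PBKDF2 hash of the password is kept.
_ITERATIONS = 100_000
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")       # constructed, not a real secret
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse:battery", _SALT, _ITERATIONS)
_USER_STORE = {"morten": (_SALT, _PASSWORD_HASH)}
_VALID_TOKENS = {"cn389ncoiwuencr": "anmol"}                     # opaque tokens issued earlier


def parse_authorization(value: str):
    """Split an Authorization header value into (scheme, credentials) as RFC 7235 lays it out.

    The scheme is case-insensitive and separated from the credentials by whitespace.
    A bare token with no scheme is malformed: the server cannot tell how to check it."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def build_basic_header(username: str, password: str) -> str:
    """Client side of Basic auth: base64 is an encoding, not encryption, so the password
    is exactly as exposed as the transport allows. That is the reason Basic needs HTTPS."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_basic(credentials: str):
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':' but the password may, so split on the first one.
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    entry = _USER_STORE.get(username)
    # Always do the PBKDF2 work so an unknown user takes as long as a wrong password.
    salt, stored = entry if entry else (_SALT, b"\x00" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    if entry and hmac.compare_digest(candidate, stored):
        return username
    return None


def check_bearer(token: str):
    # Constant-time comparison so response timing does not leak how much of a token matched.
    for known, user in _VALID_TOKENS.items():
        if hmac.compare_digest(known.encode("utf-8"), token.encode("utf-8")):
            return user
    return None


def authenticate(header_value: str):
    """Return the authenticated principal, or None. Dispatch happens on the scheme: this is
    what the 'Bearer' word is for."""
    parsed = parse_authorization(header_value)
    if parsed is None:
        return None
    scheme, credentials = parsed
    if scheme == "basic":
        return check_basic(credentials)
    if scheme == "bearer":
        return check_bearer(credentials)
    return None  # unknown scheme: refuse rather than guess


if __name__ == "__main__":
    print(authenticate(build_basic_header("morten", "correct horse:battery")))  # morten
    print(authenticate("Bearer cn389ncoiwuencr"))                                 # anmol
    print(authenticate("cn389ncoiwuencr"))                                        # None: no scheme
```

Two things worth noticing: `build_basic_header` output can be turned back into the password by anyone who reads it, so over plain HTTP Basic auth is a cleartext password in every request; and `authenticate("cn389ncoiwuencr")` fails not because the token is wrong but because the server has no way to know whether it is a bearer token, a Basic blob or something else.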
367 votes, 6 answers

What is certificate pinning?

I'm superficially familiar with SSL and what certs do. Recently I saw some discussion on cert pinning but there wasn't a definition. A DDG search didn't turn up anything useful. What is certificate pinning?
366 votes, 22 answers

I found that the company I work for is putting a backdoor into mobile phones

I have found out recently that the remote assistant software that we put in a smartphone we sell can be activated by us without user approval. We are not using this option, and it is probably there by mistake. But the people who are responsible for…
anonymousquery (2,991 reputation; 2 gold, 13 silver, 4 bronze badges)
311 votes, 25 answers

Should I let my child's school have access to my kid's personal laptop?

My kid is starting 6th grade and the school requires him to get a laptop and bring it to school. Now the school IT department wants to install some software on the laptop and is asking for administrative access. They want to install Office, Outlook,…
Sushil (2,099 reputation; 2 gold, 8 silver, 10 bronze badges)
310 votes, 16 answers

SQL injection is 17 years old. Why is it still around?

I'm no techie and would like your expertise in understanding this. I recently read a detailed article on SQLi for a research paper. It strikes me as odd. Why do so many data breaches still happen through SQL injection? Is there no fix?
Ishan Mathur (2,603 reputation; 2 gold, 10 silver, 9 bronze badges)
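
Worked example, added by the editor and not part of the question or its answers: the bug behind SQL injection next to the fix, in Python with an in-memory SQLite table constructed for the demo. The vulnerable function pastes the caller's string into the SQL text; the safe one sends the value as a parameter so the database never parses it as SQL. The two payloads are the textbook tautology and UNION tricks, not anything specific to a real product.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Deliberately vulnerable: the string is spliced into the statement, so a quote in the
    # input closes the literal and whatever follows is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # The fix: a parameterised query. The statement text is fixed when the code is written
    # and the value travels separately, so it can only ever be compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed payloads.
TAUTOLOGY = "' OR '1'='1"                                    # makes the WHERE clause always true
UNION_EXFIL = "' UNION SELECT password_hash FROM users --"   # pulls a column the query never exposed


def run_payload(username: str) -> dict:
    """Run the same input through both lookups and return what each one gives back."""
    conn = setup_db()
    try:
        return {
            "vulnerable": sorted(lookup_vulnerable(conn, username)),
            "safe": sorted(lookup_safe(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for payload in ("bob", TAUTOLOGY, UNION_EXFIL):
        print(repr(payload), run_payload(payload))
```

The safe version is not a filter or an escaping routine that can be bypassed; it is a different interface to the database, which is why "is there no fix" has had the same answer for the whole 17 years. The bug persists because string concatenation is still the path of least resistance in most languages and the vulnerable code looks perfectly reasonable when the input is `bob`.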
309 votes, 3 answers

CRIME - How to beat the BEAST successor?

With the advent of CRIME, BEAST's successor, what possible protection is available for an individual and/or system owner in order to protect themselves and their users against this new attack on TLS?
Kyle Rosendo (4,015 reputation; 4 gold, 19 silver, 17 bronze badges)
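
Worked example, added by the editor and not part of the question or its answers: the length oracle that CRIME exploits, reproduced offline in Python with zlib. An attacker who can make the victim's browser send requests containing chosen data (here the path) and observe only the size of the compressed result recovers a secret cookie byte by byte, because a correct guess extends an LZ77 match and the output shrinks. The cookie value, host name and request layout are constructed for the demo; DEFLATE is pinned to fixed Huffman codes so each guess gives a deterministic size, which the real attack compensates for with more samples. This is an illustration of the mechanism, not a network tool.

```python
import zlib

# Constructed victim secret: the cookie the browser would attach to every request the
# attacker can trigger (for instance from script on an unrelated page).
SECRET_COOKIE = "sessionid=7f3a9c"
ALPHABET = "0123456789abcdef"

# Eight distinct bytes >= 0x90: in DEFLATE's fixed Huffman table each costs 9 bits as a
# literal, so appending k of them shifts the bit alignment by k. A 7- or 8-bit saving
# from a longer match then shows up in the byte count for at least 7 of the 8 paddings.
PADDING = bytes(range(0x90, 0x98))


def compressed_request_length(attacker_controlled: bytes, cookie: str = SECRET_COOKIE) -> int:
    """Size of the compressed request that mixes attacker data with the secret cookie.

    Stands in for TLS-level compression: the ciphertext is opaque, but its length (and so
    the compressed length) is visible to anyone on the path."""
    request = (
        b"GET /" + attacker_controlled + b" HTTP/1.1\r\n"
        b"Host: bank.example\r\n"
        b"Cookie: " + cookie.encode() + b"\r\n\r\n"
    )
    # Z_FIXED pins the Huffman codes so the per-guess difference is deterministic.
    co = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return len(co.compress(request) + co.flush())


def guess_next_byte(known: str, oracle) -> str:
    """Score each candidate by its total compressed size over the 8 paddings.

    The true next byte lengthens the match between the path and the cookie, so the
    request compresses strictly better and the candidate is the unique minimum."""
    scores = {}
    for c in ALPHABET:
        scores[c] = sum(oracle((known + c).encode() + PADDING[:k]) for k in range(8))
    return min(scores, key=scores.get)


def recover_cookie(known_prefix: str, n_bytes: int, oracle=compressed_request_length) -> str:
    """Recover n_bytes of the cookie after a prefix the attacker already knows
    (the cookie name and '=' are public). Only compressed sizes are consulted."""
    known = known_prefix
    for _ in range(n_bytes):
        known += guess_next_byte(known, oracle)
    return known


if __name__ == "__main__":
    print(recover_cookie("sessionid=", 6))   # sessionid=7f3a9c, learned from sizes alone
```

The oracle function never returns plaintext, only an integer, and that is enough. The protection follows from the mechanism: stop compressing attacker-controlled data together with secrets, which for CRIME meant disabling TLS-level (and SPDY header) compression on both client and server; the same leak reappears wherever a response body that mixes secrets and reflected input is compressed, so the fix is about the layering, not about any one cipher.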
308 votes, 9 answers

What makes Docker more secure than VMs or bare metal?

I recently had a discussion with a Docker expert about the security of Docker vs. virtual machines. When I said that I've read from different sources that it's easier for code running within a Docker container to escape from it than for a code…
Arseni Mourzenko (4,674 reputation; 6 gold, 22 silver, 30 bronze badges)
306 votes, 7 answers

Is it normal for auditors to require all company passwords?

My company is currently engaged in a security audit framed as a pentest. They've requested all admin passwords for every one of our services and all source code of our software. They want logins for Google Apps, credit card processors, GitHub,…
Zachary Iles (2,181 reputation; 2 gold, 10 silver, 9 bronze badges)
304 votes, 8 answers

How to find live hosts on my network?

I am trying to find the live hosts on my network using nmap. I am scanning the network in Ubuntu using the command sudo nmap -sP 192.168.2.1/24. However, I am unable to find the live hosts. I just get the network address of my own PC as live. When I…
TheRookierLearner (4,242 reputation; 8 gold, 25 silver, 28 bronze badges)
300 votes, 20 answers

How can someone go off-web, and anonymise themselves after a life online?

With data mining tools like Maltego and other correlation tools for large data sets, if we conduct any transactions online, assume that these can all be collated to build a good picture of what we do, buy, read etc. (hence Google etc.). If a normal…
Rory Alsop (61,474 reputation; 12 gold, 117 silver, 321 bronze badges)
299 votes, 10 answers

Why is Gbt3fC79ZmMEFUFJ a weak password?

On https://passwordsgenerator.net/, it says Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the…
EuRBamarth (2,291 reputation; 2 gold, 7 silver, 6 bronze badges)
297 votes, 7 answers

What's the rationale behind Ctrl-Alt-Del for login?

Why is Ctrl+Alt+Del required at login on certain Windows systems (I have not seen it elsewhere, but contradict me if I'm wrong) before the password can be typed in? From a usability point of view, it's a bad idea as it's adding an extra step in…
Count Zero (2,899 reputation; 3 gold, 17 silver, 14 bronze badges)
295 votes, 6 answers

How does Google know where I am?

Whenever I open the Google Maps app on my Android mobile phone, Google always seems to know my location, and it is very accurate (usually it places me on the map even in the correct room). Also, this happens even if both WiFi adapter and GPS are…
MNLR (2,237 reputation; 3 gold, 11 silver, 10 bronze badges)