Most Popular
1500 questions
86 votes, 3 answers
Can phone apps read my clipboard?
Via Hacker News, I came across a Tweet implying that Facebook's iOS app routinely reads and transmits all content from the user's pasteboard.
Leaving aside whether Facebook's app genuinely does this (which is a separate question), is this possible?…

Mark Amery
- 1,797
- 2
- 13
- 21
86 votes, 5 answers
Are all SSL Certificates equal?
After running a few tests from Qualys' SSL Labs tool, I saw that there were quite significant rating differences between a GoDaddy and VeriSign certificate that I have tested against.
Are all SSL certificates from different providers equal? If not,…

Kyle Rosendo
- 4,015
- 4
- 19
- 17
86 votes, 4 answers
What is the risk of copy and pasting Linux commands from a website? How can some commands be invisible?
Like all beginners in the land of Linux, I usually look for websites that
contain some useful shell commands, mark them with my mouse, copy them (CTRL + C)
and paste them into a terminal.
For example, if I need to install package_name.deb
sudo apt-get…

GAD3R
- 2,211
- 3
- 17
- 38
85 votes, 4 answers
What is Logjam and how do I prevent it?
I heard there is a "new" TLS vulnerability named Logjam. What does it do and how do I prevent it?

Arperum
- 941
- 1
- 9
- 10
85 votes, 7 answers
What does Amazon's S3 Server-side encryption protect against?
Amazon's S3 storage service offers server-side encryption of objects, automatically managed for the user (Amazon's Documentation). It's easy to enable so I'm thinking "why not?", but what kind of security does this really provide?
I guess it…

Hank
- 953
- 1
- 6
- 4
85 votes, 10 answers
Why improvising your own Hash function out of existing hash functions is so bad
I'm afraid I'll have tomatoes thrown at me for asking this old question, but here goes.
After reading over and over again that cooking up your own password hash out of existing hashing functions is dangerous, I still don't understand the logic. Here…

George Powell
- 1,528
- 1
- 12
- 14
85 votes, 7 answers
Why is SMS used as a way of verifying a user's mobile, when it is not even encrypted in transit?
I did some research about how secure and private SMS messages are.
Providers and governments can see these SMS messages in plaintext,
but what is weird is that these messages are not encrypted in transit.
According to my knowledge, that makes the…

Mohamed Waleed
- 1,179
- 1
- 5
- 13
85 votes, 5 answers
Is changing pitch enough for anonymizing a person's voice?
In every TV program where there's a person that wants to remain anonymous, they change their voice in a way that to me sounds like a simple increase or decrease in pitch (frequencies). What I'm wondering is:
is the usual anonymizing method actually…

reed
- 15,538
- 6
- 44
- 65
85 votes, 10 answers
How and why is my site being abused?
I own a popular website that allows people to enter a phone number and get information back about that phone number, such as the name of the phone carrier. It's a free service, but it costs us money for each query so we show ads on the site to help…

Marc
- 699
- 1
- 5
- 4
85 votes, 6 answers
How can I protect my website against bitsquatting?
I've just read an article about bitsquatting (which refers to the registration of a domain name one bit different from a popular domain) and I'm concerned about how it could allow an attacker to load their own assets on my website.
For example, if my…

Benoit Esnard
- 13,979
- 7
- 65
- 65
85 votes, 5 answers
Are texted 2FA security codes deliberately easy to remember?
I have 2FA set up on my bank account. When I log in, I receive a six-digit code as an IM on my phone that I enter into the website. These codes always seem to have a pattern to them. Either something like 111xxx, 123321, xx1212, etc.
I'm thinking that…

Bob Kaufman
- 891
- 1
- 6
- 7
85 votes, 3 answers
What is a Warrant Canary?
While browsing VeraCrypt's website I found its warrant canary. I tried to understand what it is and what its purpose was by reading the corresponding Wikipedia article. To be honest, I find it quite confusing.
Can someone explain what a warrant canary is…

trejder
- 3,619
- 5
- 24
- 35
85 votes, 7 answers
Is refreshing an expired JWT token a good strategy?
If I understand best practices, JWT usually has an expiration date that is short-lived (~ 15 minutes). So if I don't want my user to log in every 15 minutes, I should refresh my token every 15 minutes.
I need to maintain a valid session for 7 days…

Guillaume Vincent
- 923
- 1
- 7
- 9
85 votes, 6 answers
How do large companies protect their source code?
I recently read the canonical answer of our ursine overlord to the question on How do certification authorities store their private root keys?
I then just had to ask myself:
How do large companies (e.g. Microsoft, Apple, ...) protect their valuable…

SEJPM
- 9,540
- 6
- 37
- 67