Most Popular

248 votes, 4 answers
SSL3 "POODLE" Vulnerability

Canonical question regarding the recently disclosed padding oracle vulnerability in SSL v3. Other identical or significantly similar questions should be closed as a duplicate of this one. What is the POODLE vulnerability? I use…
tylerl (82,665 rep; badges 26 / 149 / 230)

248 votes, 7 answers
Should I use CSRF protection on Rest API endpoints?

Quick note: this is not a duplicate of CSRF protection with custom headers (and without validating token) despite some overlap. That post discusses how to perform CSRF protection on Rest endpoints without discussing if it is actually necessary. …
Conor Mancone (30,380 rep; badges 13 / 92 / 98)

247 votes, 18 answers
Passwords being sent in clear text due to users' mistake in typing it in the username field

Upon reviewing the logs generated by different SIEMs (Splunk, HP Logger Trial and the AlienVault platform's SIEM) I noticed that for some reason quite a few users tend to make the mistake of typing their passwords in the username field, either in…
Lex (4,257 rep; badges 4 / 20 / 27)

246 votes, 4 answers
What is the difference between authorized_keys and known_hosts file for SSH?

I am learning the basics of SSH protocol. I am confused between the contents of the following 2 files: ~/.ssh/authorized_keys: Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the…
Ankit (2,673 rep; badges 4 / 15 / 9)

244 votes, 14 answers
My college is forcing me to install their SSL certificate. How to protect my privacy?

My college administration is forcing us to install Cyberoam Firewall SSL certificate so that they can view all the encrypted traffic to "improve our security". If I don't install the certificate then I won't be able to use their network. What are…
svetaketu (2,151 rep; badges 2 / 10 / 5)

242 votes, 6 answers
Is Telegram secure?

There is a new WhatsApp-killer application called Telegram. They said that it's open source and that it has more secure encryption. But they store all the messages on their servers and WhatsApp doesn't store any messages on any server, only a…
ilazgo (2,753 rep; badges 4 / 13 / 10)

241 votes, 5 answers
What is the difference between https://google.com and https://encrypted.google.com?

Is there any difference between the encrypted Google search (at https://encrypted.google.com) and the ordinary HTTPS Google search (at https://google.com)? In terms of security what were the benefits of browsing through encrypted Google…
BlueBerry - Vignesh4303 (5,097 rep; badges 13 / 34 / 63)

241 votes, 12 answers
Is single quote filtering nonsense?

Penetration testers found out that we allow single quotes in submitted data fields, and want us to apply rules (input validation) to not allow them in any value. While I'm aware that single quotes are popular for SQL injection attacks, I strongly…
Peter Walser (1,781 rep; badges 2 / 11 / 9)

240 votes, 11 answers
Why is Math.random() not designed to be cryptographically secure?

The JavaScript Math.random() function is designed to return a single IEEE floating point value n such that 0 ≤ n < 1. It is (or at least should be) widely known that the output is not cryptographically secure. Most modern implementations use the…
forest (65,613 rep; badges 20 / 208 / 262)

238 votes, 10 answers
Is "the oft-cited XKCD scheme [...] no longer good advice"?

I was stumbling around and happened onto this essay by Bruce Schneier claiming that the XKCD password scheme was effectively dead. Modern password crackers combine different words from their dictionaries: [...] This is why the oft-cited XKCD scheme…
Nick T (3,392 rep; badges 4 / 21 / 28)

238 votes, 7 answers
All 0s (zeros) in a bank card's CVC code

My bank card recently expired. I got a new one and this one turned out to be "lucky": its CVC code was 000. For a few months I used it extensively, both online and offline, without any difficulties - until the day when I entered my card details on…
Vlad Nikiforov (2,023 rep; badges 2 / 7 / 9)

237 votes, 13 answers
Where do you store your personal private GPG key?

So, I want to start using pass, but I need a GPG key for this. This application will store all of my passwords, which means it's very important that I don't lose my private key, once generated. Hard disks break, cloud providers are generally not…
Florian Margaine (2,495 rep; badges 3 / 13 / 10)

236 votes, 3 answers
Why did I have to wave my hand in front of my ID card?

I recently had to authenticate myself online to use an internet-based service. The authentication process was done via video call with me holding my ID card in front of my laptop camera beside my face. I also had to wiggle the ID card so the person…
Tom K. (7,965 rep; badges 3 / 30 / 53)

234 votes, 7 answers
Why would you not permit Q or Z in passwords?

Jetblue's password requirements specify that, among other stringent requirements: Cannot contain a Q or Z. I can't fathom a logical reason for this, unless it were, say, extremely common for the left side of keyboards to break, but then you wouldn't…
Mark Mayo (1,903 rep; badges 3 / 12 / 10)

234 votes, 8 answers
What is the difference between SSL vs SSH? Which is more secure?

What is the difference between SSH and SSL? Which one is more secure, if you can compare them together? Which has more potential vulnerabilities?
Am1rr3zA (3,083 rep; badges 4 / 18 / 14)