Most Popular
1500 questions
62
votes
4 answers
Is there a way to make sure my government does not swap out SSL certificates?
I was recently wondering whether there exists a way to make sure my government is not swapping out SSL certificates in order to intercept the traffic.
I know almost all browsers are complaining in case of a self-signed certificate. But what prevents…

roman
62
votes
5 answers
What are the risks of buying a used/refurbished computer? How can I mitigate those risks?
I bought a used computer that appears to be wiped clean, but can I be sure?

PBeezy
62
votes
5 answers
Logged out of Facebook on all devices on a sudden. Should I be worried about being hacked?
A while ago, I was opening the Facebook app on Android and then I got the message "Session expired. Please log in again.". I then tried logging in with my current password and was successful in logging in to my account. Before, a long time ago, when I created this…

MattCat15
62
votes
5 answers
Possible to use both private key and password authentication for ssh login?
It seems that they are mutually exclusive, as disabling one gives me the other, and vice versa. Two-factor auth for my ssh servers sounds really nice, so is there any way to accomplish this?

chrisdotcode
62
votes
5 answers
How did I get this email without a "To" field?
I got an empty email in my language (Hebrew) with only a title that can be translated to "I am still waiting for your feedback" (original: עדיין מחכה למשוב שלך)
Since my Gmail handles multiple accounts (by forward and by user\pass) I tried to figure…

YoniXw
62
votes
3 answers
When using AES and CBC, is it necessary to keep the IV secret?
If I encrypt some data with a randomly generated Key and Initialization Vector, then store all three pieces of information in the same table row; is it necessary to encrypt the IV as well as the Key?
Simplified table structure:
Encrypted data
Key…

Stu Pegg
62
votes
11 answers
Why is TCP more secure than UDP?
While reading MS SDL (Microsoft Security Development Lifecycle) presentations I found a recommendation to replace UDP with TCP in applications because TCP is more secure than UDP. But both of them are only transport layers, nothing more.
So why is…

sluge
62
votes
2 answers
Why is credit card information not stolen more often?
Nowadays there are a lot of hacked websites with stolen login information. In many cases the website states that no credit card data and/or payment information was stolen.
Why is that? What I assume is: That both, the database storing the payment…

tim
62
votes
12 answers
How long should the maximum password length be?
The minimum password length recommended is about 8 characters, so is there any standard/recommended maximum length of the password?

Mohamed
62
votes
10 answers
Is there such a thing as a "Black Box" that decrypts Internet traffic?
I have been reading about the Snoopers charter bill that was passed in the UK this week.
It mentions a "Black Box" which is cited here: ‘Black boxes’ to monitor all internet and phone data.
It states it works like so:
When an individual uses a…

User1
62
votes
6 answers
If I use a VPN, who will resolve my DNS requests?
Will they be resolved by my VPN provider, or by my original ISP (if left on "automatic" settings)? Would I have to manually configure a DNS server, to make sure my requests will not be resolved by my ISP (constituting a privacy risk)?
user7848
62
votes
3 answers
What kind of attack is prevented by Apache2's error code AH02032 ("Hostname provided via SNI and hostname provided via HTTP are different")?
I saw in my Apache2 server logs messages like
[ssl:error] [pid 28482] AH02032: Hostname xxx.yyy.zzz.www:443 provided via SNI and hostname xxx.yyy.zzz.www provided via HTTP are different
One of these error messages was triggered by a request from…

Sir Cornflakes
62
votes
7 answers
Is it safe to install malware in a VM?
Is it safe to install malware in virtual machines? I would like to investigate malware, but I don't want to infect my own computer.
Can I install the malware in a VMware VM, maybe even without network access, without risking the integrity of my host…

Erik
62
votes
4 answers
Can HSTS be disabled in Firefox?
For pentesting/VA, it is, of course, imperative to always be able to see the HTTP site of a target. If present, HSTS conflicts with this need.
Without using a proxy to address the problem (e.g. Burp), is it possible to natively disable HSTS in…

Cheekysoft
61
votes
6 answers
Why do security experts like Snowden use email services like Lavabit and Hushmail rather than self-hosted email?
Why would anyone like Edward Snowden rely on 3rd party services like Lavabit or Hushmail to host his email?
I mean it's very easy to set up a self-hosted email server. What you need:
Rent VPS (even better: home server) & Domain (May take up to 2…

Florian Schneider