Most Popular
1500 questions
60 votes, 9 answers
How hard should I try to prevent a user from XSSing themselves?
Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to…

gaazkam
60 votes, 3 answers
Why is this certificate for Imgur only valid for one day?
I'm connected over a café WiFi and received a warning from my mobile browser. When I looked further, it seems like the certificate is only valid for one day, which seems super suspicious.
It says Imgur on it, but then why is it flagged up and why…

AncientSwordRage
60 votes, 3 answers
Does your ISP know what type of phone/computer you're using?
For instance do they know whether you're using an iPhone or Samsung?

Alexander A
60 votes, 9 answers
Is it urgent to revoke the access to a private repo once a person has been mistakenly granted it and become aware of this?
There has been a post on Niebezpiecznik.pl, a popular InfoSec blog, describing an interesting situation.
A company mistakenly granted access to their BitBucket repo to a random programmer. This programmer subsequently alerted various employees of…

gaazkam
60 votes, 1 answer
Does KRACK mean that wifi cafes will never be safe again?
The more I read about KRACK, the more granular my questions become, and the harder it is to find answers.
My understanding is that both wireless clients and WAPs need to be patched to obviate the KRACK vulnerability in any particular wifi handshake.…

rahum
60 votes, 2 answers
Would a digital signature have prevented the CCleaner compromise?
I read today about the CCleaner hack and how code was injected into their binary. People were able to download and install the compromised software before the company had noticed.
Isn't this what digital signatures are for? Would signing the binary…
user47894
60 votes, 4 answers
Expert quote on entropy for uncrackable password
Could anyone point to a quote in a published work - or suggest a recognised expert who might provide a quote - which answers the following question
How much entropy in a password would guarantee that it is secure against an offline guessing attack…

Stephen Hewitt
60 votes, 6 answers
Why do some sites ask for username/email and password on two separate screens?
Well, I only have two examples, but it seems to be a slowly growing thing.
First, I noticed that hotmail.com/live.com started to do this - ask for the email address on the first screen, and then you have to click 'next' and then enter your…

Dan.
60 votes, 6 answers
Wrong password - number of retries - what's a good number to allow?
Most sites & software seem to have a default of auto lock or time lock after 3 wrong tries.
I feel that the number could be much higher - not allowing retries is mainly to prevent automated brute force attacks, I think. The likelihood of a brute…

user93353
60 votes, 7 answers
Closed source binary blobs in chipsets - privacy threat?
I wanted to buy a Librem Purism 13 because I care about my privacy and generally wanted a laptop to test Linux on.
However, I was advised against it because it uses Intel i5 processors which contain binary blobs. From what I understand binary blobs…

user113581
60 votes, 3 answers
Is it ok to send plain-text password over HTTPS?
I understand why the password should be salted and hashed before being saved into the database, but my question is if it needs to be hashed on the browser side or just sending plain-text password over HTTPS is considered to be secure.
If it is ok,…

user96738
60 votes, 3 answers
Is it common practice for companies to MITM HTTPS traffic?
My company has just introduced a new VPN policy whereby once connected all traffic is routed to the company network. This is to allow for improved monitoring of data theft.
It would appear that this policy also performs a man in the middle attack on…

Andy Smith
60 votes, 10 answers
Why don't OS's make keystrokes available to only the current app?
Seems like a relatively obvious way to prevent (software) keylogging would be to force only the current (in-focus) app to be able to receive keystrokes.
There could be a way to make explicit exceptions for macro apps etc. Querying the exception…

user66309
59 votes, 8 answers
Is it safe to trust a Docker container?
When it comes to Docker, it is very convenient to use a third party container that already exists to do what we want. The problem is that those containers can be very complicated and have a large parent tree of other containers; they can even pull…

0x1gene
59 votes, 2 answers
How Does A Random Salt Work?
I don't understand how using a random salt for hashing passwords can work. Perhaps random salt refers to something other than hashing passwords? Here is my thought process:
The salt is used to add extra junk to the end of a password prior to…

Kevin DiTraglia