Most Popular (1500 questions)
58 votes, 2 answers

What should end-users do about Heartbleed?

"What should a website operator do about the Heartbleed OpenSSL exploit?" mainly talks about what people running websites should do about Heartbleed. What should end-users of websites be doing? Do they need to change their passwords? If so, should…

Andrew Grimm (2,100 reputation; 2 gold, 20 silver, 27 bronze badges)
58 votes, 4 answers

Does Heartbleed mean new certificates for every SSL server?

If you haven't heard of the Heartbleed Bug, it's something to take a look at immediately. It essentially means that an attacker can exploit a vulnerability in many versions of OpenSSL to be able to gain access to a server's private key. It is not a…

Naftuli Kay (6,745 reputation; 9 gold, 47 silver, 76 bronze badges)
58 votes, 6 answers

How do I deal with companies that call and ask for personal information?

Several times I have gotten a phone call from a company (my bank, utility companies, etc.). Many times they are just cold calling me, but once or twice they were calling for legitimate reasons (i.e., something to do with my account). The problem is, all these…

Shantnu (747 reputation; 1 gold, 5 silver, 8 bronze badges)
58 votes, 5 answers

How do you get a specific .onion address for your hidden service?

.onion addresses normally should be made of a base32 string of the first 80 bits of the SHA1 hash of the private key of the server (see .onion address specification). Today I ran into a service which clearly doesn't have an arbitrary address:…

user9651
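The derivation the question refers to, as an added example that is not part of the original post or of Tor's code: a v2 hidden-service address is the lower-cased base32 encoding of the first 80 bits (10 bytes) of SHA-1 over the DER-encoded RSA public key, as the v2 rendezvous spec describes, which gives the familiar 16-character name. A "non-arbitrary" address such as the one the asker ran into is obtained by brute force: generate keys until the hash happens to start with the wanted prefix, which costs about 32^n tries for an n-character prefix. `SAMPLE_DER` and the `candidate_keys` generator are constructed stand-ins so the search runs offline; a real vanity search generates a fresh RSA keypair per attempt.

```python
import base64
import hashlib
from typing import Iterator, Optional, Tuple

def onion_address(der_public_key: bytes) -> str:
    """v2 .onion name: base32 of the first 10 bytes (80 bits) of
    SHA-1(DER-encoded RSA public key), lower-cased: 16 chars from [a-z2-7]."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()

# Constructed stand-in for a DER-encoded public key (not a real key); the
# derivation only cares about the bytes that get hashed.
SAMPLE_DER = bytes((i * 7 + 3) % 256 for i in range(140))

def candidate_keys(seed: bytes) -> Iterator[bytes]:
    """Stand-in for repeated key generation. A real vanity tool makes a new
    RSA keypair each try; here each try only bumps a counter in the input."""
    n = 0
    while True:
        yield seed + n.to_bytes(8, "big")
        n += 1

def find_vanity(prefix: str, seed: bytes, max_tries: int) -> Optional[Tuple[int, str]]:
    """Brute-force search: return (tries, address) for the first candidate whose
    address starts with `prefix`, or None if max_tries is exhausted."""
    if any(ch not in "abcdefghijklmnopqrstuvwxyz234567" for ch in prefix):
        raise ValueError("prefix must use the base32 alphabet a-z2-7")
    for tries, der in enumerate(candidate_keys(seed), start=1):
        if tries > max_tries:
            return None
        addr = onion_address(der)
        if addr.startswith(prefix):
            return tries, addr
    return None

def expected_tries(prefix_len: int) -> int:
    """Each base32 character has 32 values, so a fixed n-char prefix needs
    roughly 32**n tries on average."""
    return 32 ** prefix_len

if __name__ == "__main__":
    print(onion_address(SAMPLE_DER))
    print(find_vanity("ab", b"constructed-seed", 200_000))
    print("8-char prefix needs about", expected_tries(8), "tries")
```

A two-character prefix costs about a thousand hashes, an eight-character one about 1.1e12, which is why real vanity names are only the first several characters and the rest of the address stays random.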
58 votes, 6 answers

Why does DocuSign require that your password "must not contain the characters <, > or spaces."?

DocuSign requires that your password "must not contain the characters <, > or spaces." Is this not an odd requirement? Despite being a leader in online document signing, my gut tells me there's something odd under-the-hood.

carrier (633 reputation; 3 silver, 7 bronze badges)
58 votes, 8 answers

Should I log users in if they enter valid login info in registration form?

Recently, we've had users complain that they forget that they have an account, try registering, and get an error message that a user with that email already exists. There is a proposal to just log them in when this happens. So, if the user inputs valid…
58 votes, 12 answers

Is it possible to make a video that is provably non-manipulated?

Suppose a student takes an exam at home. Since home exams are prone to cheating, the student wants to be able to prove that he/she did not cheat. So the student puts cameras in the room, which videotape the room during the entire exam. Now, if the…

Erel Segal-Halevi (1,105 reputation; 2 gold, 9 silver, 11 bronze badges)
58 votes, 3 answers

For SameSite cookie with subdomains what are considered the same site?

For the SameSite cookie attribute, I'm not clear on whether, if I set a cookie with domain .example.com from sub.example.com with the SameSite attribute, it will be considered the same site as other.example.com. Cookie behavior is different from CORS and…

derduher (683 reputation; 1 gold, 5 silver, 6 bronze badges)
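What "site" means for SameSite, as an added example that is not part of the original post: browsers compare the scheme plus the registrable domain (the public suffix from the Public Suffix List plus one more label), not the full host, so sub.example.com and other.example.com are the same site while alice.github.io and bob.github.io are not, because github.io is itself a public suffix. The `PUBLIC_SUFFIXES` set below is a constructed handful of entries standing in for the real list that browsers ship; `registrable_domain`, `site_of` and `same_site` are names chosen for this example.

```python
from urllib.parse import urlsplit

# Constructed excerpt of the Public Suffix List (publicsuffix.org). The real
# list has thousands of rules; only these few are needed for the example.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "io", "github.io"}

def registrable_domain(host: str) -> str:
    """Longest matching public suffix plus one label (the eTLD+1). If no rule
    matches, the PSL default rule makes the last label the suffix. A host that
    is itself a public suffix (e.g. github.io) has no registrable domain and is
    returned unchanged so it never equals any other host."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # i = 0 is the longest candidate suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ".".join(labels)
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])            # default "*" rule: last label is the TLD

def site_of(url: str):
    """The 'site' browsers use for SameSite: scheme plus registrable domain
    (schemeful same-site, as current browsers implement it)."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"URL has no host: {url!r}")
    return (parts.scheme.lower(), registrable_domain(parts.hostname))

def same_site(url_a: str, url_b: str) -> bool:
    return site_of(url_a) == site_of(url_b)

if __name__ == "__main__":
    # Constructed pairs illustrating the boundary.
    for a, b in [
        ("https://sub.example.com/page", "https://other.example.com/api"),
        ("https://alice.github.io", "https://bob.github.io"),
        ("http://sub.example.com", "https://sub.example.com"),
        ("https://shop.example.co.uk", "https://www.example.co.uk"),
    ]:
        print(same_site(a, b), a, b)
```

So a `SameSite=Strict` cookie with `Domain=.example.com` set by sub.example.com is still sent on a request that other.example.com makes to sub.example.com: the Domain attribute decides which hosts receive the cookie, SameSite decides whether the request's initiator is cross-site, and both hosts sit in the same site. The port is not part of the comparison, and the scheme only matters in browsers that enforce schemeful same-site, which the current ones do.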
58 votes, 7 answers

How can caller ID be faked?

My late brother was contacted by someone on a landline number operated by a carrier in Australia, which displayed on caller ID. I traced the number to a company, and though they did call him on a number of occasions from this number over a couple of…

stumped (549 reputation; 1 gold, 4 silver, 4 bronze badges)
58 votes, 2 answers

Is HTTP compression safe?

The CRIME attack taught us that using compression can endanger confidentiality. In particular, it is dangerous to concatenate attacker-supplied data with sensitive secret data and then compress and encrypt the concatenation; any time we see that…

D.W. (98,860 reputation; 33 gold, 271 silver, 588 bronze badges)
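The mechanism the question describes, as an added example that is not part of the original post: attacker-chosen text (a query string) is compressed in the same stream as a secret (a cookie), and because LZ77 replaces a repeat with a back-reference, a guess that matches one more byte of the secret compresses one literal shorter. Encryption hides the bytes but not the length, so the length alone is an oracle that recovers the secret one character at a time. The request layout, the cookie name `auth_token`, the token value and the hex alphabet are all constructed for the example; DEFLATE with fixed Huffman codes stands in for TLS compression (CRIME) or HTTP response compression (BREACH), so that only the LZ77 matching changes between candidates.

```python
import zlib

# Constructed scenario: the victim's browser sends requests whose query string
# the attacker controls, and the same compressed stream carries the secret cookie.
SECRET_TOKEN = "7f3a9b2c"              # constructed sample, not a real credential
KNOWN_PREFIX = "Cookie: auth_token="   # attacker knows the header layout and cookie name
CHARSET = "0123456789abcdef"           # alphabet the attacker assumes for the token

def build_request(query: str) -> bytes:
    """What the browser sends: the attacker-chosen query next to the secret cookie."""
    return (
        f"GET /search?q={query} HTTP/1.1\r\n"
        "Host: bank.example\r\n"
        f"{KNOWN_PREFIX}{SECRET_TOKEN}\r\n\r\n"
    ).encode()

def compressed_len(data: bytes) -> int:
    """Raw DEFLATE with fixed Huffman codes (Z_FIXED), level 9. Fixed codes keep
    every hex literal at exactly 8 bits, so the only thing that varies between
    candidate guesses is how many bytes the LZ77 back-reference absorbs."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15, 8, zlib.Z_FIXED)
    return len(comp.compress(data) + comp.flush())

def oracle(query: str) -> int:
    """All an on-path attacker observes: the length of the (compressed) ciphertext."""
    return compressed_len(build_request(query))

def recover_token(length: int) -> str:
    """Grow the guess one character at a time. The candidate that continues the
    secret extends the match by one byte and saves one 8-bit literal, so its
    request is exactly one byte shorter than every wrong candidate's."""
    recovered = ""
    for _ in range(length):
        sizes = {c: oracle(KNOWN_PREFIX + recovered + c) for c in CHARSET}
        smallest = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == smallest]
        if len(winners) != 1:
            raise RuntimeError(f"no unique shortest candidate after {recovered!r}")
        recovered += winners[0]
    return recovered

if __name__ == "__main__":
    print("recovered:", recover_token(len(SECRET_TOKEN)))
```

The known prefix is deliberately 19 bytes long so every match length the search produces (19 to 27) falls in a band of DEFLATE length codes with the same number of extra bits; with a shorter prefix, crossing a length-code boundary can shrink the saving to 7 bits, which byte rounding may then hide, and a real attack handles that with padding and repeated measurements rather than the single request per candidate used here. The defence the question leads to is the one CRIME and BREACH forced in practice: do not compress secrets together with attacker-controlled input (TLS compression disabled, secrets kept out of compressed responses or masked per request).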
58 votes, 1 answer

Does a client certificate identify the owner to unrelated websites?

If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it? I once visited an ssl diagnostic site that immediately reported back information from one of my client…

user13097 (453 reputation; 4 silver, 6 bronze badges)
58 votes, 4 answers

Effectiveness of Security Images

Do security images such as those presented upon logging into banks provide any tangible security benefits, or are they mostly theater? Per my understanding, if somebody is phishing your users, it's also trivial for them to proxy requests from your…
58 votes, 10 answers

How can I convince my boss that storing third party passwords in plaintext is a bad idea?

Keeping things vague - I work at a company that handles compliance issues for our clients. Very often, this means we need to log onto their various accounts for various entities. We store their username and password, both to make it easier for them…

Selkie (715 reputation; 1 gold, 5 silver, 8 bronze badges)
58 votes, 7 answers

Email received regarding Security flaw in website

I received an email to techsupport@websitename.com (a pretty generic address) saying that there was a security flaw in my website, etc. My initial reaction was that this was a scam. (How/why did they find our site?) However, they didn't seem to be…

Welz (695 reputation; 2 gold, 6 silver, 10 bronze badges)
58 votes, 4 answers

Is the OWASP recommendation regarding localstorage still valid?

I am currently working on an Application which is a single page application built with Angular. It is served over HTTPS, using HSTS. For authentication, we are using Auth0. The Auth0 documentation recommends storing the access token in…

JMK (2,486 reputation; 7 gold, 28 silver, 39 bronze badges)