Most Popular (1500 questions)
56 votes, 9 answers

How to securely send private keys

What is the recommended way and best practice to send private keys and SSL private keys? I was thinking of zipping up the files, then using gpg: gpg -c thefile.zip The problem then becomes how do you send the passphrase used to encrypt to the other…
Justin
56 votes, 4 answers

How secure is 7z encryption?

I have a text file in which I store all my bank details. I compress and encrypt it with 7-Zip using the following parameters: Compression parameters: Archive format: 7z Compression level: Ultra Compression method: LZMA2 Dictionary size: 64…
55 votes, 9 answers

Feeding /dev/random entropy pool?

Which way of additionally feeding /dev/random entropy pool would you suggest for producing random passwords? Or, is there maybe a better way to locally create fully random passwords?
tkit
55 votes, 8 answers

Keeping secrets from root on Linux

I am looking for ways to harden a Linux system so that even when gaining full root access (through legit or non-legit means), some secrets remain inaccessible. But first a little background. Many of the different Linux security models (SELinux,…
Nakedible
55 votes, 5 answers

Should security-critical code be reused or rewritten?

Usually, in programming, reusing code is always a better idea than writing your own implementation of an algorithm. If an implementation has been around for a long time and is still used by lots of projects, it is likely to be pretty well designed…
Hadrien G.
55 votes, 13 answers

What makes it illegal to use the information learned by exploiting a bug?

According to news reports, arrests have already been made in relation to the Heartbleed bug. It sounds like this person managed to gain access to the website's database by capturing the credentials the app used to access the database. This person…
55 votes, 7 answers

Open Source vs Closed Source Systems

My understanding is that open source systems are commonly believed to be more secure than closed source systems. Reasons for taking either approach, or combination of them, include: cultural norms, financial, legal positioning, national security,…
blunders
55 votes, 2 answers

Decrypting TLS in Wireshark when using DHE_RSA ciphersuites

How can I decrypt TLS messages when an ephemeral Diffie-Hellman ciphersuite is used? I am able to expose the premaster secret and master secret from the SSL Client. Using that, how to decrypt the messages in Wireshark?
Kalai
55 votes, 11 answers

How to protect my code from “insider” threats when hiring my first employee?

I quit my job to start my own SaaS product. I’m now looking to hire my first employee (another developer). I will be taking appropriate legal precautions to protect my IP, but I’m wondering what other reasonable actions that I can take to further…
arao6
55 votes, 2 answers

How does ssh public key authentication work?

My basic understanding is this: The (connected to) server's sshd uses the public key to encrypt some message The client's ssh or ssh-agent decrypts it and sends something back (the message's checksum? its signature?) The server's sshd verifies that…
Tobias Kienzler
55 votes, 7 answers

Is this email asking me to send them $100 for details on a security flaw in my website a scam?

I've just received this email. Is it a standard practice or a scam? I'm a Security Researcher running a vulnerability identification service for a small group of private clients, and I accidentally found some vulnerabilities in your…
muszek
55 votes, 8 answers

If I send a plaintext e-mail using Gmail to somebody, including my PGP public key block, is that secure?

I've been trying to figure out "practical encryption" (AKA "PGP") for many years. As far as I can tell, this is not fundamentally flawed: I know Joe's e-mail address: cool_joe@gmail.com. I have a Gmail e-mail address: me_78@gmail.com. I have GPG…
Joas
55 votes, 3 answers

Where to disclose a zero day vulnerability

We discovered a vulnerability in a wide range of Ricoh printers, where with a simple PostScript file sent directly, it is possible to crash the device. To recover, you need physical access to the printer and an administration account to clear the queue…
Matteo
55 votes, 8 answers

How can I make payments on the Internet without leaving a money trail?

For someone who values anonymity and privacy, what is the recommended way to pay on the Internet? Example: To buy a domain or a VPN or another service I know that we can use cryptocurrencies, but at some point, you need to buy cryptocurrency using a…
DxTx
55 votes, 5 answers

Is it bad practice to prefix my hash with the algorithm used?

Let's say I have a database with a bunch of users in it. This user database would typically have a hashed password per user. Would it be bad practice to prefix this hash with the hashing algorithm used? For instance, instead of the hash…