Collaborate Disseminate
I have a question about implementing user password-based encryption in a database injunction with the Social Login feature.
User private data in my database should be encrypted in order to provide security at rest, and for that, I’m planni… Continue reading Password Based Encryption with Social Login
I’m trying to create application-layer encryption for user data in my database, using password derivation function. But there is a problem, that there must be an admin user, who can access all user’s encryption keys, for password reset functionality and some other things. I don’t like the fact that all encryption system security can be broken with just one admin password. I’ve asked for an advice here How can I improve the application administrator’s encryption keys security inside database
I was advised to compile an admin encryption key not from a password but from another source (admin computer system information, for example), so it can’t be brute-forced, and then pass it to the database server.
It is a good approach, however, this complicates admin mobility and system recovery in an event of key loss, and these requirements are mandatory to accomplish.
So, I come up with this idea:
At first glance, I don’t see any great flaws with this approach, but I couldn’t find that someone has done anything similar before, so I want to ask you to help me to validate my vision.
I am interested in the issue of establishing the security of data of users of a web application in the event of a database leak.
It was decided to use the following encryption chain:
User data is encrypted with a user symmetric key (AES)
… Continue reading How can I improve the application administrator’s encryption keys security inside database
I’m trying to write a blogpost on this challenge (it’s pretty basic, it should teach you about buffer overflows and ret2libc attacks).
The source code is the following:
#include <stdlib.h>
#include <unistd.h>
#include <stdio… Continue reading How does stack allocation work in this program? [closed]
I have OpenBSD server with OpenSSH 8.4 (protocol 2) on my virtual machine installed.
Nmap-Scan shows that there is CVE-2001-0554 vulnerability.
My question: this vulnerability is in telnetd damon. I do not understand how it is possible, as… Continue reading How can be telnetd vulnerable on OpenSSH 8.4 OpenBSD Systems?
Recently, we’ve had users complain that they forget that they have an account, try registering, and get error message that the user with such email already exists. There is a proposal to just log them in such cases. So, if the user inputs … Continue reading Should I log users in if they enter valid login info in registration form?
My site has a live broadcast embedded from another site.
[Live broadcast on the site[!
And the problem starts with the app,
That if I set to save cache files, then the live broadcast does not work because the page has already been saved on… Continue reading How do I set up a specific page in the app that will not save cache files? [closed]
I am wondering how do you do scan the Internet, like, there are a lot of tools to scan one IP, not a lot of them consecutive.
Continue reading Scanning devices with open ports on internet [closed]
I have a website which is using flash media server to communicate. Since my users often register new usernames, I’m using flash local storage to "identify" all usernames as a single computer regardless of browser they open.
Since… Continue reading How to share the same data between multiple browsers for same web site? [closed]
Let’s imagine that we have an SMS verification auth, and using random 4-digit codes,
i.e. 1234, 5925, 1342 and etc.
I’m using this random inclusive algorithm on my node.js server:
function getRandomIntInclusive(min, max) {
min = Math.c… Continue reading Which practices should i use while generating SMS codes for auth on my project?