Collaborate Disseminate
I am presented with the following scenario:
I have a MySQL-Database with a table of users. The table has two fields: username and password. The password is stored as an unsalted hash.
An over 15 year old application uses th… Continue reading Is there a way to add salted hashing to my user authentication without breaking my former login server
Could somebody provide some positives / drawbacks of the email encryption approaches for the three platforms mentioned. I have been researching this in depth, however, I am conscious that a lot of the reports im reading have … Continue reading Email Encryption Recommendations (Egress, O365 and Forcepoint) [on hold]
I’ve tried to download a local copy of our website to play about with some minor front-end tweaks and my anti-virus flagged and prevented the download.
I used a plugin to scan WordPress and it flagged a file with this code:
… Continue reading WordPress Suspicious:PHP Help [on hold]
I’m allowing users to upload CSV files. Other users can download these files. I’m aware that CSV could be an attack vector.
Would a ClamAV (or other AV) scan offer protection against such a file?
Any scan would happen only … Continue reading Can ClamAV detect CSV Injection?
I have a customer running my application with SAML SSO. This solution supports SLO (single logout). Due to their environment, a logout does not always sign the user out of the SAML IdP. This results in clicking “Sign Out” in … Continue reading Customer asking for a sign out that does not really sign out to obscure that the user is not signed out
I use the pass password manager, and I am trying to come up with a convenient way to bootstrap new machines with access to the git repository. I also have a GPG smartcard (Yubikey) with a different keypair (I use a separate k… Continue reading Is it safe to share an encrypted GPG private key?
For example if you were filling out a sign up form to get a free credit score and they required your SSN, would it be safer/ more secure to do so with a short lived p2p connection?
I have a server that sends webhook notifications to client servers. Before the client server begins processing anything, it should be certain that the webhook originated from my server, and that it was not altered or spoofed…. Continue reading Signing webhooks with JWT — overkill with TLS?
I have a hypothetical mobile game where players don’t necessarily need to create accounts to play. Their data is keyed off of a device identifier like an advertising identifier (IDFA) or Apple’s identifierForVendor or Android… Continue reading Authenticate user based on mobile device identifier
Here are steps to setup a Google login button on a web client:
https://developers.google.com/identity/sign-in/web/sign-in
When click on the Google login button this pops up:
All the interactions are between the IDP (Googl… Continue reading Google login button – what prevents an rogue app from stealing a token?