Collaborate Disseminate
(found on reddit)
[translation: the website is programmed to reject the login if it is the correct password and if it is the first login attempt]
Assume that the scheme is to reject the first correct login attempt – because otherwise it d… Continue reading Is it viable to defend against brute force attacks by rejecting correct passwords?
This is a general pattern that occurs in various security- and privacy-conscious applications…
The DuckDuckGo browser, for example, won’t let me show my browsing history. It does seem to store it, however, since it shows visited links in… Continue reading Why do apps such as the DuckDuckGo browser or Signal seem to try to protect my own data from me?
From answer to question Can a hacker, that knows my IP address, remotely access accounts I have left logged in on my computer? :
IP addresses are not very dangerous when a malicious user knows them. This is somewhat of a myth caused by sc… Continue reading Does knowing my IP address allow someone to find my home address? [duplicate]
It appears that every forum, wordpress blog and other such website is regularly visited by bots, who use it to post shady advertisements.
I am curious how do bots seek such websites?
I understand – correct me if I’m wrong – that once a bot… Continue reading how do bots seek forums, blogs and other "spammable" websites? [closed]
As far as I’m aware, a locked iOS is considered very safe. No one, who does not know the PIN cannot unlock the phone. While the PIN seems weak on the first glance (4 digits?) it is actually strong, because enough failed attempts = data is … Continue reading How does iOS / Android device encryption work?
AJAX Security Cheat Sheet § Always return JSON with an Object on the outside says:
Always have the outside primitive be an object for JSON strings:
Exploitable:
[{"object": "inside an array"}]
Not exploitable:
{"o… Continue reading Why does OWASP recommend to never return JSON arrays not wrapped in objects?
It is typically recommended to enable 2FA wherever possible. Moreover, it is typically recommended to enable not just any 2FA method, but Yubikeys in particular.
Yubikeys are considered to be the strongest available 2FA method. They are ni… Continue reading How do Yubikeys improve security if I am typically also forced to enable other, weaker 2FA methods?
https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/ <- apparently certain car companies state in their privacy policies that they collect info… Continue reading How do cars collect ‘genetic information’? [closed]
Is it unsafe to use environmental variables for secret data?
^^ according to that question and answers:
Environment variables are a poor (though perhaps passable, as per Forest’s comment) way to store secrets;
The preferred way is to use … Continue reading How to securely pass secrets if I’m deploying my app n the old school way, rather than using Docker, Heroku, cloud etc?
My understanding is that:
SVGs offer far greater functionality if they are directly embedded in a site’s HTML code via the <svg> tag than if they are linked to via the <img> tag
For example, if the <svg> tag is used, it… Continue reading Is it practically possible to use SVGs to their full potential while still enjoying all protections offered by Content Security Policy (CSP)?