Collaborate Disseminate
OpenID Connect defines a special use case for self-issued.me and it’s registered overseas to what I assume is a fictional name.
What is the risk of someone owning this domain w.r.t. OpenID Connect?
self-issued.me
Domain Name: SELF-ISSUE… Continue reading Who is the special OpenID Connect URL "self-issued.me" issued to, and is it a risk?
Is CSRF or XSS is possible on a phone… using PhoneGap, a Webview, or specifically a "Chrome Tab" or iOS equivalent.
I believe in theory this is possible, and mitigation is needed, but looking for examples of previous exploits n… Continue reading Are phone apps vulnerable to XSS or CSRF? (Webview, Phonegap, chrometab)
From what I can tell, Apple Watch apps act like a remote control to a nearby iPhone using Bluetooth or BLE.
Conversely Android watches have the ability to run full applications, and therefore have a local storage component.
Some regula… Continue reading What are the privacy and infosec risks with Apple Watches and Android Wear?
I just deployed DNSSEC at val-id.com and getvalid.com
Since DNSSEC is a requirement of DANE, and I have a CA-based certificate, can I show my support for DANE-based deployments by publishing my CA-based cert into DNS?
My co… Continue reading With DNSSEC, is there any benefit in DANE for a CA- issued Cert?
There are a few interesting Bluetooth door locks on the market that use version Bluetooth 4.0 however there seems to be a few issues with this
E0 Encryption flaws
Risks during pairing
Attacks unique to operating environment (temperature… Continue reading What risks are there with a Bluetooth based door lock, and are there any mitigations?
This document describes how there are 3 ways to constrain a SmartCard certificate
The Enhanced Key Usage field defines one or more purposes for which
the public key may be used. RFC 5280 states “in general, [sic] the EKU
extension … Continue reading How do I constrain Windows Smartcards for AD Authentication so that "anyExtendedKeyUsage" is not implied?
Windows seems to be saving my credentials for a variety of applications (terminal servers, etc) and I’d like to purge this data.
How can I backup and purge this data?
Continue reading How do I clear cached credentials from my Windows Profile?
I’ve heard that many DOS attacks and general “black hat hacking” attempts occur over the TOR network. Is it possible for me to dynamically block source IP’s by their presence in a BotNet or similar list?
How effective would this in thwar… Continue reading Block all BotNets and TOR addresses from accessing our site
An untrained end user who uses a mobile web browser is vulnerable to phishing and can’t easily verify the the authenticity (or security) of a website among other issues. Also, it is very easy to prevent even a knowledgeable user from dete… Continue reading Is a mobile app more secure for mobile use than the "normal" website?
This answer describes how DNSSec might permit “Zone walking”… where a bad guy can extract all the DNS records from a DNSSec enabled zone. NSEC3 is an update that prevents this. (See bottom of this article)
How can I determine (external… Continue reading How can I tell if a DNSSec zone is protected using NSEC3 (versus NSEC)