Collaborate Disseminate
Threat actors are creating lookalike domains (ex. Telecom.com to te1ecom.com), and using those to phish users for credentials (not employees). They’re getting the MFA tokens, too.
What could be done so that the client-side code couldn’t be… Continue reading How to prevent credential stealing of customers via phishing and domain squatting
I am designing a cloud based PKI infrastructure which issues and manages TLS certificates for telemetry devices and data server. Each customer will install multiple telemetry devices and a data server in his/her premise. Data server collec… Continue reading Trust segregation in PKI
If TLS communication uses ciphers that does not support forward secrecy[FS] (like RSA key exchange ciphers), confidentiality of the past communication is compromised if the private key is compromised. But will the integrity also gets compr… Continue reading How integrity is compromised if forward secrecy is not enabled in TLS communication?
My understanding is that, threat modelling is used at the design stage to identify the possible threats, prioritize them and help in identifying security requirements/security controls. Vulnerability assessment is done during development a… Continue reading What is difference & link between threat modelling and vulnerability assessment?
I am working at an organisation where the wifi information shows that the network is open, but it requires me to fill in authentication details when I connect to it.
A snapshot of it attached herein.
I am unable to understand how it is be… Continue reading Network Open Still password protected [closed]
I have a private CA which provides certificates for three types of IoT devices (Type1, Type2 and Type3). On the IoT device certificate’s subject DN, which attribute can be used for specifying this type information? Is there any existing us… Continue reading Which attribute in DN is commonly used to specify the class/type/usage of certificate/end-entity?
If the OCSP signing is delegated explicitly to another entity and that delegated OCSP responder is compromised, how to revoke the certificate and convey the revocation information to a client? We need CRL for this?
Continue reading How revocation status of delegated OCSP responder is verified at the client side?
Is it necessary to periodically re-key end entity SSL certificates apart from typical scenarios like Key lost/key compromise? What benefits does it provides in terms of security and others? Is there any guidelines for that period?
I have a network like shown in this image.
A group of devices in a site talk to a remote cloud server through a gateway device. The gateway device can authenticate itself to the cloud.
But do these end devices need to authenticate with th… Continue reading Do we need device authentication in intranet of things?
We have a web front end server with TLS 1.0 enabled for web application in IIS.
This WFE communicates internally with external workflow manager server through fqdn and TLS 1.0
If we enable TLS 1.2 in WFE server, will the co… Continue reading TLS 1.0 and TLS 1.2 enable simultaneously