WindowsTechs.com

Author Archives: MechMK1

How to set up two YubiKeys to have the same secret?

Posted on February 3, 2021 by MechMK1

A lot of services offer authentication with FIDO2, such as Twitter, but only allow the user to set one "security key". This is problematic in case the key is lost or breaks. The ideal solution would be to allow a user to set up m… Continue reading How to set up two YubiKeys to have the same secret?→

Posted in FIDO2, yubikey

Are libhydrogen’s Gimli permutations production ready?

Posted on January 15, 2021 by MechMK1

I’ve recently had a situation in which a recommendation for an easy-to-use, hard-to-misuse cryptographic library for Java was required. The first choice was Google’s Tink, since it was designed specifically for that purpose. Given it’s ass… Continue reading Are libhydrogen’s Gimli permutations production ready?→

Posted in Cryptography

Is this nginx config suitable to enforce proper authorization?

Posted on December 30, 2020 by MechMK1

Scenario
I have a website secret.example.com, which contains information which must not be disclosed to third parties. In order to protect the information, TLS client authentication was chosen. Whether or not a client is authorized depends… Continue reading Is this nginx config suitable to enforce proper authorization?→

Posted in certificates, Nginx

How is it possible that a <script> tag was injected, but not executed?

Posted on November 2, 2020 by MechMK1

I’ve recently tested a web application and found out that it was vulnerable to Stored XSS attacks. However, a peculiar behavior left me a bit puzzled. When I inserted John <script>alert(1)</script>Doe, my browser showed that th… Continue reading How is it possible that a <script> tag was injected, but not executed?→

Posted in web-application, xss

What is the risk of having a 2FA key permanently plugged into my device?

Posted on June 12, 2020 by MechMK1

Yubico offers the YubiKey Nano, a 2FA key designed to be left inside the device more or less permanently.

While it does add comfort to be able to just leave it plugged in, what risks would there be if the device was stolen with this st… Continue reading What is the risk of having a 2FA key permanently plugged into my device?→

Posted in multi-factor

Why does Wireshark not recognize WCF traffic as TLS encrypted?

Posted on May 13, 2020 by MechMK1

In a .NET application, communication between client and service can be implemented using various different bindings, NetTcpBinding being one of them.

The class defines an attribute named Security, which, according to this article, default… Continue reading Why does Wireshark not recognize WCF traffic as TLS encrypted?→

Posted in net, TLS, wcf

Can the Host Header be used to hide the existence of a service?

Posted on April 23, 2020 by MechMK1

Imagine a web server running on 93.184.216.34, usually reachable via the public DNS entry example.com. Web servers usually allow the distinction of multiple “virtual” servers, based on the Host header received via the HTTP request.

Now im… Continue reading Can the Host Header be used to hide the existence of a service?→

Posted in web service

What are the dangers of not setting the HSTS header on every response?

Posted on April 10, 2020 by MechMK1

A web application only sets the HSTS header in responses to requests to /assets/*. Any other response does not include the HSTS header.

While it does seem insecure at first, any browser opening the index page will quickly follow up loadin… Continue reading What are the dangers of not setting the HSTS header on every response?→

Posted in HSTS

Are there any reasons for Kerberos being based on symmetric cryptography?

Posted on March 13, 2020 by MechMK1

Kerberos is an authentication protocol that is famously built using only symmetric ciphers.

As a direct result of this, there are several attacks possible, such as

AS-REP Roasting
AS-REQ Roasting
Kerberoasting
Silver Tickets
Golden Tick… Continue reading Are there any reasons for Kerberos being based on symmetric cryptography?→

Posted in kerberos

Are there any standards or guidelines tamper-evident devices can adhere to?

Posted on February 4, 2020 by MechMK1

Tamper-Evident devices and measures are devices which in some way indicate that an event not intended by the developer or manufacturer has occurred. Examples of tamper-evident devices are stickers that leave specific residue or are destroy… Continue reading Are there any standards or guidelines tamper-evident devices can adhere to?→

Posted in standards, tampering
