Why would publishing a read-only HAProxy statistics page be considered a security vulnerability?

It seems that some HackerOne reports such as https://hackerone.com/reports/1884372 claim that having the HAProxy statistics page visible to the world is a security vulnerability.
Since HAProxy default stats enable configuration is always read-…

Can you really ignore the number of quantum processing steps needed for Shor’s algorithm? [migrated]

Answers to the question “RSA key length vs. Shor’s algorithm” suggest that e.g. 2048-bit RSA encryption would be trivially broken with a 4099-qubit quantum computer using Shor’s algorithm (best known implementation of the algorithm requiring 2n+3 qubits).

Is this really true? If I’ve understood correctly, the number of gates (logically quantum operations) needed would be around log(2^2048)^2×log(log(2^2048))×log(log(log(2^2048))), which is roughly 2.9×10⁷. Considering that not even classical computers can execute any operations with 2.9×10⁷ gates using a single piece of input data, it really doesn’t make sense to assume that such a high number of gates could be operated by a quantum computer in non-trivial time.

I would assume that for a quantum computer to execute one step, executing Shor’s algorithm would need to pass (logically) one input through all those gates, which would be analogous to a classical computer executing enough computer code to pass one 2048-bit input through 2.9×10⁷ gates. Because information cannot travel faster than the speed of light and gates have non-zero dimensions, this cannot happen in trivial time. And if you use photons for qubits in the quantum computer, wavelength probably sets minimum dimensions for a gate regardless of manufacturing abilities.

And if you need any error correction between the gates, that will require extra space and hence increase latency, too.

In addition, if I’ve understood correctly, to actually factor big numbers with Shor’s algorithm you need to use a classical computer to generate a random guess, and Shor’s algorithm will then use that guess to maybe emit the data needed to compute the factors. How many guesses on average would you actually need for factoring numbers used in 2048-bit RSA?

Has there been research about the potential practical runtime of a big physical quantum computer trying to execute Shor’s algorithm for factoring big numbers? Does that really support the interpretation that you can simply ignore the processing time regardless of the size of the numbers?


I have CSRF protection implemented server side, can I safely use `SameSite=None; Secure; HttpOnly`?

We have a web service where GET is always safe and all unsafe POST requests use single-use CSRF tokens. We have some cases where a cross-origin domain would need to pass us a POST request with data that should be used with currently active use…

What was the original intent for the feature that StrandHogg uses?

The “Affinity” of Android tasks seems really complex to handle. The StrandHogg vulnerability uses tricks with “Affinity” to render itself inside another app.

The information that I’ve found this far does not provide exact details of vu…

Can I use CloudFlare if I want to avoid NSA and FISA secret orders?

We’re running a web service in Europe, secured with TLS and we’re using private keys generated on our private hardware.
We would like to use CloudFlare for DDoS protection and caching reverse proxy.
However, putting my tinfoil hat on, I’m …

How to avoid session fixation (Login CSRF) by MitM attack without HSTS?

I’m writing a web app that already uses TLS encrypted connections (HTTPS), Secure; HttpOnly session cookie, HMAC-SHA1 CSRF token, requires correct Referer header to avoid Login CSRF and changes session id during login to avoid basic sessio…