How should I respond to an unrequested Facebook recovery code followed by an unexpected logout from the associated email account? [closed]

Cybersecurity layperson here.
I recently got an email from Facebook giving me an account recovery code that I didn’t request. I assume this means that someone else did request it, either because they have a similar Facebook login to me and…

How to verify the hostname of a certificate? And is it mandatory if the client knows the certificate?

I have a reported finding saying that hostname verification is disabled.
This can be deduced from this line of code:
final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
httpClientBuilder.setSSLContext(sslContext).se…

Who owns customer identity?

When I’m talking with prospective clients, I like to ask: which department owns customer identity? Everyone immediately looks towards a different team. While every team touches customer identity at some point, the teams that own it differ from organiza…

EJBCA: Open-source public key infrastructure (PKI), certificate authority (CA)

EJBCA is open-source PKI and CA software. It can handle almost anything, and someone once called it the kitchen sink of PKI. With its extensive history as one of the longest-standing CA software projects, EJBCA offers proven robustness, reliability, an…

Strategies for secure identity management in hybrid environments

In this Help Net Security interview, Charlotte Wylie, SVP and Deputy CSO at Okta, discusses the challenges of managing user identities across hybrid IT environments. She emphasizes balancing and adopting comprehensive security controls, including cloud…

How Google plans to make stolen session cookies worthless for attackers

Google is working on a new security feature for Chrome called Device Bound Session Credentials (DBSC), meant to prevent attackers from using stolen session cookies to gain access to user accounts. Session (i.e., authentication) cookies are stored by brows…

Does GUIX provide cryptographic authentication and integrity validation?

Does the GNU GUIX package manager require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified because the repo’s man…

Accessing a Slack account with Slack for Jira Cloud app installed gives unauthenticated access to Jira [closed]

If a user gains access to a Slack account, one that also has been linked to Jira — via Atlassian’s Slack for Jira Cloud app — that user then has access to the Jira account without ever having to be authenticated.
The scenario is:

A user…

Why can’t a user who is accessing the service on their own behalf find the "long term" keys to decrypt the service ticket and have to use U2U?

I started to study how the U2U mechanism works and got confused. The gist is as follows. When we use U2U, the service ticket will be encrypted with the KDC session key of the user-"server", which he will receive during Kerberos au…