Is using Argon2 with a public random on client side a good idea to protect passwords in transit?

Not sure if things belongs in Crypto SE or here but anyway:
I’m building an app and I’m trying to decide whether it is secure to protect user passwords in transit, in addition to the TLS we already have.
On the server side, we already have bcrypt pr…

Does hashing client-side increase attack surface (assuming TLS and serverside salt+hash)? [duplicate]

This question asks whether one should hash on the client or the server. I want to know if there is any reason, aside from having to maybe handle one extra hashing library (if it’s not already in your security stack), why you wouldn’t want …

Can we know which client side script is performing a particular action on a website?

Recently on a website I noticed that the data received from the server is not the data that is being displayed. I think it must have been modified on the client side. So, is there any way by which I can know which action is being…

Using the hash of the user’s password for encrypting/decrypting an E2E encryption/decryption key: is this good practice? [migrated]

I am developing a zero-knowledge app, meaning the data is encrypted in the client before it’s transmitted (over SSL) and decrypted after the data is received. If the database is ever compromised, without the user’s decryption keys the atta…

Offloading TLS client-cert checking to OpenSSL (or similar) if server does not support it

TL;DR

I want to have “some thing” to handle client certs on behalf of a server that is unable to do it, for secure user authentication in addition to regular TLS encryption.

Context

In this question How can I double check security against …