Collaborate Disseminate
Does Firefox’s built-in installer for addons/extensions validate its payload’s authentication and integrity for all files it downloads before actually installing them?
I avoid in-app updates because, more often than not, developers do not … Continue reading Does Firefox’s addon/extension installer provide cryptographic authentication and integrity validation?
So I wrote the following logic for my web app:
When a user interacts with the website it initiates a Backend call. In the backend every endpoint has multiple middlewares, of which there is a JWT verification step, if it succeeds it goes to… Continue reading Is there any danger in refreshing JWT tokens directly without a refresh token?
Say I have a game, when you finish playing you put your name in and your score is synched with a public scoreboard. Assume also that I own the server and its code. How can I verify that the scores received by public clients are legitimate … Continue reading validating the authenticity of messages from public client without authentication
For any file on your OS you can get a md5 or sha256 value and if you suspect anything you get it again and compare. I was wondering if there is any way to do the same with the bios and bootloader and check their integrity manually. Can you… Continue reading Is there any security technology/technique beside tpm/secure boot which can verify the integrity of the bios or bootloader?
Let’s suppose I’m uploading some website to website example.com, and I’m signing every single file with MAC which is shared by users of my website to verify that me (the admin) uploaded that file.
It’s clear that if someone isn’t a user of… Continue reading How message authentication code (MAC) works?
Alternatively, the question could be asked: Does issuing a checksum for a file we sign anyways just duplicate work?
Use case: Firmware sent to an IoT device. We sign it, and form a separate checksum for it.
My understanding is that this is… Continue reading Is signing a file better than issuing a checksum, and does it render a separate checksum useless?
I am looking for a device to explain the compromises that we make for extra layers of security.
For example wrt extra layers: communication like JWT encryption/signing and other sorts of encapsulation over TLS
Could I use something like th… Continue reading Can I use the CIA triad as a sliding scale wrt complexity?
We’ve all certainly heard about the widely overhyped BadUSB exploits on the Physon microcontrollers.
There’s certainly a high potential of gaining something by targeting such a specific device, which is designed to only contain secrets.
Ev… Continue reading What security measures does YubiKey take to secure its hardware from malicious firmware tampering? [closed]
Sometimes there’s no tar release for some repo in github, and the download as zip button only generates a random zip with random hash. So, in my Dockerfile, I want to clone a repo but be able to check against some hash to prevent tampering… Continue reading Can I trust a hash commit for integrity of the entire repository?
I’ve read about APKPure being infested with AdWare and similar PUPs, what would be the great source/method to download APKs for your Android phone?
Some options I’m aware of, but I need opinion on:
Package manager from F-Droid which can e… Continue reading What’s the most secure way to get APK files?