Collaborate Disseminate
I’m trying to use a site that’s https but has it’s own certificate, and when I add an exception it still shows it as unsecure, with an exclamation on the padlock and when I click the padlock it says "Connection not secure" and &q… Continue reading HTTPS/TLS security with an invalid certificate
I have one question regarding the OCSP protocol to check if the certificate is revoked or not. The question is about checking whether the intermediate CA certificate immediately below the root CA is valid or not. I know that when we send a… Continue reading How does the client get the certificate (and public key) of the delegated authority (OCSP responder) to confirm the response in OCSP?
I have to get rid of so called "weak security" in a Tomcat application.
A penetration test identified services that accept connections with insecure TLS encryption and hashing algorithms: TLS 1.0/1.1,SHA1,CBC
Without being a Tomc… Continue reading Disabling weak cipher suites in Tomcat does not work as expected
Our app links w OpenSSL 3.0.7. I need to disable TLSv1.3. Used SSL_CTX_set_max_proto_version on both client and server contexts.
Results that I observe look confusing:
Connection between instanced of our app is set using TLSv1.2 and ciphe… Continue reading Disabling in code of TLSv1.3 in OpenSSL 3
I’ve read questions targeting the usage of basic authentication over HTTPS. Since the connection is already secure, except e.g. a compromised certificate, communication should be rather safe.
But I work in a research project where HTTPS mi… Continue reading Using asymmetric encryption as authentication over HTTP?
I submitted some personal data to an organization through a HTTPS website but then they emailed it all back to me in a PDF. This included name, address and DOB. There was no end-to-end encryption on this email or PDF, but they claim as the… Continue reading Email TLS encryption – personal data [duplicate]
I have a hypothetical server and client app.
The server needs to know if a POST request came from my custom client application or regular browser.
what can i do to check who made a request. I mean I want it to be secure so changing user-ag… Continue reading http request authorization [duplicate]
Recently I got an email from Xfinity (my internet provider) that a pirated file had been downloaded. It is true, a pirated file was downloaded by my brother (who was downloading games for a WII emulator) but the email said the IP that down… Continue reading How did my ISP know someone in my house downloaded a file over BitTorrent?
I’m trying to understand how the attack described in this article could work. Let’s grant that this attacker, not associated with company.com, managed to take control of oldsub.company.com. Here’s a description from the article:
Monsegur … Continue reading Would a signed TLS certificate prevent an attacker from stealing a domain?
Most internet communication is now end-end encrypted using TLS. In the TLS process, the TLS server sends a PKI certificate to the user which then gets authenticated using the CA’s root certificate that it has (I believe it’s stored in the … Continue reading Why installing a root certificate on the client opens a door for MitM attack?