Collaborate Disseminate
I am trying to validate a xml certificate signed by a entity called Camerfirma, I had to download their DER file and convert it to PEM in order to place it into /etc/ssl/certs/ (with the other authorized CAs). To validate the certifcate I … Continue reading Trying to use xmlsec1 but doesn’t show the CAs used
Personally, I think that it’s not so important to check the strength of the passwords on server-side, since, if the user evades the validation on the client side, it would be their responsibility to use an insecure password; however, I don… Continue reading Should password strength validation also be run server-side or only client-side?
When visiting a website that uses HTTPS, we can see its certificate in the browser. But how can we know for sure which validation process the company or domain behind the website has gone through?
Validation processes: OV (Organization Val… Continue reading How to determine validation process of a certificate used by a website using HTTPS?
In RFC-4519 stateOrProvinceName is abbreviated to ST. Should we assume that it is best practice to put ST=<name-of-state> in the certificate if the state or province is indicated? After all X-500 also has the acronyms S and SP reserv… Continue reading Best practice for "stateOrProvinceName" in certificate
I think I have a good understanding of how cloud password managers work. However, I always asked myself how do they know I don’t upload bad data if the data is encrypted and they can’t decrypt it.
Let’s say the data is stored as JSON. Do t… Continue reading How can a password manager ensure I don’t upload bad data? [closed]
I’m working with a developer to develop a web application. For one aspect of this application, I need to allow hundreds of merchants to deliver non-PII and non-sensitive data to my website. The data will be used to pre-fill a form on my w… Continue reading Processing Parameters passed in URL String from a Third Party
Christa: Forensic Focus’ coverage of standardization and digital forensics continues this week by exploring CASE: the Cyber investigation Analysis Standard Expression. An extension of the Unified Cyber Ontology, which defines classes of… Continue reading Eoghan Casey on the CASE Ontology for Digital Forensics Practice & Process
I have an old let’s encrypt (but disregard that, it could be any) certificate that is no longer active.
How may I check if it was valid at the time?
Continue reading How may I check if an expired certificate was valid at the time?
For my personal use, I bought a domain for internal ssl validation for my pfsense. I was able to get the LetsEncrypt’s ACME script to successfully validate my domain and produce an ssl certificate for a subdomain. I setup my pfsense to use… Continue reading How does DNS-01 validation for LetsEncrypt know what the right IP address is?
In this question I asked about how to handle situations when SHA-256 hashes are not available for a file downloaded from the internet that contains executable code. Another community member insightfully asked if a hash is really needed to… Continue reading If a file is digitally signed, is posting a hash very useful for security purposes?