サクサク読めて、アプリ限定の機能も多数!
トップへ戻る
体力トレーニング
security.stackexchange.com
There was a question RSA vs. DSA for SSH authentication keys asking which key is better. Basically all answers were more in a favour of RSA over DSA but didn't really tell that DSA would be somehow insecure. Now however DSA was deprecated by OpenSSH and is later going to be entirely dropped: https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html The information states: Startin
Yes, HMAC is more complex than simple concatenation. As a simplistic example, if you were to simply concatenate key + data, then "key1"+"data" yields identical results to "key"+"1data", which is suboptimal. HMAC will yield different results for each. There are other flaws with simple concatenation in many cases, as well; see cpast's answer for one. The specification for HMAC is called RFC2104, whi
When visiting Gmail in Chrome, if I click on the lock icon in the address bar and go to the connection tab, I receive a message 'no certificate transparency information was supplied by the server' (before Chrome 45, the message was displayed as 'the identity of this website has been verified by Google Internet Authority G2 but does not have public audit records'). What exactly does it mean that th
For a REST-api it seems that it is sufficient to check the presence of a custom header to protect against CSRF attacks, e.g. client sends "X-Requested-By: whatever" and the server checks the presence of "X-Requested-By" and drops the request if the header isn't found. The value of the header is irrelevant. This is how Jersey 1.9's CsrfProtectionFilter works and it is described in this blog post: h
On the surface bcrypt, an 11 year old security algorithm designed for hashing passwords by Niels Provos and David Mazieres, which is based on the initialization function used in the NIST approved blowfish algorithm seems almost too good to be true. It is not vulnerable to rainbow tables (since creating them is too expensive) and not even vulnerable to brute force attacks. However 11 years later, m
Among the Elliptic Curve Cryptography (ECC) algorithms available in OpenSSH (ECDH, ECDSA, Ed25519, Curve25519), which offers the best level of security, and (ideally) why?
Every once in a while (when I think out loud and people overhear me) I am forced to explain what a buffer overflow is. Because I can't really think of a good metaphor, I end up spending about 10 minutes explaining how (vulnerable) programs work and memory allocation, and then have about 2 sentences on the actual exploit ("so a buffer overflow fills the buffer up with nonsense and overwrites the po
In the AWS ELB, I have uploaded a cert and only selected "RC4-MD5" + "RC4-SHA" as the ciphers and scored A in the ssltest [1] If I using the default ELB setting, I can only score a C Since I am not doing a PCI compliant site, so by using only the above two ciphers, is it enough for most purpose? (by enough I mean wide range of browser support) [1] https://www.ssllabs.com/ssltest/
RSA Security commonly uses keys of sizes 1024-bit, 2048-bit or even 3072-bit. And most Symmetric algorithms only between 112-bit and 256-bit. I do realize that the current keys are secure enough for today's hardware, but as computers get faster, should we not consider an insanely large key size like a million bits or so to protect ourselves against super computer systems that has not been invented
General SSL (and its successor, TLS) is a protocol that operates directly on top of TCP (although there are also implementations for datagram based protocols such as UDP). This way, protocols on higher layers (such as HTTP) can be left unchanged while still providing a secure connection. Underneath the SSL layer, HTTP is identical to HTTPS. When using SSL/TLS correctly, all an attacker can see on
Stack Exchange Network Stack Exchange network consists of 183 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Visit Stack Exchange
このページを最初にブックマークしてみませんか?
『Information Security Stack Exchange』の新着エントリーを見る
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く