security

Difference between Authenticode, SPC and Java CodeSign?

Hello. Most CAs are selling code signing certificates in different "products", like Verisign or Certum: Microsoft Authenticode - "Allows you to sign EXE, OCX, DLL, bla..." Java CodeSign - "Allows you to sign Java code" Software Publisher Certificate - "Allows you to sign software" Well, I am REALLY confused about this. What is the d...

Does encryption guarantee integrity?

To build a secure system, can we assume my question before starting programming? Both in symmetric and public-key encryption, is my question well-proofed? If not, what are the vulnerabilities? Can you give an example? ...

Is it OK sending the host name on the internet?

We are developing a TCP client tool which connects to one of our TCP servers. We send custom packets from the client to the server which the server knows how to intercept. On our server we wanted to know from which client machine the packets are received. Is it ok to send the Hostname of the client machine in the packet? The bigger co...

Does Java Security Manager decrease performance?

Does implementing the Java Security Manager result in decreased performance? ...

C++ free encryption libraries

So far I've come across Botan and Crypto++, which both provide reversible (e.g. AES) and non-reversible (e.g. SHA) encryption. I wondered if anyone can recommend either, or something else? ...

Securing a web service running on App Engine

Hey there, Our application consists of a REST web service running on App Engine and a flash client. We need to make sure that only our client can make requests to the web service and to prevent situations like replay attacks. I'm not a security expert (by far) so I'd like some advice with the security scheme I came up with. The syste...

PHP, x-cart, potential security breach.

Hello, The host of a server I work on just today turned off the site after x-cart was installed because the following commands were issued on the server and they think it's a security breach: ls -la 2>&1 id 2>&1;whoami 2>&1; id 2>&1 mkdir 123 pwd 2>&1 echo 1 The server is running linux (of some kind, not sure what..) and there is no...

How to sign script or webpage requiring UniversalXPConnect privilege

Hello. I have a website which uses some functionality implemented in the Firefox extension, which I developed. JavaScript script on one of my webpages requires UniversalXPConnect privilege for communicating with XPCOM component implemented in my Firefox extension. By default, when my script tries to enable this privilege for accessing ...

How are secure database connections usually implemented in JAR files?

I'm not a Java developer, but my client has hired one to update some JAR files on their site. Prior to doing so, we audited the existing code and found a number of security vulnerabilities. One of the solutions we employed to make the files more secure is to create a new database user with read-only access to the database, and only for t...

Using keys/passwords instead of site login

I'm wondering if it's a good idea to have a Web app which doesn't require a site login. This is for something like a public wiki where you just want to jump in and create stuff but still have a way to control access. Content can be read/edited by the content creator (or a few other people). What would be good references or existing apps...

Remove/hide port number from URL address.

It's not as simple as it looks. I've been given the task to add a third tomcat to a server that already has two Tomcats working. Problem is, this third Tomcat needs to be secure, and the port needs to be hidden. Since Tomcat 1 is currently using port 433 (secure) and Tomcat 2 is using port 80, my third tomcat is out of widely accepted ...

SQL & ColdFusion Encryption

Hi, I know how to encrypt data using ColdFusion using AES_128. I also know how to encrypt data using MSSQL AES_128. Does anyone know if it’s possible to encrypt data in ColdFusion using AES_128, then decrypt the string in MSSQL? I’ve played around with it a lot and can’t seem to figure it out. Thanks, Paul ...

Applying custom claims in claims based application

I would like to grant document-level permission based on custom claims in a claims-based web site. A user may have hundreds of documents or one. Is it a good idea to apply custom claims? What are the advantages or disadvantages? Is there a limit on the number of claims that can be added to the claim set? Thanks in advance for your help. ...

Accessing .NET Services from Mobile Clients

Hello, I have some HIGHLY sensitive data that I need to expose to Android and iPhone clients. My backend is completely in .NET. I'm trying to figure out the best approach to providing this sensitive data to the iPhone and Android platforms. I'm getting lost in all of the opinions circling around the internet. Some say use SOAP because...

anti-CSRF token and Javascript

I'm trying to protect an application (php and lots of JS) from CSRF. I want to use tokens. A lot of operations are done with AJAX, so I have to pass the token in Javascript. If I want to generate 1 token per session or per page load it's simple - I generate new token, put it somewhere in a DOM and then find it with Javascript and send ...

Django Permissions and Security for Basic Chat App

If I wanted to implement some sort of chat tool in my Django webapp, implemented with basic AJAX polling as opposed to Comet, what should I do to secure it, besides running over SSL? Should I just use the permissions app for each chat session and generate a random token to be accessed in my urlconf? Are there better/different approaches ...

Security issues with echoing user-entered text

I am accepting user text in a form and echoing it back on the page (the text goes to the database as well, but that is done with prepared queries, so no worries there). I wanted to know if there are any possible security implications that can be caused by it? On the server side, I mean; I know on the client side you can break things, but can you reach the server...

PHP: fastest hash for non-cryptographic uses?

I'm essentially preparing phrases to be put into the database, they may be malformed so I want to store a short hash of them instead (I will be simply comparing if they exist or not, so hash is ideal). I assume MD5 is fairly slow on 100,000+ requests so I wanted to know what would be the best method to hash the phrases, maybe rolling ou...

Secure and cheap method for streaming Flash video

I'm working on a site which allows people to pay to stream videos online. I'm currently using JW Player to stream FLV/F4V files from Amazon S3, using a signature. This method is extremely unstable, and needless to say, useless. I've heard I can use Amazon CloudFront as a CDN for my videos. But that it won't make the files any more secur...

Security issue / sql injection with mysql collation?

Perhaps I don't have enough of an understanding of this yet, so I'm looking for a little direction. All of our tables show a collation of latin1_swedish_ci. Here's what I see in the mysql variables: collation connection utf8_general_ci (Global value) latin1_swedish_ci collation database latin1_swedish_ci collation server latin1_swedis...