Possible Duplicate:
Will it ever be possible to run all web traffic via HTTPS?
Why is the concept of having secure communication using encryption tied to confirming the website's identity in https? Wouldn't all users of the web benefit from even having their http traffic encrypted using a 256 bit key?
There are tons of sites t...
I've been working on a Silverlight app that loads XML. Internally, in our QA environment, the URL for an XML response is servername.stage.root/script/var1=1/var2=abc/etc
I kept getting unexplained Security Errors when it was time to load an XML from this URL. I tried a variety of tests and finally determined that the error only occurs w...
I have a pair of launchd daemons, one of which is a true daemon (runs as root) and one of which is a GUI agent that runs as a per GUI session basis (session type Aqua).
I need to prevent non admin level users from disabling the user level agent using launchctl, or at the very least figure out how to reload the agent from the root level ...
The Zend Framework Manual says the following:
60.3.1. Escaping Output
One of the most important tasks to perform in a view script is to make sure that output is escaped properly; among other things, this helps to avoid cross-site scripting attacks. Unless you are using a function, method, or helper that does escaping...
I'm thinking about what the best method is to implement forgot password. I came up with 2 ideas. One, when the user clicks on forgot password, the user is required to key in the username, email and maybe date of birth or last name. Then a mail with a temporary password will be sent to the user's email account. The user uses the temporary password to l...
I have an IIS7 website that is set to run in its own application pool. The application pool is configured as:
Managed Pipeline Mode: Integrated
Identity: I_siteuser (account is member of IIS_IUSRS)
The website physical path is: d:\websites\testsite\www and the account I_siteuser has modify permissions on the folder.
If I set the websi...
Inspired by a much more specific question on ServerFault.
We all have to trust a huge number of people for the security and integrity of the systems we use every day. Here I'm thinking of all the authors of all the code running on your server or PC, and everyone involved in designing and building the hardware. This is mitigated by reput...
I am using form authentication in my ASP.NET 2.0 website. Today during testing I faced a major problem.
After authentication, I have a default page createuser.aspx. From that page I am creating a new user. It is working fine.
There is a logout button in which I am clearing all sessions and redirecting to the login page. All was working fine.
...
Is the June 2009 WPF Toolkit safe to use in applications that will be shipped out to customers?
I'm seriously concerned that my application will crash three days prior to release. This concern stems from the fact that the WPF Toolkit does not seem to be endorsed by Microsoft, even though it appears to be developed by established ...
I have a Windows Mobile app (mymobiler) that I am trying to install and run on my Windows Mobile phone. As soon as it gets installed it prompts the user with a Yes/No option whether to let the program run on the device.
Is there any way to bypass this? I understand this is just one time, but I just want to know whether I can avoid th...
Using only the standard JEE API (JAAS, Servlet API, JSF), how can I switch back from a CONFIDENTIAL channel to an unsecured one?
In my example I already managed to switch from an unsecured channel to a secured one for the resources in "*/secured/**", but I need to switch back to an unsecured channel after a successful authentication as t...
How do you unit test code decorated with the PrincipalPermission attribute?
For example, this works:
class Program
{
static void Main(string[] args)
{
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
var c = new MyClass();
}
}
[PrincipalPermission(SecurityAction.Demand, Role =...
I'm looking for a secure user login/session management component for a public web app. Spring Security seems to have potential, are there any other high quality alternatives?
Conceptually this is easy and we currently have code that works fine, but I'd rather be using code that has been publicly reviewed for security flaws.
Needs:
...
Here's a question that I don't quite understand:
The command, System("pause"); is taught to new programmers as a way to pause a program and wait for a keyboard input to continue. However, it seems to be frowned on by many veteran programmers as something that should not be done in varying degrees.
Some people say it is fine to use. Som...
I was just told that I might have to work on a project where I will be working with ASP.NET 3.5 and C#. Someone in our team said that we should change all the pages to HTML when we publish the site. So instead of having www.test.com/Page.aspx we will have www.test.com/Page.html
So what I would like to know is:
A.) How can this be done ...
I understand that salts make the same password hash to different values. However, salts are usually stored in the database with the password. So let's say I am an attacker; here is how I might use a dictionary attack against a salt (note in this example I don't write out 128 bit hashes or salts for the sake of brevity):
user_pw = 'blowfi...
I would like to understand whether the HTTPS body part of the response is encrypted. Also, in an HTTPS request, are the headers transmitted as plain text or encrypted?
Is there any tool with which I can observe the raw HTTPS traffic without decrypting it?
...
Hi,
My application needs to use a couple of hard-coded symmetric cryptographic keys (while I know that storing a public key would be the only perfect solution, this is non-negotiable). We want the keys to be stored obfuscated, so that they won't be recognizable by analyzing the executable, and be "live" in memory for as little time as p...
Is it okay to put your Google Maps API Key into your source code and publish it?
Others could take it and misuse it, but I don't want every developer / user to get their own API key and type it in somewhere. If the owner of the key is responsible, should I create a new google account for the project? (The project is a desktop applicatio...