Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
Recently there has been a discussion whether secret service agencies have access to certification authorities. Before that several CAs were facing security problems being attacked by hackers.
Given this, I am wondering whether S/MIME can be still considered secure because the same CAs generate the private keys.
S/MIME, SSL, and any other technology based on public key encryption is presently as secure as the list of certificates you trust. It always has been and it always will be until computing power reaches the point of being able to brute force the algorithms behind it.
If they are doing things right, the CA never sees your private key. You should be generating a keypair on your machine, then send the public part to the CA. The CA sends back a signed copy of the public part (the certificate). The private key should never leave your machine.
Compromising a CA allows the attacker to sign an arbitrary public key. Since the certificate includes things such as a human-readable name, this would allow someone to pretend to be you by creating a certificate with your name on it. They still would not have your private key, however, so this does not allow them to decrypt anything sent to you.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
I have a VPN application which is written in C++ for Windows 7+ and uses OpenVPN as well as RAS for establishing connections and I need to allow only for some apps to be able to use vpn connection and others to use user's default connection/network (I also don't know what apps it will be, users need to configure it). So far I haven't found any hints on how to implement it, is it possible to do it at all on Windows? And if yes, how?
I'm not sure that you can do that. VPNs basically work like a secure TCP/IP router (or switch). They provide an IP-address on each side that is a "gateway" to the network on the other side. (Appropriate route commands must have been issued on both sides, which the VPN client software can do for its local machine.) I don't think that there is any way to restrict which applications can use a particular IP-address . . . but of course I could be mistaken. (MS-Windows does have many tricks up its sleeve.)
I think that you should take this to superuser.com or some other StackExchange site which is targeted towards system administration of a Windows environment, because your question is actually quite specific to that, and not to VPNs in general.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 5 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Improve this question
I have a light http server (embedded software solution). This http server is calling openssl functions to handle https connexions.
I want to make the https server prioritize some ciphers. because according to the following link, the https connection is more secure when the DH cipher are prioritized:
Instead of using the RSA method for exchanging session keys, you
should use the Elliptic Curve Diffie-Hellman (ECDHE) key exchange.
Note that you can still use the RSA public-key cryptosystem as the
encryption algorithm, just not as the key exchange algorithm. ECDHE is
much faster than ordinary DH (Diffie-Hellman), but both create session
keys that only the entities involved in the SSL connection can access.
Because the session keys are not linked to the server’s key pair, the
server’s private key alone cannot be used to decrypt any SSL session.
To enable Perfect Forward Secrecy, you must do the following:
1- Reorder your cipher suites to place the ECDHE (Elliptic Curve
Diffie-Hellman) suites at the top of list, followed by the DHE
(Diffie-Hellman) suites.
2- Configure servers to enable other non-DH-key-exchange cipher
suites from the list of cipher suites offered by the SSL Client.
How I can change the cipher order on my openssl server to make the DH ciphers first?
From the OpenSSL documentation, the relevant function call here is SSL_set_cipher_list
The OpenSSL recommended string to use here is HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4, since the !kRSA disables using RSA as the key exchange and forces the use of ephemeral DH, which provides the Perfect Forward Secrecy that you describe in your question.
As a disclaimer, the cipher string above may not be what is recommended today, it is just what is recommended in the OpenSSL documentation.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
The community reviewed whether to reopen this question 8 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
This IP seems to be running a service that provides a lot of useful metadata for my instance, but I'm wondering why 169.254.169.254? What's special about that IP address?
And also wondering if the fact of having that IP occupied by that service I'm missing the chance to connect to a server with that IP on the internet?
169.254.169.254 is an IP address from the reserved IPv4 Link Local Address space 169.254.0.0/16 (169.254.0.0 through 169.254.255.255). Similar to the private address ranges in RFC-1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) in the sense that this block also can't be used on the Internet, Link Local is further restricted to being unreachable via any router¹ -- by design, they only exist on the directly-connected network.
AWS needed to create a service endpoint accessible from any system and the selection of an address in this block allows it to avoid conflict with the commonly used IP address space. Clever choice.
Presumably this specific address within the block was chosen for its aesthetic appeal or being easy to remember.
Fun fact! The adjacent address 169.254.169.253 is a DNS resolver in VPC in addition to the one you're probably familiar with at offset 2 from the base of your VPC supernet. This comes in very handy for configuring software that does its own DNS lookups independent from the OS (like HAProxy), so that the DNS resolver configuration in the software doesn't need to be modified when deployed in different VPCs. There's no documented reason to believe this address represents a "different" resolver than the one within your address block, just a different way of accessing the same thing.
But wait, there's more! 169.254.169.123 provides a stratum-3 NTP time source, allowing instances to maintain their system clock time with ntpd or chrony without requiring Internet access, from the Amazon Time Sync Service. This service also uses Amazon's leap second logic to distribute any leap seconds throughout the day they occur, rather than the clock advancing from 23:59:59 to 23:59:60 to 00:00:00, which can be problematic.
¹unreachable via any router is not a hard constraint in most IP stacks, as link local addresses can be the subject of a static route, but these addresses are not generally considered routable.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 6 years ago.
Improve this question
I just logged into my online credit card account and was getting ready to make a payment, however I needed to add a new payment method. In doing so, just out of curiosity I opened the Chrome Developer Tools and looked at the network tab to view the request data I was sending, and it seems that everything I put in (credit card number, bank account number, bank routing number, etc.) is all sent directly to their servers in plain text.
Is this legal? I thought it was against the law to send/store this kind of information in your servers, let alone send it via the internet in plain text since that can be intercepted?
I'd like someone with more knowledge on the subject to explain this to me please, as I may be misinformed.
Edit: I guess a better question may be, are members of the FDIC allowed to store such information on their own servers? Because according to their legal information, they are a member of the FDIC.
The communication between your Chrome web browser and the bank site expected to be thru HTTPS, i.e. secure connection. Check this always when you need to enter clear payment details anywhere in web.
Chrome Tool as the network tool just show the HTML Forms and Items values which were sent thru HTTP/HTTPS protocol.
For sure at some stages of payment request you need to enter payment, card or bank account details. The payment services which processed such details should be PCI complain and depending of situation can store these details. Usually encrypted on their side.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 8 years ago.
Improve this question
As an example, see the reference documentation for one of paypal's APIs:
http://www.paypalobjects.com/en_US/ebook/PP_NVPAPI_DeveloperGuide/Appx_fieldreference.html#2824913
The question is, why do they need it? Doesn't the server get it as part of the HTTP protocol?
UPDATE: Just realized the example I gave wasn't so good. I'm talking about instances where the client is talking directly to the web service. I'll close the question.
I'm not sure about PayPal specifically, but one use case for a service requiring the client's IP is that the server needs to do fraud detection (too many requests coming from the same end user), but the source IP in the packet comes from an aggregator of end user actual IPs. Perhaps the aggregator has NATted clients behind it (possibly mobile devices, who knows). The server will want the aggregator to send it the IP of its clients.
There may be other cases; this is the only one I know of.
They want to be able to identify the end user, usually to protect both you and them from abuse - both to detect fraud attempts (too many requests coming from the same IP) and to be able to find the culprit after the fact (in case of criminal activity, ISPs in many countries are required to reveal user information based on an IP to the investigating authorities).
Of course you could do the logging yourself, but considering the general state of security awareness on the internet, I understand that they're not trusting you to do it well enough.