Most Popular
1500 questions
440 votes, 9 answers
Is BASIC-Auth secure if done over HTTPS?
I'm making a REST API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used.
Can this be considered secure?

Morten
- 4,553
- 3
- 16
- 7
425 votes, 5 answers
Why is 'Bearer' required before the token in the 'Authorization' header in an HTTP request?
What exactly is the difference between the following two headers:
Authorization : Bearer cn389ncoiwuencr
vs
Authorization : cn389ncoiwuencr
All the sources which I have gone through set the value of the 'Authorization' header as 'Bearer'…

Anmol Gupta
- 4,351
- 2
- 11
- 5
419 votes, 14 answers
How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?
I've often heard it said that if you're logging in to a website - a bank, GMail, whatever - via HTTPS, the information you transmit is safe from snooping by 3rd parties. I've always been a little confused as to how this could be possible.…

Joshua Carmody
- 4,485
- 4
- 16
- 11
371 votes, 6 answers
What is certificate pinning?
I'm superficially familiar with SSL and what certs do. Recently I saw some discussion on cert pinning but there wasn't a definition. A DDG search didn't turn up anything useful. What is certificate pinning?

Son of the Wai-Pan
- 3,835
- 3
- 12
- 5
365 votes, 22 answers
I found that the company I work for is putting a backdoor into mobile phones
I have found out recently that the remote assistant software that we put in a smartphone we sell can be activated by us without user approval.
We are not using this option, and it is probably there by mistake. But the people who are responsible for…

anonymousquery
- 3,001
- 2
- 14
- 4
312 votes, 25 answers
Should I let my child's school have access to my kid's personal laptop?
My kid is starting 6th grade and the school requires him to get a laptop and bring it to school. Now the school IT department wants to install some software on the laptop and is asking for administrative access. They want to install Office, Outlook,…

Sushil
- 2,109
- 2
- 9
- 10
311 votes, 16 answers
SQL injection is 17 years old. Why is it still around?
I'm no techie and would like your expertise in understanding this. I recently read a detailed article on SQLi for a research paper.
It strikes me as odd. Why do so many data breaches still happen through SQL injection? Is there no fix?

Ishan Mathur
- 2,613
- 2
- 11
- 9
310 votes, 8 answers
How to find live hosts on my network?
I am trying to find the live hosts on my network using nmap. I am scanning the network in Ubuntu using the command sudo nmap -sP 192.168.2.1/24. However, I am unable to find the live hosts. I just get the network address of my own PC as live. When I…

TheRookierLearner
- 4,322
- 8
- 26
- 29
310 votes, 9 answers
Is Docker more secure than VMs or bare metal?
I recently had a discussion with a Docker expert about the security of Docker vs. virtual machines. When I told them that I've read from different sources that it's easier for code running within a Docker container to escape from it than for code…

Arseni Mourzenko
- 4,744
- 6
- 24
- 31
309 votes, 3 answers
CRIME - How to beat the BEAST successor?
With the advent of CRIME, BEAST's successor, what possible protection is available for an individual and/or system owner in order to protect themselves and their users against this new attack on TLS?

Kyle Rosendo
- 4,025
- 4
- 20
- 17
306 votes, 7 answers
Is it normal for auditors to require all company passwords?
My company is currently engaged in a security audit framed as a pentest. They've requested all admin passwords for every one of our services and all source code of our software. They want logins for Google Apps, credit card processors, GitHub,…

Zachary Iles
- 2,181
- 2
- 11
- 9
302 votes, 10 answers
Why is Gbt3fC79ZmMEFUFJ a weak password?
On https://passwordsgenerator.net/, it says
Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword
The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the…

EuRBamarth
- 2,321
- 2
- 8
- 6
301 votes, 20 answers
How can someone go off-web, and anonymise themselves after a life online?
With data mining tools like Maltego and other correlation tools for large data sets, if we conduct any transactions online, assume that these can all be collated to build a good picture of what we do, buy, read, etc. (hence Google etc.).
If a normal…

Rory Alsop
- 61,507
- 12
- 118
- 322
300 votes, 18 answers
Provide subjectAltName to openssl directly on the command line
Is it possible to provide a subjectAltName extension to the openssl req module directly on the command line?
I know it's possible via an openssl.cnf file, but that's not really elegant for batch creation of CSRs.

Michael Seiwald
- 3,133
- 2
- 12
- 7
298 votes, 11 answers
"Diffie-Hellman Key Exchange" in plain English
Can someone explain what the Diffie-Hellman Key Exchange algorithm is in plain English? I have read that Twitter has implemented this technology, which allows two parties to exchange encrypted messages on top of a non-secured channel. How does that…
user15119