I am a contractor who does development for more than one client. Let’s call them Client A, Client B, and Client X.
I use my own laptop for all 3 clients.
Throughout the day, I have to work on and respond to emails and instant messages about projects for all 3 clients.
In order to work on Client X’s project, I must be connected to their VPN.
Client X performs SSL deep inspection on the traffic on their network. (I get errors from sites/apps that enforce key pinning)
I’m worried that information about Client A and Client B (not to mention my own sensitive information) might be exposed to Client X. How can I prevent this, but still maintain my ability to communicate with A and B while working on X’s network?
I’ve tried giving each client its own VM on my machine, but the hefty resource requirements of the software I have to use (IDE) make this prohibitively slow, to say nothing of the licensing difficulties.
I’ve read about E2EE (end to end encryption) of Signal in web clients on a Signal Community discussion forum, and wonder why they say that the browser is insecure for E2EE and native apps are secure.
Actually, we want to develop some chat service like Signal with a web client, but this article made us confused. Should we ship a web client or not? Please explain this.
I didn’t find any appropriate place on Stack Exchange to ask my question, so sorry if my question is not exactly for this place. I use Windows 10, and for gaming I have to use a lot of clients like Steam, Origin, Epic, …. Is there any way of centralizing these clients? For example, one common client instead of all of these, or some apps to help? Working with and finding games in many clients is not easy work for me. Thanks in advance.
How would you design a server/client system where a client is granted a key to encrypt/decrypt data, but the key could be revoked/redistributed by the server? Data encrypted prior must still be readable with the new key.
A simple scenario:
- Client wants to send a document to a server
- Client encrypts the document with some client-side credentials and sends to server
- Server receives document and stores in database
- Client requests document, receives, then decrypts. The roundtrip is complete.
Now, suppose the client credentials are compromised and the key used to encrypt/decrypt data is stolen. The client changes their password, etc., but the key that can decrypt incoming data is still an issue.
My question is about redistributing an encryption key without having to re-encrypt all of the client’s data. Are there any patterns that can help me with this? It feels like a variation of symmetric encryption with a KEK and DEK, but I’m having trouble figuring out how to encrypt something on the client side without exposing the DEK.
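An added example (not from the post or from any project it describes) of the KEK/DEK pattern the question above mentions: each document is encrypted under its own random DEK, and rotating the KEK re-wraps only the 32-byte DEK while the stored document body stays byte-for-byte the same. The module and method names are illustrative assumptions, and the KEK is simply passed in as bytes; where it is held and how it reaches the client is left open.

```ruby
require "openssl"

# Envelope encryption sketch: names here are illustrative, not from the post.
module Envelope
  module_function

  Record = Struct.new(:wrapped_dek, :body) # what the server stores per document

  # AES-256-GCM; output is nonce (12 bytes) || tag (16 bytes) || ciphertext.
  def seal(key, plaintext)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = key
    nonce = c.random_iv
    c.auth_data = ""
    ciphertext = c.update(plaintext) + c.final
    nonce + c.auth_tag + ciphertext
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or a modified blob.
  def unseal(key, blob)
    raise ArgumentError, "blob too short" if blob.bytesize <= 28
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = key
    d.iv = blob.byteslice(0, 12)
    d.auth_tag = blob.byteslice(12, 16)
    d.auth_data = ""
    d.update(blob.byteslice(28, blob.bytesize - 28)) + d.final
  end

  # Encrypt the document under a fresh random DEK, then wrap the DEK under the KEK.
  def store_doc(kek, doc)
    dek = OpenSSL::Random.random_bytes(32)
    Record.new(seal(kek, dek), seal(dek, doc))
  end

  def read_doc(kek, rec)
    unseal(unseal(kek, rec.wrapped_dek), rec.body)
  end

  # KEK rotation: re-wrap the 32-byte DEK only; the document body is not re-encrypted.
  def rewrap(old_kek, new_kek, rec)
    Record.new(seal(new_kek, unseal(old_kek, rec.wrapped_dek)), rec.body)
  end
end

old_kek, new_kek = 2.times.map { OpenSSL::Random.random_bytes(32) } # constructed sample keys
rec = Envelope.rewrap(old_kek, new_kek, Envelope.store_doc(old_kek, "sample document"))
puts Envelope.read_doc(new_kek, rec)
```

Re-wrapping stops a stolen KEK from opening records fetched after the rotation. A wrapped DEK copied before the rotation, or a DEK already unwrapped with the stolen KEK, still opens its document, so those documents need a new DEK.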
Not sure if this belongs in Crypto SE or here, but anyway:
I’m building an app and I’m trying to decide whatever is secure to protect user passwords in transit, in addition to TLS we already have.
On the server side, we already have bcrypt properly implemented; it takes the password as an opaque string, salts and peppers it, and compares/adds to the database.
Even though SSL is deemed secure, I want to stay at the "server never sees plaintext" and "prevent MiTM eavesdropping from sniffing plaintext passwords" side of things. I know this approach doesn’t change anything about authenticating, anyone with whatever hash they sniff can still log in, my concern is to protect users’ plaintext passwords before leaving their device.
I think Argon2 is the go-to option here normally but I can’t have a salt with this approach. If I have a random salt at client side that changes every time I hash my plaintext password, because my server just accepts the password as an opaque string, I can’t authenticate. Because of my requirements, I can’t have a deterministic "salt" (not sure if that can even be called a salt in this case) either (e.g. if I used user ID, I don’t have it while registering, I can’t use username or email either because there are places that I don’t have access to them while resetting password etc.) so my only option is using a static key baked into the client. I’m not after security by obscurity by baking a key into the client, I’m just trying to make it harder for an attacker to utilize a hash table for plain text passwords. I think it’s still a better practice than sending the password in plaintext or using no "salt" at all, but I’m not sure.
Bottom line: Compared to sending passwords in plaintext (which is sent over TLS anyway but to mitigate against server seeing plaintext passwords and against MiTM with fake certificates), is it okay to use Argon2 with a public but random value as "salt" to hash passwords, to protect user passwords in transit? Or am I doing something terribly wrong?
There are so many tools, such as testssl and sslyze, to test the TLS configurations on web servers. I wanted to know, why isn’t there any tool that checks the TLS client side? What makes it difficult?
Someone I know had a few hundred dollars stolen from a savings account. Looking at the history, she saw transactions like Uber rides and video game purchases she did not make. This account is used strictly for investing and is only accessed from her iPad. The only access card is in a drawer in her home and has never been used in a terminal. I know you can use hacked terminals to clone cards and steal PINs, but my understanding is you need to actually swipe the card somewhere for this to happen. Apart from an internal data leak at the bank, is there any other possible explanation?
Recently, on a website, I noticed that the data which is received from the server is not the data that is being displayed. I think it would have been modified on the client side. So, is there any way by which I can know which action is being performed by which script?
One of the companies I worked for used client-side hashing to minimize risk when logging the password in the server logs. Can this be a good reason to implement client-side hashing?
I have tried to find a good answer for it, but I haven’t found a good article about this topic.
There are 2 types of client applications (in the bigger picture): one that runs on the server and one that you download and that runs in your browser.
My question is about the one that runs on your machine (that you download at first visit; Blazor WebAssembly, to be specific).
Do I need to enable SSL (HTTPS) for this application or the web server that hosts this application as well, or is it not needed in the end?
Is only having the API connection encrypted enough?
Yes, this is a cost-saving measure, since this is for my hobby project and I would like to keep running costs as minimal as possible. But since I still exchange data that should not be seen by a 3rd party, this application needs to be secure.
To enable HTTPS I would need a second static IP, which is $3 a month (which is not much), but again, it is an additional cost for me that I would rather not have.