client certificate and key storage on client’s machine

Related to a question I posted here, but thought it would also make sense to ask it here.

Basically, I’m developing a web application that will display a dashboard with sensor data from an installation that uses MQTT. I’ve deployed a certificate provisioning system which provides server and client (microcontroller) certificates inside that installation. The broker I use is Mosquitto and in the configuration file I added an option to require the clients to show a valid client certificate during the TLS handshake. Storing the certificate’s and keys in the microcontroller or the installation in general is not a problem because I will have control over those devices in order to mantain and secure the system. However, for the web clients it’s not the same.

Ideally, there should be an option in the Mosquitto broker that would allow some clients to not be forced to provide a client certificate during the handshake, but a username and password. I haven’t found the way of doing this.

My idea for the web app is to have two layers of security:

  1. Access to the webapp via username and password

  2. Access to the Mosquitto broker once the user is logged in via client certificates

The client certificate and key would only be sent in two cases: first login and certificate renewal. So there’s no way of requesting a certificate outside those two cases.

If someone can get hold of the username and password they would still need to certificate to view the MQTT data. If a malicious user can steal a valid certificate and key they’d still need a valid username and password combination. Is this okay from a security stand point?

What is the right way of storing private keys to access some (your) system inside a client machine you have no control over?

PKCE vs Dynamic Client Registration for public clients

The RFC recommends to use PKCE for web (public client)/native apps. It’s not stated that Dynamic Client Registration (DCR) is bad but it’s not stated as an alternative either. I am wondering if there is any negative aspect of the DCR that i am overlooking.

I would say that the biggest difference between the two is the fact that PKCE is much easier to implement with less bookkeeping while offering about the same protections as DCR.

Looking through the use cases defined in the DCR specification, it looks like the use case of native app or SPA app is included.

Is there a reason why is not included in the best practices? Which use case is ideal to use the DCR?

Webserver blocking other servers but not clients

I am currently pentesting a webserver and found out that its subdomain is blocked when pinged from another server (I tried pinging it w/ my Digital Ocean server and other ping tools from websites). But i can access its subdomain with my devices. also i tried using a VPN to check if it is only blocked by country IP but i can also access the subdomains even with VPN (with my devices).

Is there a way i can access the subdomains of that website with my server? Can i install a VPN client to my server? if so how can i then access it with ssh?

Why ASP.Net Identity sends sensitive information to clients?

As far as I understand, Identity sends to the user an encrypted token with some user information like the user name and expiration date. Then, when a new request arrives to the server, it decrypts it and will have available all the user claims and some other information.

My question is, in case there is no need to send the authetication information to other servers (for example if you are authenticating against another web site) would it be more safe not to send as much information to the user? Perhaps we can just send a large code to the user and then match it with an in memory collection or database.

I know that if someone is able to intercept that code she will be able to also make valid requests, but when the “ticket” expires it will not longer be valid for anyone until making the login process again. However, if that code is compromised there won´t be any other information than that.

I hope I am being clear with my question, if not, please let me know it so I can improve it.

How to show your work to potential clients as a pentester?

I’m sorry if you feel this doesn’t belong here but I genuinely couldn’t find any place to ask this and feel maybe people here can suggest something. While freelance software developers can show their work to potential clients by building personal projects or by showing their previous client’s project how can a pentester do the same?

A pentester can’t provide audit reports of previous client’s as they are confidential and if he is new he may work for free for few clients and show his work but again same thing how would he show his work to potential clients without showing the actual reports? I’m scratching my head from days and can’t sleep properly because am constantly thinking of a way to solve this. Any help would be highly appreciated.

Unable to See Network Clients during Deauth Capture Issue

bit of a general question here, would hope to learn more about exactly what is going on technically.

I’m attempting to test and capture a handshake from my own AP (an older Apple Airport router).

I’ve used various tools from airgeddon to wifite to fluxion to manual airodump-ng and the weird thing is: I cannot see a single client connect to the AP.

But my laptop and two mobile devices are connected. I’ve even disabled/enabled WiFi on the mobile device during a fluxion passive listening attack, mdk3 doesn’t work, nothing sees any clients.

I’ve also run the same experiment on a new Airport Extreme AP, and it captures just fine and sees clients.

For this, I’m using an ALFA adapter with the Ralink RT3070 chipset (802.11b/g/n) @ 2.5Ghz.

I’ll boot up the Nano which I just got recently next, but just curious as to WHY various tools are unable to see clients, therefore unable to deauth (or even passively listen) to ultimately capture the CAP

Connecting clients with UDP and WebSocket connections

I’m in the process of making a physics intensive multiplayer game. Naturally I use a UDP to transfer packets regarding rigidbodies between client and an authoritative server.

However non-essential packets I’d prefer to use a more reliable connection like WebSockets. This would be for things like voice chat, text chat, scoreboard, etc. It also seems the be a nice approach to checking if the client is still connected and if not, stop sending it UDP packets.

I’m actually unable to find use cases of this dual connection approach online and I was wondering how this is typically handled in similar games. Is it very far fetched or unconventional?

Another question would be how far do I take relying on the WebSocket connection? Lets say for managing remaining bullets in a guns magazine, would it be better over UDP or WebSocket?

I feel like WebSockets would be best in this case because if the bullet was successfully spawned and the server needs to remove a bullet from the client’s gun’s magazine, if that packet doesn’t arrive at the client, then they shot a free bullet…

The UDP equivalent for this scenario would be to always send the client’s magazine state as packets and the client just updates it’s magazine whenever the packets get to them. My concern here is overloading the network traffic data that might not have even changed…

Real Delivery Custom Work Order For My regular Clients for $1

Requirements What do I need to start Your order? I just Need Your Link without a password. Note: This is a custom order so you can order anything here to make it clear what you want exactly with exact link. For any confusion contact with us. Order will be Complete time 01-10 Hours Here we allowed multiple quantity option so you can order as much you want any service. We made this service for our special clients only who can’t find the right services or exact amount as he wants. So it will make easier to make orders sometimes. 100% Safe Our services are absolutely safe. We don’t need any kind of access or login details of your account to process your order. Plus, we will never share your order details with any third-party. Thanks

by: kavitarojgo
Created: —
Category: Other
Viewed: 264