SPV clients and full nodes

Suppose an SPV client goes offline at block X (meaning it has block headers until block X) and then comes back online when the blockchain is at block Y. At that point, it needs to resynchronise its UTXO set. So, it does the following: (1) get the block headers of blocks X to Y; (2) construct a bloom filter for its addresses and request a full node to send all the transactions matching this bloom filter from block X to Y; (3) the full node does so and if a match is found, sends the transaction data along with a merkle proof to the SPV client; (4) SPV client verifies the proof and if it’s correct updates its UTXO set accordingly.

Is this the way things actually happen?

If yes, then my question is then why can’t the full node simply do the following: (1) send its UTXO set to the SPV client; (2) SPV client then filters the UTXOs of its interest and put those UTXOs in its own UTXO set.

Is this method not followed because it doesn’t involve any verification from SPV client and this the full node can give the SPV client a totally wrong UTXO set?

Different IP’s (clients) cannot access linux embedded device web pages

I am a newbee to use apache. I am using apache server in my linux embedded device and trying to access web pages loaded in device using two different ubuntu PC’s (i.e different IP’s). If I access pages from PC1 it is under waiting and did not get loaded completely until I access the pages from PC2 same problem vice versa. If I disconnect PC2 with the device and try to access pages from PC1 then it works fine.I don’t understand what is happening here…Is that a problem, If yes ? How can I solve it.

Is that possible for apache to handle multiple requests to same website from different clients? Please Explain…

I am looking for the solution since 1 Week please help me in solving this

Push default settings to clients from print management

We have installed 30 printers to some 500 clients in our company using print management in Windows 2012 Server. Now we changed the default settings to the printers in print management (changed from default color to b&w).

How can i push these settings to the clients? If i reinstall the printers, the settings Will apply, but we want to avoid reinstalling in 500 clients.

OAuth2 Client Credentials Flow with assertion JWT: How to share the client’s public key?

I’m having a deeper look into OAuth 2.0 and especially the Client Credentials Flow that is intended to authenticate a client application or device without user interaction (the client is accessing its own resources, not acting on the behalf of a user).

The current best practices tell me to authenticate a client with an assertion token. In short: instead of a shared secret the client uses an assertion token to identify itself. This token is created by the client and signed using the private key of a certificate owned by the client. The authentication server needs to know the public key to validate this assession token.

Cyber security guidelines tell me to rotate / cycle secrets regularily. This means that I have to tell the authentication about the new public key.

What am I supposed to do when I want to rotate the secret?

The 2 obvious solutions are:

  • The client calls the Client Configuration Endpoint at the authentication server and the server adds the new public key to the list of secrets valid for this client.
  • The client publishes a jwks_endpoint and the server retrieves the new public key directly from the client when none of the registered keys are valid for the token (probably only once, the server can persist the new key in its database).

Both solutions have pros and cons. I cannot see any objectively “best” solution.

Are there any guidelines as to how secret rotation is best implemented? Have I overlooked a third solution?

My main concern is security. I cannot allow a malicious software to register its own secrets or jwks_endpoint at the authentication server. But I cannot allow clients being locked out because their registered secrets expired and for whatever reasons they were not able to register a new secret in time, either.

If the most secure solution takes more time to implement, I’m willing to invest that time. Apart from that, I’d like to reduce network traffic and accelerate the authentication process as much as possible.

There’s a related question on StackExchange from 2015 that didn’t answer my question.

How we can PoC our product that needs training data for our machine learning algorithm of the the bank clients?

Recently, we have had a challenge with potential future clients which are the bank. Our product requires to gather static data (e.g. address, loans, last 50 transactions, etc) of banks clients. These banks do their PoC in the public cloud, the banks are OK us to work on their data which is not sensitive like clients address but they are not allowing to have data like previous loans as this classified as sensitive. We are stuck at this time and don’t know how to convince or offer the right way for banks to provide us the data for the ML algorithm.

Should TLS clients put a limit on certificate chain depth?

Specifcally, when configuring nginx to validate proxy target SSL certificates (which it mystifyingly does not do by default), a maximum cert chain depth must be specified in the proxy_ssl_verify_depth option. If I am writing a configuration to be used in environments in which I do not control how deep the cert chain may be, is there a reason for this to have any particular limit, or should it just be a high number? I haven’t encountered any other TLS client that even exposes this as configurable, let alone has the default value of 1 (no intermediate CAs) that nginx does. So I’m thinking it should just be a high number to avoid running into it unnecessarily, but not sure if I’m missing something.

Why does ASA 5506-X intermittently drop packets from wireless clients?

I recently replaced an old firewall with a Cisco ASA 5506-X and an old wireless AP with a Ubiquiti Unifi AC LR. Now I’m experiencing intermittent packet loss for traffic going from wireless clients to the ASA firewall. Wired clients do not experience this issue and there isn’t any packet loss for traffic from wireless clients to other wired hosts connected through a layer 2 switch (see topology below). I’m pretty sure it’s not the wireless AP because I swapped the old one back in and got the same result. The only thing I see in the firewall logs is:

Received ARP request collision from 192.168.1.84/0418.d66a.f3b6 on interface inside with existing ARP entry 192.168.1.84/a088.b467.bb3c 

192.168.1.84/a088.b467.bb3c is one of the wireless hosts and 0418.d66a.f3b6 is the NanoStation M5 the wireless access point is connected to.

Here is the network topology

Here is the configuration for the Cisco Firewall:

ASA Version 9.6(1)  !  interface GigabitEthernet1/1  nameif outside  security-level 0  ip address dhcp setroute  ! interface GigabitEthernet1/2  nameif inside  security-level 100  ip address 192.168.1.1 255.255.255.0  ! interface GigabitEthernet1/3  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet1/4  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet1/5  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet1/6  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet1/7  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet1/8  shutdown  no nameif  no security-level  no ip address ! interface Management1/1  management-only  no nameif  no security-level  no ip address ! ftp mode passive same-security-traffic permit intra-interface object network obj_any  subnet 0.0.0.0 0.0.0.0 access-list outside_access_in remark ICMP type 11 for Windows Traceroute access-list outside_access_in extended permit icmp any any time-exceeded  access-list outside_access_in remark ICMP type 3 for Cisco and Linux access-list outside_access_in extended permit icmp any any unreachable  pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 icmp unreachable rate-limit 10 burst-size 5 no asdm history enable arp timeout 14400 no arp permit-nonconnected ! object network obj_any  nat (any,outside) dynamic interface ! nat (inside,outside) after-auto source dynamic any interface access-group outside_access_in in interface outside timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 user-identity default-domain LOCAL http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0  dhcpd auto_config outside ! dhcpd address 192.168.1.5-192.168.1.220 inside dhcpd auto_config outside interface inside dhcpd enable inside ! dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default  match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map  parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy  class inspection_default   inspect dns preset_dns_map    inspect ftp    inspect h323 h225    inspect h323 ras    inspect rsh    inspect rtsp    inspect esmtp    inspect sqlnet    inspect skinny     inspect sunrpc    inspect xdmcp    inspect netbios    inspect tftp    inspect ip-options    inspect sip     inspect icmp   class class-default   set connection decrement-ttl ! service-policy global_policy global prompt hostname context  no call-home reporting anonymous 

Why are wireless clients experiencing this issue?

Thanks,

Joe