Securing internet connection with hostile ISP

Please excuse the lack of details, you can understand why. I have a friend in a foreign country who is certain that he is a surveillance target of his local government. Other people he knows in his same category have already had their internet connections spied on, and seen contents of their emails leaked. He refuses to use his local ISP because the government runs it, so he uses another means of internet but which is very unreliable.

He really would like to use a landline ISP for it’s stability, but knows he can’t trust it. I thought of setting him up with a serious firewall (like pfSense) with a permanent VPN tunnel to a provider that is based outside of his country.

Given these considerations, would this be a safe solution? Or rather if the ISP is compromised, are all bets off?

Establishing safe connection in Java

In my Java project I’m trying to create a 100% secure method of communication between the method and the client. I used to use this process:

Client: generates 4096-bit RSA keypair Client: sends public to server Client: generates 256-bit AES key Client: encrypts AES key using RSA and send Server: decrypts AES key from RSA Server & Client now communicate using AES only 

But I found out this isn’t safe as it can easily be ruined by a man-in-the-middle attack. I began researching TLS and found out about security certificates. My question is this: if the client generates the RSA keypair, signs it using the certificate, and sends it to the server, what stops a MITM from doing the same thing (assuming the certificate is publicly available, which I assume it would be because the server and the client would both need it).

When I use OpenSSL to generate a certificate it always provides an RSA key alongside it. Isn’t it safer to generate a new keypair for each connection, or do I actually use this particular key? What am I missing about the standard pattern for TLS?

What prevents someone from spoofing their public key when trying to establish an SSH connection?

Recently I’ve been trying to learn the mechanisms behind SSH keys but I came across this question that I haven’t been able to find an answer to (I haven’t figured out how to word my question such that searching it would give me the answer).

Basically, we add our local machine’s public key to the server’s authorized_keys file which allows us to be authenticated automatically when we try to ssh into the server later on. My question is: what if someone takes my public key (it is public after all) and replaces their public key with it? When the "attacker" tries to connect to the server, what part of the process allows the server to know that they do not have the correct private key?

I read somewhere that for RSA, it is possible for a user (let’s say user A) to encrypt/sign a message with their private key, and then for others to decrypt this message using A‘s public key, thus proving that A is really who they claim to be. However, apparently, this is not true for all cryptosystems, where it is not possible to sign with a private key (according to What happens when encrypting with private key?, feel free to correct this information if it is wrong). In those cases, how does the server make sure that the user is really who they claim to be?

“Your connection is not private” for specific website, once when opening a new tab

Like many, since March, I’ve been working from home and using the company’s VPN to do my work.

Recently, if I open a new tab in Chrome, and navigate to "news.bbc.co.uk", I got the aforementioned error, with the supplemental information being:

Attackers might be trying to steal your information from news.bbc.co.uk.x.878874e0029b7043d30ab470050dec81a4e1.9270fd51.id.opendns.com (for example, passwords, messages, or credit cards). Learn more

  • This only happened when I opened a new tab.
  • It did not happen for any other site that I visited, just the BBC.
  • When I opened a new tab, and typed https://news.bbc.co.uk it (correctly) had no issue.
  • After forcing https as above, opening a new tab and just typing news.bbc.co.uk it worked.
  • A few minutes later, just typing news.bbc.co.uk once again causes a Privacy Error.

I was wondering why this is just happening to the BBC site, and no others, and what the redirect URL means (with OpenDNS). When it fails, this is what is in the address bar:

https://news.bbc.co.uk.x.878874e0029b7043d30ab470050dec81a4e1.9270fd51.id.opendns.com/h/news.bbc.co.uk/?X-OpenDNS-Session=_878874e0029b7043d30ab470050dec81a4e19270fd51_eMU5iVa1_

Why http microsoft connection in netstat check?

I checked established connections with "netstat" command in command prompt, and I found that there are some connections with ip’s of microsoft (I checked ip online) that have http (and not https) connection established, they bring to some svchost.exe in a Win32 folder of the system. I know that http connections are not safe, but I guess they are safe since they have microsoft ip, but why these connections are not encrypted (http)? Is it normal?

SSL Connection from phpmyadmin to mysql server [closed]

I am getting these errors after this config, I can’t get phpmyadmin to work with this config, need help. MySQL server is on different machine.

Thanks,

$  cfg['Servers'][$  i]['ssl_cert'] = '/etc/mysql/mysql.pem'; $  cfg['Servers'][$  i]['ssl_key'] = '/etc/mysql/mysqlkey.pem'; $  cfg['Servers'][$  i]['ssl_ca'] = '/usr/local/share/ca-certificates/SERVER/SERVERSSL.pem'; $  cfg['Servers'][$  i]['ssl_ca_path'] = '/usr/local/share/ca-certificates/SERVER'; $  cfg['Servers'][$  i]['ssl_verify'] = 'true'; 

ERRORS

Establish secure connection to localhost in Firefox

I have a Greenbone Security Assistant that has me connect to 127.0.0.1 port 9392, with the command:

sudo openvas-start firefox http://localhost:9392 

in Firefox. But before (and sometimes after) connecting, Firefox throws a lot of errors about insecure connection, and always highlights the better part of the URL in red. This also happens when connecting to localhost for, say, Autopsy. Is there any way I can establish a secure connection to localhost? Maybe from the terminal, in the firefox http://whateverURLforyourapp command?

Single user mode looses connection

So just a quick background, we are trying to update the database design, in a production environment. But we want to be sure, no users try to login during that time. So we started looking into single user mode, but that gave us some trouble, sometimes we would lose the connection in the middle of the update. So we setup a test environment to replicate the behavior.

We are using Microsoft SQL server 2017, with the AdventureWorks2017 database to replicate the issue. On the database we have turned off Auto close and Auto Update Statistics Asynchronously

If we then have two connections to the server, using the master database. Tell one of them to run this script

USE MASTER SET DEADLOCK_PRIORITY HIGH ALTER DATABASE [AdventureWorks2017] SET SINGLE_USER WITH ROLLBACK IMMEDIATE GO  DECLARE @kill varchar(max) = ''; SELECT @kill = @kill + 'KILL ' + CONVERT(varchar(10), spid) + '; ' FROM master..sysprocesses  WHERE spid > 50 AND dbid = DB_ID('AdventureWorks2017') EXEC(@kill);  USE AdventureWorks2017 GO  DECLARE @cnt INT = 0; WHILE @cnt < 10000 BEGIN   SELECT TOP 1000 * from Person.Person;    SET @cnt = @cnt + 1; end; 

And then on the other repeatedly run

SELECT TOP 1000 * FROM AdventureWorks2017.Person.Person; GO; 

At some point the first script stops working, and complains with an error

Database ‘AdventureWorks2017’ is already open and can only have one user at a time.

But to our understanding, this should not happen cause it still has the connection. Note this doesn’t happen all the time. But it’s still fairly consistent.

Is there anything that we are missing, or can this be an issue with the SQL server?

Secure and private connection to GnuPG keyservers

I wish to privately submit my public key (without possibility of it’s snooping on the internet). I found that I have 3 ways to connect to the keyserver securely:

  1. https://
  2. hkps://
  3. hkp:// [Using TOR]

Which one of the 3 is most secure …….surprised to find that the TOR keyservers present use only hkp and not hkps?

https keyservers are working with ipv4 to search and submit keys but it’s hard to find hkps server working with ipv4?

Encryption (not hashing) of credentials in a Python connection string

I would like to know how to encrypt a database connection string in Python – ideally Python 3 – and store it in a secure wallet. I am happy to use something from pip. Since the connection string needs to be passed to the database connection code verbatim, no hashing is possible. This is motivated by:

  • a desire to avoid hard-coding the database connection credentials in a Python source file (bad for security and configurability);
  • avoid leaving them plain-text in a configuration file (not much better due to security concerns).

In a different universe, I have seen an equivalent procedure done in .NET using built-in machineKey / EncryptedData set up by aspnet_regiis -pe, but that is not portable.

Though this problem arises from an example where an OP is connecting via pymysql to a MySQL database,

  • the current question is specific neither to pymysql nor MySql, and
  • the content from that example is not applicable as a minimum reproducible example here.

The minimum reproducible example is literally

#!/usr/bin/env python3  PASSWORD='foo' 

Searching for this on the internet is difficult because the results I get are about storing user passwords in a database, not storing connection passwords to a database in a separate wallet.

I would like to do better than a filesystem approach that relies on the user account of the service being the only user authorized to view what is otherwise a plain-text configuration file.

Related questions

  • Securing connection credentials on a web server – but that requires manual intervention on every service start, which I want to avoid
  • Security while connecting to a MySQL database using PDO – which is PHP-specific and does not discuss encryption