Please excuse the lack of details, you can understand why. I have a friend in a foreign country who is certain that he is a surveillance target of his local government. Other people he knows in his same category have already had their internet connections spied on, and seen contents of their emails leaked. He refuses to use his local ISP because the government runs it, so he uses another means of internet but which is very unreliable.
He really would like to use a landline ISP for it’s stability, but knows he can’t trust it. I thought of setting him up with a serious firewall (like pfSense) with a permanent VPN tunnel to a provider that is based outside of his country.
Given these considerations, would this be a safe solution? Or rather if the ISP is compromised, are all bets off?
In my Java project I’m trying to create a 100% secure method of communication between the method and the client. I used to use this process:
Client: generates 4096-bit RSA keypair Client: sends public to server Client: generates 256-bit AES key Client: encrypts AES key using RSA and send Server: decrypts AES key from RSA Server & Client now communicate using AES only
But I found out this isn’t safe as it can easily be ruined by a man-in-the-middle attack. I began researching TLS and found out about security certificates. My question is this: if the client generates the RSA keypair, signs it using the certificate, and sends it to the server, what stops a MITM from doing the same thing (assuming the certificate is publicly available, which I assume it would be because the server and the client would both need it).
When I use OpenSSL to generate a certificate it always provides an RSA key alongside it. Isn’t it safer to generate a new keypair for each connection, or do I actually use this particular key? What am I missing about the standard pattern for TLS?
Recently I’ve been trying to learn the mechanisms behind SSH keys but I came across this question that I haven’t been able to find an answer to (I haven’t figured out how to word my question such that searching it would give me the answer).
Basically, we add our local machine’s public key to the server’s
authorized_keys file which allows us to be authenticated automatically when we try to
ssh into the server later on. My question is: what if someone takes my public key (it is public after all) and replaces their public key with it? When the "attacker" tries to connect to the server, what part of the process allows the server to know that they do not have the correct private key?
I read somewhere that for RSA, it is possible for a user (let’s say user
A) to encrypt/sign a message with their private key, and then for others to decrypt this message using
A‘s public key, thus proving that
A is really who they claim to be. However, apparently, this is not true for all cryptosystems, where it is not possible to sign with a private key (according to What happens when encrypting with private key?, feel free to correct this information if it is wrong). In those cases, how does the server make sure that the user is really who they claim to be?
Like many, since March, I’ve been working from home and using the company’s VPN to do my work.
Recently, if I open a new tab in Chrome, and navigate to "news.bbc.co.uk", I got the aforementioned error, with the supplemental information being:
Attackers might be trying to steal your information from news.bbc.co.uk.x.878874e0029b7043d30ab470050dec81a4e1.9270fd51.id.opendns.com (for example, passwords, messages, or credit cards). Learn more
- This only happened when I opened a new tab.
- It did not happen for any other site that I visited, just the BBC.
- When I opened a new tab, and typed
https://news.bbc.co.uk it (correctly) had no issue.
- After forcing
https as above, opening a new tab and just typing
news.bbc.co.uk it worked.
- A few minutes later, just typing
news.bbc.co.uk once again causes a Privacy Error.
I was wondering why this is just happening to the BBC site, and no others, and what the redirect URL means (with OpenDNS). When it fails, this is what is in the address bar:
I checked established connections with "netstat" command in command prompt, and I found that there are some connections with ip’s of microsoft (I checked ip online) that have http (and not https) connection established, they bring to some svchost.exe in a Win32 folder of the system. I know that http connections are not safe, but I guess they are safe since they have microsoft ip, but why these connections are not encrypted (http)? Is it normal?
I am getting these errors after this config, I can’t get phpmyadmin to work with this config, need help. MySQL server is on different machine.
$ cfg['Servers'][$ i]['ssl_cert'] = '/etc/mysql/mysql.pem'; $ cfg['Servers'][$ i]['ssl_key'] = '/etc/mysql/mysqlkey.pem'; $ cfg['Servers'][$ i]['ssl_ca'] = '/usr/local/share/ca-certificates/SERVER/SERVERSSL.pem'; $ cfg['Servers'][$ i]['ssl_ca_path'] = '/usr/local/share/ca-certificates/SERVER'; $ cfg['Servers'][$ i]['ssl_verify'] = 'true';
I have a Greenbone Security Assistant that has me connect to 127.0.0.1 port 9392, with the command:
sudo openvas-start firefox http://localhost:9392
in Firefox. But before (and sometimes after) connecting, Firefox throws a lot of errors about insecure connection, and always highlights the better part of the URL in red. This also happens when connecting to localhost for, say, Autopsy. Is there any way I can establish a secure connection to localhost? Maybe from the terminal, in the
firefox http://whateverURLforyourapp command?
So just a quick background, we are trying to update the database design, in a production environment. But we want to be sure, no users try to login during that time. So we started looking into single user mode, but that gave us some trouble, sometimes we would lose the connection in the middle of the update. So we setup a test environment to replicate the behavior.
We are using Microsoft SQL server 2017, with the AdventureWorks2017 database to replicate the issue. On the database we have turned off Auto close and Auto Update Statistics Asynchronously
If we then have two connections to the server, using the master database. Tell one of them to run this script
USE MASTER SET DEADLOCK_PRIORITY HIGH ALTER DATABASE [AdventureWorks2017] SET SINGLE_USER WITH ROLLBACK IMMEDIATE GO DECLARE @kill varchar(max) = ''; SELECT @kill = @kill + 'KILL ' + CONVERT(varchar(10), spid) + '; ' FROM master..sysprocesses WHERE spid > 50 AND dbid = DB_ID('AdventureWorks2017') EXEC(@kill); USE AdventureWorks2017 GO DECLARE @cnt INT = 0; WHILE @cnt < 10000 BEGIN SELECT TOP 1000 * from Person.Person; SET @cnt = @cnt + 1; end;
And then on the other repeatedly run
SELECT TOP 1000 * FROM AdventureWorks2017.Person.Person; GO;
At some point the first script stops working, and complains with an error
Database ‘AdventureWorks2017’ is already open and can only have one user at a time.
But to our understanding, this should not happen cause it still has the connection. Note this doesn’t happen all the time. But it’s still fairly consistent.
Is there anything that we are missing, or can this be an issue with the SQL server?
I wish to privately submit my public key (without possibility of it’s snooping on the internet). I found that I have 3 ways to connect to the keyserver securely:
- hkp:// [Using TOR]
Which one of the 3 is most secure …….surprised to find that the TOR keyservers present use only hkp and not hkps?
https keyservers are working with ipv4 to search and submit keys but it’s hard to find hkps server working with ipv4?
I would like to know how to encrypt a database connection string in Python – ideally Python 3 – and store it in a secure wallet. I am happy to use something from
pip. Since the connection string needs to be passed to the database connection code verbatim, no hashing is possible. This is motivated by:
- a desire to avoid hard-coding the database connection credentials in a Python source file (bad for security and configurability);
- avoid leaving them plain-text in a configuration file (not much better due to security concerns).
In a different universe, I have seen an equivalent procedure done in .NET using built-in
EncryptedData set up by
aspnet_regiis -pe, but that is not portable.
Though this problem arises from an example where an OP is connecting via
pymysql to a MySQL database,
- the current question is specific neither to
pymysql nor MySql, and
- the content from that example is not applicable as a minimum reproducible example here.
The minimum reproducible example is literally
#!/usr/bin/env python3 PASSWORD='foo'
Searching for this on the internet is difficult because the results I get are about storing user passwords in a database, not storing connection passwords to a database in a separate wallet.
I would like to do better than a filesystem approach that relies on the user account of the service being the only user authorized to view what is otherwise a plain-text configuration file.
- Securing connection credentials on a web server – but that requires manual intervention on every service start, which I want to avoid
- Security while connecting to a MySQL database using PDO – which is PHP-specific and does not discuss encryption