Coronavirus, you and hosting company important updates for hosting customers 2020.

Coronavirus created problems in almost all countries and maybe you are facing the same. Please take care and stay safe. If you are a hosting customer, please support the hosting industry: if anything is urgent or important, contact your provider, because most employees are working from home and a few are facing health issues. So it is time to help each other. If a hosting provider was not able to provide you support, then maybe they are facing big problems, so please trust them and don’t cancel your services.

If any customer is looking for a web hosting plan for a startup idea in this situation, we provide hosting and support free of cost, as well as logo design. We are ready to help you and make your business successful.
Many thanks for your valuable time.

Below are the details of our free lifetime hosting plan (host without cost):

FREE Startup - $0 / Lifetime

>> Single Domain Hosting
>> 200MB Web Space
>> 200MB Bandwidth
>> 2 Email Accounts
>> 2 Sub Domains
>> FREE Auto SSL
>> DDoS Protection
>> 99.99% uptime
>> Softaculous Supported
>> Tier 1 Technical Support

Order Now >> https://hostpoco.com/free-hosting.php

Thank you.

Is it more secure to encrypt separate customers’ data with separate keys?

If I am storing multiple customers’ data in cloud-based file storage such as an AWS S3 bucket, and I use an encryption service such as AWS KMS to achieve encryption at rest, does it add any extra security for me to store each customer’s data in a separate bucket and use a separate encryption key for each customer?

Or is it just as secure to encrypt all customer data with the same encryption key (provided the key is rotated regularly of course)?

How can we let customers upload filled-out forms on our website? [closed]

I’m not sure if this is the right place for this question, but here goes:

We have a website where customers can login, and see some safety forms as PDF documents.

The idea is that they need to fill out these forms, and send them to us somehow.

Right now, there are 2 choices:

  1. We can let the customer print the form, fill it out with a pencil/pen, scan it, and upload it to us as a file
  2. We can convert the form into HTML, and have them fill out a regular HTML form

Both would work, but:

  • Option 1 is incredibly inconvenient for the customer
    • They need a printer and scanner
    • They need to go through the effort of printing and scanning potentially dozens of pages per day
  • Option 2 is incredibly inconvenient for us
    • For every Safety Form we want to show the customer, which could be dozens, each one made up of dozens of pages, we would need to spend time converting it to HTML
    • The managers running our website that have new safety forms to show the customer don’t know HTML, so they’ll constantly be bugging web developers to convert PDF files to HTML. Our web developers have better things to do than convert PDFs to HTML all day long

The only thing I can think of to make it easy for everyone is to use some sort of JavaScript-based PDF annotation library. The customers would be able to add text directly on top of a PDF, and hit a button to send it to us. The managers would just upload the PDF they want the customer to fill out, without needing to do anything else.

There are a few libraries that can do this that I have come across, but they all seem to be insanely expensive. pdfjs.express is $375/month. My boss would be unlikely to pay 1/10th of that as a one-time fee…

Is there a free library to let someone use their browser to write text on top of a PDF file, and send it to the server when they are done?

Failing that, are there any other ideas?

Edit: We can also do something like convert each PDF uploaded by the managers to a set of images (one image per page), show them to the customer as images, and use something like marker.js to let them modify the images. It may be a bit of work to get working, but right now, that’s my best option

How might we help customers get back on track from a connection timeout message

I’m designing ‘sad path’ scenarios for checkout, and I’m trying to design for helping customers when a connection timeout occurs because the checkout hangs while trying to connect to our 3rd-party credit card payment form.

When this happens, the credit card payment form cannot be loaded in our checkout environment.

A simple solution is to reload the page.

The UX/UI solution I’m putting forward is an alert message that appears on the page and asks the customer to reload the page.

This is my attempt at making the error message more ‘user-friendly’:


A connection error occurred

An error occurred when we were trying to connect to the system.

Please reload the page to try connecting again.

[ Reload page ] <— button


How do people feel about the above message? Any other solutions you can think of?

Thanks.

Enable CORS for multiple customers

We use an .htaccess file to control access.

Currently, we have the following code to allow CORS to our developer APIs:

    <If "%{REQUEST_URI} =~ m#^/api/v1/#">
        Header always add Access-Control-Allow-Origin "*"
        Header always add Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
        Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    </If>

Now, we don’t want iframes or other 3rd parties to be able to call our APIs.

How can we maintain the whitelisted origins allowed for CORS? Maintaining the .htaccess file manually by adding and removing origins for every new customer sounds complicated. What would be the recommended way to maintain the list of whitelisted origins?
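One way to replace the wildcard with an allowlist while keeping the maintenance to a single line in the same .htaccess, as an added example that is not part of the original question (the two customer hostnames are made-up placeholders):

```apache
# Added example, not from the original question. The customer origins below are
# placeholders; this regex is the one line to edit when a customer is added or removed.
# Anchor the whole Origin value (scheme, host, optional port) so that a lookalike such
# as https://app.customer-a.example.evil.test does not match.
SetEnvIfNoCase Origin "^https://(app\.customer-a\.example|portal\.customer-b\.example)(:[0-9]+)?$" CORS_ORIGIN=$0

<If "%{REQUEST_URI} =~ m#^/api/v1/#">
    # Echo the request's Origin only when it matched the allowlist above. For any
    # other Origin no Access-Control-Allow-Origin header is sent, so the browser
    # refuses to expose the response to the calling page.
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT" env=CORS_ORIGIN
    # The response now varies by Origin, so shared caches must key on that header.
    Header always merge Vary "Origin" env=CORS_ORIGIN
</If>
```

CORS only governs what scripts running in a browser may read; non-browser clients ignore it, so authentication on the API itself is still what keeps third parties out.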

How should I use the target’s customers in penetration tests? [on hold]

This question concerns both physical and non-physical pentests.


Should I use customers’ accounts to pwn? (Assuming I’m not given an account by the employer/target for the engagement)

I may somehow manage to grab credentials of a customer of the target. The customer may not be mentioned in the scope. Using their account/credentials may negatively affect them personally so I think it should be avoided. However, I believe adversaries usually would directly target the customers to either just steal the customers’ credentials and assets or (somehow) use a customer account to get more information on the target or as an attack vector (a customer may be a VIP with extra functions).


In a physical pentest, we may come in contact with the employer/target’s customers (e.g. normal people in a company building, people touring the place, shoppers in a mall). Should we attempt to extract information from them, or even social engineer them to use them as help (get some people to swarm in front of a door) without them knowing?


This, I believe, mainly depends on ethics (we probably shouldn’t use patients in hospitals) and collateral damage (people having their data touched even just from us logging in as them).

(Please simply don’t say “it depends on the scope”. That’s always a big element, but I’d like to learn about pentesting in general – rules that can apply to most engagements, or at least specific details on how the scope may greatly change this aspect of a pentest)

Should I separate current users and potential customers?

My company is a B2B Software as a Service. We have a website with two main functions:

  1. Login for my current users (hundreds of thousands)
  2. A marketing site for my potential new customers (portfolio, blog, contact us, etc.), about a hundred leads.

Is it recommended to put up a first landing page asking whether the visitor is a current user or a lead, and depending on the answer, redirect to different sites?

I think it can improve the web optimization for each audience and help keep metrics (Analytics) separated, but it can be a burden for the visitor to make an additional click to reach the page.

How to prompt existing customers to change their email

I’m looking for some UX examples of how other companies have handled this situation:

Scenario: Devs are using an old password encrypting method (SHA-1, I believe) and need to change it to a more secure encryption.

What they did: When users logged in they just encrypted their password with the new encryption and the users didn’t know a thing.

The only problem is we have a number of users who aren’t frequent users who will only login periodically.

Devs want to clear all the passwords and require users to reset their passwords.

Problem: We don’t want to alert them to the fact that there are security issues, as we hold a lot of important data belonging to our users’ customers in their accounts.

When that happens, users would attempt to log in and just get hit with a message saying their login details are incorrect.

The initial approach was… users will eventually just click on “forgotten password” after being told ‘invalid credentials’.

However, this just feels wrong, and we’ve tried to think of various flows, but due to dev constraints we have to stick with them having to click on “forgotten password”. (Not the best solution, but we need to make the most of this.)

My question is… what message would make sense in asking them to reset their password that doesn’t alert to security issues?

Additionally are there any existing companies that have handled randomly asking users to reset their passwords?