Should we encrypt all REST API calls from a mobile device?

I have a mobile application and the backend is hosted on a cloud provider. I would like to ask for feedback on encrypting all REST API calls that will be used to communicate with the server: should we or shouldn't we do it?

Adding details:

For example, instead of having a proper REST object

    {
        "name" : "username",
        "info" : "profile"
    }

make it similar to this:

    {
        "encryptedData" : "Mq6rTVdPP1YMlE9AxhnryIRX+JA9MfIXv"
    }

After decryption it becomes the model and the flow carries on; of course, the response is also expected to be encrypted in a similar fashion.
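The envelope described above, worked through as an added example in Go (this is not code from the post; the `Profile` shape, the `POST /profile` associated data and the helper names are assumptions). It encrypts the real object with AES-256-GCM so the outer JSON carries only the one opaque field, and it binds the ciphertext to the request path so a captured envelope cannot be replayed against a different endpoint. The caveat a practitioner will want is in the key handling: the example makes a random key in memory, but a mobile app has to ship or derive that key, so anyone holding the app or a rooted device holds it too. This protects the payload from parties who lack the key; it does not authenticate the server or give forward secrecy, which is what TLS already does underneath.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the wire format from the question: the real object is replaced
// by one opaque field.
type Envelope struct {
	EncryptedData string `json:"encryptedData"`
}

// Profile is the "proper REST object" the envelope hides (assumed shape).
type Profile struct {
	Name string `json:"name"`
	Info string `json:"info"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEnvelope serialises v and encrypts it with AES-GCM. aad (here the method
// and path) is authenticated but not encrypted, so a ciphertext captured from
// one endpoint cannot be replayed against another.
// Layout inside the base64: nonce || ciphertext || tag.
func sealEnvelope(key []byte, aad string, v interface{}) (Envelope, error) {
	plain, err := json.Marshal(v)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per message
		return Envelope{}, err
	}
	ct := gcm.Seal(nonce, nonce, plain, []byte(aad))
	return Envelope{EncryptedData: base64.StdEncoding.EncodeToString(ct)}, nil
}

// openEnvelope reverses sealEnvelope. Any change to nonce, ciphertext, tag or
// aad makes gcm.Open fail, so the caller never unmarshals forged JSON.
func openEnvelope(key []byte, aad string, env Envelope, v interface{}) error {
	raw, err := base64.StdEncoding.DecodeString(env.EncryptedData)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return errors.New("envelope too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return err
	}
	return json.Unmarshal(plain, v)
}

func main() {
	// Constructed key. This is the weak point of the scheme: the mobile app
	// must hold it, so anyone who has the app (or a rooted device) has it too.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	env, err := sealEnvelope(key, "POST /profile", Profile{Name: "username", Info: "profile"})
	if err != nil {
		panic(err)
	}
	body, _ := json.Marshal(env)
	fmt.Println(string(body)) // {"encryptedData":"..."}

	var got Profile
	fmt.Println(openEnvelope(key, "POST /profile", env, &got), got)
	// The same envelope replayed against another endpoint fails authentication.
	fmt.Println(openEnvelope(key, "POST /admin", env, &got))
}
```

The server does the same `openEnvelope` call on the request body and `sealEnvelope` on the response; the associated data on the response side would typically be something the client can reconstruct, such as the request path it just called.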

Does the Thief rogue’s Use Magic Device feature let them ignore class, race, and level requirements on attuning to magic items?

The Artificer’s Magic Item Savant feature states (E:RftLW p. 58, WGtE p. 180; emphasis mine):

[…] You ignore all class, race, spell, and level requirements on attuning to or using magic items.

In contrast, the Thief rogue’s Use Magic Device feature merely states:

[…] You ignore all class, race, and level requirements on the use of magic items.

The Use Magic Device feature doesn't mention ignoring requirements on attuning to magic items, only on using them. It seems like that would mean a Thief rogue cannot attune to a magic item if it has a specific requirement on who can attune to it (e.g. the holy avenger).

Does the Use Magic Device feature let a Thief rogue ignore class, race, and level requirements on attuning to magic items?

Monitor HTTPS URL logging of a specific device of a Network

Goal

The main goal is to monitor all the URL logging (HTTPS) of a specific device in my network. So I decided to buy a security tool, the WiFi Pineapple from the Hak5 store.

E.g. Alexa, Chromecast, and maybe an iPad.


Steps (Windows 10 PC)

I did:

  • configured network sharing from my Ethernet to the WiFi Pineapple: here
  • configured a static IP for my WiFi Pineapple as 172.16.42.42 as required: here
  • GUI/Portal
    • logged into the GUI portal, finished the setup, root password, and SSIDs
    • allowed all clients to connect
    • installed the "SSLsplit" module from the Community Repository, and started it

iPad

I can see the SSID being broadcast, and connected to it. I ran a speed test and got about 30 Mbps after connecting.

Then I tried to load an HTTPS site, and it takes forever to load a simple page.

And the portal doesn't even auto-refresh as they claimed it should…

Questions

  1. How good could it be to sniff traffic when it takes 10 minutes to load a simple page?
  2. Am I using the WiFi Pineapple incorrectly?
  3. Should I use different modules to SSL strip HTTPS traffic/requests? I've tried DWall and urlsnarf, but they also work very sluggishly and only work for HTTP.
  4. Should I look into other options, since the WiFi Pineapple is not being so efficient?
  5. With my network diagram in mind, should I look at better tools/applications, like maybe spinning up another router between the router and the modem?

Expectation

To reiterate my goal, my expectation is very simple: I want to see the URL logs of all the sites requested by my iPad at a particular moment. I couldn't care less about the headers, body, payload, or even credentials; I only care about the requested URLs or history.

If anyone has any suggestions for me, I would love to take your advice.
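One point worth making explicit for this question: with HTTPS, the full URL is never on the wire. The path and query are inside the encrypted stream, and SSLsplit only recovers them by terminating TLS itself, which works only when the client device trusts the certificate the Pineapple presents. What does leak passively is the hostname, in the ClientHello's server_name (SNI) extension (and in DNS), unless the client uses Encrypted Client Hello. If hostnames are enough for a "history", a passive parser over a capture needs no interception at all. The Go below is an added example, not code from the post or from Hak5; the ClientHello it parses is constructed by the block itself so it runs offline, and a real deployment would feed it records captured from the Pineapple's wireless interface.

```go
package main

import (
	"errors"
	"fmt"
)

// u16 reads a big-endian 16-bit length, the unit TLS uses almost everywhere.
func u16(b []byte) int { return int(b[0])<<8 | int(b[1]) }

// buildClientHello constructs a minimal ClientHello record carrying a
// server_name extension for host. It exists only to give the parser realistic
// input offline (constructed sample, not a real capture).
func buildClientHello(host string) []byte {
	name := []byte(host)
	entry := append([]byte{0x00, byte(len(name) >> 8), byte(len(name))}, name...) // name_type host_name
	list := append([]byte{byte(len(entry) >> 8), byte(len(entry))}, entry...)
	ext := append([]byte{0x00, 0x00, byte(len(list) >> 8), byte(len(list))}, list...) // extension type 0
	exts := append([]byte{byte(len(ext) >> 8), byte(len(ext))}, ext...)

	body := []byte{0x03, 0x03}                  // client_version
	body = append(body, make([]byte, 32)...)    // random (zeroed in this sample)
	body = append(body, 0x00)                   // session_id: empty
	body = append(body, 0x00, 0x02, 0x13, 0x01) // one cipher suite
	body = append(body, 0x01, 0x00)             // compression_methods: null only
	body = append(body, exts...)

	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

// sniFromClientHello walks a TLS handshake record and returns the host_name
// from the server_name extension. Every length is checked before it is used,
// because this parser is the first thing an attacker-controlled packet reaches.
func sniFromClientHello(rec []byte) (string, error) {
	bad := errors.New("malformed ClientHello")
	if len(rec) < 5 || rec[0] != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	if len(rec) < 5+u16(rec[3:]) {
		return "", bad
	}
	hs := rec[5 : 5+u16(rec[3:])]
	if len(hs) < 4 || hs[0] != 0x01 {
		return "", errors.New("not a ClientHello")
	}
	n := int(hs[1])<<16 | u16(hs[2:])
	if len(hs) < 4+n {
		return "", bad
	}
	b := hs[4 : 4+n]
	if len(b) < 35 { return "", bad }
	b = b[34:] // client_version + random
	if len(b) < 1+int(b[0])+2 { return "", bad }
	b = b[1+int(b[0]):] // session_id
	if len(b) < 2+u16(b)+1 { return "", bad }
	b = b[2+u16(b):] // cipher_suites
	if len(b) < 1+int(b[0])+2 { return "", bad }
	b = b[1+int(b[0]):] // compression_methods
	if len(b) < 2+u16(b) { return "", bad }
	b = b[2 : 2+u16(b)] // extensions block
	for len(b) >= 4 {
		typ, l := u16(b), u16(b[2:])
		b = b[4:]
		if len(b) < l { return "", bad }
		data := b[:l]
		b = b[l:]
		if typ != 0 { continue } // 0 = server_name
		if len(data) < 2 || len(data) < 2+u16(data) { return "", bad }
		data = data[2 : 2+u16(data)] // server_name_list
		for len(data) >= 3 {
			nl := u16(data[1:])
			if len(data) < 3+nl { return "", bad }
			if data[0] == 0 { return string(data[3 : 3+nl]), nil }
			data = data[3+nl:]
		}
	}
	return "", errors.New("no server_name extension")
}

func main() {
	host, err := sniFromClientHello(buildClientHello("example.com"))
	fmt.Println(host, err) // only the hostname is recoverable, never the path
	_, err = sniFromClientHello([]byte("GET / HTTP/1.1\r\n"))
	fmt.Println(err)
}
```

Fed with the first record of each new TCP connection on port 443, this yields a per-device list of hostnames with timestamps, which is the "history" the question asks for, minus the path component that HTTPS is designed to hide.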

How do I implement the SSL on an embedded device?

I understand that SSL/TLS is the best option to ensure secure communication on embedded IoT devices. As I read the details of SSL, there are a series of steps involved (certificate verification, handshake, cipher suite, and more…). When we do the same via a browser like Chrome accessing a secured website, I think all of this is implemented/taken care of by the browser itself.

The device does not have a UI, so no browser is being used there! Consider it an IoT gateway, like a smart home gateway or a connected vehicle telematics gateway!

How do I implement SSL on an embedded device? Also, does everything in SSL need to be implemented by the developer in this case?

Would a library like wolfSSL be a good option?
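The split the question is asking about can be shown concretely. Any TLS library, wolfSSL included, runs the handshake, key exchange, signature checks and record encryption; what the firmware developer supplies is the trust anchor, the hostname the device expects and the oldest protocol version it will accept. The following is an added example in Go (not the poster's code and not wolfSSL, whose API differs but exposes the same three decisions): it mints a vendor CA and a server certificate so it runs offline, builds the client configuration a headless gateway would use, and runs the verification step the library performs inside the handshake so that the two failure modes, an untrusted CA and a wrong hostname, are visible. The CA name, api.example.com and all helper names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a CA or server certificate template. Constructed for the
// example: a real gateway gets its root at manufacture and the server's
// certificate comes from the vendor's CA.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // verifiers match SANs, not the CN
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent's key, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// deviceTLSConfig is the part the firmware developer actually writes: which
// root to trust, which hostname to expect, and the oldest protocol version to
// accept. Handshake, key exchange and record encryption are the library's job.
func deviceTLSConfig(root *x509.Certificate, host string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{
		RootCAs:    pool, // pinned: a headless device has no system trust store to fall back on
		ServerName: host,
		MinVersion: tls.VersionTLS12,
	}
}

// verifyServerCert runs the check the library performs inside the handshake
// (chain to a trusted root, validity period, hostname match).
func verifyServerCert(conf *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     conf.RootCAs,
		DNSName:   conf.ServerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := issue(template(1, "Gateway Vendor Root", true), nil, nil)
	if err != nil {
		panic(err)
	}
	srv, _, err := issue(template(2, "api.example.com", false), ca, caKey)
	if err != nil {
		panic(err)
	}
	conf := deviceTLSConfig(ca, "api.example.com")
	fmt.Println("genuine server:", verifyServerCert(conf, srv))

	// Right hostname, but issued by a CA the device never trusted.
	rogueCA, rogueKey, _ := issue(template(1, "Rogue CA", true), nil, nil)
	rogue, _, _ := issue(template(2, "api.example.com", false), rogueCA, rogueKey)
	fmt.Println("rogue CA:", verifyServerCert(conf, rogue))

	// Genuine certificate, but presented by a server the device did not expect.
	fmt.Println("wrong host:", verifyServerCert(deviceTLSConfig(ca, "other.example.com"), srv))
}
```

On the device, `conf` is what you hand to `tls.Dial` (or the equivalent context setup in an embedded library) and the checks in `verifyServerCert` happen automatically during the handshake; the example calls them directly only so the outcomes can be inspected without a network.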

How does **Enhanced Trait : Affect Others Only** function as a device?

This is a continuation of this question for Mutants and Masterminds 3e. So, the character I proposed could spawn a minimum of 6 constructs with 30pp worth of powers/skills by using Invention at Quickness 20, but this is from a PL20 character, so making a flood of these critters wouldn’t be that effective unless we were being attacked by a huge, person-man army. That being said, it doesn’t prevent me from making other inventions using the same method. My initial solution is to create beacons to buff my constructs, a power worth at least 2pp per rank (Permanent Enhanced Trait, Affects Others Only, Perception, Limited(my constructs)). Now, I could use this to buff a core stat or a ranged attack by 10 ranks (thus bringing that up to PL12 by proxy), but that involves planting several beacons in series to cover all my bases and still leaves them much weaker than most things that’d be thrown our way. My other option is to drop the Perception range modifier, which would give me the leeway to either buff a core stat/ranged attack to the PL cap and have 12 points to spare or buff 2 things to a more agreeable 15 ranks.

The latter would be the preferred solution, but I’m unclear on how the device itself would function. To that end, I have 3 questions.

  • Would this device have to be a worn piece of gear or a stationary object that my constructs need to interface with?
  • If these need to be worn/carried, is there a limit to how many my constructs can carry?
  • If these need to be interfaced with, what sort of action do the constructs need to take?

Is an “inversed” Device Authorization Grant flow secure for authenticating a daemon/service native app to a web server?

I am working on a hobby project which will involve a web server (hosted and owned by me) and a native app (which will communicate with the web server periodically) an end-user can install via a deb/rpm package. This native app has no traditional UI (besides via command line) and can be installed on browser-less environments. Additionally, I’m trying to avoid registering custom URL schemes. As such, I do not wish to use redirect flows, if possible.

The web server and the native app will both be open source and the code will be visible to everyone, but I suppose it shouldn’t matter in the context of authentication. However, I wanted to point that out in case it matters.

So far, during my research, I’ve come across two mechanisms which seem suitable for what I am trying to achieve:

  • Resource Owner Password Credentials Grant
  • Device Authorization Grant

Unfortunately, I’ve come across a lot of articles and blogs stating that Resource Owner Password Credentials Grant should no longer be used. Not sure how much weight I should give these articles, but I’m leaning towards Device Authorization Grant for now.

From my understanding, one of the steps involved in this grant is that the client continuously polls the server to check whether the user has authenticated the client. However, instead of polling the server, why not flip the place where the code is entered?

In other words, instead of the client/device displaying a code to the user and the user then entering the code on the server, why not display the code on the server and have the user enter the code into the client? This way the client doesn't have to needlessly poll the server. Does this not achieve the same thing? I'm really not sure, though. I want to ensure I'm not missing something before I implement this.

This is how I envision the general flow for users using my project:

  1. The user would register an account on my site (i.e, the web server). This is just a traditional username and password authentication.
  2. The user can then download and install the deb/rpm package which contains my native app. Although, it should be noted that there's obviously nothing preventing the user from installing the package without registering an account on the server. The whole point of this authentication is to create a link between the account on the server and the native app.
  3. Prior to enabling the daemon/service functionality of the native app, the user will need to authenticate the native app to the server.
  4. To do so, the user can log into the server (using their regular username/password creds) and generate a temporary token.
  5. The user can then use the CLI functionality of the native app to use this temporary token. For example, the user may type my_app_executable authenticate, where my_app_executable is the binary executable and authenticate is the parameter.
  6. This will prompt the user to enter their username and the temporary token.
  7. The app will then send the entered username and temp token to the server, which will validate this combination. If it's valid, the server will send an access token back to the app.
  8. The app can then use this access token to communicate with the server. Authentication complete.

Based on this, I have a couple of questions:

  1. Does this flow seem secure? Is there an aspect of this that I’m overlooking?
  2. Is it okay to more or less permanently encrypt and persist this access token on the filesystem? If the user turns off the native app for months and then they turn it back on, I would like it to function normally without making the user authenticate again. I suppose I’ll need to implement a way to revoke an access token, and I’m thinking about tracking this in the database on the server side. This would mean that for each HTTP request from the app to the server, the server will need to make a DB check to ensure the access token hasn’t been revoked.
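Steps 4 through 8, and the per-request check from question 2, sketched server-side as an added example in Go (not the project's code; the in-memory store, the `Server` type, the 10-minute lifetime and the user name are assumptions). The properties the example enforces are the ones that matter when a user types a server-issued code into a client: the code is 256 bits from the OS CSPRNG, expires quickly, can be redeemed once, and is stored only as a hash; the access token it yields gets the same hash-at-rest treatment, so the revocation lookup on every request is against a hash rather than against the bearer secret itself.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// pairingToken is the temporary token from step 4. Only its hash is kept; the
// plaintext exists once, on the user's screen, before being typed into the CLI.
type pairingToken struct {
	user    string
	hash    [32]byte
	expires time.Time
	used    bool
}

type accessToken struct {
	user    string
	revoked bool
}

// Server is an in-memory stand-in for the web server's database (constructed
// for the example; the real project would persist these rows).
type Server struct {
	now      func() time.Time
	pairings []*pairingToken
	access   map[[32]byte]*accessToken // keyed by SHA-256 of the bearer token
}

func NewServer(now func() time.Time) *Server {
	return &Server{now: now, access: map[[32]byte]*accessToken{}}
}

// randomToken returns 256 bits from the OS CSPRNG, URL-safe so it pastes into
// a terminal without quoting.
func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// IssuePairingToken is step 4: a logged-in user asks the web UI for a code.
func (s *Server) IssuePairingToken(user string, ttl time.Duration) (string, error) {
	tok, err := randomToken()
	if err != nil {
		return "", err
	}
	s.pairings = append(s.pairings, &pairingToken{
		user: user, hash: sha256.Sum256([]byte(tok)), expires: s.now().Add(ttl),
	})
	return tok, nil
}

// Exchange is step 7: the app submits username + code and receives an access
// token. Single use and a short lifetime keep the code from becoming a second,
// weaker password.
func (s *Server) Exchange(user, tok string) (string, error) {
	h := sha256.Sum256([]byte(tok))
	for _, p := range s.pairings {
		if p.user != user || p.used || s.now().After(p.expires) {
			continue
		}
		if subtle.ConstantTimeCompare(p.hash[:], h[:]) != 1 {
			continue
		}
		p.used = true
		at, err := randomToken()
		if err != nil {
			return "", err
		}
		s.access[sha256.Sum256([]byte(at))] = &accessToken{user: user}
		return at, nil
	}
	return "", errors.New("invalid or expired pairing token")
}

// Authenticate is the per-request check from question 2: a single lookup on
// the token's hash, so the database never holds a usable bearer token.
func (s *Server) Authenticate(at string) (string, error) {
	rec, ok := s.access[sha256.Sum256([]byte(at))]
	if !ok || rec.revoked {
		return "", errors.New("unauthorized")
	}
	return rec.user, nil
}

func (s *Server) Revoke(at string) {
	if rec, ok := s.access[sha256.Sum256([]byte(at))]; ok {
		rec.revoked = true
	}
}

func main() {
	s := NewServer(time.Now)
	tmp, _ := s.IssuePairingToken("alice", 10*time.Minute)
	at, err := s.Exchange("alice", tmp)
	fmt.Println("exchange:", err)
	_, err = s.Exchange("alice", tmp) // the same code typed a second time
	fmt.Println("replay:", err)
	s.Revoke(at)
	_, err = s.Authenticate(at)
	fmt.Println("after revoke:", err)
}
```

The access token persisted on the client (question 2) is the plaintext `at`; the server keeps only `sha256(at)`, so a dump of the server database does not let anyone impersonate the daemon, while the revoked flag is the single switch the per-request check consults.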

Can a Fireball, a fragile glass jar, and a lot of ball bearings make a “Claymore”-like explosive device?

My rogue has some ball bearings and, of course, he wants to build Claymores. He talked to me about it beforehand since he was excited. I would like to see if he can make this work, but I told him lamp oil and the like doesn't explode; but by all means, throw that lit pouch of lamp oil and ball bearings into a room and watch… slow-burning ball bearings.

He has been thinking about it more and found oil of impact as an option, but that is cost-prohibitive for him ATM. He also asked an interesting question: could the wizard cast a fireball into a breakable glass jar? (He got the idea from the Mad Manor of Astabar and the glass sphere in the wizard's bedroom.) I looked around but couldn't find any resources as to whether that is allowed.

Can he make that work?

The rogue and wizard in the party are level 5.

Can monitor output be queried by a HDMI device? [closed]

Let’s say I have a monitor that is attached to devices via VGA and HDMI.

Is there the possibility that the HDMI device, when my source is the VGA one, queries the current buffer being sent from VGA (in other words, queries the current video)?

I think many factors indicate that this is impossible for an HDMI input device (chief among them the lack of any available feature; I did some research and found out that HDMI queries stop at HDMI CEC, which only has packets for querying monitor information), and the question sounds really stupid to me and most likely to you as well, but I have no experience with video interfaces and I became paranoid about something.