Mind Blank states:
Until the spell ends, one willing creature you touch is immune to psychic damage, any effect that would sense its emotions or read its thoughts, divination spells, and the charmed condition. The spell even foils wish spells and spells or effects of similar power used to affect the target’s mind or to gain information about the target.
How does the spell Mind Blank interact with shapeshifters and other forms of false identity?
Are all aspects of their identity protected, or just information associated with their true form/name?
- For example, can a guard give a description of a changeling’s persona via sending since it is not their natural form?
Having successfully integrated my old web forms app with an ADFS server I got to thinking about how the process works as a whole. The old app passes the user to the remote ADFS, then eventually the user arrives back in our server having a signed-in identity of email@example.com but I’m not entirely clear on whether I’m supposed to trust that’s right, or whether I’m supposed to try and ensure it’s right.
Supposing that a rogue actor at somedomain.com replaces the sign-on at the remote end or manipulates it in some way such that my local server ends up being told that firstname.lastname@example.org signed in (when it was actually tom.hacker@somedomain.com), or worse that email@example.com signed in, what do we do with such situations?
Is this handled already by the auth process such that we can be sure there are some local rules that enforce that the federated server may only return users with some characteristic such as "must really be a user of somedomain.com, for which you know this identity server is responsible"?
When we hand off authentication to a third party, and get the "user X auth’d successfully", do we need to be wary about whether it’s truly user X and whether the server confirming the identity truly has authority to do so for the user given?
At the moment I’m thinking I should also implement my own local check that the announced user matches a pattern, to ensure the federated server isn’t used to break into other domains’ accounts, and also implement 2FA to give some extra check that the user announced truly is that person.
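One way to implement the local check described above, as an added example that is not code from the original post: after the federation library has verified the token's signature and expiry, the relying party still checks that the issuer is one it trusts, that the token was issued for this application, and that the issuer is actually authoritative for the e-mail domain of the asserted user. Issuer URLs, the audience value and the domains are placeholders.

```python
# Added example (not from the original post): post-sign-in checks a relying
# party applies to the claims returned by a federated identity provider such
# as ADFS. Assumes signature and expiry were already verified upstream; the
# issuer URLs, audience and domains below are placeholder values.

# Each trusted issuer is mapped to the e-mail domains it may vouch for.
TRUSTED_ISSUERS = {
    "https://adfs.somedomain.example/adfs/services/trust": {"somedomain.example"},
}
EXPECTED_AUDIENCE = "https://app.ourdomain.example/"  # our relying-party identifier


def validate_federated_identity(claims, trusted_issuers=TRUSTED_ISSUERS,
                                audience=EXPECTED_AUDIENCE):
    """Return (accepted, reason). Rejects identities that the asserting
    issuer has no authority to vouch for, even when the token itself is valid."""
    issuer = claims.get("iss")
    if issuer not in trusted_issuers:
        return False, "issuer not trusted"
    if claims.get("aud") != audience:
        return False, "token not issued for this relying party"
    email = (claims.get("email") or "").strip().lower()
    if email.count("@") != 1 or not email.split("@")[0]:
        return False, "malformed e-mail claim"
    domain = email.rsplit("@", 1)[1]
    if domain not in trusted_issuers[issuer]:
        return False, f"issuer not authoritative for {domain}"
    return True, "ok"


# Constructed sample claim sets (not real tokens)
GENUINE = {"iss": "https://adfs.somedomain.example/adfs/services/trust",
           "aud": EXPECTED_AUDIENCE, "email": "Alice@somedomain.example"}
CROSS_DOMAIN = dict(GENUINE, email="admin@otherdomain.example")
UNKNOWN_ISSUER = dict(GENUINE, iss="https://adfs.rogue.example/adfs/services/trust")

if __name__ == "__main__":
    for name, c in [("genuine", GENUINE), ("cross-domain", CROSS_DOMAIN),
                    ("unknown issuer", UNKNOWN_ISSUER)]:
        print(name, validate_federated_identity(c))
```

The domain allow-list is what stops a compromised or misconfigured partner IdP from asserting accounts in domains it does not own; 2FA on top of this addresses the separate question of whether the person behind a legitimately asserted account is who they claim to be.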
I’m trying to make notes about the TPM and what it does. More specifically I’m looking at the 3 RSA key pairs: the ‘endorsement key’, the ‘storage root key’ and the ‘attestation identity key’.
This is what I have written so far:
The ‘Endorsement Key’ is an RSA key pair where any data sent to another device is encrypted using the private key and the receiving device decrypts it with the public key, so it knows the data is trusted. This is created when the TPM is manufactured (not user-specific).
The ‘Storage Root Key’ is a pair of RSA keys within the TPM and is used to protect TPM-protected keys created by applications and stored outside of the TPM, so that these keys cannot be used without the TPM. It’s created when you take ownership of the TPM (if the user changes, so does the key).
However, I am now trying to research the use of the attestation identity key but don’t understand how it is different from the endorsement key. If anyone could explain in simple terms, because this is all new to me, I would greatly appreciate it 🙂
I know that a VPS provider can track the client connected to a VPS (This Q/A) using RDP(Remote desktop protocol). But my question is about websites accessed from the VPS using a browser. Can they know anything about the main client (IP/Location/Local Time etc.) behind the RDP through the browser http (or https or any) protocols?
Is there any way (software or hardware solution) to create a usb drive that can make its contents readable only on specific PCs using their hardware serial numbers?
Seems hard to prove the next identity. I think the direction is through combinatorics reasons. Thanks.
I’m new to public key infrastructure. I think I understand how public key encryption works, conceptually. So public key is, by definition, public and not a secret. Recently when I came across the term identity certificate and read about it, it sounded very similar to public key of an entity. But, it was not explicitly stated whether they are same or different.
My questions are…
Is an identity certificate the same as a public key? If not, then is an identity cert considered a secret?
How are they related?
I’m developing a mobile app. I have a question, and here is the scenario.
If a person is logging into the App with the Google sign-in API on a public network, the website will verify the user with his Email ID and, if verified, the website will in return return the user details like his mobile number, address, and some other things. Meanwhile, from that public network, a person has sniffed the Email ID of the user and that person uses that Email ID to retrieve the user details.
In this case, how can I verify the genuine user?
- Is there some other technique to overcome this thing?
- Should I use TLS to overcome this vulnerability?
Would it create a risk to have a testing function that imports and changes user identity from a plaintext configuration file inside a piece of software, even if it is not called? Would someone be able to call this function and change their identity?
Note: the function is inside a dynamically loaded DLL
I’m having difficulty rating a CVSS for an Identity Provider. Imagine you have a vulnerability where you can bypass an authentication mechanism.
How would you rate:
- Confidentiality (C)
- Integrity (I)
- Availability (A)
as you don’t know which system it will be connected with?
The scope is changing, but I can’t just assume the worst scenario; it will just raise the score unnecessarily.