Can we implement hreflang on root domain for one country and on sub-folder for another country?

Is it possible for 2 countries, we can implement hreflang tags on root domain and a sub-folder, for example for US hreflang on www.example.com and for Italy www.example.com/IT can we do it like this?

I have added both urls in Google search console & submitted separate sitemaps, but Google is counting all pages (including sub-folders) for the main domain, so I am thinking that Google is considering main domain (root domain) as a whole website not a country specific as per hreflang.

If you know about this or have similar experience, then Appreciate your help! Thanks, Adil

Implement navmesh for climbing cliffs and walls

I am trying to implement dynamic wall climbing similar to Conan exiles and Legend of Zelda: Breath of the Wild.

My system as of now uses a raycast to get the direction of a geometry’s normal, and I make the player face that. I send another raycast in the direction of the players input, which takes the hit point, and lerps the player to that ray’s hit position on the geometry.

Although this system works well on a flat wall it struggles a lot on complex geometry such as a bumpy cliff, and constantly hangs on small edges.

I recently saw this video from a cancelled game that seems to implement some sort of navmesh by making a flat plane that follows the terrain’s normals. This allows the player to climb over gaps and complex geometry as if it was a smooth surface.

I don’t completely understand how they managed this, and I was wondering if someone who is knowledgeable about these things could explain how I could implement something like this in Unity.

How to implement what “psql > \d table1” command does, manually in C?

I’m writing a Postgresql server extension in C, it’s a server-side trigger function. I’m using the standard server side interface in C that Postgres offers:

#include <stdio.h> #include <time.h> #include "postgres.h" #include "utils/rel.h" #include "executor/spi.h" #include "commands/trigger.h" #include "utils/fmgrprotos.h"  #ifdef PG_MODULE_MAGIC PG_MODULE_MAGIC; #endif  extern Datum trig_test(PG_FUNCTION_ARGS);  PG_FUNCTION_INFO_V1(trig_test);  Datum trig_test(PG_FUNCTION_ARGS) {       // ........      // TODO:    // 1) infer a table over which a trgger is being executed (is more or less clear how to)   // 2) (!) archive the same result over that table   // as psq would do via this: "\d that_table" (how?)   // 3) write the output into a variable or file (is clear how to) } 

My current task is to achieve the same result as the \d <table1> does in C, inside of a trigger function. And more essentially I need the "indexes" part, including primary_key and also whether or not primary key is made of a single column or multiple ones, and which ones.

How can I do it?

Preferably, not strictly, without having to use SPI_exec() command because I figure that it might be slower than some other, more direct way.

Is possible to implement a Web Cryptography API custom provider?

I’m reading some basic info about Web Cryptography API and I’m wondering if is possible to implement some crypto provider (C/C++ library or something) with some extra algorithms or is mandatory to use the ones “embedded” with the web browser. I have finded articles about the security and tutorials about how to use it but nothing about custom implementation. I don’t know if it uses Operating System libraries or only web browser libraries, if should be used “as is”… Some reference or clarification is appreciated.

Heavy thrown implement for Invoker

I have this idea of a hybrid Fighter|Invoker, using Cleave and Deft Hurler to throw Divine Bolts. Deft Hurler (Dr 368) lets you use a ranged basic attack after Cleave:

Cleave: You can forgo dealing damage to the adjacent enemy to instead make a ranged basic attack with a heavy thrown weapon against one creature other than the target of your cleave. This ranged basic attack does not provoke opportunity attacks.

RAW, implement powers used with weapon implements still count as “with a weapon”.

Power of Skill (DP) turns Divine Bolts into a basic attack:

You can use any power you have that is associated with this feat as a basic attack. (Divine Bolts is listed)

Now I just need a heavy thrown weapon with the highest damage that is usable as an implement by an Invoker.
Bonus points if it is possible without a multiclass feat, as I want to use Seeker MC in paragon to get Primal Eye.


If it matters:
Str 17, Con 12, Dex 13, Int 8, Wis 16, Cha 8
Goliath (but any Str/Wis race will do)

What is the correct way to implement the OAuth2 state parameter?

I’m trying to understand how to properly implement state in an OAuth2 client, to mitigate CSRF attacks. This answer explains the attack scenario pretty well, to summarize:

  1. The attacker starts the authorization code flow, and gets a code from the authorization server
  2. The attacker traps his redirect url (e.g. https://client.com/exchangecodefortoken?code=attacker_code), and tricks a victim into accessing that link
  3. The victim is logged in with the attacker account, and if he upload sensitive info to the client application, that info will be uploaded to the attacker’s account meaning the attacker will have access to it.

The RFC vaguely says that state should be derived from the user session, for example using a cookie:

The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent’s authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent). The client SHOULD utilize the “state” request parameter to deliver this value to the authorization server when making an authorization request.

This question implements this by creating an id cookie and a random state for each session, and correlating those two in the client DB. The client then handles an authorization code callback (e.g https://client.com/exchangecodefortoken?code=abc&state=def) by verifying that:

params.state == DB_at(cookies[id]).state 

It seems to me that an attacker can still bypass this kind of protection, because he knows his own id cookie:

  1. The attacker starts the authorization code flow, and gets a code from the authorization server
  2. The attacker traps his redirect url (e.g. https://client.com/exchangecodefortoken?code=attacker_code&state=attacker_state). He then uses that URL to prepare a link that when clicked, also sets the id cookie to the attacker’s id cookie (not very familiar with cookies, but this answer implies you can do this)
  3. The victim accesses the malicious link, and is redirected to the client with the attacker’s state and id cookie
  4. The request passes aforementioned verification and the victim is logged in with the attacker’s account – the attack succeeded.

How should you securely implement the state parameter?

(I’ve also seen answers like this one that claim that the attack is the other way around: at the end the attacker gets access to the victim’s account – and not vice versa. I though the explanations given for this scenario are incorrect/incomplete, but please correct me if I’m wrong on this)

How to implement my PKI?

EDIT: Reasons to roll my own

https://security.stackexchange.com/a/130775/127025

How can we trust a CA?


I’m designing my own server (foo.ext), and I’ve been investigating about how I can authenticate myself to the rest of the world.

I understand that perfect security is not possible, but I would like to have enough security so that it would be difficult to break in even for the NSA.

After some investigation, I’ve arrived to the conclussion that the only way to maintain a chain of trust is to secure the first link. So I’m going to roll my own personal Certificate Authority and put it forever out of the internet.

I’ve designed 4 levels of CA in the following way:

Level 0 (Self-signed personal CA):


This is a self-signed CA. I will re-issue it every 10 years. It will live in my most secure computer which will never connect to the internet. It will sign one and only one certificate, the level 1 CA, every 5 years.

Level 1 (Limited personal CA):


This CA will live in the same computer as the level 0 CA (although in different containers). I will give in hand (USB) a copy of the certificate of this CA to my clients, who will have to install this CA in their browsers to be able to connect to my server securely.

This CA will be limited (by the level 0 CA) to issue certificates for foo.ext and *.foo.com. The reason for this limitation is that my clients will be able to install this CA in their browsers, and have a guarantee that I will never be able to impersonate something like google.com in their browsers.

Level 2 (Intermediate CA):


This CA will be signed by level 1 CA with the same limitations. This CA will sign certificates for two things: my server foo.ext and my level 3 CA. It will live in a separate computer which will also be disconnected from the internet. It will exchange keys, certificates and certificate requests by USB.

The reason for this CA is to be a firewall before my level 1 & 0 CAs. For that purpose, every time I need to certificate this CA, I will first reset its computer, so that if there is a breach, it won’t propagate to level 1 & 0 CAs.

This CA will be certified every year.

Level 3 (Subordinate CA):


This CA will be further limited to only *.foo.ext (and not foo.ext). It will/may live in the same computer where my server will be.

It will certify the different services of my server every month or so.


Every CA and service will be isolated from the rest in a container.

I will have two different servers.

foo.ext will be the most secure of the two, and its purpose will only be to publish any breaches in the level 3 CA or any service certified by that CA. This server will be signed by level 2 CA, so it won’t be affected by such breaches. When a breach is published, I will publish any certificates to be revoked.

*.foo.ext will have a set of services, which will be the main objective of all this PKI. The rest is just security overhead.

For my services over SSH, I will be my only client (no-one will be allowed to SSH into my server).

For my services over HTTPS, anyone can connect, but those services will only serve static content, and will be download only (only GET & HEAD).

I also want to set up a mail server, but I still don’t know much about mail, so I will delay that until I know how to do it securely.


Every public key, certificate request and certificate exchanges between different units of my PKI will be done by hand (by myself) to avoid someone sneaking around. Private keys will never, under any circumstance, get out of the unit in which they were generated.

Private keys will not be password encrypted, because I would need to keep the password in plain text in the same computer, which makes it useless IMHO. Instead, I will just hide the level 0 & 1 computer from physical attacks as much as possible.


I have this picture of the whole PKI

PKI


Now to the code.

I’ve found in the internet some code to do that, but it was either outdated, or incomplete, or misdocumented or all of them. Given that I want it to be as secure as possible (within my possibilities), I’m not going to use that code until I know what every line is doing.

I will use RSA keys of (at least) 4096 bits. I won’t use more bits because it may not be supported by browsers. And not less because of security.

For Signing, I will use sha512.

I would like to do everything with libressl, and avoid ssh-keygen or openssl as much as possible.

I have the following cheat sheet for now, which I hope is correct and up to date:

Generate a RSA private key:

libressl genpkey -algorithm RSA -out caX.foo.key.pem            \         -pkeyopt rsa_keygen_bits:4096 

Check private key:

libressl rsa -noout -text -in caX.foo.key.pem 

Extract public key from PEM RSA private key:

libressl rsa -in caX.foo.key.pem -pubout -out caX.foo.key.pub 

Generate level 0 certificate:

libressl req -new -x509 -key ca0.foo.key.pem -sha512 -days 3660 \         -out ca0.foo.cert.pem 

What I don’t know how to do:

  • Generate certificate requests and certificates

I have some (incomplete or incorrect) commands.

Generate CSR (certificate signing request):

libressl req -new -sha512 -key clientX.foo.key.pem -out clientX.foo.csr.pem 

Sign certificate:

libressl x509 -req -in clientX.foo.csr.pem -out clientX.foo.cert.pem    \         -CA caX.cert.pem -CAkey caX.key.pem -sha512 -CAcreateserial 

-CAcreateserial as I understand it should only be used by a CA signing its first certificate.

Missing in those commands is for example the limitation for the CAs and for the end services to be able to certificate only the domains or subdomains I want them to certificate.


My question is: how to implement my PKI design? by which I mean, how to correctly generate CSRs and sign them with the specifications I want.

It may very well be splitted into various subbquestions, but I prefer to ask a single question because they are intrinsically related, and that way you can have an overview of the whole system, which is necessary to better answer the question.