Plain text file encryption

Context:

I have a custom tool which connects to remote servers using ssh, installs and deploys services. That tool only accepts a erlang tuple in textfile as input for server names and ssh credentials. i have a wrapper on top of the tool which generates erlang tuple text file . Now i trying to encrypt the text file using python Crypto . I am planning to encrypt the text file with user input key and while connecting to servers decrypt it for ssh connection and then am planning to encrypt the text file back once deployment is done.

My Question: can ssh sessions be made with encrypted text file ? also i have used ansible vault i past. Does ansible vault decrypts textfile before making ssh sessions internally ?

Is decrypting text file for ssh session and restoring the encrypted file back a security problem ? Appreciate your help.

Store passwords local with plain text access on WinPE

I have an application that needs to store Network Credentials for a Network Drive/Share on the disk. The user shouldn’t need to enter the password every time. The OS is WinPE, so he cannot map the drive once and it will stay there.

Limitation:

  • I need the password in plain text, to map the drive.
  • The program should work without an additional password that the user has to enter.

Thoughts:

  • Hash + Salt is not reversible, so I cannot get the password in plain text.
  • An encrypted password is not safe, because the program has to store the key. If someone looks inside the code he will get the key and decrypt the password.
  • I cannot use the “Protect Data” interface of windows, because I use WinPE. Protect Data Documentation

The program is written in C#. Maybe someone has a good idea about my problem. Thanks!

Keeping passwords in plain text in “value” attribute. Addons can use this for password leaking

Either there is a security hole or I’m missing information about something.

While I was testing how Surfingkeys addon works I’ve noticed that it has command yf to copy form content on current web page. I though about testing it on “Sign In” and “Log In” forms on few websites to see if it would be able to retrieve typed passwords in plain text. It was successful if standardized <form> tags were used.

Then I’ve noticed that in most web applications password is kept in <input value=""> attribute in plain text which to me seems like by-standard security hole for whole W3 stack (HTML, CSS, JS, etc.). If this addon was able to get password from DOM then any addon can do that. The only piece missing is sending that data to server of a 3rd party who are owners of such malicious addon – such situation already had place with Stylish.

So attack scenario looks like this:

  1. Company “mal1c1ous” buys popular web addon.

  2. They add to addon generic <form> parser script which retrieves data from <input value="">.

  3. For each known website they make their addon “decorate” submit buttons with script which on click 1st sends request with credentials to their server and then to host of that website. Or they just send requests each time parser script is able to get new data.

  4. After some time they perform an attack using gathered credentials.

I find that scenario possible show me that it can’t happen. Also my question is: given that is Web security flawed by design?

The thing is that no one discourages from using <input value=""> as a password holder it seems that there is no other option by standard. Web developers can only come up with their own ideas to obfuscate where a password is stored before request is made.

Should read-only text appear as plain text or in a read-only textbox?

Should I use labels for read-only information, or should I use read-only text boxes to maintain the look of the fields?

It seems to me that if something is in a textbox it implies there is some way to edit it, whereas plain text is explicitly read-only.

Update: While my question is similar to Locking input form fields, does it make sense?, mine is different in that I’m referring to fields that are never editable by anyone. It’s not based on the user’s rights or role.

mockup

download bmml source – Wireframes created with Balsamiq Mockups

Should read-only text appear as plain text or in a read-only textbox?

Should I use labels for read-only information, or should I use read-only text boxes to maintain the look of the fields?

It seems to me that if something is in a textbox it implies there is some way to edit it, whereas plain text is explicitly read-only.

Update: While my question is similar to Locking input form fields, does it make sense?, mine is different in that I’m referring to fields that are never editable by anyone. It’s not based on the user’s rights or role.

mockup

download bmml source – Wireframes created with Balsamiq Mockups

What is the source for 5e defaulting to plain English readings of non-game terms?

In many discussions involving rules interpretations the meaning of words is often called into question. Often, people will claim that if the game doesn’t define the term that it defaults to the plain English reading of the word.

Is this stated somewhere explicitly in the rules or in designer comments? What is the source (or sources) for this claim?

What is the source for 5e defaulting to plain English readings of non-game terms?

In many discussions involving rules interpretations the meaning of words is often called into question. Often, people will claim that if the game doesn’t define the term that it defaults to the plain English reading of the word.

Is this stated somewhere explicitly in the rules or in designer comments? What is the source (or sources) for this claim?

Oauth2 PKCE – What security does “S256” provide over “plain”?

The Oauth PKCE protocol flow is as follows, as defined in RFC 7636:

                                             +-------------------+                                              |   Authz Server    |    +--------+                                | +---------------+ |    |        |--(A)- Authorization Request ---->|               | |    |        |       + t(code_verifier), t_m  | | Authorization | |    |        |                                | |    Endpoint   | |    |        |<-(B)---- Authorization Code -----|               | |    |        |                                | +---------------+ |    | Client |                                |                   |    |        |                                | +---------------+ |    |        |--(C)-- Access Token Request ---->|               | |    |        |          + code_verifier       | |    Token      | |    |        |                                | |   Endpoint    | |    |        |<-(D)------ Access Token ---------|               | |    +--------+                                | +---------------+ |                                              +-------------------+ 

My question is: why do we need to use a trapdoor like S256 in step (A)?

According to the RFC’s threat model, a malicious app cannot intercept the outgoing communication in (A) or (C). So why can’t an app generate and temporarily store a random value in (A) and re-use it in (C)?

To elaborate: the goal of t(code_verifier) (ie S256(code_verifier)) is to later enable the app to prove to the server that it is indeed the app as it possess code_verifier before the transform.

However, if the app just sent code_verifier and later sent it again, the same guarantee is achieved: the server receives a random value that uniquely identifies the app, and receives it again. No other app can provide this value: as long as the connection isn’t intercepted (and it shouldn’t be – TLS), S256 seems unnecessary.

Jquery change event on miltiline text field (plain text)

I have tried to set up an onchange event to be triggered on a Multiline (Plain) Text field. I have tried all the following without luck.

$  ("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").change(function(){ alert('Action 1');});  $  ($  ("[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']")[0]).bind('input', function() { alert('Action 2');});  $  ($  ("[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']")[0]).on('input', function() { alert('Action 3');});  $  ("input[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']").change(function(){ alert('Action 3');});  $  ($  ("input[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']")[0]).change(function(){ alert('Action 4');});  $  ("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").contents().change(function(){ alert('Action 5');});  $  ("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").change(function(){ alert('Action 6');});  $  ("textarea[Title='Identified Tasks']").closest("span").change(function(){ alert('Action 7');});  $  ("textarea[title='Identified Tasks']").change(function(){ alert('Action 8');});  $  ($  ("[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']")[0]).change(function(){ alert('Action 9');});  $  ($  ("[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']")[0]).closest("span").change(function(){ alert('Action 10');});  $  ($  ("[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']")[0]).children().change(function(){ alert('Action 11');});  $  ($  ("[id^=Identified_x0020_Tasks]")[0]).change(function(){ alert('Action 12');});  var systemDescriptionRTE = $  ("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").contents().find("body");   ar systemDescriptionRTE = $  ("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").contents().find("body").find("span");     $  (systemDescriptionRTE).change(function(){ alert('Action 13');});  $  ("textarea[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']").change(function(){ alert('Action 14');});  $  ("textarea[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte'][0]").change(function(){ alert('Action 15');});  $  ("textarea[title='Identified Tasks']").change(function(){ alert('Action 16');});  $  slogDiv.on('change', function(e){ alert('Action 18');});  var $  slogDiv = $  ("[id^='Identified_x0020_Tasks'][id$  ='$  TextField_inplacerte']");    $  slogDiv.on('change', function(e){ alert('Action 20');}); 

The following code does work

var $  slogDiv = $  ("[id^='Identified_x0020_Tasks'][id$  ='$  TextField_inplacerte']");   $  slogDiv.on('click keyup', function(e){ alert('Action 19');});  alert($  ($  ("[id^=Identified_x0020_Tasks][id$  ='$  TextField_inplacerte']")[0]).text()) 

So I seem to have the selector correct. Any ideas on how to attach a change event on it?

The clickup event does work, but multiple times, not just once as expected from a change event.

Any suggestions on what coding I need?

How to still allow plain HTTP while preventing accidental use?

I have a website that must be available over both HTTP and HTTPS, however I only want people to use HTTP if they really need to (obviously). The idea I came up with is to have redirection to HTTPS, along with HSTS, on mydomain.com, and to offer plain HTTP on http.mydomain.com. I would ask search engines not to advertise my http subdomain, it should only be found via instructions on my site itself. This should prevent users from accidentally using HTTP and would also make the choice really explicit.

My question is what kinds of attacks I’m opening myself up to with this approach. Phishing attacks seem inevitable; an attacker might always trick a victim into using the insecure domain and hoping they won’t notice. I could show a permanent warning banner on my http site, but that would only help if the attacker is unable to modify the packets in flight. The second concern is DNS spoofing, where an attacker points mydomain.com to http.mydomain.com, or points http.mydomain.com to their own servers. However, more and more clients are DNSSEC-validating, and my website has DNSSEC enabled, so I’m hoping that attack vector will keep on shrinking.

Any things I’m missing? Is there a better approach to what I’m trying to do?