What prevents me from using some server’s public key to impersonate another server? [duplicate]

I read a lot regarding RSA encryption/DH key exchange/digital signatures and the whole TLS protocol.

There’s something I am missing regarding the public key signature validation.

Let’s say some website has a certificate signed with its private key; as a client I have access to the public key.

But if the server only sends the public key to the client, what is preventing me as an attacker from taking this public key and returning it to whoever wants to communicate with me?

I mean, where does the private-key authentication come into play?

I created this small C# code to demonstrate:

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Net.Sockets;
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    using System.Threading.Tasks;

    class Program
    {
        private const int _port = 4455;

        static void Main(string[] args)
        {
            // Run the server and the client side by side in the same process.
            Task.Run(async () =>
            {
                await TcpServerInit();
            });

            Task.Run(async () =>
            {
                await TcpClientInit();
            });

            Console.ReadLine();
        }

        private static async Task TcpServerInit()
        {
            var server = new TcpListener(IPAddress.Any, _port);
            server.Start();

            while (true)
            {
                TcpClient client = await server.AcceptTcpClientAsync();
                using (var netStream = client.GetStream())
                {
                    ServicePointManager.ServerCertificateValidationCallback = ValidateCertificate;
                    ServicePointManager.Expect100Continue = true;

                    using (var ssl = new SslStream(netStream, false))
                    {
                        // A .cer file holds the certificate and public key only, no private key.
                        using (var cert = new X509Certificate2(@"MyPublicCert.cer"))
                        {
                            await ssl.AuthenticateAsServerAsync(cert, false, SslProtocols.Tls12, true);
                        }
                    }
                }
            }
        }

        private static async Task TcpClientInit()
        {
            using (TcpClient client = new TcpClient("localhost", _port))
            {
                using (SslStream sslStream = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateCertificate), null))
                {
                    var servername = "CN=localhost";
                    await sslStream.AuthenticateAsClientAsync(servername);
                    byte[] message = Encoding.UTF8.GetBytes("Hello");
                    sslStream.Write(message);
                    sslStream.Flush();
                }
            }
        }

        // Accepts every certificate without inspecting the chain or the policy errors.
        private static bool ValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            //cert validation
            return true;
        }
    }

What prevents someone from spoofing their public key when trying to establish an SSH connection?

Recently I’ve been trying to learn the mechanisms behind SSH keys but I came across this question that I haven’t been able to find an answer to (I haven’t figured out how to word my question such that searching it would give me the answer).

Basically, we add our local machine’s public key to the server’s authorized_keys file which allows us to be authenticated automatically when we try to ssh into the server later on. My question is: what if someone takes my public key (it is public after all) and replaces their public key with it? When the "attacker" tries to connect to the server, what part of the process allows the server to know that they do not have the correct private key?

I read somewhere that for RSA, it is possible for a user (let’s say user A) to encrypt/sign a message with their private key, and then for others to decrypt this message using A’s public key, thus proving that A is really who they claim to be. However, apparently, this is not true for all cryptosystems, where it is not possible to sign with a private key (according to What happens when encrypting with private key?, feel free to correct this information if it is wrong). In those cases, how does the server make sure that the user is really who they claim to be?
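Both questions above turn on the same point: presenting a public key proves nothing, because the side claiming the key must also sign fresh, session-specific data with the matching private key. The following is an added example, not part of either original post; it uses textbook RSA over two known Mersenne primes as an insecure toy key, and `Server`, `sign`, `digest` and `run_scenarios` are hypothetical names for a simplified stand-in for the signature step in SSH public-key authentication and the TLS handshake.

```python
import hashlib
import secrets

# Toy RSA key from two known Mersenne primes. Illustrative only, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                             # public modulus: (N, E) may be copied by anyone
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent: never leaves the key owner


def digest(session_id: bytes, challenge: bytes) -> int:
    """SHA-256 over the session-specific data, as an integer (always < N here)."""
    return int.from_bytes(hashlib.sha256(session_id + challenge).digest(), "big")


def sign(private_exp: int, modulus: int, session_id: bytes, challenge: bytes) -> int:
    """Textbook RSA signature (no padding, kept minimal for the demonstration)."""
    return pow(digest(session_id, challenge), private_exp, modulus)


class Server:
    """Stores public keys only, in the role of an authorized_keys file."""

    def __init__(self, authorized_keys):
        self.authorized_keys = set(authorized_keys)
        self.session_id = b""
        self.challenge = b""

    def new_session(self):
        # Fresh random values per connection, so an old signature cannot be replayed.
        self.session_id = secrets.token_bytes(16)
        self.challenge = secrets.token_bytes(32)
        return self.session_id, self.challenge

    def authenticate(self, public_key, signature: int) -> bool:
        if public_key not in self.authorized_keys:
            return False
        n, e = public_key
        # Only a signature made with the matching private exponent verifies.
        return pow(signature, e, n) == digest(self.session_id, self.challenge)


def run_scenarios() -> dict:
    server = Server([(N, E)])
    results = {}

    # 1. The key owner signs this session's challenge with the private exponent.
    sid, ch = server.new_session()
    owner_sig = sign(D, N, sid, ch)
    results["owner"] = server.authenticate((N, E), owner_sig)

    # 2. Someone presents the copied public key but has no private exponent.
    sid, ch = server.new_session()
    results["copied_key_guessed_sig"] = server.authenticate((N, E), secrets.randbelow(N))
    results["copied_key_public_exp"] = server.authenticate((N, E), sign(E, N, sid, ch))

    # 3. A signature recorded from session 1 is replayed in the new session.
    results["replayed_signature"] = server.authenticate((N, E), owner_sig)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
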

What prevents a Fallen from getting way too many thralls?

Well, I have been reading the Demon The Fallen corebook, and gaining a thrall seems like a relatively easy thing and quite useful for the demon, allowing them to boost their followers, and if they have thralls through the world then constantly gain faith. So what I wish to ask is: is there any limiting factor to how many thralls a demon can have?

Does HSTS prevent MITM using a valid certificate?

Let’s consider this scenario:

An attacker got a valid certificate for an HSTS-protected domain https://example.com. Can he still perform a man-in-the-middle attack even if the website is already loaded in the browser HSTS list?

I remember using Burp Suite once and getting a strict transport security related error for a valid certificate, so I would suppose the HSTS list also contains the certificate fingerprint, although I could not find anything about it in the RFC.

What prevents malicious servers from spoofing mail transfer agents and/or mail delivery agents?

An email system typically consists of multiple agents:

  • Mail user agent (MUA)
  • Mail submission agent (MSA)
  • Mail transfer agent (MTA)
  • Mail delivery agent (MDA)

Mail agent network

Evidently the ‘middlemen’ of this system are a spoofing risk. (Technically the endpoints could also be a spoof risk, but let’s assume in this case that the end users are genuine.)

What methods are used/can be used to protect against these ‘middlemen’ agents being spoofed?

I’ve thought about it myself and the only answer I can come up with is that DNS might provide some sort of limited authentication, though DNS spoofing would still be a risk.


(Image is CC BY-SA 3.0, © Ale2006-from-en.)

AppArmor enforce mode prevents Firefox from reading U2F security key

When the default AppArmor profile for Firefox is set to enforce mode, it blocks Firefox access to security keys. Disabling the profile restores access.

Rules that I’ve tried and failed:

  • /sys/devices/** r,
  • #include <abstractions/dbus>
  • dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.RealtimeKit1)

Can someone help me craft rules to allow Firefox to access security keys?

kern.log:

    Sep 17 19:07:01 user-pc kernel: [21606.295620] usb 7-2: new full-speed USB device number 4 using uhci_hcd
    Sep 17 19:07:01 user-pc kernel: [21606.487632] usb 7-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 4.33
    Sep 17 19:07:01 user-pc kernel: [21606.487636] usb 7-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    Sep 17 19:07:01 user-pc kernel: [21606.487638] usb 7-2: Product: Security Key by Yubico
    Sep 17 19:07:01 user-pc kernel: [21606.487639] usb 7-2: Manufacturer: Yubico
    Sep 17 19:07:01 user-pc kernel: [21606.495139] hid-generic 0003:1050:0120.0005: hiddev0,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:1d.1-2/input0
    Sep 17 19:07:34 user-pc kernel: [21639.275573] audit: type=1400 audit(1568714854.720:331): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=21659 comm="apparmor_parser"
    Sep 17 19:07:34 user-pc kernel: [21639.275577] audit: type=1400 audit(1568714854.724:332): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release" pid=21659 comm="apparmor_parser"
    Sep 17 19:07:34 user-pc kernel: [21639.275580] audit: type=1400 audit(1568714854.724:333): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" pid=21659 comm="apparmor_parser"
    Sep 17 19:07:41 user-pc kernel: [21645.812202] audit: type=1107 audit(1568714861.260:334): pid=1061 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=21662 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1858 peer_label="unconfined"
    Sep 17 19:07:41 user-pc kernel: [21645.812202]  exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
    Sep 17 19:07:42 user-pc kernel: [21646.966062] audit: type=1107 audit(1568714862.416:335): pid=1061 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=21703 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1858 peer_label="unconfined"
    Sep 17 19:07:42 user-pc kernel: [21646.966062]  exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'

Is there anything that prevents this “Negative AC armor” creation process from functioning?

This is a follow-up to a portion of this answer to a previous question of mine pertaining to the lowest possible achievable AC. The question is also slightly different as it pertains to magical armor and is limited in scope to Adventurers League play.

Currently, there are two monsters in the game with an ability to damage a Magical armor’s AC value: Zorbos…

Destructive Claws. […] one such item worn or carried by the creature (the target’s choice), magically deteriorates, taking a permanent and cumulative -1 penalty to the AC it offers […]. Armor reduced to an AC of 10 […] is destroyed.

…And the Demon Lord Juiblex:

Eject Slime. […] Any metal armor worn by the target takes a permanent −1 penalty to the AC it offers […]. The penalty worsens each time a target is subjected to this effect. If the penalty on an object drops to −5, the object is destroyed.

The destruction clauses are different: one is when the Armor’s AC=10, one is when the Armor’s penalty=-5.

Now, let’s say you take a +1 Plate magic item (AC of 19). Your DM somehow agrees to add a Zorbo into your game (if they can find a thematically appropriate justification), and said Zorbo successfully reduces your Magical Plate’s AC 8 times, making it go to AC 11. Then, your DM somehow agrees to add the Demon Lord Juiblex into your game (again, with a thematically appropriate justification), which successfully reduces your Magical Plate’s AC 4 times, making it go to AC 7. At this point, you go back to the Zorbo, who successfully reduces your Plate’s AC once more. At this specific point, the armor’s AC is already lower than 10, and its total penalty is already higher than 5, so, to my understanding, this new reduction doesn’t activate either of the 2 destruction clauses. And thus, the Zorbo reduces it again, and again, and again, until the armor reaches a (potentially infinitely) negative AC value.

My question is: is there anything I forgot to consider — anything that would make the above “negative AC armor” creation process not function within the scope of Adventurers League play?

For the record, I want such negative AC armor on a Redemption Paladin to symbolize a divine punishment by his goddess (he’s been naughty).

ufw prevents ssh into machine if it’s connected to WireGuard (NordVPN)

I have several Ubuntu machines at home; some of them have ufw enabled and some do not, and I can ssh between them OK. The problem comes when I connect a machine to the WireGuard VPN (NordVPN service): from that moment I can’t ssh into that WireGuard machine any more, unless I disable ufw. I believe I need to open something in iptables but I don’t know what. Any ideas? Thanks in advance for any help.

    sudo iptables -L

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  190.2.132.74         anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  localhost/8          anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  190.2.132.74         anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.144.0/24     anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  190.2.132.74         anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  10.5.0.0/16          anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     udp  --  localhost/8          anywhere             udp dpt:51820
    ACCEPT     udp  --  192.168.144.0/24     anywhere             udp dpt:51820
    ACCEPT     all  --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ufw-before-logging-forward  all  --  anywhere             anywhere
    ufw-before-forward  all  --  anywhere             anywhere
    ufw-after-forward  all  --  anywhere             anywhere
    ufw-after-logging-forward  all  --  anywhere             anywhere
    ufw-reject-forward  all  --  anywhere             anywhere
    ufw-track-forward  all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             103.86.99.99         udp dpt:domain
    ACCEPT     udp  --  anywhere             103.86.96.96         udp dpt:domain
    ACCEPT     udp  --  anywhere             103.86.99.99         udp dpt:domain
    ACCEPT     udp  --  anywhere             103.86.96.96         udp dpt:domain
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             190.2.132.74
    ACCEPT     all  --  anywhere             localhost/8
    ACCEPT     all  --  anywhere             190.2.132.74
    ACCEPT     all  --  anywhere             192.168.144.0/24
    ACCEPT     all  --  anywhere             190.2.132.74
    ACCEPT     all  --  anywhere             10.5.0.0/16
    ACCEPT     all  --  anywhere             anywhere

    Chain ufw-after-forward (1 references)
    target     prot opt source               destination

    Chain ufw-after-input (0 references)
    target     prot opt source               destination
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
    ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

    Chain ufw-after-logging-input (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

    Chain ufw-after-logging-output (0 references)
    target     prot opt source               destination

    Chain ufw-after-output (0 references)
    target     prot opt source               destination

    Chain ufw-before-forward (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ufw-user-forward  all  --  anywhere             anywhere

    Chain ufw-before-input (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
    ufw-not-local  all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
    ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
    ufw-user-input  all  --  anywhere             anywhere

    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination

    Chain ufw-before-logging-input (0 references)
    target     prot opt source               destination

    Chain ufw-before-logging-output (0 references)
    target     prot opt source               destination

    Chain ufw-before-output (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ufw-user-output  all  --  anywhere             anywhere

    Chain ufw-logging-allow (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

    Chain ufw-logging-deny (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

    Chain ufw-not-local (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
    DROP       all  --  anywhere             anywhere

    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination

    Chain ufw-reject-input (0 references)
    target     prot opt source               destination

    Chain ufw-reject-output (0 references)
    target     prot opt source               destination

    Chain ufw-skip-to-policy-forward (0 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere

    Chain ufw-skip-to-policy-input (7 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere

    Chain ufw-skip-to-policy-output (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain ufw-track-forward (1 references)
    target     prot opt source               destination

    Chain ufw-track-input (0 references)
    target     prot opt source               destination

    Chain ufw-track-output (0 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
    ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

    Chain ufw-user-forward (1 references)
    target     prot opt source               destination

    Chain ufw-user-input (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp /* 'dapp_CUPS' */
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp /* 'dapp_CUPS' */
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh /* 'dapp_OpenSSH' */
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:22000 /* 'dapp_syncthing' */
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:21027 /* 'dapp_syncthing' */
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8384 /* 'dapp_syncthing-gui' */
    ACCEPT     udp  --  anywhere             anywhere             multiport dports 1714:1764
    ACCEPT     tcp  --  anywhere             anywhere             multiport dports 1714:1764
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp /* 'dapp_Postfix' */
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt

    Chain ufw-user-limit (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

    Chain ufw-user-limit-accept (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain ufw-user-logging-forward (0 references)
    target     prot opt source               destination

    Chain ufw-user-logging-input (0 references)
    target     prot opt source               destination

    Chain ufw-user-logging-output (0 references)
    target     prot opt source               destination

    Chain ufw-user-output (1 references)
    target     prot opt source               destination

Would an item that prevents death once be overpowered?

I am a DM running Tomb of Annihilation. I am toying with the idea of giving one of my level 5 players an item that prevents death, just once, and then breaks. Note that I do not mean dropping to 0 hit points, but rather actually dying. This is different from death ward. In other words, if the player is to die instantaneously through some mishap or fails his death saves, this item will prevent them from dying just that once.

I like the idea of doing this because an item that gives death ward once would break as soon as the player is about to be knocked unconscious or hit 0 HP for any reason, which isn’t very infrequent. I think this item is particularly interesting in this campaign.

How powerful would an item like this be? I’d like it to be comparable to a +2 weapon or a +2 armor, or a Necklace of Prayer Beads, or a Gem of Seeing.

What prevents an identity provider from falsifying authorization in a SAML 2.0 flow?

I’m confused about something in the SAML 2.0 flow. When the initial access to the service provider is made, the service provider must first validate that the user indeed has access and so the service provider will query the identity provider. Based on this link — https://developers.onelogin.com/saml — the service provider identifies the identity provider based on “application subdomain, user IP address, or similar.” My question is, what prevents the identity provider from acting maliciously and saying, “Sure, this user has access. Let them in!” I mean, I could just set up my own identity provider and if I’m identified by IP address, couldn’t I just pretend that this user has access?