Is using Argon2 with a public random on client side a good idea to protect passwords in transit?

Not sure if things belongs in Crypto SE or here but anyway:

I’m building an app and I’m trying to decide whatever is secure to protect user passwords in transit, in addition to TLS we already have.

In server side, we already have bcrypt properly implemented and takes the password as an opaque string, salts and peppers it, and compares/adds to the database.

Even though SSL is deemed secure, I want to stay at the "server never sees plaintext" and "prevent MiTM eavesdropping from sniffing plaintext passwords" side of things. I know this approach doesn’t change anything about authenticating, anyone with whatever hash they sniff can still login, my concern is to protect users’ plaintext passwords before leaving their device.

I think Argon2 is the go-to option here normally but I can’t have a salt with this approach. If I have a random salt at client side that changes every time I hash my plaintext password, because my server just accepts the password as an opaque string, I can’t authenticate. Because of my requirements, I can’t have a deterministic "salt" (not sure if that can even be called a salt in this case) either (e.g. if I used user ID, I don’t have it while registering, I can’t use username or email either because there are places that I don’t have access to them while resetting password etc.) so my only option is using a static key baked into the client. I’m not after security by obscurity by baking a key into the client, I’m just trying to make it harder for an attacker to utilize a hash table for plain text passwords. I think it’s still a better practice than sending the password in plaintext or using no "salt" at all, but I’m not sure.

Bottomline: Compared to sending passwords in plaintext (which is sent over TLS anyway but to mitigate against server seeing plaintext passwords and against MiTM with fake certificates), is that okay to use Argon2 with a public but random value as "salt" to hash passwords, to protect user passwords in transit? Or am I doing something terribly wrong?

What are the most tolerable options for a more general public type not to be victimized by malware?

I’ve talked with a new friend who is fairly bright and who can do some interesting things programming Office applications, but whose technical abilities omit infosec. And he got bitten by nasty malware.

I’m wondering what options might be most productive to offer to him. I’m not sure it’s realistic to repel all dedicated assault, but cybercriminals often look for someone who would be an easy kill, and (perhaps showing my ignorance here), I think it could be realistic to make a system that’s hardened enough not to be an easy kill.

Possibilities I’ve thought of include:

  1. Windows 10 with screws turned down (how, if that is possible?).

  2. Mint or another Linux host OS for what can be done under Linux, and a VMware or VirtualBox VM that is used for compatibility and may be restorable if the machine is trashed.

  3. Migrating to a used or new Mac, possibly with a Windows Virtual Machine, but most people using Macs don’t complain they are missing things.

  4. Perhaps with one of the technical situation, point my friend to user education saying things like "Don’t download software that you hadn’t set out to get. The price of Marine Aquarium of $ 20 up front is dwarfed by the hidden price tags of adware and spyware offering a free aquarium screensaver.

This is not an exhaustive list, although it’s what I can think of now. I’ve had a pretty good track record for not engaging malicious software, and I think it can be learned (and that documentation for online safety would be taken very, very seriously).

What can I suggest to my friend for online safety?

What is the standard way, if any, to announce via e-mail that you have a public PGP key and what it is?

I’m making an e-mail system/client. I’m trying to correctly detect incoming e-mails which can be replied to with PGP encryption. This means finding out their public PGP key. I currently do:

  • Parse the e-mail body for a PGP public key block.

I suspect that these could be done:

  • Check for attachments with some kind of standard file name?
  • Check for a special hidden header which either spells out the public PGP key directly, or links to an external resource where it can be fetched?

Thanks in advance for clarifying how one properly detects/sends PGP public keys in e-mail context for maximum support.

Are FaceID/passcode logins secure over public WiFi/hotspots?

Unfortunately, I find myself serving a 14d COVID-19 self-isolation period in a hotel which only offers unsecured public WiFi.

This has me wondering if all the financial apps on my iPhone with FaceID-enabled sign-ons are secure or not (e.g. Charles Schwab, American Express, etc.)

Can anyone comment on the typical security stack that would underly this category for app? Does everything boil down to a proper implementation of TLS access to the backend?

Is there any chance that using these Apps is still secure over public WiFi?

Is there a security vulnerability in setting a public DNS entry to a private IP Address?

I recently set up a wireguard server-network configuration with a home server and client devices. I have one main domain that I hope to route everything through via subdomains (in this example, abc.domain.com, def.domain.com, etc.). I hope to use nginx to do this routing.

Is is possible/secure/recommended to register a private IP address (specifically of my home server within the wireguard network, i.e. 10.27.0.1/24) in a public DNS (e.g. google DNS), so that if you run ping abc.domain.com you would get back 10.27.0.1? I found a few questions that answer a question that are close to this one (this one covers private IP for public DNS for MX records, this one talks about having A records without much mention of VPN), and the overall picture I get from these links is that it is possible, but not technically perfect since a hacker gets a small piece of info about your local network (wireguard network is 10.27.0.1/24…isn’t this relatively a moot point given it’s behind wireguard, assuming I have all of the usual safety checks in place (no remote ssh (root or otherwise) unless on wireguard network, fail2ban, no password authentication for ssh, etc.)?

This IP (10.27.0.1) would be only accessible through the wireguard network, so I don’t think it would expose the services to the internet. I want to do this so that I don’t have to setup local DNS entries on each device, as I don’t believe this is possible on a phone, and it would be ideal to make one change [i.e. set the DNS entry to 10.27.0.1] and then have each device just running a simple DNS query for abc.domain.com. This would also have the added benefit of only opening the wireguard port, and keeping the firewall closed for 80 + 443.

A corollary of this question is how best do you manage certs/ssl if this is possible? I managed to get certbot working by temporarily exposing port 80 on my server to acquire the certs for abc.domain.com, and then closing 80 to only access the webserver via wireguard through the wireguard port + nginx. I can already see one downside to this method – having to manually open port 80 everytime certbot wants to get new certificates (I believe by default this is every 60 days). I understand that wireguard is approximately as secure as SSL/HTTPS, but for my personal OCD I would prefer to have the connection secured through https on top of wireguard. I’m somewhat iffy on the details of managing certs for wildcards, but could I do it with my main domain.com (that is pointing to a internet facing site) and have it propagate to the subdomains, allowing it to be renewed through that? (this question seems to indicate so)

My goal long term is to expand this into a network that includes family/close friends as a type of ‘intranet’ for sharing photos and using other self-hosted services.

My nginx config file (abc.conf) looks something like this:

server {    server_name abc.domain.com;   # DNS Entry of abc.domain.com is 10.27.0.1, which is the local IP for the wireguard network   # SHOULD NOT be accessible outside of wireguard network    location / {       proxy_pass http://127.0.0.1:8000; #Redirects to local service on port 8000   }       listen [::]:443 ssl; # managed by Certbot     listen 443 ssl; # managed by Certbot      // SSL Certs provided by certbot [removed manually]     // .     // .     // .  } 

Is it safe to open a server application on the internal network to the public internet

I am a programmer but I am currently learning about web development in general. I’m creating a server on my local host using nodejs and express. It’s available on my local host but I want to test it with a domain I have, so I can access it from any device anywhere.

What I decided to do was change my router settings to direct any traffic it gets on its IP to my computers internal IP on port 3000 so anyone can access the my html pages from my local machine. This was working quite well.

But after some hours of working Bitdefender Antivirus alerted that It blocked some attacks from a specific IP on port 3000. This lead me to question how safe It was to be doing this. The server is running on my home machine that has my regular files and documents.

Of course I’m only serving the html pages for the site but can someone kindly explain the security implications of using your regular home router as a server as opposed to a dedicated server or a web hosting service.

Note 1: I’m not interested in other aspects such as bandwidth since that’s not going to be a problem.

Note 2: Also I’m using Netlify’s free web hosting right now as an alternate (or instead of the alternate) but it’s god awfully slow to load my simplest html page. It takes a while (inconsistent as well) before the browser can even resolve the domain and then loads the content progressively slowly ( I mean you see things like the main image slowly reveal). when using my own router it’s blazingly fast; not just on my local machine

No way of restricting public access to Firestore/API

Just glancing at GCP offerings for storing data, I noticed that while using Firestore, the only control for restricting public access is via security rules. However, in case of mis-configuration of security rules or compromise on access tokens/keys the data store becomes absolutely public available at:

https://firestore.googleapis.com/v1/projects/<YOUR_PROJECT_ID?/databases/(default)/documents/*/** 

What’s the way of completely blocking public access here (or restrict access to certain whitelisted IPs)? I am aware that we cannot put managed services inside a VPC.