So i recently tryed to understand how exactly PGP works.
I hope the following is correct, if not please correct me:
I encrypt plain text with my private key and if i send that encrypted text to a person with my public key he/she/it can encrypt that with my public key?!
I hope you can understand my question and maybe you are able to help me 😀
I wish to add an extra layer of security to my product (web app that people download and install on their server) that have a module that allows me, the developer, to access their sites instantly with just one link. The way I thought about this specific layer, which is on top of your basic security, is, everyone who buys my product will get a copy of this public hash. As of now, I compute this hash with
password_hash( 'mypassword', PASSWORD_BCRYPT, ['cost'=>20'] ), it creates a strong password, supposedly unbreakable.
When I’m trying to access their website with it, and so, I pass the plain-text in a password field, I simply do
password_verify on the input. If the input provided matches (after hashing) the public hash, then it means the passwords match.
A problem with all of this, however. If one of my customers is running on HTTP only or an attacker tricked me into accessing his evil site, he’ll see this in plain-text. Now, this password is cycled every 12h or on some triggers and on its own, it’s useless, but is this really a good way of solving the issue?
In other words, if I “leak” my hash to the public, is
bcrypt, 12 hours with resets happening on triggers such as if a customer’s site is on HTTP enough to stagger attackers enough?
This is just an additional layer that adds an extra step for an attacker to work through.
I’ve been trying to figure out “practical encryption” (AKA “PGP”) for many years. As far as I can tell, this is not fundamentally flawed:
- I know Joe’s e-mail address: email@example.com.
- I have a Gmail e-mail address: firstname.lastname@example.org.
- I have GPG installed on my PC.
- I send a new e-mail to Joe consisting of the “PGP PUBLIC KEY BLOCK” extracted from GPG.
- Joe received it and can now encrypt a text using that “PGP PUBLIC KEY BLOCK” of mine, reply to my e-mail, and I can then decrypt it and read his message. Inside this message, Joe has included his own such PGP public key block.
- I use Joe’s PGP public key block to reply to his message, and from this point on, we only send the actual messages (no key) encrypted with each other’s keys, which we have stored on our PCs.
Is there anything fundamentally wrong/insecure about this? Some concerns:
- By simply operating the e-mail service, Google knows my public key (but not Joe’s, since that is embedded inside the encrypted blob). This doesn’t actually matter, though, does it? They can’t do anything with my public key? The only thing it can be used for is to encrypt text one-way which only I can decrypt, because only I have the private key on my computer?
- If they decide to manipulate my initial e-mail message, changing the key I sent to Joe, then Joe’s reply will be unreadable by me, since it’s no longer encrypted using my public key, but Google’s intercepted key. That means Joe and I won’t be having any conversation beyond that initial e-mail from me and the first reply by him (which Google can read), but after that, nothing happens since I can’t read/decrypt his reply?
so today I was attempting to demonstrate something for a friend, so I ran a port scan of my public ip, of my home network, and found ports that I had not opened (forwarded)to be open. I am on optimum online, could this just be them messing with my network or is this something to be worried about? how can I go about figuring out what services are on those ports? is it worth trying to talk to someone at optimum? attached is an image of my port scan, and of my router’s config page to show the differences.
the ports in question are 3394, 5473, and 18017
Thanks for the help.
Using the Tor network to visit the web pages in public wifi is secured or not since The Tor will help us to make us anonymous( To hide the metadata such as visiting URLs) and The HTTPS helps us to prevent the content. Will Tor and HTTPS requests help us to secure our browsing and other stubs?
According to https://www.quora.com/Is-it-ok-to-scan-a-public-IP-address
Scanning a public IP address can be a cyber crime
But there are a few public IP that can be used for testing purposes such as
126.96.36.199 which is belong to http://scanme.nmap.org/
188.8.131.52 for http://testphp.vulnweb.com/
Is there anything else?
I would like to have something in range … e.g..
What are the minimum (safest) Windows Firewall holes to make to permit Windows 7-10 computers to connect to public (secured or open) WiFi networks and browse the web with any modern web browser?
Assume all incoming and outgoing packets are blocked on every port unless explicitly allowed.
Note that Windows Firewall does allow incoming packets when only outgoing packets are allowed. This oddness is because it automatically trusts Established Connections. Thus allowing outgoing TCP packets on ports 80 and 443 will also allow incoming packets (even if they were not requested).
So far, this is what I’m thinking is required:
UDP - Local Port 53 - Remote Port 53 - Outgoing - Why: DNS TCP - Local Port 80 - Remote Port 80 - Outgoing - Why: HTTP TCP - Local Port 443 - Remote Port 443 - Outgoing - Why: HTTPS
Also, to actually connect to the network and get assigned an internal IP address:
UDP - Local Port 68 - Remote Port 67 - Outgoing - Why: DHCP
Is anything missing or too restrictive?
I wonder if it is possible to send PGP encrypted mail if I have public key of the receipient
I have a few VPS and Databases in GCP, I can access them by whitelisting my IP, but just few months ago my ISP rollout their CGNAT and I was affected. As far as I know CGNAT, allow multiple subscriber to have a single public IP.
Is still safe to whitelist my IP or I need another means or extra layer of protection?
Why can’t they just ask their fathers to enroll them in to private schools?