Site is not secure unless someone types in “www.”

So we connected our domain with HubSpot CMS. They only support SSL for subdomains, so when someone does not type in "www." they are prompted with a security warning. They told me I needed to set up a redirect through GoDaddy for it to always go to the root domain (https://example.com)?

In GoDaddy’s forwarding section I see one that says "Domain" and the other says "Subdomain".

What do I type in each of these boxes so that my site goes to https://example.com no matter what someone types in?

Looking for a secure project management platform for our group to use [closed]

Our group is a non-profit (most of us are volunteers) with a limited budget doing community awareness on the topic of safe technology use to support health and safety.

We are looking for a project management platform that is safe, secure (data encrypted?), and has a good track record of not having any past security breaches. We need the platform to organize our meetings and activities, as well as facilitate our information and document sharing.

We are looking for project management platform options that have measures in place that would make it difficult, if not impossible, for others to steal information/documents and/or take note of what we are doing/sharing.

Any suggestions on where to look?

How is AMP-Same-Origin: true even remotely secure?

In the AMP Docs, the following snippet is given:

If the Origin header is set:

  1. If the origin does not match one of the following values, stop and return an error response:

    • <publisher's domain>.cdn.ampproject.org

    • the publisher’s origin (aka yours)

      where * represents a wildcard match, and not an actual asterisk ( * ).

  2. Otherwise, process the request.

If the Origin header is NOT set:

  1. Verify that the request contains the AMP-Same-Origin: true header. If the request does not contain this header, stop and return an error response.
  2. Otherwise, process the request.

What I don’t understand is how the AMP-Same-Origin header provides a form of security.

TLDR:

Couldn’t anyone provide an AMP-Same-Origin: true header in a browser missing the Origin header and skip CSRF protection even if it’s not on a trusted AMP CDN?
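The two-branch rule quoted from the AMP docs, written out as a server-side check so the decision order is visible. This is an added example, not code from the AMP project or the question; the publisher origin `https://example.com` and the sample request headers are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumed publisher origin (placeholder, not from the question).
PUBLISHER_ORIGIN = "https://example.com"


def origin_is_allowed(origin, publisher_origin=PUBLISHER_ORIGIN):
    """True if `origin` is the publisher's own origin or an AMP cache origin."""
    if origin == publisher_origin:
        return True
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    # Any subdomain of cdn.ampproject.org qualifies; the bare domain does not.
    return host.endswith(".cdn.ampproject.org")


def check_amp_request(headers, publisher_origin=PUBLISHER_ORIGIN):
    """Apply the documented rule to one request's headers.

    Header names are matched case-insensitively. Returns (allowed, reason).
    The Origin branch is evaluated first, so an untrusted Origin is rejected
    even if the request also carries AMP-Same-Origin: true.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        if origin_is_allowed(origin, publisher_origin):
            return True, f"origin {origin} is allowed"
        return False, f"origin {origin} is neither the publisher nor an AMP cache"
    if lowered.get("amp-same-origin", "").strip().lower() == "true":
        return True, "no Origin header, AMP-Same-Origin: true present"
    return False, "no Origin header and no AMP-Same-Origin: true"


# Constructed sample requests covering each branch of the rule.
SAMPLE_REQUESTS = {
    "amp_cache": {"Origin": "https://example-com.cdn.ampproject.org"},
    "publisher": {"Origin": "https://example.com"},
    "third_party": {"Origin": "https://evil.example"},
    "bare_cache_domain": {"Origin": "https://cdn.ampproject.org"},
    "same_origin_header": {"AMP-Same-Origin": "true"},
    "no_headers": {},
    "third_party_with_header": {"Origin": "https://evil.example",
                                "AMP-Same-Origin": "true"},
}


def evaluate_samples():
    """Return {name: allowed} for every constructed sample request."""
    return {name: check_amp_request(h)[0] for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_REQUESTS.items():
        allowed, reason = check_amp_request(headers)
        print(f"{name:25} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The design point behind the second branch is that browsers attach an `Origin` header to cross-origin requests, and a non-standard request header such as `AMP-Same-Origin` makes a cross-origin request non-simple under CORS, so the browser sends a preflight that the server can refuse. The header therefore only ever reaches the server without `Origin` on a same-origin request made by the publisher's own page; a user sending it by hand with curl is acting on their own session, which is outside what CSRF protection is meant to prevent.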

WireGuard / CVE-2019-14899: How secure the protocol really is?

I’ve been using OpenVPN and SSH tunnels for a multitude of scenarios over the years and recently I’ve been hearing a lot of buzz around the simplicity and security of WireGuard. Now I’ve found some troubling information about CVE-2019-14899:

An attacker that controls your L2 link (i.e., your WiFi or LAN) can send specially crafted packets to your device. The attacker can then use those packets to actively probe for certain properties of the TCP connections originating from your device. In other words, by controlling a device’s access point to the Internet, an attacker can infer if the user is connected to a specific host and port.

Additionally, if a TCP connection is unencrypted inside the VPN tunnel (if you visit a page that uses HTTP instead of HTTPS, for instance), the attacker can inject packets into that specific unencrypted stream. This would allow an attacker to feed your device fake HTML content for that particular stream. That would be dangerous, but as previously stated, the attacker must target a specific TCP connection, so it is not a simple vulnerability to exploit.

Source: https://protonvpn.com/blog/statement-on-cve-2019-14899/

  1. Is this information technically correct?
  2. Some sources on the web also state that anyone controlling the WAN of the server will also be able to take advantage of this flaw. Is it true? Can the server’s ISP exploit this?

Assuming the information is correct:

  1. Why does it matter if the "TCP connection is unencrypted inside the VPN tunnel"? In theory one uses a VPN exactly to go around this issue – to make sure nobody can see the contents of the communication between two machines;
  2. If anyone controlling the client’s LAN can inject packets, how is this even considered a secure protocol? From my understanding, authenticity validation is a must in scenarios like this. The server should be able to check the authenticity of new data instead of blindly accepting it… Isn’t there some kind of key exchange for this?
  3. According to WireGuard’s website, it "mimics the model of SSH and Mosh; both parties have each other’s public keys, and then they’re simply able to begin exchanging packets through the interface." How is a 3rd party (that doesn’t have the right keys) able to impersonate the client and send data, and how does the server decrypt it using the client’s real key without errors?

It looks to me like the information about the CVE isn’t correct OR WireGuard was so badly designed that it can’t even use a proper key exchange to secure a communication channel.

Thank you in advance.

Does (UEFI) secure boot provide security advantages over TPM measured boot?

Given how UEFI secure boot appeared later than TPM, I had the assumption that it provides advantages over TPM.

As I read into each, it appears to me that the TPM measurements of each stage would provide about the same level of integrity guarantee as how each secure boot stage verifies the next stage’s signature.

I get how the UEFI secure boot’s key/certificate structure may have management advantages over TPM. However, I have trouble finding security advantages against attackers. Can someone enlighten me as to whether those statements would be valid? Thanks!

How secure is the Apple cross-device copy and paste feature?

I can copy and paste between my iPhone and MacBook Pro; it’s a great feature that I find myself using frequently. I am frequently copying and pasting from my password manager to log in to different sites. A few questions about the security of the cross-device cut and paste:

  • Does Apple get access to the clipboard?
  • How is Apple securing this cross-device copy and paste?
  • Can this feature be turned off?
  • Should I turn off this feature to improve my security?

How secure is pass compared to Keepass?

Is pass a real alternative to Keepass in terms of security?

While Keepass has its own built-in encryption, pass relies on GPG to secure your passwords. GPG is obviously recognized as providing excellent security for transferring data over insecure networks, when the threat model is a MITM. But is GPG still a reliable way for securing local files on your computer? Keepass goes to some length to thwart potential attack vectors, such as making typed passwords harder to get with a keylogger and protecting its memory. Is pass with gpg agent more or less secure?

Also, if the private key which decrypts your passwords is just a file on your computer, is it really secure? I guess you can simply put a passphrase on the key, but I get the impression that it’s dangerous for someone to get your GPG key even if they don’t know the passphrase. Besides, Keepass has additional features like using a key file to unlock. Is there a security benefit to Keepass’s approach over pass?

Are node.js, express, socket.io, localhost on http, and alike ACTUALLY secure? [closed]

I use localhost for learning more coding, and I keep wondering the same question over and over again when I use Node.js:

Is it really safe?

Many, many people might have asked this. I would naturally want to put SSL HTTPS encryption on it, but there isn’t really anywhere you can get it, even if it may be a bit overkill.

It feels like there should and could be some "protection" or "encryption" type package for npm or something.

I haven’t used Node.js or localhost for sensitive information, but should I be worrying about this?