Establish secure connection to localhost in Firefox

I have a Greenbone Security Assistant that has me connect to 127.0.0.1 port 9392, with the command:

sudo openvas-start firefox http://localhost:9392 

in Firefox. But before (and sometimes after) connecting, Firefox throws a lot of errors about insecure connection, and always highlights the better part of the URL in red. This also happens when connecting to localhost for, say, Autopsy. Is there any way I can establish a secure connection to localhost? Maybe from the terminal, in the firefox http://whateverURLforyourapp command?

How does Amazon secure its 6 digit one-time password?

I noticed that Amazon’s password reset relies on a 6 digit numeric PIN. Doesn’t this reduce every user’s account to a 1 in 10^5~ chance of being accessed through brute force guess factoring in a few retries (requesting OTP resend)?

It seems that they put a captcha ahead of this and probably have some timeout where the OTP expires or unspecified limit when too many attempts will lock the account from further retries. But nevertheless this doesn’t seem like a very good idea to me. I think Google Apps uses 8 characters with multiple character sets (lowercase, uppercase, numeric, symbol), which seems like how I would implement something like this.

What are good best practices for implementing a similar password reset mechanism with 6 digit numeric PIN on my own web app? Or is this a bad idea?


Can I use my own implementation of a widely used, supposedly secure cryptographic algorithm for securing data at rest?

I know you shouldn’t roll your own crypto and generally it’s not a good idea to implement (and then deploy) any extensively tested and recommended algorithms by yourself either.

I have already seen this question, and as far as I understand, the main problem with implementing things yourself is that you will probably remain vulnerable to a host of side-channel attacks.

But suppose I have already implemented AES (just for fun and as a learning experience). What if I now use that implementation for simply encrypting files locally (and then perhaps back them up on the cloud or on removable media)? Since nobody other than me would be using the implementation, most of the side channel attacks would not apply. For instance, since no attacker can request an encryption/decryption (the way it works with a server), no timing attack can be carried out. Would this scenario be sufficiently secure?

In other words, would using my own implementation of AES provide security for data at rest, or will using it still be a stupid idea?

Are web worker / service worker secure environments to store a password, credit card information, access tokens?

If there is a case where I wish to store sensitive data like a password, credit card information, or access tokens:

Are web workers / service workers a secure environment, where such data can not be compromised? If so, what to do to really secure it? If not so, why not exactly?

Secure and private connection to GnuPG keyservers

I wish to privately submit my public key (without the possibility of its snooping on the internet). I found that I have 3 ways to connect to the keyserver securely:

  1. https://
  2. hkps://
  3. hkp:// [Using TOR]

Which one of the 3 is most secure? I was surprised to find that the Tor keyservers present use only hkp and not hkps.

https keyservers are working with IPv4 to search and submit keys, but it’s hard to find an hkps server working with IPv4?

Secure code makes exploitation easier with CPU vulnerabilities

I researched CPU vulnerabilities in the past, such as Spectre and Meltdown.

I read that one of those attacks is actually made easier if the code is written a certain way. I cannot remember if it was related to being written efficiently, written securely, or some other reason. However, now that I need this quote, I cannot find it anywhere.

Simply put: what factors in the code make the Spectre and/or Meltdown attack easier to perform?

Forgive me for asking here but I cannot find this anywhere, and was hoping for a link.

Is a LAN to LAN with different subnet configuration secure?

I plan to implement the following network configuration:

Internet [(cable A)]

Router A (192.168.0.x)[(WAN:cable A)(LAN1:cable B)(LAN2:)(LAN3:)(LAN4:)]

Router B (192.168.1.x)[(WAN:)(LAN1:cable B)(LAN2:)(LAN3:)(LAN4:)]

The first LAN port of router A is connected into the first LAN port of router B, but both routers are in a different subnet.

Usually, when I set up two routers together, I do a double NAT configuration (LAN to WAN) or a LAN to LAN in the same subnet.

I know the following facts: In a double NAT configuration such as this one,

Internet [(cable A)]

Router A (192.168.0.x)[(WAN:cable A)(LAN1:cable B)(LAN2:)(LAN3:)(LAN4:)]

Router B (192.168.1.x)[(WAN:cable B)(LAN1:)(LAN2:)(LAN3:)(LAN4:)]

Hosts from router B can communicate with hosts from router A. Hosts from router A can’t communicate with hosts from router B.

In a LAN to LAN in the same subnet configuration, any host can communicate with any other. It’s the same subnet.

In the network configuration I plan to implement, LAN to LAN but in a different subnet, I noticed that hosts from both networks can’t be reached. Is this a secure way to isolate networks, at least better than double NAT?

The connected router B gets an IP address in the router A subnet (192.168.0.x).

Also, I did not have to define any static routes to get internet access. I have difficulty understanding how this is possible, since router A’s gateway does not ping.

Is it less secure to force periodic user logouts vs keep them logged in?

I’ve been unable to find any research or information on this.

Google periodically signs me out and forces me to sign back in. I have multiple devices and multiple Google accounts, so it’s a bit frustrating, but that’s just how it is. However, I was thinking about whether this practice is actually secure.

  1. It seems to encourage easy-to-remember / easy-to-type passwords over longer stronger passwords
  2. There’s more chance for a keylogger to intercept a password
  3. There’s more chance for a physical observer to watch you enter a password
  4. It may desensitise users and lead to them automatically entering their password without checking a url

How does this balance against the inherent insecurity of indefinitely extending a login’s lifetime?

It’s worth noting that Google doesn’t ever log me out of my mobile device – I wonder why it treats this environment differently? Security vs UX concerns?