Sending static registration links via email

In our mobile application, users need to register first before they can use it. After successful registration, they can now log in and use features of the app. Now we will have a feature in our application where all users who have records in the Active Directory and “master” database but are not yet registered in the app would be sent an SMS with a registration link. The details are as follows:

  1. A static link is sent (not the usual dynamic ones where a token is appended to the url)

  2. When that link is clicked, an authentication page would show up in the machine’s internet browser and show a page where it asks for the user’s email address and birthday. When the entered information is valid, a one-time password is sent via SMS and, if valid, the user can now proceed with registration.

The question is, is this kind of process secure? There was a debate within our team whether the link sent via SMS should be dynamic or static. What are the possible vulnerabilities of this kind of process? It doesn’t seem to violate any OWASP standard.

Webhook sending Purchase Details to handling Purchases from a Third Party Service Secure?

I’m developing a mobile application for a client that sells digital courses on a service called Teachable that hosts their website and handles the purchase process for them. My client wants to keep using this service for the purchase process and when a user bought a course, he should have access to it on my app.

Now I did some research on Teachable. To my knowledge, it does not provide an API or some sort of OAuth provider. However, it does offer webhooks.

I thought about a way to implement this behaviour but I have some concerns about my idea, so I would like to hear opinions from more experienced developers in the security field. My idea goes like this:

  1. Let’s assume Alice buys a course called “Awesome Course 1”.
  2. The Teachable webhook sends me a JSON object to my server that includes the following properties: { email: Alice@gmail.com, courseName: Awesome Course 1, courseId: 123}
  3. Now in my database, I create a random Id and add this JSON object to it. So I have something like this: RandomKey987: { email: Alice@gmail.com, courseName: Awesome Course 1, courseId: 123}
  4. I send Alice a mail that contains the Id RandomKey987
  5. Alice goes to my app, creates an account/logs into her account (that is completely independent of the Teachable Mail/Account she used to buy the course) and enters the Id RandomKey987 in a form, to unlock her course in my app
  6. On my Server, I create a Database entry under Alice’s field to mark that she bought the course associated with the Database Entry RandomKey987, which in this case is the course “Awesome Course 1”
  7. I delete the Database Entry RandomKey987, so no one can unlock this course a second time.

Now my concerns are:

  1. An adversary could just send a similar JSON object, like in Step 2, that doesn’t come from Teachable. The attacker would need to know the HTTP endpoint of my webhook and a valid courseId, which I’m not sure I can keep private. Teachable does not provide an API where I could make a request to validate that the JSON object indeed refers to a valid purchase. Would it be an imaginable solution to just keep the HTTP endpoint and the courseIds private?

  2. It won’t be possible to guess the Id for a purchase in my database, but could there be another way to get the key I send via email? Assuming no other person than Alice can read this email, this should not be a problem, right?

What’s your opinion on this? Did I overlook an important security aspect? Is there a better way to handle this problem?
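The seven steps and the two concerns above, as an added sketch that is not part of the original post and is not Teachable's API: the webhook is accepted only on a secret URL path segment (the "keep the endpoint private" idea, compared in constant time), the mailed code is stored only as a hash, and redemption is single-use with an expiry. `RedemptionStore`, `WEBHOOK_PATH_SECRET`, the 7-day lifetime and the in-memory dictionaries are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a random path segment that appears only in the webhook URL
# configured at the course platform, e.g. /hooks/<secret>. It is a shared
# secret, not a signature, so it must only ever travel over HTTPS.
WEBHOOK_PATH_SECRET = secrets.token_urlsafe(32)
KNOWN_COURSE_IDS = {123}            # constructed sample data (courseId from the post)
CODE_TTL_SECONDS = 7 * 24 * 3600    # assumption: codes expire after one week


def _digest(code: str) -> str:
    # Only the hash of the mailed code is stored, so a database leak does
    # not hand out redeemable codes.
    return hashlib.sha256(code.encode()).hexdigest()


class RedemptionStore:
    """In-memory stand-in for the database described in steps 3, 6 and 7."""

    def __init__(self):
        self._pending = {}    # sha256(code) -> purchase record
        self.unlocked = {}    # app account id -> set of unlocked course ids

    def handle_webhook(self, path_secret: str, payload: dict, now=None):
        """Steps 2-4: returns the code to mail to the buyer, or None if rejected."""
        now = time.time() if now is None else now
        # Constant-time comparison so the secret cannot be probed byte by byte.
        if not hmac.compare_digest(path_secret.encode(), WEBHOOK_PATH_SECRET.encode()):
            return None
        # Reject course ids the app does not sell, even on the right URL.
        if payload.get("courseId") not in KNOWN_COURSE_IDS:
            return None
        code = secrets.token_urlsafe(16)    # 128 bits, not guessable
        self._pending[_digest(code)] = {
            "email": payload.get("email"),
            "courseId": payload["courseId"],
            "expires": now + CODE_TTL_SECONDS,
        }
        return code

    def redeem(self, account_id: str, code: str, now=None) -> bool:
        """Steps 5-7: unlock the course for the logged-in app account, once."""
        now = time.time() if now is None else now
        # pop() removes the entry in the same operation that reads it, so a
        # second redemption of the same code finds nothing (step 7).
        record = self._pending.pop(_digest(code), None)
        if record is None or record["expires"] < now:
            return False
        self.unlocked.setdefault(account_id, set()).add(record["courseId"])
        return True


if __name__ == "__main__":
    store = RedemptionStore()
    purchase = {"email": "Alice@gmail.com", "courseName": "Awesome Course 1", "courseId": 123}
    mailed_code = store.handle_webhook(WEBHOOK_PATH_SECRET, purchase)
    print("first redemption:", store.redeem("app-user-1", mailed_code))
    print("second redemption:", store.redeem("app-user-2", mailed_code))
```

In a real database the read-and-delete in `redeem` has to be one atomic statement or transaction, otherwise two concurrent requests can both redeem the same code.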

Can someone hack my phone by sending me a file (e.g. PDF) via Whatsapp?

My work requires (and depends on) Whatsapp for daily sharing of files with many people (PDF, PowerPoint, Word, Images, Web links…), and I was wondering if it is possible that someone can hack our phones by sending us malware via Whatsapp.

For example, let’s say they send me a virus that pretends to be a legitimate PDF. Is it okay to “just install it” on Whatsapp? What happens if I installed it but never opened it? Can that affect my phone or do I have to open/view it?

This is extremely important to me and my team, and I will share your answers with them because we seriously need more awareness on this. Thanks!

Hashing passwords before sending them to the server

When the user tries to log in, the POST request has the password in clear text. Even when using HTTPS, the server admins can somehow log POST requests and get the user password.

I’m looking for a way to prevent the above threats (admins seeing the password, or the password might get stolen in MIM attack). We don’t need to know the actual password because it is used to encrypt stuff on the client side.

I have thought about hashing the password using SHA-256 before sending, but the user password might be weak and the hash could be easily found in rainbow tables, so it’s pointless.

However, I am out of ideas. Can anyone help me?
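One common way to meet both requirements in the question above (the server never sees the password, and the password also protects client-side data), shown as an added sketch that is not code from the original post: the client stretches the password with a salted, slow KDF and splits the result into a login token that is sent and an encryption key that never leaves the client. The function names, the per-user salt handling and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 600_000   # assumption: tune to what client devices tolerate


def client_derive(password: str, user_salt: bytes, iterations: int = KDF_ITERATIONS):
    """Runs on the client. Returns (auth_token, encryption_key).

    The per-user salt defeats precomputed (rainbow) tables; the iteration
    count makes each guess at a weak password expensive.
    """
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), user_salt, iterations, dklen=32)
    # Domain separation: two independent keys from one master secret, so the
    # token sent to the server reveals nothing about the encryption key.
    auth_token = hmac.new(master, b"auth", hashlib.sha256).digest()
    encryption_key = hmac.new(master, b"encryption", hashlib.sha256).digest()
    return auth_token, encryption_key


def server_register(auth_token: bytes) -> dict:
    """Runs on the server. Stores only a salted hash of the token, because the
    token itself is now the login secret and must not sit in the database."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": hashlib.sha256(salt + auth_token).digest()}


def server_verify(record: dict, auth_token: bytes) -> bool:
    candidate = hashlib.sha256(record["salt"] + auth_token).digest()
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    user_salt = secrets.token_bytes(16)   # fetched from the server before login
    token, key = client_derive("correct horse battery staple", user_salt)  # constructed sample
    record = server_register(token)
    print("login ok:", server_verify(record, token))
    print("server ever saw the encryption key:", key in record.values())
```

A request log now captures only the token, which allows logging in as the user but does not decrypt the client-side data. When the client is a web page, the same server also delivers the script that performs the derivation.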

Server sending RST after Client Hello

We are facing an intermittent TLS handshake issue while connecting from a C++ (OpenSSL 1.0.2e) client to a Java server (Java 7). The issue is observed on load test after having around 100 sessions sending concurrent requests, that too on Linux platform. The server is sending an RST message immediately after the “Client Hello” message. On the client side the SSL_CTX object is created with TLSv1_2_client_method(). On the server side the context instance is created by invoking SSLContext.getInstance("TLSv1.2"). Also, we are limiting the enabled protocol to TLSv1.2 on the server side. Whenever this issue is observed we have noticed that the Client Hello Protocol on Wireshark is shown as “TLSv1”; in all other cases (SUCCESS) the Client Hello Protocol is displayed as TLSv1.2.

Also, I understand the Handshake layer version number is important and any TLS 1.2 compliant server MUST accept any value {03,XX} as the record layer version number for ClientHello as per RFC 5246. But whenever the failure is observed, the record layer is “TLSv1 Record Layer: Handshake Protocol: Client Hello”. In the case of a successful handshake the record layer is “TLSv1.2 Record Layer: Handshake Protocol: Client Hello”. The Client Hello messages for both cases are given below; note that the cipher suites and signature algorithms are the same in both cases.

Client Hello message when issue occurs:

Transport Layer Security TLSv1 Record Layer: Handshake Protocol: Client Hello     Content Type: Handshake (22)     Version: TLS 1.0 (0x0301)     Length: 358     Handshake Protocol: Client Hello         Handshake Type: Client Hello (1)         Length: 354         Version: TLS 1.2 (0x0303)         Random: 44e153eb9aa960e39e7dd4c01fbc1cc3770d95e0d70d6aac…             GMT Unix Time: Aug 15, 2006 10:26:11.000000000 India Standard Time             Random Bytes: 9aa960e39e7dd4c01fbc1cc3770d95e0d70d6aac83f458ab…         Session ID Length: 0         Cipher Suites Length: 228         Cipher Suites (114 suites)             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)             Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)             Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)             Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)             Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)             Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)             Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)             Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)             Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)             Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)             Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)             Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)             Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)             Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)             Cipher Suite: 
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)             Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)             Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)             Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)             Cipher Suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0x00a7)             Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x006d)             Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)             Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)             Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)             Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)             Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)             Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)             Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)             Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)             Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)             Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)             Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)             Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)             Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)             Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)             Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)             Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)             Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)             Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)             Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)             Cipher Suite: 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)             Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)             Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)             Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)             Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)             Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)             Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)             Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)             Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)             Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)             Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)             Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)             Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)             Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)             Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)             Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)             Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)             Cipher Suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0x00a6)             Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x006c)             Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)             Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)             Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)             Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)             Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)             Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)             Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)             Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)             Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)             Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)          
   Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)             Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)             Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)             Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)             Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)             Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)             Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)             Cipher Suite: TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)             Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)             Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)             Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)             Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)             Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)             Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)             Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)             Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)             Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)             Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)             Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)             Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)             Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)             Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)             Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)             Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)             Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)             Cipher Suite: TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f)             Cipher Suite: TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c)             Cipher Suite: TLS_DH_anon_WITH_DES_CBC_SHA (0x001a)             Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)             Cipher Suite: 
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)             Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA (0x0019)             Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)             Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)             Cipher Suite: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 (0x0017)             Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)             Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)         Compression Methods Length: 1         Compression Methods (1 method)             Compression Method: null (0)         Extensions Length: 85         Extension: ec_point_formats (len=4)             Type: ec_point_formats (11)             Length: 4             EC point formats Length: 3             Elliptic curves point formats (3)                 EC point format: uncompressed (0)                 EC point format: ansiX962_compressed_prime (1)                 EC point format: ansiX962_compressed_char2 (2)         Extension: supported_groups (len=28)             Type: supported_groups (10)             Length: 28             Supported Groups List Length: 26             Supported Groups (13 groups)                 Supported Group: secp256r1 (0x0017)                 Supported Group: secp521r1 (0x0019)                 Supported Group: brainpoolP512r1 (0x001c)                 Supported Group: brainpoolP384r1 (0x001b)                 Supported Group: secp384r1 (0x0018)                 Supported Group: brainpoolP256r1 (0x001a)                 Supported Group: secp256k1 (0x0016)                 Supported Group: sect571r1 (0x000e)                 Supported Group: sect571k1 (0x000d)                 Supported Group: sect409k1 (0x000b)                 Supported Group: sect409r1 (0x000c)                 Supported Group: sect283k1 (0x0009)                 Supported Group: sect283r1 (0x000a)         Extension: session_ticket (len=0)             Type: 
session_ticket (35)             Length: 0             Data (0 bytes)         Extension: signature_algorithms (len=32)             Type: signature_algorithms (13)             Length: 32             Signature Hash Algorithms Length: 30             Signature Hash Algorithms (15 algorithms)                 Signature Algorithm: rsa_pkcs1_sha512 (0x0601)                     Signature Hash Algorithm Hash: SHA512 (6)                     Signature Hash Algorithm Signature: RSA (1)                 Signature Algorithm: SHA512 DSA (0x0602)                     Signature Hash Algorithm Hash: SHA512 (6)                     Signature Hash Algorithm Signature: DSA (2)                 Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)                     Signature Hash Algorithm Hash: SHA512 (6)                     Signature Hash Algorithm Signature: ECDSA (3)                 Signature Algorithm: rsa_pkcs1_sha384 (0x0501)                     Signature Hash Algorithm Hash: SHA384 (5)                     Signature Hash Algorithm Signature: RSA (1)                 Signature Algorithm: SHA384 DSA (0x0502)                     Signature Hash Algorithm Hash: SHA384 (5)                     Signature Hash Algorithm Signature: DSA (2)                 Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)                     Signature Hash Algorithm Hash: SHA384 (5)                     Signature Hash Algorithm Signature: ECDSA (3)                 Signature Algorithm: rsa_pkcs1_sha256 (0x0401)                     Signature Hash Algorithm Hash: SHA256 (4)                     Signature Hash Algorithm Signature: RSA (1)                 Signature Algorithm: SHA256 DSA (0x0402)                     Signature Hash Algorithm Hash: SHA256 (4)                     Signature Hash Algorithm Signature: DSA (2)                 Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)                     Signature Hash Algorithm Hash: SHA256 (4)                     Signature Hash Algorithm Signature: ECDSA (3)      
           Signature Algorithm: SHA224 RSA (0x0301)                     Signature Hash Algorithm Hash: SHA224 (3)                     Signature Hash Algorithm Signature: RSA (1)                 Signature Algorithm: SHA224 DSA (0x0302)                     Signature Hash Algorithm Hash: SHA224 (3)                     Signature Hash Algorithm Signature: DSA (2)                 Signature Algorithm: SHA224 ECDSA (0x0303)                     Signature Hash Algorithm Hash: SHA224 (3)                     Signature Hash Algorithm Signature: ECDSA (3)                 Signature Algorithm: rsa_pkcs1_sha1 (0x0201)                     Signature Hash Algorithm Hash: SHA1 (2)                     Signature Hash Algorithm Signature: RSA (1)                 Signature Algorithm: SHA1 DSA (0x0202)                     Signature Hash Algorithm Hash: SHA1 (2)                     Signature Hash Algorithm Signature: DSA (2)                 Signature Algorithm: ecdsa_sha1 (0x0203)                     Signature Hash Algorithm Hash: SHA1 (2)                     Signature Hash Algorithm Signature: ECDSA (3)         Extension: heartbeat (len=1)             Type: heartbeat (15)             Length: 1             Mode: Peer allowed to send requests (1) 

Client Hello when handshake is successful:

TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 358 Handshake Protocol: Client Hello     Handshake Type: Client Hello (1)     Length: 354     Version: TLS 1.2 (0x0303)     Random: b2e7fe85a0e4403ae4fec4d698094b919375f9afed8efff4…     Session ID Length: 0     Cipher Suites Length: 228     Cipher Suites (114 suites)         Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)         Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)         Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)         Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)         Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)         Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)         Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)         Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)         Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)         Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)         Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)         Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)         Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)         Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)         Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)         Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)         Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)         Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)         Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)         Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)         Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)         Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)         Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)         Cipher Suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0x00a7)        
 Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x006d)         Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)         Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)         Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)         Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)         Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)         Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)         Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)         Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)         Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)         Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)         Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)         Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)         Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)         Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)         Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)         Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)         Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)         Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)         Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)         Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)         Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)         Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)         Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)         Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)         Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)         Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)         Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)         Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)         Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)         
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)         Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)         Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)         Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)         Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)         Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)         Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)         Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)         Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)         Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)         Cipher Suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0x00a6)         Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x006c)         Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)         Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)         Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)         Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)         Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)         Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)         Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)         Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)         Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)         Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)         Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)         Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)         Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)         Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)         Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)         Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)         Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)         Cipher Suite: TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)         Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)         
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)         Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)         Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)         Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)         Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)         Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)         Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)         Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)         Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)         Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)         Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)         Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)         Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)         Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)         Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)         Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)         Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)         Cipher Suite: TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f)         Cipher Suite: TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c)         Cipher Suite: TLS_DH_anon_WITH_DES_CBC_SHA (0x001a)         Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)         Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)         Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)         Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA (0x0019)         Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)         Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)         Cipher Suite: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 (0x0017)         Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)         Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)     Compression Methods Length: 1     Compression Methods (1 method)         Compression Method: null (0)     Extensions Length: 85     Extension: ec_point_formats 
(len=4)         Type: ec_point_formats (11)         Length: 4         EC point formats Length: 3         Elliptic curves point formats (3)             EC point format: uncompressed (0)             EC point format: ansiX962_compressed_prime (1)             EC point format: ansiX962_compressed_char2 (2)     Extension: supported_groups (len=28)         Type: supported_groups (10)         Length: 28         Supported Groups List Length: 26         Supported Groups (13 groups)             Supported Group: secp256r1 (0x0017)             Supported Group: secp521r1 (0x0019)             Supported Group: brainpoolP512r1 (0x001c)             Supported Group: brainpoolP384r1 (0x001b)             Supported Group: secp384r1 (0x0018)             Supported Group: brainpoolP256r1 (0x001a)             Supported Group: secp256k1 (0x0016)             Supported Group: sect571r1 (0x000e)             Supported Group: sect571k1 (0x000d)             Supported Group: sect409k1 (0x000b)             Supported Group: sect409r1 (0x000c)             Supported Group: sect283k1 (0x0009)             Supported Group: sect283r1 (0x000a)     Extension: session_ticket (len=0)         Type: session_ticket (35)         Length: 0         Data (0 bytes)     Extension: signature_algorithms (len=32)         Type: signature_algorithms (13)         Length: 32         Signature Hash Algorithms Length: 30         Signature Hash Algorithms (15 algorithms)             Signature Algorithm: rsa_pkcs1_sha512 (0x0601)                 Signature Hash Algorithm Hash: SHA512 (6)                 Signature Hash Algorithm Signature: RSA (1)             Signature Algorithm: SHA512 DSA (0x0602)                 Signature Hash Algorithm Hash: SHA512 (6)                 Signature Hash Algorithm Signature: DSA (2)             Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)                 Signature Hash Algorithm Hash: SHA512 (6)                 Signature Hash Algorithm Signature: ECDSA (3)             Signature Algorithm: 
rsa_pkcs1_sha384 (0x0501)                 Signature Hash Algorithm Hash: SHA384 (5)                 Signature Hash Algorithm Signature: RSA (1)             Signature Algorithm: SHA384 DSA (0x0502)                 Signature Hash Algorithm Hash: SHA384 (5)                 Signature Hash Algorithm Signature: DSA (2)             Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)                 Signature Hash Algorithm Hash: SHA384 (5)                 Signature Hash Algorithm Signature: ECDSA (3)             Signature Algorithm: rsa_pkcs1_sha256 (0x0401)                 Signature Hash Algorithm Hash: SHA256 (4)                 Signature Hash Algorithm Signature: RSA (1)             Signature Algorithm: SHA256 DSA (0x0402)                 Signature Hash Algorithm Hash: SHA256 (4)                 Signature Hash Algorithm Signature: DSA (2)             Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)                 Signature Hash Algorithm Hash: SHA256 (4)                 Signature Hash Algorithm Signature: ECDSA (3)             Signature Algorithm: SHA224 RSA (0x0301)                 Signature Hash Algorithm Hash: SHA224 (3)                 Signature Hash Algorithm Signature: RSA (1)             Signature Algorithm: SHA224 DSA (0x0302)                 Signature Hash Algorithm Hash: SHA224 (3)                 Signature Hash Algorithm Signature: DSA (2)             Signature Algorithm: SHA224 ECDSA (0x0303)                 Signature Hash Algorithm Hash: SHA224 (3)                 Signature Hash Algorithm Signature: ECDSA (3)             Signature Algorithm: rsa_pkcs1_sha1 (0x0201)                 Signature Hash Algorithm Hash: SHA1 (2)                 Signature Hash Algorithm Signature: RSA (1)             Signature Algorithm: SHA1 DSA (0x0202)                 Signature Hash Algorithm Hash: SHA1 (2)                 Signature Hash Algorithm Signature: DSA (2)             Signature Algorithm: ecdsa_sha1 (0x0203)                 Signature Hash Algorithm Hash: SHA1 (2)  
               Signature Hash Algorithm Signature: ECDSA (3)     Extension: heartbeat (len=1)         Type: heartbeat (15)         Length: 1         Mode: Peer allowed to send requests (1) 

When this issue occurs (ie. SSL_do_handshake() fails) SSL_get_error returns SSL_ERROR_SYSCALL, but ERR_get_error() returns 0. We are calling these two methods immediately after SSL_do_handshake().

Appreciate your assistance as this has been going on for some time.

Someone I don’t know is sending me test mail. Is this a scam? [on hold]

In the last couple of weeks I’ve received several e-mails at my work account (a small research non-profit). The format is similar for all:

  • “Test mail” in subject line
  • No content in body
  • Address follows the format: [First name][two or three digit number][last name]@gmail.com
  • I do not recognize the names, and as this is a work account, I generally wouldn’t be receiving messages from someone’s gmail account anyway

This seems suspicious but I can’t figure out what’s going on here.

Sending mails with wp_mail() to multiple recipients using wp_cron and dynamic email body data

I have a frontend submission form, where users can add events to a custom post type. I want to send an email to each user 1 week before this event takes place.

The emails are sent via wp_cron. The function is called with a hook. It's working correctly, but I want to add custom values to the email body.

With my code it's not possible to add dynamic values to the body template of my email.

With the function below, I loop through the events post type and get the required data:

    function leweb_get_events_detail() {

        // Query
        global $wp_query;

        // Arguments
        $args = array(
            'post_type' => 'events',
        );

        // Start the Query
        $query = new WP_Query( $args );

        // Always return an array, even when no event matches
        $results = array();

        // The Loop
        if ( $query->have_posts() ) {

            while ( $query->have_posts() ) {

                $query->the_post();

                $event_date_timestamp = get_post_meta( get_the_ID(), 'event_date_timestamp', true );
                $future_timestamp = strtotime( '+1 week' );

                // Check whether this email has already been sent
                $notification = get_post_meta( get_the_ID(), 'event_creator_notification' );

                if ( ! in_array( '1week', $notification ) && $event_date_timestamp < $future_timestamp ) {

                    $event_id = get_the_ID();
                    $event_email = get_post_meta( get_the_ID(), 'event_email', true );

                    $results[] = array(
                        'event_id'             => $event_id,
                        'event_date_timestamp' => $event_date_timestamp,
                        'event_email'          => $event_email,
                    );
                }
            }
        }

        // Restore the global query and post data once the loop is done
        wp_reset_query();

        return $results;
    }

The function below lets me fetch data from the post_meta array

    function leweb_get_values_from_post_meta( $meta = '' ) {

        $results = leweb_get_events_detail();

        $values = array();
        foreach ( $results as $key => $value ) {
            $values[] = $value[ $meta ];
        }

        return $values;
    }

The function below is called from wp_cron. The email is sent to all recipients who match the above conditions and a value is added to the post meta, to prevent multiple sends of this email.

    function leweb_send_mail_to_author() {

        // Read all emails from the array and prepare them for the BCC field in the email header
        $emails = leweb_get_values_from_post_meta( 'event_email' );

        if ( ! empty( $emails ) ) {

            $emails = 'BCC: ' . implode( ',', $emails );

            // Send the email
            $to = '';
            $subject = 'Dein Event findet bald statt!';
            $body = file_get_contents( get_stylesheet_directory() . '/templates/email/event-creator-notification.php' );
            $headers = array( 'Content-Type: text/html; charset=UTF-8', 'From: Example <office@example.com>', $emails );

            wp_mail( $to, $subject, $body, $headers );

            // Add a value to post_meta to prevent sending this email more than once
            $post_id = leweb_get_values_from_post_meta( 'event_id' );

            foreach ( $post_id as $id ) {
                add_post_meta( $id, 'event_creator_notification', '1week' );
            }
        }
    }

After I coded this I figured out that it's not possible to send dynamic content in the body of my email. The only way to achieve this is to call wp_mail() in a foreach. But this would be heavy, I think? It's possible that this job sends up to a hundred emails per run in the future…

So I was wondering if there is another way to do this cleanly?

Thanks for your opinions. I know it's a bit complex, but I don't have any other ideas…

How can SubtleCrypto help in the process of sending a password via HTTPS?

I heard from someone that SubtleCrypto should be used in client-server communications to login and register, then he told me it would be useful even if someone took control in the middle of the HTTPS connection. I always thought that once the TLS failed, nothing else could be reliable (at least between 2 peers.)

Since I’ve never heard of SubtleCrypto nor this case specifically, and the documentation I’ve found is scarce and not really concrete, could someone explain how this would work? (if it would)

Edit: note that the way he thought of was encoding the password with SubtleCrypto, then sending it to the server.
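What "encoding the password with SubtleCrypto, then sending it" amounts to on both ends, as an added example that is not part of the original question: a Node.js simulation in which `clientEncode`, `register`, `login`, `runDemo` and the sample account are constructed, hypothetical names. It shows that the digest the browser sends is itself the credential the server accepts, so it adds nothing once the TLS channel carrying it can no longer be trusted.

```javascript
// Added example; all names and values are constructed for illustration.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const hex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Browser side: the "encode the password with SubtleCrypto" idea from the question.
async function clientEncode(password) {
  return hex(await wc.subtle.digest('SHA-256', enc.encode(password)));
}

// Server side: salted, slow hash of whatever string arrives in the request.
async function slowHash(submitted, salt) {
  const key = await wc.subtle.importKey('raw', enc.encode(submitted), 'PBKDF2', false, ['deriveBits']);
  const params = { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 100000 };
  return hex(await wc.subtle.deriveBits(params, key, 256));
}

const users = new Map(); // hypothetical in-memory user store

async function register(email, submitted) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  users.set(email, { salt, stored: await slowHash(submitted, salt) });
}

async function login(email, submitted) {
  const user = users.get(email);
  if (!user) return false;
  const candidate = await slowHash(submitted, user.salt);
  // Compare without an early exit so timing does not depend on the first mismatch.
  let diff = candidate.length ^ user.stored.length;
  for (let i = 0; i < candidate.length; i++) {
    diff |= candidate.charCodeAt(i) ^ user.stored.charCodeAt(i);
  }
  return diff === 0;
}

async function runDemo() {
  const email = 'alice@example.com';
  const password = 'correct horse battery staple';
  const body = await clientEncode(password); // the value that travels inside TLS
  await register(email, body);
  return {
    honestLogin: await login(email, await clientEncode(password)),
    // The request body alone is accepted: the digest is the credential.
    capturedBodyAccepted: await login(email, body),
    // The server only ever knew the digest, so the plaintext itself is rejected.
    plaintextAccepted: await login(email, password),
    wrongPassword: await login(email, await clientEncode('guess')),
  };
}
```

The salted, slow hash on the server still protects the stored value; the client-side digest only changes what the secret looks like on the wire.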