TLS 1.2 Handshake: Does the server have to take all extensions sent by the Client?

I am unsure about how extensions are handled in TLS v1.2.

During the handshake, the client is able to add some extensions to the ClientHello. As far as I understood, the server can pick an arbitrary subset from this list in the ServerHello, similar to picking the cipher suite from those the client provided in the ClientHello. Is this correct?

If not, is it that the server can either take all those extensions into account, or must abort the handshake? I am not sure which is true.

I was looking for an adequate answer here in RFC5246, but didn’t really find the one statement I am looking for.
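As an added example (not part of the question above), the following Node-runnable JavaScript encodes and parses the TLS 1.2 extensions field of a ClientHello/ServerHello (RFC 5246 section 7.4.1.4: a 2-byte total length, then entries of 2-byte type, 2-byte length, data) and checks the rule that section states: a ServerHello may carry only extension types that appeared in the ClientHello, and it may omit any of them. The hello bodies and the host name `a.test` are constructed for the example.

```javascript
// Added example: encode/parse the TLS 1.2 "extensions" field and check the
// RFC 5246 7.4.1.4 rule that the ServerHello only echoes offered types.
// The sample hello bodies below are constructed, not captured traffic.

// Extension type numbers from the IANA TLS ExtensionType registry.
const EXT = {
  server_name: 0,
  supported_groups: 10,
  ec_point_formats: 11,
  signature_algorithms: 13,
  extended_master_secret: 23,
  renegotiation_info: 0xff01,
};

// Wire form: 2-byte total length, then per extension 2-byte type,
// 2-byte data length, data bytes.
function encodeExtensions(exts) {
  const body = [];
  for (const { type, data } of exts) {
    body.push(type >> 8, type & 0xff, data.length >> 8, data.length & 0xff, ...data);
  }
  return Uint8Array.from([body.length >> 8, body.length & 0xff, ...body]);
}

// Parse the wire form back into [{type, data}], rejecting truncated input
// (a length that runs past the buffer) instead of silently misparsing it.
function parseExtensions(bytes) {
  if (bytes.length < 2) throw new Error('extensions field too short');
  const total = (bytes[0] << 8) | bytes[1];
  if (total + 2 !== bytes.length) throw new Error('extensions length mismatch');
  const exts = [];
  let off = 2;
  while (off < bytes.length) {
    if (off + 4 > bytes.length) throw new Error('truncated extension header');
    const type = (bytes[off] << 8) | bytes[off + 1];
    const len = (bytes[off + 2] << 8) | bytes[off + 3];
    off += 4;
    if (off + len > bytes.length) throw new Error('truncated extension data');
    exts.push({ type, data: bytes.slice(off, off + len) });
    off += len;
  }
  return exts;
}

// Returns the server extension types the client never offered (empty = OK).
// RFC 5246 7.4.1.4: an extension type MUST NOT appear in the ServerHello
// unless it appeared in the ClientHello; leaving offered ones out is allowed.
function unexpectedServerExtensions(clientBytes, serverBytes) {
  const offered = new Set(parseExtensions(clientBytes).map(e => e.type));
  return parseExtensions(serverBytes)
    .map(e => e.type)
    .filter(t => !offered.has(t));
}

// Constructed sample: client offers four extensions, server answers two.
const hostBytes = Array.from('a.test', c => c.charCodeAt(0)); // constructed SNI name
const clientHelloExts = encodeExtensions([
  // server_name: list length, name type 0 (host_name), name length, name
  { type: EXT.server_name, data: [0, hostBytes.length + 3, 0, 0, hostBytes.length, ...hostBytes] },
  { type: EXT.supported_groups, data: [0, 2, 0, 23] },     // secp256r1
  { type: EXT.signature_algorithms, data: [0, 2, 4, 1] },  // sha256 + rsa
  { type: EXT.extended_master_secret, data: [] },
]);
const goodServerHelloExts = encodeExtensions([
  { type: EXT.extended_master_secret, data: [] },
  { type: EXT.server_name, data: [] }, // empty in the ServerHello per RFC 6066
]);
const badServerHelloExts = encodeExtensions([
  { type: EXT.extended_master_secret, data: [] },
  { type: EXT.ec_point_formats, data: [1, 0] }, // never offered by the client
]);

console.log('good ServerHello violations:', unexpectedServerExtensions(clientHelloExts, goodServerHelloExts));
console.log('bad ServerHello violations:', unexpectedServerExtensions(clientHelloExts, badServerHelloExts));
```

One caveat a checker built on this rule needs: RFC 5746 lets a client signal renegotiation support with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite instead of the extension, and the server then still sends an empty renegotiation_info (type 0xff01) extension in its ServerHello, so that one type has to be special-cased rather than flagged.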

Is there ANY way to log the last sent links to SEO Indexer/other services?

Does SER keep a list of last links created, from all projects, that went out/are to go out to indexers?
I am guessing the master verified list is kind of like that, but also includes verified links that AREN’T to be indexed…
Maybe it would be a good idea for SER to have an option of keeping separate log files for links sent to each indexer going back a few days. (GSA SEOIndexer, LinkLicous, etc.)
I don’t know what is acceptable or not to feed indexers, in terms of file format, but at the LEAST, a couple of blank lines could delineate separation of days, if that doesn’t otherwise mess them up. So, the IndexerLog(s) could go back a week, even, and the user could know which links are from the last day, 2 days, etc.
This way, a user could even RE-FEED links to a second, or even third indexer after the fact by importing the file or copying the days wanted from the log to the clipboard.
And, in the event of losing the last_queue file, as I did with an update of SEO Indexer, SER would still have a copy.
From what I’m now learning (and should have a while ago :| ) indexing is key. So we should have the ability to re-index with another service, for very important project runs, in case of losing the queue in SEO Indexer, etc.
For now, I guess I can go to SER’s verified list and take the last 3 days’** links and index ALL of them, even though not all were to be indexed. So, the links ARE there, just not separated into ones I wanted to index and others, initially.
(**I had been saving the links to index keeping the thread count low so I could have threads higher on other programs.)

Thanks!

Why are cookies sent with HTML page’s cross domain requests but not with JS’s XHR?

When we write an HTML page with a form tag, an action attribute and a submit button, then as soon as we click on submit a request is sent (with cookies) to the URL that was the value of the action attribute.

But if we send a cross-domain request to the same domain with JS’s XHR, cookies won’t be sent.

In both cases, requests are sent to another domain, but still cookies are sent only in the first case. Why so?

OpenID Authentication Method Reference Name for a code sent via email

Introduction:

I am currently implementing the acr_values, acr & amr principles on an OpenID Provider server.

The claim amr (described in the OpenID RFC 1.0) has no standard clearly defined in this same RFC, but I would like to base the system on RFC 8176, which is referenced by IANA.

One of the server’s authentication methods is sending a confirmation code via email.

About the authentication method:

The server generates the code with a cryptographically secure pseudo-random number generator and stores a hash of it using argon2. The code is sent to an email address, then the hashes are compared on another request. There is a short expiration time for each code. This method is indeed not considered by the server as a secure method to prove an identity, but is still selectable when no access to any resource is required.

The question is:

What Authentication Method Reference Name would you use in this case?

Most descriptions are quite strict, so I only see mca as a possibility today. It is not an otp to me since it is not implementing https://tools.ietf.org/html/rfc4226.

Thanks for sharing.

I’ve sent a clear copy of my ID card using the WiFi at work

The title says it all: I needed to send my ID to some website so that they could verify my identity. But I took the picture with my phone, then sent it to myself via Messenger on iOS. I sent the picture to myself on Messenger so that I could download it on my PC and then censor my personal information. Right after I had downloaded the image, I realized that I was using the WiFi at work instead of my own 4G hotspot. The image I sent contains a clear copy of my ID, and so does the image that I downloaded. Is there any chance that they can intercept the traffic and obtain a clear copy of my ID?

Perform CSRF attack when CSRF token is sent in Custom Request header

I have found that the web application uses a weak algorithm to generate the CSRF token. The CSRF token is sent in a request header:

X-CSRF-TOKEN: "token-string"

Since the request header is being used, how to do a CSRF attack to perform a sensitive action in real time?

Custom headers can be sent using JS, but it’s blocked due to CORS. I have seen a few threads which mention that ActionScript in Flash can be used to send custom headers. Does that still work? (Considering Chrome has stopped supporting Flash.) Is there any way I can perform the attack?
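As an added example (not part of this question or the earlier one about cookies on form submissions versus XHR), the following Node-runnable JavaScript encodes the browser rule that decides both cases: a cross-origin request that a plain HTML form can produce is "simple" and goes out without a preflight, while an XHR or fetch carrying a non-safelisted header such as X-CSRF-TOKEN (or a JSON Content-Type) is preflighted, so a page on another origin cannot deliver that header unless the target's CORS policy explicitly allows it. A second helper states when cookies are attached: always for a form submission, and for an XHR/fetch only when the script asked for credentials, with SameSite cookie attributes able to withhold them in either case. The request objects are constructed; the `kind` and `credentials` fields are assumptions of this example, standing in for a form versus an XHR with `withCredentials`.

```javascript
// Added example: classify a cross-origin request as simple or preflighted,
// following the Fetch standard's CORS-safelisted method/header definitions,
// and state when the browser attaches cookies. Scenarios below are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
// Header names a browser lets any cross-origin request carry without preflight.
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// The only Content-Type media types that stay safelisted.
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// request: { method, headers: { name: value } }
// Returns { preflight, reasons }: reasons lists what forced the preflight and
// is empty when the browser would send the request as a simple request.
function classifyCrossOriginRequest(request) {
  const reasons = [];
  const method = (request.method || 'GET').toUpperCase();
  if (!SAFE_METHODS.has(method)) reasons.push(`method ${method} is not CORS-safelisted`);
  for (const [rawName, value] of Object.entries(request.headers || {})) {
    const name = rawName.toLowerCase();
    if (!SAFE_HEADERS.has(name)) {
      reasons.push(`header ${rawName} is not CORS-safelisted`);
    } else if (name === 'content-type') {
      // Only the media type matters; parameters such as charset are ignored.
      const mediaType = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mediaType)) {
        reasons.push(`Content-Type ${mediaType} is not CORS-safelisted`);
      }
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

// Whether the browser attaches cookies to the outgoing request. A form
// submission always carries them; an XHR/fetch only with withCredentials /
// credentials: 'include' (assumed field: credentials). SameSite cookie
// attributes can still withhold cookies in both cases, and whether the
// response is readable is a separate question answered by Access-Control-*.
function cookiesAttached(request) {
  return request.kind === 'form' || request.credentials === true;
}

// Constructed scenarios matching the two questions.
const formPost = {
  kind: 'form', method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
};
const xhrNoCreds = {
  kind: 'xhr', method: 'POST', credentials: false,
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
};
const xhrCsrfHeader = {
  kind: 'xhr', method: 'POST', credentials: true,
  headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': 'token-string' },
};

for (const [label, req] of Object.entries({ formPost, xhrNoCreds, xhrCsrfHeader })) {
  const { preflight, reasons } = classifyCrossOriginRequest(req);
  console.log(label, { preflight, reasons, cookies: cookiesAttached(req) });
}
```

The practical consequence for the CSRF question: a guessable token only becomes exploitable if the application also accepts it somewhere a simple request can put it (a form field or query parameter), or if the target's CORS policy reflects arbitrary origins with Access-Control-Allow-Credentials and allows the custom header in the preflight response. The Flash route, which depended on a permissive crossdomain.xml, went away with Flash itself.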

Is there a way to find out WHO sent me a life threatening text? [on hold]

Recently I received several text messages from TWO different numbers that I did not recognize. I called the numbers back and texted them, but there was no answer or voicemail. I googled them as well, with no hits. Thus, I contacted my local authorities, who stated the calls definitely came from someone who utilized a “text app”. The investigator stated it is impossible to find out exactly WHO texted it, or what number it REALLY originated from, and that it is unlikely I would be able to prosecute UNLESS I knew the REAL number/account/phone that was used.

He said these text app companies purposely don’t keep records, and know that people are disguising their number. Odds are they used a WiFi connection. Is this accurate? Or does anyone know how I could pinpoint who sent those texts? Thanks!

Should we allow email invitations sent to an email address to be used with another?

Let’s say I have a SaaS platform, like a B2B platform where there are company accounts.

In this platform users can invite other users to join the company account by sending them an invitation link in an email with a secure token (à la Google Drive or GitHub).

Should we then let the invited user subscribe using a different email from the one at which they received the invitation?

That question primarily concerns UX, although some security concerns might also be raised (I couldn’t find a more appropriate site for this kind of question).

A received text message that was never sent, on iPhone

My girlfriend asked me why I texted her at 2:30 am. But I went to bed at 2 am and that message was not recorded on my phone. She has an iPhone and I have a Samsung Galaxy S9. She sent me a picture of the text, and yes, in fact it was a message from my number, but I never sent it. Can it be an old message that was sent automatically from my number? An iPhone glitch perhaps? I would like to know the reason. Thank you