Can you restrict the services a certificate can access on the client side?

I have a verification certificate signed by my organisation’s CA, which I can use to authenticate my user account on intranet web services.

Is there some way I can sign a new certificate which can only authenticate to one specific web service? Or some other way to enable limited access to one web service by a script I don’t want to give full access to my verification certificate?

Unfortunately I don’t have access to modify the web service, which is running nginx.

Why server side hashing is required if the client side hashing is already in place?

I am looking for best practice for username/password login. People have different views on client-side hashing of passwords.

From Google’s recommendation (https://cloud.google.com/solutions/modern-password-security-for-system-designers.pdf):

The client side hashing should be implemented as below:

Have the client computer hash the password using a cryptographically secure algorithm and a unique salt provided by the server. When the password is received by the server, hash it again with a different salt that is unknown to the client. Be sure to store both salts securely.

My questions are

  1. I agree the server should send a (unique) salt to the client. But why does the server need to hash the client result again with another salt?

  2. Does the above mechanism suggest the server should store both salts as separate columns in the database table? And assume both salts are static (not changed per login)?

  3. SSL/TLS has mechanisms to avoid replay attacks. Does the above mechanism provide extra value to counter replay attacks? I don’t see any random factor in the static salts and I cannot relate anything that can address replay attacks.

Is there a vulnerability other than XSS which can result in client side script execution?

If the intention of an attacker is to execute an arbitrary client-side script in the context of a web application, is XSS the only possible attack other than compromising the server with an RCE or a sub-resource supply chain attack? I am looking for attacks which can be mitigated by an application owner rather than attacks which the application cannot control.

  • XSS is Cross Site Scripting – be it reflected, persistent or DOM based.
  • A sub-resource supply chain attack is where you compromise a sub-resource such as CSS, JavaScript, Flash objects etc. by compromising the supply chain, i.e. compromising the CDNs, S3 buckets etc., or by MITM of a sub-resource loaded over a non-HTTPS channel.

Can a spell Conjure Elemental be used to make an elemental appear on the other side of a closed door?

The spell states:

You call forth an elemental servant. Choose an area of air, earth, fire, or water that fills a 10-foot cube within range.

So let’s say a party is standing in front of a closed/barred door and there is a group on the other side getting ready and waiting for them. Could a wizard cast the Conjure Elemental spell and choose an area where the elemental will appear on the other side of that closed door (thus in the midst of the enemies preparing themselves for combat)?

Should I take a side in an external player conflict, or let my game die?

I’m the DM for a homebrew campaign that I’ve been running for about 2 years. Our group is me plus four players and we’ve been lucky enough to meet fairly consistently on a weekly basis, so I’m loath to be asking this question at all…

The situation: We meet at an apartment shared by two of my players (let’s call them Jack and Jill), who were dating when we started the game. They broke up about a month ago but we were still playing up until now. However, today Jack messaged me saying he’s no longer on speaking terms with Jill and never will be again. He is looking to move out as soon as their lease ends.

Obviously this creates a difficult and awkward atmosphere for all involved, and playing with both of them will be impossible. But I really don’t want to have to scrap my game entirely. I also don’t want to seem like I’m “taking sides” (even though I don’t even know what happened).

What can I do to salvage my game at this point? Should I jump ship and get two new players entirely, or pick just one player to “keep”?

Should user input be validated/checked for its length in PHP (server side) as a security measure?

Important to note that this user input is something that, after validation & sanitation, will be inserted into a database and later on be shown to other users on the same web site (example: a forum). I’m referring to both a case when I know in advance what length I should expect from the user and a case in which I don’t, but know vaguely that it’s not more than 100 in length. I’m trying to figure out if there are any security advantages to checking user input length in PHP, taking into account that I’m already validating & sanitising user input based on the type of content I’m expecting, using regex. I know this differs from language to language, so I want to refer to PHP this time, but any reference to other languages like Java, .NET, Python etc. would be fine.

Client + server side hashing

I don’t want the password to be sent in clear text over the internet; even when using HTTPS, the server admin can read the password if they somehow cache or log POST requests.

Now what I have come up with is the following.

  1. Generate a “salt” from the user email and extend it with padding like this:

     var email = "example@example.com";
     const padding = "0x12564213155763573"; // constant for all users; padEnd needs a string, not a number
     var extended = email.padEnd(100, padding); // append the padding at the end of the email; maximum string length is 100
     var salt = sha256(extended); // sha256() is the poster's assumed hash helper

Then calculate a hash of the password using PBKDF2 like this:

     var password = pbkdf2("user password", salt, 10000, 128); // pbkdf2() is the poster's assumed helper: 10000 iterations, 128-byte output

Now that hashed password will be the actual password of the user; it will be sent to the server, and the server will calculate another hash of that hash.

Now I’m posting this here because I came up with this on my own and I feel like something is missing or wrong here; as they say about cryptography, you shouldn’t invent it yourself. So I’m open for discussions & ideas.

Why do some cars only have a physical lock on the driver side?

I have a car (TSX) and I realize that sometimes I will need to use the physical key instead of the electronic key fob to unlock my car, such as if there is something wrong with the electronics or my battery has died. But then I realize that on the passenger side of my car, there is no keyhole for it!

I also rented a car (Mazda 2) a while back and that car did not have an electronic key fob to unlock the door remotely. I went to open the door first for my wife, but then I realized that there is no lock hole on the passenger side! I had to unlock my driver-side door first and then unlock hers from the inside.

Also, something has gone wrong with the electronic trunk button inside my car, so I can only open my trunk using the key fob. Why isn’t there a physical lock on my trunk too?

Why doesn’t my car have a physical lock on the passenger side? Is it just because car manufacturers are being cheap?

Context-free grammar: how to have an unequal number of a’s on either side of a b

I have been trying to create a CFG for the set

{ w = a^i b a^j | i ≠ j }

To my understanding, there are essentially 2 scenarios, one where there are more ‘a’s on the left side of ‘b’, and one where there are more ‘a’s on the right side of ‘b’. So far I have come up with:

S = TbR | RbT
T = aT | ε
R = TaT

My intention is to have R always have more ‘a’s than T; however, I don’t think this is correct, as T can be greater than R in this definition, since R could be just ‘a’ while T is ‘aa’. I need a bit of help defining 2 variables T and R, where R always has more ‘a’s than T.
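Whether a grammar really matches a target language is easy to check mechanically for short strings, which is more reliable than reasoning about it by eye. The following is an added example written for this page, not code from the question: it enumerates everything a grammar derives up to a length bound and diffs that against { a^i b a^j | i ≠ j }. The first grammar is the poster's, copied from the question. The second (nonterminal names S and A chosen here) is the standard nested form, in which S → aSa peels one a off each end and the remainder is a^k b or b a^k with k ≥ 1, so the two sides can never tie; it is included to show what a passing check looks like.

```javascript
// Added example, not code from the question. A grammar maps each nonterminal to its
// productions; uppercase letters are nonterminals, other characters are terminals,
// '' is epsilon. Assumes every production either adds a terminal or removes a
// nonterminal (true of both grammars below), so the expansion below terminates.
const posterGrammar = {
  S: ['TbR', 'RbT'],
  T: ['aT', ''],
  R: ['TaT'],
};

// Nested form (nonterminal names chosen for this example).
const nestedGrammar = {
  S: ['aSa', 'Ab', 'bA'],
  A: ['aA', 'a'],
};

const isNonterminal = (ch) => ch >= 'A' && ch <= 'Z';
const terminalCount = (form) => [...form].filter((c) => !isNonterminal(c)).length;

// Every terminal string the grammar derives with at most maxLen symbols, found by
// breadth-first leftmost expansion of sentential forms. Terminals are never removed,
// so a form that already exceeds maxLen can be pruned.
function generate(grammar, maxLen, start = 'S') {
  const results = new Set();
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length > 0) {
    const form = queue.shift();
    const idx = [...form].findIndex(isNonterminal);
    if (idx === -1) { results.add(form); continue; }
    for (const prod of grammar[form[idx]]) {
      const next = form.slice(0, idx) + prod + form.slice(idx + 1);
      if (terminalCount(next) > maxLen || seen.has(next)) continue;
      seen.add(next);
      queue.push(next);
    }
  }
  return results;
}

// Direct definition of the target language, used as the oracle.
function inTarget(w) {
  const m = /^(a*)b(a*)$/.exec(w);
  return m !== null && m[1].length !== m[2].length;
}

// All target strings of length <= maxLen.
function target(maxLen) {
  const out = new Set();
  for (let i = 0; i <= maxLen; i++) {
    for (let j = 0; i + 1 + j <= maxLen; j++) {
      const w = 'a'.repeat(i) + 'b' + 'a'.repeat(j);
      if (inTarget(w)) out.add(w);
    }
  }
  return out;
}

// Strings the grammar derives but the language excludes (extra), and the reverse (missing).
function mismatches(grammar, maxLen) {
  const gen = generate(grammar, maxLen);
  const tgt = target(maxLen);
  return {
    extra: [...gen].filter((w) => !tgt.has(w)).sort(),
    missing: [...tgt].filter((w) => !gen.has(w)).sort(),
  };
}

console.log('poster grammar:', mismatches(posterGrammar, 7));
console.log('nested grammar:', mismatches(nestedGrammar, 7));
```

For the poster's grammar the check reports the balanced strings aba, aabaa and aaabaaa as extra, which is exactly the i = j case the question is worried about: T and R are expanded independently, so nothing ties the count on one side to the count on the other. The nested grammar reports no mismatches, because the only place the two counts interact is the S → aSa rule that consumes them in lockstep.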