Password is visible in online sign up form

I am about to sign up for an online school, which is an accredited statewide online school, and notice that the password they want me to enter is fully visible on the form. Should I be concerned about their information security? Does a form like this indicate that the way the school protects students' data is not secure, such as storing the password verbatim rather than as something like a one-way hash?

If such forms violate established data security practices, what document(s) should I refer to the school’s IT people regarding that?


Restrict CA to issue certificates for one domain or to be able to sign just one server certificate

I have a server and I want my iPhone to connect to it securely. However, I cannot just install the self-signed server certificate on my iPhone. When I install the profile (that’s what they call the certificate), it says "Not verified".

Normally, you would go to CA Trust settings and enable full trust for the certificate. BUT I deliberately made the certificate with critical,CA:false constraint. That’s the reason it does not show in the CA Trust settings.

Why did I do it — I just need to install the single certificate and I don’t want to totally compromise my iPhone security, if my CA credentials got stolen.

Does this have a solution? iOS probably requires a CA to trust a certificate, but I don't want a possibility to create certificates at all (beside the one), or at least for other domains.


One potential "solution" might be to create the CA, sign the server certificate and then delete the CA key, as it would not be needed and would live for a shorter time (lower chance to get stolen).

However, people other than me wouldn't be stoked to install it. (I don't want to buy a certificate as it's a home project and I don't even have a domain name, just the IP address.)

The certificate complies with Apple's current requirements for server certificates. (https://support.apple.com/en-us/HT210176)
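Two X.509 extensions address exactly the two limits asked about, a path length of zero and name constraints; this is an added example (not from the post) of an openssl.cnf extension section for the CA's own certificate, assuming a constructed server address 192.0.2.10.

```ini
# Extension section for the home CA certificate (constructed example, not
# from the post). Select it with "-extensions home_ca_ext" when self-signing.
[ home_ca_ext ]
# CA:TRUE is what lets iOS offer the certificate in CA Trust settings;
# pathlen:0 means it may sign end-entity certificates only, never another CA.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Permitted subtree: only certificates naming this single address validate.
# The IP form is address/netmask; 192.0.2.10 is a constructed placeholder.
nameConstraints = critical, permitted;IP:192.0.2.10/255.255.255.255
```

Both extensions are checked by the validating client, so even with the CA key in someone else's hands a certificate for any other name fails to chain on clients that implement RFC 5280 name constraints; constraints only bind the name types they list, so a DNS permitted subtree is needed if the server ever gets a hostname.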

Sign records in a database

I have a table in my database where I store records to be processed later (basically orders that need to be invoiced or something similar, but this is not the important part).

Since this software runs on-premises, pro-users control the database and they're able to insert records directly into it. They usually do this to make my system process records in an unsupported way. Obviously, this leads me to problems that I often need to deal with: inconsistency, invalid domain, missing fields, etc.

To avoid this problem, I'd like to know what my options are to "sign records", that is, identify the records generated by my system in a way that others cannot reproduce.

Several approaches came to my mind when I think about this problem:

  • Create some undocumented record hash (that can be reverse engineered);
  • Use a digital certificate to sign records (where to store the digital certificate? the system runs offline on-premises);
  • Use some kind of blockchain approach: linking a record with the previous + some proof of work (maybe too hard to implement and error prone).

Are there other approaches I am not considering? If not, between the ones I listed, is there an approach I should stick with/avoid?
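Of the listed options, a keyed tag (HMAC) is the standard way to mark records that nobody without the key can reproduce, and chaining each tag to the previous record's tag gives the "link with the previous record" property without any proof of work. This is an added example in Python (not from the post); the key, field names and order rows are constructed, and the key must live somewhere the database operators cannot read it, since anyone holding it can forge tags.

```python
import hashlib
import hmac
import json

# Constructed demo key; in a deployment it comes from a secret store that
# the people with direct database access cannot read.
SECRET_KEY = b"demo-key-not-for-production"
SIGNED_FIELDS = ("id", "customer", "amount", "currency")  # constructed schema
GENESIS = "0" * 64  # prev_tag for the first record of the chain


def canonical(record, prev_tag):
    """Deterministic bytes for the covered fields: sorted keys and fixed
    separators, so column order or whitespace cannot change the tag."""
    payload = {k: record[k] for k in SIGNED_FIELDS}
    payload["prev_tag"] = prev_tag
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record, prev_tag, key=SECRET_KEY):
    """HMAC-SHA256 over the canonical form, chained to the previous tag."""
    return hmac.new(key, canonical(record, prev_tag), hashlib.sha256).hexdigest()


def make_chain(plain_records, key=SECRET_KEY):
    """Tag records in insertion order; each tag covers the previous one."""
    out, prev = [], GENESIS
    for rec in plain_records:
        signed = dict(rec, tag=tag_record(rec, prev, key))
        out.append(signed)
        prev = signed["tag"]
    return out


def verify_chain(records, key=SECRET_KEY):
    """Return the index of the first bad record, or -1 if all verify.
    Catches edited fields and forged rows (wrong or missing key) as well as
    removed or reordered rows (the chain no longer links up)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = tag_record(rec, prev, key)
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return i
        prev = rec["tag"]
    return -1


# Constructed sample rows.
ORDERS = [
    {"id": 1, "customer": "acme", "amount": "120.00", "currency": "EUR"},
    {"id": 2, "customer": "globex", "amount": "75.50", "currency": "EUR"},
]
```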

Why does keycloak use HS256 algorithm to sign access token when client settings specify RS256?

I have the following setup with a keycloak authentication server and an application:

  1. user logs in on the application client side, sends un/pw to the server
  2. application server sends un/pw to the keycloak server for a token
  3. keycloak server sends a token back to the application server
  4. application server outputs a web page with sensitive data

I want to use RS256 to sign my tokens. When I try to get a token on the client side, they are correctly signed with RS256, but as soon as I try to get one on the server, HS256 is used. How can I set keycloak to use RS256 in both cases?

I use the /auth/realms/{REALM_NAME}/protocol/openid-connect/token endpoint and keycloak 10.0.1.

Keycloak configuration:

  • keys
    • realm keys are HS256, AES, and RS256 (listed in this order) all with a priority of 100 (EDIT: even if I set the RS256 key priority to a higher value, HS256 is used)
    • default signing algorithm for the realm is set to RS256
  • client
    • access token signature algorithm and ID token signature algorithm for the client are set to RS256
    • the client is public
    • Valid redirect URIs contain the domain where the application server is currently running (which is localhost but my computer has a domain name)
    • Web origins is set to "+" (which as far as I'm aware copies entries from the valid redirect URIs)

Google seems to return no results related to my problem.

LifeLong Free Web Hosting – Sign Up Today : Hostpoco.com

For every webmaster who wants to start a new business and is looking for a reliable hosting plan, Hostpoco is the best solution.

“Now Hostpoco is becoming the first choice for Free Web Hosting in Google Search and we are always trying to give the best possible features with our services and hence most of the clients are now moving with Hostpoco. Our features like max space and bandwidth perfectly suit for startups..hence we are requesting everyone to try our services once and then decide”

Free Startup plan: $0/Lifetime

• Single Domain Hosting
• 200MB Web Space
• 200MB Bandwidth
• 2 Email Accounts
• 2 Sub Domains
• FREE Auto SSL
• DDOS Protection
• 99.99% uptime
• Softaculous Supported
• Tier 1 Technical Support

Hostpoco offers you the freedom to upgrade your existing Free Web Hosting plan to a paid Unlimited Web Hosting service plan, and we guarantee that there won't be any type of data loss during such upgrades. You simply need to initiate the upgrade from the client area and pay the respective amount, and the new package will be assigned as soon as you are done with the payment! Note: the Free Hosting Package is limited to a quantity of 1 per account.

For more details: https://www.hostpoco.com/

Thank you.

Is SerializationException sign of Serialization/Deserialization vulnerability?

I am doing a bug bounty. I intercepted the POST request to the registration form on the target website. I modified the first name and last name POST params to inject bad chars (in order to SQL inject), but the API/Registration service sends me a response with a 400 error code for bad request and body content: {"__type":"SerializationException"}

This type of response reminds me of Serialization/Deserialization vulnerabilities. I have never exploited this vulnerability but I have read content about it. I know the target sends the request to an Amazon web server.

This is the request, intercepted and modified in Burp:

    POST / HTTP/1.1
    Host: XXXX.us-east-1.amazonaws.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://XXX.domain.com/sign-up
    Content-Type: application/x-amz-json-1.1
    X-Amz-Target: AWSCognitoIdentityProviderService.SignUp
    X-Amz-User-Agent: aws-amplify/0.1.x js
    Origin: https://XXX.domain.com
    Content-Length: 365
    DNT: 1
    Connection: close

    {"ClientId":"3ck15a1ovXXXXX97vs3tbjb52","Username":"an-email@my-domain.com","Password":"Apassword","UserAttributes":[{"Name":"email","Value":"an-email@my-domain.com"},{"Name":"birthdate","Value":"1980-01-01"},{"Name":"given_name","Value":"<>'\"\é`"},{"Name":"family_name","Value":"<>'\"\é`"},{"Name":"locale","Value":"en-us"}],"ValidationData":null}

This is the response:

    HTTP/1.1 400 Bad Request
    Date: Fri, 01 May 2020 08:08:38 GMT
    Content-Type: application/x-amz-json-1.1
    Content-Length: 35
    Connection: close
    x-amzn-RequestId: a2cf8b37-a837-4dfc-a385-058bxxxxxxx
    Access-Control-Allow-Origin: *
    x-amzn-ErrorType: SerializationException:
    Access-Control-Expose-Headers: x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date

    {"__type":"SerializationException"}

I know the website uses these technologies:

Vue.js, HTTP/2, webpack, Adobe DTM

Note: I read on the internet that Adobe DTM is programmed in Java. Coincidence?

At this point, which tests should I try, and is this message the sign of a potential serialization/deserialization vulnerability?
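The quoted body contains the two-character sequence \é inside a JSON string, which is not a JSON escape, so a JSON-only API front end rejects the whole body before any field is examined; this is an added example (not from the post) that reproduces that parse failure offline and contrasts it with the same characters encoded by a JSON library (the ClientId value is the redacted one from the post).

```python
import json

# Constructed from the body quoted in the post. JSON defines only the escapes
# \" \\ \/ \b \f \n \r \t and \uXXXX, so the "\é" inside given_name is invalid.
MALFORMED_BODY = r'''{"ClientId":"3ck15a1ovXXXXX97vs3tbjb52","Username":"an-email@my-domain.com","UserAttributes":[{"Name":"given_name","Value":"<>'\"\é`"}],"ValidationData":null}'''

# The same characters, encoded by a JSON library instead of typed by hand:
# the accented letter becomes \u00e9 and the quote becomes \".
WELL_FORMED_BODY = json.dumps({
    "ClientId": "3ck15a1ovXXXXX97vs3tbjb52",
    "Username": "an-email@my-domain.com",
    "UserAttributes": [{"Name": "given_name", "Value": "<>'\"\u00e9`"}],
    "ValidationData": None,
}, separators=(",", ":"))


def classify_body(body: str) -> str:
    """Mimic a JSON-only front end: the body is parsed in full before any
    field is looked at. Returns 'parsed' or 'malformed-json: <why> at <pos>'.
    A malformed body never reaches field validation or application code,
    which is why a wire-format SerializationException on its own is not
    evidence of an object-deserialization sink."""
    try:
        json.loads(body)
        return "parsed"
    except json.JSONDecodeError as err:
        return f"malformed-json: {err.msg} at offset {err.pos}"


def attribute_value(body: str, name: str) -> str:
    """Return the Value of the named UserAttribute from a well-formed body."""
    doc = json.loads(body)
    return next(a["Value"] for a in doc["UserAttributes"] if a["Name"] == name)
```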

Modified sign function VC dimension

If we have $f:\mathbb{R} \rightarrow \{\pm 1\}$, and $\mathcal{F}$ and $\mathcal{F}'$, what are the VC dimensions of

$\mathcal{F} = \{\operatorname{sign}(\prod_{i=1}^n (x-\theta_i)) : \theta_i \in \mathbb{R}\}$

$\mathcal{F}' = \bigcup_{n=1}^{\infty} \mathcal{F}$

I think the VC dimension of $\mathcal{F}$ is $n$ and that of $\mathcal{F}'$ is infinity.

For $\mathcal{F}$, we know that it is in 1D, and expanding the polynomials makes it possible to separate the points with a large polynomial.

For $ \mathcal{F}’$ taking the union will add at least one in each increment, and there are infinite functions. Thus infinity.

Do I have the right approach?
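An added sketch (not part of the post) that makes the claim about $\mathcal{F}$ precise, writing $\mathcal{F}_n$ for the class with $n$ roots and taking $m$ points $x_1 < \dots < x_m$ that avoid the roots:

$\operatorname{sign}\Big(\prod_{i=1}^n (x_j-\theta_i)\Big) = (-1)^{\#\{i \,:\, \theta_i > x_j\}}$

So the label can change only between two consecutive points with a root between them; a root left of $x_1$ changes nothing, and a root right of $x_m$ flips every label. Hence a labelling with $k$ sign changes is realizable whenever $k + 1 \le n$ (one root per change, one root on the right to fix the overall sign, the remaining roots on the left). Any $n$ points have at most $n-1$ changes, so $\mathcal{F}_n$ shatters them. For $n+1$ points the two alternating labellings have $n$ changes and need a root in every gap, which forces the label of $x_1$ to be $(-1)^n$; only one of the two alternating labellings is realizable, so

$\mathrm{VC}(\mathcal{F}_n) = n.$

Since $\mathcal{F}' \supseteq \mathcal{F}_n$ for every $n$, $\mathrm{VC}(\mathcal{F}') \ge n$ for all $n$, i.e. $\mathrm{VC}(\mathcal{F}') = \infty$.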

Which Algorithm should PFX file use to sign PDF document?

I exported the localhost certificate in .PFX format with the private key. I have to use this PFX file to sign a PDF document. A C# program was used to sign the document and the error below was encountered when hitting this code:

C# code:

    using System.IO;
    using Org.BouncyCastle.Pkcs;

    // Open the exported PFX and parse it with the export password.
    Pkcs12Store pk12;
    pk12 = new Pkcs12Store(new FileStream(this.Path, FileMode.Open, FileAccess.Read), this.password.ToCharArray());

Error:

    Unable to cast object of type 'Org.BouncyCastle.Asn1.DerSequence' to type 'Org.BouncyCastle.Asn1.DerInteger'

Is the error associated with a mismatch in algorithm? Below are the steps used to export the PFX file.

I am using the iTextSharp library to sign the PDF document. Is there any error in the PFX file, or should the localhost file not be used? How can I validate whether the PFX file is correct?

Thanks.

How to automatically sign a message using PGP in an email?

Is there any way to sign and send a message from the email server automatically, without using any desktop client to sign the message?

For example, A wants to send a message to B. A opens their email account, composes the message and clicks on 'send'. After pressing the send button the message should be automatically signed by the PGP private key and delivered to B. A doesn't want to use a desktop client to copy the message, then sign it, then compose and then send manually.