For an email signature, what is the “ideal” CDN image hosting provider? [closed]

Email signatures typically have an image of a logo or a profile picture. My question is, what is your recommended image hosting URL/service? Are some URL’s trusted over others?

I am not sure where to host these images hence the question.

I guess some ISP’s and email clients determine the "trustworthiness" of an image URL?

All experience greatly appreciated!

How to verify PGP signature with signing key using Enigmail in Thunderbird [migrated]

I received an email like this above:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1  Because anyone can claim to be me. There's no validation of the user name or email address when someone posts a comment. While I do try to remove imposters, some may slip through. By signing my comments using this technique, anyone can independently verify that I was the author of the message by validating the signature. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32)  iD8DBQFFxqRFCMEe9B/8oqERAqA2AJ91Tx4RziVzY4eR4Ms4MFsKAMqOoQCgg7y6 e5AJIRuLUIUikjNWQIW63QE= =aAhr -----END PGP SIGNATURE----- 

And another email with the public key. How can I verify if the signature is valid using the Enigmail in Thunderbird?

Split a JWT between payload and signature

Context: I’m looking at storage solutions for JWT tokens on a single page application.

  1. Storing the JWT in the local storage is unsafe and prone to XSS attacks.
  2. Storing the JWT in a secure / HTTP only cookie is safer, but prone to CSRF attacks.

I’m studying the following scenario:

Upon authentication, a refresh token is stored in an http only secure cookie. It can only be used to get an access token.

Upon authorisation, the backend responds with a JWT access token. The header and payload part of the JWT are inside the response body. The token signature is not sent and is set in an http only secure cookie (same-site strict if possible, but let’s assume it’s not the case). The header + payload is stored in memory.

When making requests, the header + payload is sent via XHR/fetch by the SPA in an Authorisation header. The signature is sent along with the cookies. The backend concatenates both and verify the signature.

Would such a mechanism be safe from XSS and CRSF attacks, or is it just adding un-necessary complexity ? Since the cookie does not contain the full JWT, this seems like a CSRF attack would not be able to make requests. And an XSS attack would at least (this is a mild protection at this point since an XSS attack is possible, but still), not be able to retrieve the full token.

Note: I’ve read this question which is similar, but overly broad so I’m posting this to get a more precise answer.

How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.

My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.

My suggested flow:

  1. Client generates Key Pair + CSR and sends CSR to API
  2. API creates a certificate from the CSR
  3. API asks HSM to sign the CSR data and receives back a signature
  4. API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client

Flow

I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I’m still not sure if runs in Linux .NET Core).

I really appreciate your help!

mobile authentication on pc using signature

Application for user authentication on pc. A key pair is generated on an Android device. The secret key is stored in Android Keystore, the public key is sent to the PC server. The client generates a token, calculates a hash function from it, signs it with the private key and sends it to the server. Server verifies the signature and checks the hashes. It is required to protect the public key from spoofing. You can also use qr code, for example, you can generate a key pair on a PC and transfer the private key through scanning qr code, and leave the open one.

What if an attacker gets access to public key through an insecure media in digital signature?

If A encrpyts the message and creates signature using his private key and sends through the network then only B with the public key of A can decrypt that message.

But what if the attacker gets access to the public key of A and the encrypted message through the network? Will he be able to decrypt the message?