It is my understanding that requests from a client browser to a webserver will initially follow the specified protocol, e.g., HTTPS, and default to HTTP if not specified (Firefox tested). On the server side it is desired to enforce a strict type HTTPS for all connections for the privacy of request headers, and as a result HTTPS redirections are used. The problem is that any initial request where the client does not explicitly request HTTPS will be sent unencrypted. For example, client instructs browser with the below URL command.
google.com will redirect the client browser to use HTTPS, but the initial HTTP request and GET parameters were already sent unencrypted, possibly compromising the privacy of the client. Obviously there is nothing foolproof that can be done by the server to mitigate this vulnerability, but:
- Could this misuse compromise the subsequent TLS security possibly through a known-plaintext
- Are there any less obvious measures that can be done to mitigate this possibly through some DNS protocol solution?
- Would it be sensible for a future client standard to always initially attempt with HTTPS as the default?
So, I keep reading again and again that one should encrypt his Android device.
But from an attacker’s perspective, what can be done with an unencrypted phone? Can I extract all the files or possibly install malware by accessing the file system on the phone, or can I unlock the phone?
I have bought a new phone and I want to test what can actually be done. So, what can be done?
I have a zip file, Example.zip, consisting of a directory Example and three files *.dat. I can see the names of all 3 files. The dat files are encrypted (ZipCrypto Deflate). I’m interested to know if I can use bkcrack, and am aware of the required: at least 12 bytes of contiguous plaintext.
My system has a modern 6c/12t CPU, and an older GPU.
- Can I use anything about the directory or filenames themselves for the required plaintext?
- If 1 is not possible, what hints/course of action can I take to derive the 12 (or more) bytes?
I just need the files.
A basic plain-text unencrypted TCP connection is set up as follows:
Network Client LAN <--> Network Modem <--> ISP <--> Remote Server
The network Modem only has a single wired user, and nobody can sniff any LAN packets.
TCP packets are generated on the Network Client underneath the LAN. The network modem sends packets to the ISP and then to a remote server.
The local and remote servers are completely trusted. No LAN traffic can be sniffed on either end.
The ISP itself is trusted or is allowed to see the traffic, and they are not compromised.
Is there any way for hackers to see the unencrypted packets as they travel throughout the WAN? They know both the source IP and destination IP address. Can they sniff this traffic?
Should these details be stored encrypted, not at all or in plain text in a database?
My son kindly crashed my laptop and when I restarted my machine, cryptsetup was not accepting my password (going into 60 minute delay) and I cannot launch Ubuntu 18.04 that I have installed on my laptop SSD; however I can launch using live USB and unlock the laptop SSD using the Disks utility; I am not given any options to mount the drive.
I also tried to access the drive through command prompt and I get an error message.
Has someone encountered this issue before?
Old IoT devices and some low-power devices are not capable of doing encryption or use weak encryption methods like TLSv1.0. What could be the risks of using such devices and unencrypted protocols like HTTP?
There’s an endpoint that receives an e-mail and password and creates a user account in an external system. To access that endpoint, one must be logged in to our system as it’s the only way for that user account to be created.
To me it looked really bad when I found out that the password was going to be sent without encryption, but I’m not an expert on the subject and I was assured that the communication was safe being sent via https.
Is it? If not, what would be a good solution to this problem?
On a Linux system I’m running a utility like this:

    $ /usr/bin/myapp myprivatekey
    Enter passphrase for the private key:...
    ...application runs and uses the private key

My understanding is that if I have a private key encrypted with a passphrase it is more secure than an unencrypted one because the private key cannot be accessed even if the user account is compromised. So if the private key is loaded by a process running as a different user and the passphrase is typed manually by the user then one cannot intercept the above passphrase. Please note that the /usr/bin/myapp can only be written by root.
On the other hand, a colleague argues that if the user account is compromised then the private key is compromised too, even if it’s protected by a passphrase, because if the account is compromised then the password typed by the user can be intercepted and one cannot protect himself in such a situation.
Which one is correct? Is it possible to set up a system such that the private key is protected in the above situation?
I was running 18.04 LTS on a 320GB hard drive on a fully encrypted install and I recently upgraded to a 1TB hard drive. I made a disk image on my external drive and restored the system onto the new 1TB drive. After restoring, I attempted to expand the partition using gparted to the full disk size but was unable. After doing some research, I found that gparted does not allow you to manipulate encrypted partitions, so now I’m in search of a way ahead. Can anyone help me with step-by-step directions on how to make an unencrypted disk image and restore it to my new drive so I can expand it using gparted?