## Is public exposure of Google Safebrowsing API Key a valid vulnerability

When I was scanning through a target mobile application, I found the exposure of Google Safebrowsing API Key. However, I found that this is a free key and anyone can obtain it. Is this a valid security issue? If so, what are the things an attacker could achieve with the help of it? Also, can you please help me identifying the CVSS if this is an issue in the first place.

## Does HSTS prevents MITM using a valid certificate?

Let’s consider this scenario:

An attacker got a valid certificate for a HSTS protected domain https://example.com. Can he still perform a man-in-the middle attack even if the website is already loaded in the browser HSTS list?

I remember using Burp suíte once and getting a strict transport security related error for a valid certificate, so I would suppose the HSTS list also contain the certificate fingerprint, although I could not find anything about it in the RFC

## Is multiplying hashes a valid way to ensure two sets of data are identical (but in arbitrary order)

Let’s say “User A” has a set of data like below. Each entry has been hashed (sha256) to ensure integrity within a single entry. You can’t modify data of a single entry without also modifying the corresponding hash:

[ { data: "000000", hash: "91b4d142823f7d20c5f08df69122de43f35f057a988d9619f6d3138485c9a203" },  { data: "111111", hash: "bcb15f821479b4d5772bd0ca866c00ad5f926e3580720659cc80d39c9d09802a" },  { data: "345345", hash: "dbd3b3fcc3286d927ec214c5648fbb226353a239789750f51430b1e6e9d91f4f" },  ] 

And “User B” has the same data but in a slightly different order. Hashes are the same of course:

[ { data: "345345", hash: "dbd3b3fcc3286d927ec214c5648fbb226353a239789750f51430b1e6e9d91f4f" },  { data: "111111", hash: "bcb15f821479b4d5772bd0ca866c00ad5f926e3580720659cc80d39c9d09802a" },  { data: "000000", hash: "91b4d142823f7d20c5f08df69122de43f35f057a988d9619f6d3138485c9a203" },  ] 

I want to allow both users to verify they have the exactly same set of data, ignoring sort order. If, as an extreme example, a hacker is able to replace User B’s files with otherwise valid-looking data, the users should be able to compare a hash of their entire datasets and detect a mismatch.

I was thinking to calculate a “total hash” which the users could compare to verify. It should be next to impossible to fabricate a valid looking dataset that results in the same “total hash”. But since the order can change, it’s a bit tricky.

I might have a possible solution, but I’m not sure if it’s secure enough. Is it, actually, secure at all?

My idea is to convert each sha256 hash to integer (javascript BigInt) and multiply them with modulo to get a total hash of similar length:

 var entries = [ { data: "345345", hash: "dbd3b3fcc3286d927ec214c5648fbb226353a239789750f51430b1e6e9d91f4f" },  { data: "111111", hash: "bcb15f821479b4d5772bd0ca866c00ad5f926e3580720659cc80d39c9d09802a" },  { data: "000000", hash: "91b4d142823f7d20c5f08df69122de43f35f057a988d9619f6d3138485c9a203" },  ];  var hashsize = BigInt("0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"); var totalhash = BigInt(1); // arbitrary starting point  for (var i = 0; i < entries.length; i++) {   var entryhash = BigInt("0x" + entries[i].hash);   totalhash = (totalhash * entryhash) % hashsize;  } totalhash = totalhash.toString(16); // convert from bigint back to hex string 

This should result in the same hash for both User A and User B, unless other has tampered data, right? How hard would it be to create a slightly different, but valid-looking dataset that results in the same total checksum? Or is there a better way to accomplish this (without sorting!).

## Is it safe to assume that a JWT is valid if it can be decrypted with the server’s private key?

This is my first time using JWT. I’m using the jwcrypto library as directed, and the key I’m using is an RSA key I generated with OpenSSL.

My initial inclination was to store the JWT in the database with the user’s row, and then validate the token’s claims against the database on every request.

But then it occurred to me that the token payload is signed with my server’s private key.

Assuming my private key is never compromised, is it safe to assume that all data contained in the JWT, presented as a Bearer token by the user, is tamper-proof? I understand that it is potentially readable by third parties, since I’m not encrypting.

What I want to know is, is there anything I need to do to validate the user’s JWT besides decrypt it and let the library tell me if there’s anything wrong?

## What are the terminals, non-terminals and set of production rules for the following language of valid first order formula?

variables: w x y z constants: C D predicates: P[2] Q[1] equality: = connectives: \land \lor \implies \iff \neg quantifiers: \exists \forall formula: \forall x ( \exists y ( P(x,y) \implies \neg Q(x) ) \lor \exists z ( ( (C = z) \land Q(z) ) \land P(x,z) ) ) 

How would I go about deriving the set of terminals, non-terminals and production rules for this language of valid First order formula?

A method to derive the solution would be more appreciated than just the solution.

## Is this a valid equation for determining certificate lifetimes in a PKI infrastructure?

I have an intuitive sense of how certificate lifetimes should work in a PKI infrastructure, but I don’t consider myself an expert in this field so I would like someone to validate or critique my assumptions:

The “leaves” on a PKI hierarchy are the certificates issued by a CA. The maximum lifetime of one such certificate is equivalent to:

renewal interval          + renewal period           = certificate lifetime (renew yearly, i.e. 1 yr) + (1-month renewal period) = 13 month lifetime 

An intermediate/issuing CA’s cert’s lifetime follows the same pattern, plus the maximum lifetime of a cert it can issue:

renewal interval + renewal period + child lifetime = certificate lifetime 2 years          + 1 month        + 13 months      = 3 year, 2 month lifetime 

The last step “recurses” up the PKI hierarchy through any more intermediate CA tiers until you get to the root cert.

This means, necessarily, a CA’s cert must always have a lifetime longer than the certs it issues.

Context: Apple’s Announcement about 13-month maximum cert lifetimes starting September 1st 2020 must therefore only apply to leaf certs, and not to certs issued to intermediate or root CAs.

## Enumerate all valid orders of subset sums

Given an positive integer $$n$$, we define an order of subset sums to be a sequence of all subsets of $$\{1,\ldots,n\}$$. For example, when $$n=2$$, the sequence $$\emptyset,\{1\},\{2\},\{1,2\}$$ is an order of subset sums.

We call an order of subset sums $$S_1,\ldots,S_{2^n}$$ valid if there exist real numbers $$0 such that $$\sum_{i\in S_1}x_i<\cdots<\sum_{i\in S_{2^n}}x_i$$. For example, when $$n=2$$, the sequence $$\emptyset,\{1\},\{2\},\{1,2\}$$ is a valid order of subset sums, but the sequence $$\emptyset,\{1\},\{1,2\},\{1\}$$ is not a valid order of subset sums because we cannot make $$x_1+x_2.

The question is, given $$n$$, how to enumerate all possible valid orders of subset sums. I know this problem cannot be solved in time polynomial in $$n$$, because there may be exponentially many valid orders of subset sums, so an algorithm with exponential time is welcome.

A trivial algorithm would be to iterate over all possible orders of subset sums, and check for each one if it is valid. But I cannot even find an (efficient) way to check if an order of subset sums is valid.

## Cannot submit valid form in FormFunction

I have a simple FormFunction like this:

FormFunction[{"expr" -> ToExpression}, HTTPRequestData[] &] 

When I use CloudDeploy, it works as normal. But when I use SocketListen and GenerateHTTPResponse to establish a server, my Chrome seems have submitted no data as I can’t Find it in the results of HTTPRequestData.

I’ve tried remote server(instead of local), #expr(instead of HTTPRequestData), none of them works. If I use APIFunction as the backend and URLRead as the client, everything is OK.

What’s missing for the submission compared to the WolframCloud one?

## Is this a valid heuristic for Dots and Boxes to reduce the branching factor of the search tree?

I am implementing an AI based on the MiniMax algorithm that plays the game Dots and Boxes. I would like to reduce the branching factor of the search tree, by introducing a heuristic rule that limits the number of successor states. However, I am not sure whether there exist any situations, where this rule would exclude the optimal move and make the AI play worse.

In the game 2 players take turns, until one of them captures a box, after which they have to make another move, possibly capturing another box etc. For this purpose, I define successor states of $$S$$ to be all states, where the opponent gets the move, or the terminal state. If a player made a capture and still has to make another move, then the current state is not yet a successor state of $$S$$ – the player has to continue making moves until they’re unable to.

My rule is as follows:
Assume a player makes a series of captures from a starting state $$S$$ and ends it with a move $$m$$, after which the turn goes to the opponent. Then it’s always better or at least not worse for the player to have made as many captures as possible before finishing the sequence with $$m$$.

This means that any state $$S$$ always has less successors, then there are legal moves. All successors where the player captures $$n$$ boxes and finishes with move $$m$$ are discarded, unless $$n$$ is the maximum number of boxes that can be captured such that $$m$$ can still be a finishing move. For example, in the following state:

immediately capturing the 4 boxes leads to a loss, while dividing them into 2 small chains, 2 boxes each, with the move (2,2)-(2,3) leads to a victory. The optimal strategy is consistent with the rule, as it would not be possible to finish with the move (2,2)-(2,3), if any of the boxes were captured. The rule excludes all successors, where the player captures 1 or 2 boxes, from being considered.

## Can I test ssl connection locally with a valid certificate (CA) with local dns?

I have a wildcard valid certificate signed by Certificate Authority. Is it possible to test the https locally from the server without a registered DNS?

My idea is to bind the domain name with 127.0.0.1 in /etc/hosts.

The HTML is running on Nginx container and I am using centos 7.

Is it possible to make an SSL handshake with curl https://<dnsname>.<name>.com:443 or it needs to be public DNS?

Note: ICMP is disabled but the server is connected to internet