Timeout at verification

Hi @Sven, I see that for manual verification of URLs we have a choice of the number of threads and of the number of attempts, but not the timeout?

It's been 5 times that I relaunch the verification on certain links which nevertheless pass through my browser but which do not want to be in SER. I could do it manually, but it would take a long time to sort, and I imagine that many other "useful" links are deleted unnecessarily.

How Do Online Identity Verification Companies Ensure Their APIs Are Not Abused?

I am trying to implement a photo ID verification along with a live-selfie verification on my Android/iOS apps.

I figured that I might be able to implement these features using Python machine learning libraries. However, I have no idea how to prevent hackers from directly sending verification data to my app’s server.

So, these days, many online identity verification companies utilize "liveness" detection that can prevent users from taking photos of other people's photos or photos of ID cards. They confirm that the images were not modified. They even make short videos to confirm the liveness.

However, what if the abuser is not a normal user, but a programmer? What can we do if the programmer directly calls our APIs and sends photos or videos to the server? Then the liveness detection will become useless because we will not be able to differentiate the selfie sent directly by the programmer from a newly taken live selfie.

Any solutions? I can only guess that the only way to prevent this type of attack would be making users take random actions generated by the server, such as saying something on the screen or making users write down random digits on paper and take a picture with it.
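The server-generated random action the post proposes only helps if the upload is bound to that specific challenge, so the following is an added example (not from the post or any vendor's API) of the server side of such a scheme in Python's standard library: the server mints a signed, expiring, single-use challenge ("write these four digits on paper and hold them up"), and an upload is accepted only if it carries a challenge for the same session that is unexpired, unused, and matches what the liveness model read from the image. The key, the session ids, the in-memory replay store and the `digits_read` input (standing in for the output of a liveness/OCR model) are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key; in a real deployment this lives only on the server.
SERVER_KEY = b"constructed-demo-key-do-not-use"
CHALLENGE_TTL_SECONDS = 120

# Nonces already redeemed. Assumption: a shared store (e.g. a database) in production;
# a process-local set is enough to show the replay check.
_redeemed_nonces = set()


def _sign(body: str) -> str:
    """HMAC over the encoded challenge so the client can neither forge nor alter it."""
    return hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()


def issue_challenge(session_id: str, now: Optional[float] = None) -> Tuple[str, dict]:
    """Create the random action for one session: four digits the user must write on
    paper and show in the selfie. Returns the opaque token for the client and the
    decoded payload (the instruction text is built from payload["digits"])."""
    now = time.time() if now is None else now
    payload = {
        "sid": session_id,
        "nonce": secrets.token_hex(16),
        "digits": f"{secrets.randbelow(10000):04d}",
        "exp": int(now) + CHALLENGE_TTL_SECONDS,
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode("ascii")
    ).decode("ascii")
    return f"{body}.{_sign(body)}", payload


def verify_submission(token: str, session_id: str, digits_read: str,
                      now: Optional[float] = None) -> str:
    """Decide whether to accept a selfie upload. `digits_read` is what the liveness/OCR
    model extracted from the uploaded image (assumed to exist). Returns "ok" or the
    reason for rejection, checked in the order a server would apply them."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return "malformed"
    if not hmac.compare_digest(_sign(body), tag):
        return "bad_signature"      # not issued by us, or altered in transit
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["sid"] != session_id:
        return "wrong_session"      # challenge minted for a different login session
    if now > payload["exp"]:
        return "expired"            # stale challenge: a pre-recorded answer is useless
    if payload["nonce"] in _redeemed_nonces:
        return "replayed"           # one challenge answers exactly one upload
    if not hmac.compare_digest(payload["digits"], digits_read):
        return "digits_mismatch"    # the image does not show the digits we asked for
    _redeemed_nonces.add(payload["nonce"])
    return "ok"


if __name__ == "__main__":
    token, challenge = issue_challenge("session-demo")
    print("ask the user to show:", challenge["digits"])
    print(verify_submission(token, "session-demo", challenge["digits"]))
```

Because the digits are chosen by the server per request and the token is tied to a session and a deadline, a caller who bypasses the app and posts a stored photo or video still has to produce an image showing the freshly issued digits within the time window, which is the property the liveness check alone cannot give you.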

Need to convert the following Python signature verification code to Android

I created a Python 3 application to generate the RSA key pair.

    from Crypto.PublicKey import RSA

    print("--Private Key Generate--")
    key = RSA.generate(2048)
    private_key = key.export_key()
    file_out = open("key/private.pem", "wb")
    file_out.write(private_key)
    file_out.close()

    print("--Public Key Generate--")
    public_key = key.publickey().export_key()
    file_out_1 = open("key/receiver.pem", "wb")
    file_out_1.write(public_key)
    file_out_1.close()

    print("key Generated")

I sign some data using Python and create a signature. It also verifies using Python successfully.

    import base64
    from Crypto.Hash import SHA256
    from Crypto.PublicKey import RSA
    from Crypto.Signature import pss

    def sign(data):
        private_key = RSA.import_key(open('key/private.pem').read())
        h = SHA256.new(data)
        # RSA-PSS signature over the SHA-256 digest, base64-encoded for transport
        signature = base64.b64encode(pss.new(private_key).sign(h))
        print("signature generate")
        verify(data, signature)
        return signature

    def verify(recive_Data, signature):
        public_key = RSA.import_key(open('key/receiver.pem').read())
        h = SHA256.new(recive_Data)
        verifier = pss.new(public_key)
        try:
            verifier.verify(h, base64.b64decode(signature))
            print("The signature is authentic")
        except (ValueError, TypeError):
            print("The signature is not authentic.")

But my actual verification implementation is in Android (min SDK 23, target SDK 29), so I need to convert this verification code to Android. I tried using the following code, but without success. I need some expert help to do it.

    import android.util.Base64;

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.io.UnsupportedEncodingException;
    import java.security.GeneralSecurityException;
    import java.security.InvalidAlgorithmParameterException;
    import java.security.InvalidKeyException;
    import java.security.KeyFactory;
    import java.security.NoSuchAlgorithmException;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.SignatureException;
    import java.security.spec.X509EncodedKeySpec;

    public class SecurityHelper {

        private static String getKey(InputStream filename) throws IOException {
            // Read key from file
            String strKeyPEM = "";
            BufferedReader br = new BufferedReader(new InputStreamReader(filename));
            String line;
            while ((line = br.readLine()) != null) {
                strKeyPEM += line + "\n";
            }
            br.close();
            // System.out.println(strKeyPEM);
            return strKeyPEM;
        }

        public static PublicKey getPublicKey(InputStream filename) throws IOException, GeneralSecurityException {
            String publicKeyPEM = getKey(filename);
            return getPublicKeyFromString(publicKeyPEM);
        }

        public static PublicKey getPublicKeyFromString(String key) throws IOException, GeneralSecurityException {
            // Strip the PEM armour, then decode the base64 body into the X.509 SubjectPublicKeyInfo
            String publicKeyPEM = key;
            publicKeyPEM = publicKeyPEM.replace("-----BEGIN PUBLIC KEY-----\n", "");
            publicKeyPEM = publicKeyPEM.replace("-----END PUBLIC KEY-----", "");
            System.out.println(publicKeyPEM);
            byte[] encoded = Base64.decode(publicKeyPEM, Base64.CRLF);
            // System.out.println(encoded);
            KeyFactory kf = KeyFactory.getInstance("RSA");
            PublicKey pubKey = kf.generatePublic(new X509EncodedKeySpec(encoded));
            System.out.println(pubKey);
            return pubKey;
        }

        public static boolean verify(PublicKey publicKey, String message, String signature)
                throws SignatureException, NoSuchAlgorithmException, UnsupportedEncodingException,
                InvalidKeyException, InvalidAlgorithmParameterException {
            // "SHA256withRSA" is RSA PKCS#1 v1.5 signature verification with SHA-256
            Signature sign = Signature.getInstance("SHA256withRSA");
            sign.initVerify(publicKey);
            sign.update(message.getBytes("UTF-8"));
            System.out.println(message);
            return sign.verify(Base64.decode(signature, Base64.CRLF));
        }

    }

Postfix maildrop -> pickup “from:” verification [duplicate]

I was surprised to notice that sending e-mail from a local server account allows any user to send a message with:

From: whatever@whateverdomain

This is a security issue, because it allows identity usurpation.

When sending e-mail from a local server account, e-mails are put into the maildrop directory and the Postfix daemon pickup sends the e-mail.

Searching the Postfix documentation (man pickup) doesn't show a dedicated check for this problem.

How can that be solved without disabling the pickup service, which is required for the system to work correctly?

Custom certificate verification using thumbprint

I’m trying to confirm if the approach I’m thinking of taking towards verifying a self signed certificate is sound, or if I’m going about it the wrong way. I’m no security expert, so bear with me please if I make any wrong assumptions.

Following is a summary of the situation I have:

  • Self hosted Windows Service that can be running on any machine in the LAN. The service is implemented using .NET gRPC.
  • The service will only be accessed from the LAN using a desktop client. No access from a web browser or external client is involved.
  • The client uses the IP address of the host where the service is running to access it.

From a security PoV, I want to ensure that the data sent between the client and service is encrypted. To achieve this, .NET gRPC allows the use of certificates so that the client can talk to the service using HTTPS.

However, I don’t want to buy or use a CA certificate, therefore I plan to create a self signed certificate and configure the gRPC service with it.

Given that clients need to access the service through the IP address, I would need to install the certificate on every client machine. However, I don’t wish to do that. Instead I plan to leverage .NET ServerCertificateCustomValidationCallback and implement custom verification.

To verify, I am thinking of storing the certificate thumbprint/hash in the client's code, and when the callback is invoked, verifying that the received certificate's thumbprint/hash matches the one in the client's code.

Is this verification method reliable? Can a man in the middle attack occur with this method?

My initial thinking is that because it’s only the certificate hash an attacker can get hold of from the client, it won’t be possible to create a fake certificate and make the client trust it. However, I am not 100% sure.
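The check the post describes reduces to a digest comparison inside the validation callback, so here is an added Python example (not from the post, and not .NET code) of exactly that decision: hash the DER bytes of the certificate the server presented, compare the result in constant time against the pins embedded in the client, and accept only on a match. It uses SHA-256 rather than the SHA-1 that .NET's `Thumbprint` property exposes (an assumption made here), and the DER bytes in the usage block are a constructed stand-in for a real certificate.

```python
import hashlib
import hmac
from typing import Iterable


def thumbprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Upper-case hex digest of the certificate's DER encoding. Any change to the
    certificate, including re-signing it with a different key, changes this value."""
    return hashlib.new(algorithm, der_cert).hexdigest().upper()


def normalize_pin(pin: str) -> str:
    """Accept the common display forms ('AB:CD:..', 'ab cd ..', 'abcd..') for a pin."""
    return pin.replace(":", "").replace(" ", "").upper()


def certificate_is_pinned(der_cert: bytes, pins: Iterable[str], algorithm: str = "sha256") -> bool:
    """The decision a custom validation callback should return: True only if the
    presented leaf certificate matches one of the embedded pins. Chain-building errors
    from the OS trust store are irrelevant here, which is what makes the client
    independent of any installed CA. Several pins are allowed so that a client can
    carry the current and the next certificate across a rotation."""
    observed = thumbprint(der_cert, algorithm)
    accepted = False
    for pin in pins:
        # Constant-time comparison; evaluate every pin rather than returning early.
        if hmac.compare_digest(observed, normalize_pin(pin)):
            accepted = True
    return accepted


if __name__ == "__main__":
    # Constructed placeholder; a real client hashes the DER bytes handed to its callback.
    presented = b"constructed-stand-in-for-DER-certificate-bytes"
    pinned = [thumbprint(presented)]
    print("legitimate cert accepted:", certificate_is_pinned(presented, pinned))
    print("altered cert accepted:   ", certificate_is_pinned(presented + b"\x00", pinned))
```

The second call in the usage block shows the property the post is asking about: a certificate that differs from the pinned one in even a single byte produces a different digest, so knowing the pin alone does not let anyone present a certificate the client will accept. What the check does not cover is renewal: when the service's certificate is replaced, every client must ship a new pin, which is why the function accepts a list.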

Why do GoDaddy customer support representatives ask for two-step verification codes?

When contacting GoDaddy customer service, whether over chat or phone, they often ask for both a PIN and a two-step verification code (which they confusingly refer to as “google auth codes”).

The PIN can be found when you log in to your GoDaddy.com account, but the two-step verification code is something you'd need to get from whichever app, service, or hardware device you use to generate two-step verification codes (compatible options listed here).

Typically two-step verification codes are time-based one-time-use codes I’ve only used when logging in to my own accounts through my own web browser or mobile app on my own devices. I’ve never had any other customer service representatives from other companies ask for these codes. Usually they just ask for PINs (if the service is set up to use those).

Why would GoDaddy customer service require two-step verification codes? Are they actually using it to log in to your account on their end? If so, how could they do that without having your password? Also, is it poor security practice to require customers to share two-step verification codes with someone else in this manner?

I found this related question from someone concerned with customer service reps asking for PIN codes here, and people agreed that even that is poor security practice.

What can be said about complexity class of a problem if there exist a pseudo-polynomial verification algorithm?

Let X be a problem for which a MILP formulation can be devised. Verifying the solution of the problem is known to be weakly NP-hard, i.e. a pseudo-polynomial algorithm for verification exists. What can be said about the complexity of problem X?

Differences in certificate verification between ssl libraries

I’ve been playing with x509 certificates to better understand them and I’ve hit a strange issue which makes me think I have a misunderstanding. Initially I tested everything with libressl 2.8.3 and things work as expected, however when testing against openssl 1.1.1d things fall apart.

First I’ve created a root key and certificate with

    libressl ecparam -out root.pem -name secp384r1 -genkey
    libressl req -new -key root.pem -out root.csr
    libressl x509 -in root.csr -out root.crt -req -signkey root.pem -days 30

then the intermediate

    libressl ecparam -out inter.pem -name secp384r1 -genkey
    libressl req -new -key inter.pem -out inter.csr
    libressl x509 -in inter.csr -out inter.crt -req -signkey root.pem -days 30

and a leaf

    libressl ecparam -out leaf.pem -name secp384r1 -genkey
    libressl req -new -key leaf.pem -out leaf.csr
    libressl x509 -in leaf.csr -out leaf.crt -req -signkey inter.pem -days 30

The issue I'm hitting is that libressl will verify the intermediate cert while openssl will not:

    >>> libressl verify -CAfile root.crt inter.crt
    inter.crt: C = US, ST = CA, L = SF, O = Inter
    error 18 at 0 depth lookup:self signed certificate
    OK
    >>> openssl verify -CAfile root.crt inter.crt
    C = US, ST = CA, L = SF, O = Inter
    error 18 at 0 depth lookup: self signed certificate
    error inter.crt: verification failed

Am I missing something or is openssl exposing that I have a misunderstanding of x509 certs and libre/openssl? Similarly validating the leaf cert with a bundle of the root and intermediate succeeds with libressl and fails with openssl.