Questions tagged [client]

In a client-server model, the server provides services to the client.

The client/server model is a model with two distinct parties: one party provides services, the other uses them. It is the opposite of a peer-to-peer model, where each party is both server and client. For example, in the Bitcoin peer-to-peer network, the program on the user's computer acts both as a server (it uploads blocks and confirms transactions) and as a client (it downloads blocks from others and asks them to confirm transactions).

Surfing the web is a good example of the client/server model: the websites are served by servers, and the browser acts as the client (it uses the received data).

123 questions
52
votes
2 answers

What is PKCE actually protecting?

I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand. So from what I can gather the client app creates a random cryptographically secure string known as the code-verifier. This is then…
TommyBs
40
votes
5 answers

Client-side encryption, but cloud service can still decrypt data in the event of a death? Is this possible?

I've been worried about this password manager, PasswordBox that seems to be gathering quite a bit of steam lately. They seem to have raised VC funding and are offering a free password management and storage tool. Their team does not seem to have…
Mallory
29
votes
2 answers

Why would the BBC web site always ask for a personal certificate, and how do I avoid giving it away?

After installing a CAcert personal certificate, every time I land on the BBC weather site it asks me to identify myself with a certificate. Why would any non-malicious web site do that unless I've requested to sign in first? The weather report is…
l0b0
26
votes
5 answers

What are the security issues with "eval()" in JavaScript?

Every time that someone mentions eval(), everyone says that there are "security issues" with it, but nobody ever goes into detail about what they are. Most modern browsers seem to be able to debug eval() just as well as normal code, and people's…
24
votes
6 answers

Alternatives to HTML's deprecated <keygen> for client certs?

The keygen tag is used to make browsers generate private keys and POST the resulting CSR to the server, which can then issue a certificate. It's now been deprecated, for rather stupid reasons but that's beside the point. So, what are the…
André Borie
22
votes
8 answers

How can I re-use my password and still protect the password if it is exposed from one source?

I know that all servers should at least store my credentials as hash(password + salt) + salt, with a secure and well known hash function and a salt unique for me, generated from a secure and well known source. The problem is that servers should do…
Sinder
18
votes
2 answers

How does a server validate the Certificate Verify message in SSL/TLS?

Client authentication may be used in an SSL/TLS negotiation. For this, the client will send a CertificateVerify after the server requested it. The CertificateVerify message contains the client certificate that will be verified by the server. How does…
Duke Nukem
16
votes
2 answers

Client authentication vs. user authentication

I am currently looking into authentication protocols which work well with REST APIs, in Java. There is something fundamental I don't understand: I read a lot of material about the OAuth protocol, SSL, basic HTTP auth, digest etc. And in all of them…
rita potter
14
votes
2 answers

Validating an SSL certificate chain according to RFC 5280: Am I understanding this correctly?

We're in the process of replacing certificates with SHA1 hash due to Google's move to let them appear less secure in Chrome. The replacement certificates use a different intermediate CA than the ones we're currently using, but the same root CA.…
luxifer
13
votes
3 answers

How to perform Login Authentication at the client-side?

How can we validate login credentials at the client-side itself without involving the server of a website?
sanjay
13
votes
5 answers

Is it worth the effort to store FTP passwords encrypted?

I have a project to build a system that needs to push files to multiple third-party FTP servers. I have asked these third parties to provide a more secure interface; all have declined. So now I have this problem: I can implement some kind of…
kojiro
12
votes
1 answer

Client certificate common name? Subject alternative name?

For an IoT project, I want to secure client-server communication. I want both the server (Apache) and the clients to identify/authenticate each other (a client won't communicate with other clients) before clients can post some data. There is much less…
Saren Tasciyan
11
votes
5 answers

How To Prove That Client Side Javascript Is Secure?

Imagine that you have a web application that encrypts the user's data, such as a note or spreadsheet, on both the server and client. The normal process for a user using this web application is something like this: The user logs into the application…
Joseph
10
votes
1 answer

SSL Cert Types and Key Usage

I want to use OpenSSL to create a CSR and submit it to my CA (which uses Microsoft PKI) and receive certificates that can be used for both Server Auth and Client Auth. I'm not clear on a couple of things, which may simply be a link between…
Mike
8
votes
3 answers

Certificate Chain checking

I have a very specific question. A client verifies a server by taking the certificate and checking specific values and that the digital signature of the intermediate CA is correct (according to the public key stored on the client's computer).…
Christopher