IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [design-flaw]

34 questions
2
votes
2 answers

Can CDN contents be decrypted by officials in new Telegram security design?

Recently Telegram announced using CDN in some territories where they don't want to place main servers. Although the internals are not explained, according to provided diagram and information, a key is passed from Telegram server to Telegram user…
Xaqron
  • 306
  • 1
  • 10
2
votes
2 answers

Methods of determining if a software bug is a security risk?

I don't really want to get into the specifics. I found a bug from a huge software provider. As any other responsible user, I have reported the bug to the software provider. It is hard to tell if this bug would be considered a security risk or not,…
Gavin Youker
  • 1,270
  • 1
  • 11
  • 23
2
votes
2 answers

Why gethosbyname() is as bad as gets() by design?

I know gethosbyname() has been obsolete for a long time. But I see static analysers report its use as unsafe, and when softwares remove its usage, it tends to be for security reasons. I know there were a lot of security flaws found inside…
user2284570
  • 1,402
  • 1
  • 14
  • 33
2
votes
2 answers

Violation of security principles?

It's clear that keyless entry fobs, smart entry cards, NFC, etc. are vulnerable to relay attacks. Suppose they were improved by limiting the period of activity, eg let them be active only when they are shaken, only when sound is detected, only when…
John M.
  • 311
  • 1
  • 2
  • 5
1
vote
1 answer

Difference between Architecture review and a Design review

As the question says, I would like to know the difference(s) between an Architecture review and a Design review. If someone could explain the two using an example, such as an Architecture review of a network and the Design review of the same…
JohnnyHunter
  • 233
  • 1
  • 7
1
vote
0 answers

Untrusted central server and self-hosted/local client

I am wanting to develop a web service (classic client/server) where the server is not trusted, so is kept (cryptographically) ignorant about the actual content/messages. Obviously, if you don't trust the server, then you shouldn't trust any client…
cloudfeet
  • 2,528
  • 17
  • 22
1
vote
0 answers

Is using URL parameters together with body parameters in a POST request a defined security anti-pattern?

It is technically allowed by many programming languages to supply parameters in POST requests as part of the URL, similar to a GET request. You can do this in addition to supplying parameters in the body of the POST request at the same time. I just…
Demento
  • 7,249
  • 5
  • 36
  • 45
1
vote
1 answer

How can I preserve the uniqueness of a document without a database?

I’m willing to create a system of transferable documents (identified by it’s ID) whose author can transfer his ownership of that document to another person (identified by his/her ID). For example: Alice; owner of document 1. Alice transfers his…
John
  • 85
  • 1
  • 7
1
vote
1 answer

Where to start filtering POST input with MVC? [PHP]

My question is more about design practice, but where should I start the filtering? I figured the class would be the best place for it, but wouldn't that put the instantiated object ($objReg) at risk for code injection using unfiltered POST variables…
Kevin
  • 13
  • 5
0
votes
1 answer

Is it secure to not expire keys in symmetric encryption?

Note that this question describe hypothetical case, that is never meant to be used in real world. Server communicates with clients with message structure: client_id, initialization_vector, encrypted body. Each client each day exchange with server…
user78934
0
votes
1 answer

Does a hash-based storage cache design require additional access-control?

Please forgive the vagueness of the question title. I am currently working/designing an opaque storage of immutable files. The purpose of the service is simple: storing files and being able to retrieve them by their identifier. As the service is…
ereOn
  • 134
  • 5
0
votes
0 answers

Server Upload to presigned URL

I am writing a ReST service which enables user to get a tar archive of a set of requested documents. When the request succeeds, the service should upload the file to a pre-signed URL that points to an s3 bucket or azure blob storage or a private…
vishnuvp
  • 101
  • 1
  • 2
0
votes
2 answers

Secure algorithm for transferring data between users via QR Code

I'm building a mobile application that transfers points between users via QRCode. I'm concerned about security and am looking for effective simple yes secure algorithm to use. The scenario should be something similar to this. User A wants to…
Abozanona
  • 103
  • 5
0
votes
2 answers

Exception handling in multi-tier applications

Error and exception handling in web applications can introduce security issues, often in the form of denial of service (i.e., when a service crashes because of poor error handling) and information disclosure (i.e., when an exception containing…
NLuburić
  • 294
  • 2
  • 9
0
votes
2 answers

Is TLS security for web server reliable or suffer a major design flaw

Best practice in term of security for the web are enforced by major actors like Google or Mozilla, but it feels a bit like something is messed up in the global design. To mitigate all man in the middle and other types of attack on SSL/TLS a lot of…
Kiwy
  • 323
  • 1
  • 13
1
2
3