Most Popular

1500 questions
115
votes
4 answers

What certificates are needed for multi-level subdomains?

I'm working on a web site with several levels of subdomains. I need to secure all of them with SSL, and I'm trying to determine the correct certificate strategy. Here's what I need to secure: foo.com www.foo.com Any combination of…
Nathan Long
  • 2,624
  • 4
  • 21
  • 28
114
votes
5 answers

What should a website operator do about the Heartbleed OpenSSL exploit?

CVE-2014-0160 http://heartbleed.com This is supposed to be a canonical question on dealing with the Heartbeat exploit. I run an Apache web server with OpenSSL, as well as a few other utilities relying on OpenSSL (as client). What should I do to…
Deer Hunter
  • 5,297
  • 5
  • 33
  • 50
114
votes
6 answers

Roles to play when tailgating into a residential building

Following people into a large RFID-protected residential building is ridiculously easy, as not everyone knows everyone else. Just the other day I was let in with a rifle (an airgun, but how could they have known). But standing helplessly in front of…
Vorac
  • 1,817
  • 3
  • 20
  • 27
114
votes
7 answers

Someone is using my (or has the same) email

I just got a letter from court saying I made 49 threats to someone I had a problem with three years ago. This person presents "my emails" as evidence. I went through all my emails, and I haven't found a single one. The mail presented as evidence all…
Leah G
  • 1,079
  • 2
  • 7
  • 5
114
votes
15 answers

How can mom monitor my internet history from a distance?

This might sound like a funny question from a twelve-year-old. The less funny part is that I am 21 and currently studying at university (I don't live at University, although I am 15 minutes away. I do not use university network). You might or…
Azerty
  • 1,273
  • 2
  • 9
  • 8
113
votes
4 answers

Is using 'dot' and 'at' in email addresses in public text still useful?

When entering your email address publicly, a practice is to replace . with text dot and @ with text at. I assume that the reasoning is that this way automatic email-collector robots won't match your address so easily. I still see updated websites…
n611x007
  • 2,255
  • 3
  • 15
  • 17
113
votes
9 answers

Should I change the default SSH port on Linux servers?

Is there any advantage in changing the SSH port? I've seen people do that, but I can't seem to find the reason why. If you have a strong password and/or a certificate, is it useful for anything? Edit: I should also mention that I am using iptables…
sharp12345
  • 1,969
  • 3
  • 13
  • 23
112
votes
9 answers

Why can we still crack Snapchat photos in 12 lines of Ruby?

Just came across this bit of Ruby that can be used to decrypt Snapchat photos taken out of the cache on a phone, apparently adapted from here. To my surprise, it worked without a problem, considering the problems around Snapchat's security which…
Dmitri DB
  • 1,181
  • 2
  • 9
  • 12
112
votes
6 answers

Why should I offer HTTP in addition to HTTPS?

I am setting up a new webserver. In addition to TLS/HTTPS, I'm considering implementing Strict-Transport-Security and other HTTPS-enforcement mechanisms. These all seem to be based on the assumption that I am serving http://www.example.com in…
lofidevops
  • 3,550
  • 6
  • 23
  • 32
111
votes
9 answers

Is it safe to send clear usernames/passwords on a https connection to authenticate users?

I'm setting up a home HTTP server which can send and receive JSON data to/from different clients (Android and iPhone apps). I'd like to allow access only to certain users and I'm considering using a simple username/password mechanism, as setting up…
Emiliano
  • 1,213
  • 2
  • 9
  • 6
111
votes
13 answers

Secure way to log in to a website on someone else's computer

Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke…
today
  • 1,081
  • 2
  • 7
  • 8
111
votes
7 answers

What is the difference between Federated Login and Single Sign On?

What is the difference between Federated Login and Single Sign On authentication methods?
c card
  • 1,213
  • 2
  • 9
  • 4
111
votes
5 answers

How to check if an SSH private key has passphrase or not?

Let's say I have access to the private portion of an RSA key pair. How can I check if this key has an associated passphrase or not?
kung
  • 1,309
  • 2
  • 8
  • 9
111
votes
5 answers

What should I do about Gmail ad asking me for password?

I just got a pop-up after having logged on to Gmail. It said it was from https://googleads.g.doubleclick.net and asked for username and password. What should I do about this? Has anyone else seen this? I did press cancel; nothing happened. The only…
morten
  • 881
  • 2
  • 6
  • 5
110
votes
13 answers

Why do sites implement locking after three failed password attempts?

I know the reasoning behind not letting infinite password attempts - brute-force attempts are not a meatspace weakness, but a problem with computer security - but where did they get the number three from? Isn't denial of service a concern when…
Bradley Kreider
  • 6,152
  • 2
  • 23
  • 36