Most Popular

1500 questions
294
votes
11 answers

"Diffie-Hellman Key Exchange" in plain English

Can someone explain what the Diffie-Hellman Key Exchange algorithm is in plain English? I have read that Twitter has implemented this technology which allows two parties to exchange encrypted messages on top of a non-secured channel. How does that…
user15119
282
votes
11 answers

Why shouldn't we roll our own?

Why shouldn't we create our own security schemes? I see a lot of questions around here about custom crypto and custom security mechanisms, especially around password hashing. With that in mind, I'm looking for a canonical answer, with the following…
Polynomial
282
votes
3 answers

How did "tech-supportcenter" phishers trick Google?

Related: Is the Web browser status bar always trustable? How can Google search change the location in a URL tooltip? I've always thought you can "hover" over a link to see where it really goes, until today. A coworker (working from home) searched…
browly
265
votes
7 answers

Password Hashing: add salt + pepper or is salt enough?

Please Note: I'm aware that the proper method for secure password storage hashing is either scrypt or bcrypt. This question isn't for implementation in actual software, it's for my own understanding. Related How to apply a pepper correctly to…
Jacco
262
votes
4 answers

How does Google Authenticator work?

Google Authenticator is an alternative to SMS for 2Step verification, installing an app on Android where the codes will be sent. It works without any connectivity; it even works on plane mode. This is what I don't get. How is it possible that it…
260
votes
11 answers

How to explain Heartbleed without technical terms?

Most of my friends who are not experienced in computers want to know what Heartbleed is and how it works. How would one explain Heartbleed to someone without a technical background?
user36976
259
votes
7 answers

How do certification authorities store their private root keys?

Knowledge of a CA private key would allow MitM attackers to transparently supplant any certificates signed by that private key. It would also allow cyber criminals to start forging their own trusted certificates and selling them on the black…
258
votes
17 answers

Provide subjectAltName to openssl directly on the command line

Is it possible to provide a subjectAltName-Extension to the openssl req module directly on the command line? I know it's possible via an openssl.cnf file, but that's not really elegant for batch-creation of CSRs.
Michael Seiwald
258
votes
5 answers

Consequences of the WPA2 KRACK attack

Today new research was published on vulnerabilities in wireless network security called Krack. What are the real-world consequences of these attacks for users and owners of wireless networks, what can an attacker actually do to you? Also is there…
Rory McCune
256
votes
8 answers

Why are salted hashes more secure for password storage?

I know there are many discussions on salted hashes, and I understand that the purpose is to make it impossible to build a rainbow table of all possible hashes (generally up to 7 characters). My understanding is that the random salted values are…
Tsyras
255
votes
12 answers

Why are hash functions one way? If I know the algorithm, why can't I calculate the input from it?

Why can't a password hash be reverse engineered? I've looked into this ages ago and have read lots on it, but I can't find the explanation of why it can't be done. An example will make it easier to understand my question and to keep things simple we…
Mucker
254
votes
2 answers

Can ads on a page read my password?

Disclaimer: I have minimal web-dev/security knowledge so please answer as if talking to a "layman." I've heard that web-advertisements need to be able to run their own JavaScript so that they can verify they're being viewed by "real users." As this…
scohe001
254
votes
5 answers

Is the save button delay in a Firefox download dialog a security feature? What does it protect?

When I click to download a file through Firefox, a dialog window appears asking me whether I want to save the file somewhere or open it immediately once downloaded. The OK button in the dialog window starts disabled, and doesn't enable until the…
Numeron
250
votes
10 answers

How is the "WannaCry" Malware spreading and how should users defend themselves from it?

There's a new strain of attacks which is affecting a lot of systems around the world (including the NHS in the UK and Telefonica in Spain) which is being called "WannaCry" amongst other names. It seems to be both a standard phishing/ransomware…
Rory McCune
248
votes
4 answers

SSL3 "POODLE" Vulnerability

Canonical question regarding the recently disclosed padding oracle vulnerability in SSL v3. Other identical or significantly similar questions should be closed as a duplicate of this one. What is the POODLE vulnerability? I use…
tylerl