security – Page 3 – Tarik Billa

How to store ansible_become_pass in a vault and how to use it?

December 12, 2023 by Tarik

You need to create some vaulted variable files and then either include them in your playbooks or on the command line. If you change your inventory file to use a variable for the become pass this variable can be vaulted: [my-servers] san-francisco ansible_host=san-francisco ansible_ssh_user=user ansible_become_pass=”{{ sanfrancisco_become_pass }}” san-diego ansible_host=san-diego ansible_ssh_user=user ansible_become_pass=”{{ sandiego_become_pass }}” Then use … Read more

Best long term choice: JSONP vs EasyXDM

December 11, 2023 by Tarik

Disclaimer: I’m the main author of easyXDM. It is actually not easy to answer this directly, as there are many things to consider. First, lets compare easyXDM and JSONP outside the scope of the question. JSONP allows a client side program (Javascript using the BOM/DOM) to interact with a server side program(.net, php etc using … Read more

Does it make security sense to hash password on client end

December 9, 2023 by Tarik

No. When the client sends something, whether it is P or H(P) or H(H(P)) anyone who intercepts this can simply resend the exact same thing, thus making any function like this equivalent to using the password directly. That’s why you should use a nonce; The server can give out some random garbage k and the … Read more

Does HTML5 allow you to interact with local client files from within a browser

December 6, 2023 by Tarik

No, not directly at least. However, you have a number of choices here. Currently your best choices are: Drag and drop files from desktop, see a tutorial. (Link disabled for malware/phishing) Use input type file. Read the contents with the File API or submit the form. Read more on Mozilla Developer Center about reading the … Read more

How is it possible to access memory of other processes?

December 5, 2023 by Tarik

In all likelyhood, the tool uses ReadProcessMemory or some variant, which requires PROCESS_VM_READ access. With respect to your “malicious” comment, remember that you (or the process invoking this API, which likely needs Administrator-level permissions) already has total control over the machine. The security game is already lost at this point.

Do OAuth2 access tokens for a mobile app have to expire?

December 4, 2023 by Tarik

The difference between a refresh token and a non-expiring access token in means of security is one additional call to the authorization server. If an attacker gains access to your non-expiring access token, he can directly call your resource server and get confidential data as response. Now if he steals your refresh token, he first … Read more

Using HMAC-SHA1 for API authentication – how to store the client password securely?

December 4, 2023 by Tarik

This is the downside of symmetric-key challenge-response style authentication – you don’t put the secret on the wire, but you have to store the secret at both ends. (HMACs are symmetric key systems). Note though that it’s not a password – it’s a shared secret. There’s a fundamental difference here – a password is generally … Read more

The data protection operation was unsuccessful on Azure using OWIN / Katana

November 29, 2023 by Tarik

What is the appropriate way to manage API secrets within a Google Apps script?

November 28, 2023 by Tarik

There is no right or wrong answer. There are numerous factors to consider: If this is for/in G-Suite, then your G-Suite admins’ll have (or can get) access to anything. This may or may not be an issue. If you put the data in a sheet, anyone that has read access to the sheet can see … Read more

What’s the purpose of the client secret in OAuth2?

November 26, 2023 by Tarik

Client Secret was used in OAuth 1.0 to sign the request, so it was required. Some OAuth2 servers (such as Google Web Server API) required the client secret to be sent to receive the access token (either from request token or refresh token). OAuth 2.0 has reduced the role of the client secret significantly, but … Read more