Updated Answer If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1 then MakeCert is now deprecated, and Microsoft recommends using the PowerShell Cmdlet New-SelfSignedCertificate. If you’re using an older version such as Windows 7, you’ll need to stick with MakeCert or another solution. Some … Read more
Here is a very simplified explanation: Your web browser downloads the web server’s certificate, which contains the public key of the web server. This certificate is signed with the private key of a trusted certificate authority. Your web browser comes installed with the public keys of all of the major certificate authorities. It uses this … Read more
The point of rainbow tables is that they’re created in advance and distributed en masse to save calculation time for others – it takes just as long to generate rainbow tables on the fly as it would to just crack the password+salt combination directly (since effectively what’s being done when generating rainbow tables is pre-running … Read more
OK, let me put this bluntly: if you’re putting user data, or anything derived from user data into a cookie for this purpose, you’re doing something wrong. There. I said it. Now we can move on to the actual answer. What’s wrong with hashing user data, you ask? Well, it comes down to exposure surface … Read more
The GET request is marginally less secure than the POST request. Neither offers true “security” by itself; using POST requests will not magically make your website secure against malicious attacks by a noticeable amount. However, using GET requests can make an otherwise secure application insecure. The mantra that you “must not use GET requests to … Read more
Some of the those leaving comments on other answers have noted that setting System.Net.ServicePointManager.SecurityProtocol to specific values means that your app won’t be able to take advantage of future TLS versions that may become the default values in future updates to .NET. Instead of specifying a fixed list of protocols, do the following: For .NET … Read more
This is a very good question and sadly many developers don’t ask enough questions about IIS/ASP.NET security in the context of being a web developer and setting up IIS. So here goes…. To cover the identities listed: IIS_IUSRS: This is analogous to the old IIS6 IIS_WPG group. It’s a built-in group with it’s security configured … Read more
My favourite CAPTCHA ever:
Hashing a password once is insecure No, multiple hashes are not less secure; they are an essential part of secure password use. Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from … Read more
The Apache docs recommend against using a rewrite: To redirect http URLs to https, do the following: <VirtualHost *:80> ServerName www.example.com Redirect / https://www.example.com/ </VirtualHost> <VirtualHost *:443> ServerName www.example.com # … SSL configuration goes here </VirtualHost> This snippet should go into main server configuration file, not into .htaccess as asked in the question. This article … Read more