jww is right — you’re referencing the wrong intermediate certificate. As you have been issued with a SHA256 certificate, you will need the SHA256 intermediate. You can grab it from here: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
Ah, I love these questions – maintaining a session without a session. I’ve seen multiple ways to do this during my stints during application assessments. One of the popular ways is the playing tennis way that you mentioned – sending the username and password in every request to authenticate the user. This, in my opinion, … Read more
RedirectMatch as in e.g. RedirectMatch 404 /\. does the trick, it prohibits access to all files or directories starting with a dot, giving a “404 Not Found” error. From the Apache manual: “The Redirect[Match] directive maps an old URL into a new one by asking the client to refetch the resource at the new location.” … Read more
Decrypting the Authentication Cookie without needing the keys It’s worth noting that you don’t need to gain access to the keys to decrypt the authentication cookie. You simply need to use the right IDataProtector created with the right purpose parameter, and subpurpose parameters. Based on the CookieAuthenticationMiddleware source code https://github.com/aspnet/Security/blob/rel/1.1.1/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationMiddleware.cs#L4 it looks like the purpose … Read more
Bruce Schneier has a good response to this kind of problem. Cryptography is not the solution to your security problems. It might be part of the solution, or it might be part of the problem. In many situations, cryptography starts out by making the problem worse, and it isn’t at all clear that using cryptography … Read more
SSL will protect the query parameters in transit; however, email itself is not secure, and the email could bounce along any number of servers before getting to its destination. Also depending on your web server the full URL might get logged in its log files. Depending on how sensitive the data is you might not … Read more
I like the XSRF Double Submit Cookies method which mentioned in the article that @pkid169 said, but there is one thing that article doesn’t tell you. You are still not protected against XSS because what the attacker can do is inject script that reads your CSRF cookie (which is not HttpOnly) and then make a … Read more
Almost everywhere you look, people refer to the about:config and the security.fileuri.strict_origin_policy. Sometimes also the network.http.refere.XOriginPolicy. For me, none of these seem to have any effect. This comment implies there is no built-in way in Firefox to do this (as of 2/8/14).
The article mentioned by sgbj in the comments written by Google’s Paul Turner explains the following in much more detail, but I’ll give it a shot: As far as I can piece this together from the limited information at the moment, a retpoline is a return trampoline that uses an infinite loop that is never … Read more
It doesn’t decode an MD5 hash. It uses what’s called a rainbow table… That’s why it’s so important to use salted hashes instead of storing the hash directly…