Is it cryptographically insecure to use fixed-length AES-GCM messages?

Are there any weaknesses to encrypting fixed-length messages? Should a random amount of padding be added to the message to decrease the odds of some sort of attack?

Is there anything insecure about opening port 80 just to redirect?

It's a pretty simple question, is there any real network insecurity to opening up port 80 just so I can redirect them to SSL? Currently you have to type https:// just to access one of the sites. Is there anything bad with opening port 80 just to automatically redirect to the same URL on port 443?

Tool(s) for cracking insecure RSA keys

I have a 60-bit RSA public key and a file encrypted with it. Since RSA with keys under 256 bits should be crackable with even limited computational resources, is it possible to obtain the decrypted file? If so, are there any good tools for this?

exploit – JSON.Net insecure deserialization

I have a question in regard to insecure deserialization with the JSON.Net component.
It is my understanding that this component is safe by default unless you specify the TypeNameHandling setting to anything except for none.

However, suppose you do not change the TypeNameHandling setting (so that the default applies), will the following implementation be vulnerable to insecure deserialization (for instance, to achieve RCE)?

JsonConvert.DeserializeObject<dynamic>(jsonModelFromUserinput)

I’m only able to create RCE when the default TypeNameHandling setting is changed.

magento2 – PCI Compliance: Insecure configuration of Cookie attributes

The PCI compliance checking found this issue on our site: “Insecure configuration of Cookie attributes”. Magento Version: 2.3.5-p1

Here are the Default Cookie Settings:

[image: default cookie settings]

The Base URL and Secure Base URL are already using https.

How will we be able to set the secure flag on all cookies to true?

tls – How to block requests in web app when certificate is insecure?

I am developing a web app and wanted it to be secure from attacks from the application layer.

Currently, my website is allowing introspection from Burp Suite-like certificate proxy software. Is there a way to block requests from the frontend whenever we run the website on an insecure certificate?

If that is not possible, can I detect an insecure SSL certificate from the frontend using JS?

Thanks

How do I resolve Mixed Content Insecure Image in SharePoint 2016?

I created the following web applications:

  1. https://webapp

  2. http://mysite

UPSA My Site host is http://mysite

I created an employee directory which shows profile pictures as broken in Chrome (v83). Chrome developer tools show the following error:

Mixed Content: The page at ” was loaded over HTTPS, but requested an insecure image ”. This content should also be served over HTTPS.

I created AAM of Internal url: https://mysite – zone: default – Public URL for Zone: http://mysite and added a binding to mysite in IIS as https://mysite (http://mysite still exists). I also added mysite to allow insecure content in Chrome but images are still broken.

How would I fix this message?

Apple bluetooth keyboard insecure connection?

From time to time, I see this dialog box pop up on my MacBook Pro screen. It typically happens as the computer wakes up from sleep.

Magic keyboard is trying to connect using an unsecured Bluetooth connection. Unsecured Bluetooth accessories can be used to control your computer or gain access to your data.

At this point, the bluetooth keyboard is still connected. Usually, I select “Don’t Allow” in that dialog box, after which the bluetooth keyboard is no longer connected. Then I go to Settings and select the device and connect.

I am partially aware of some problems with Bluetooth devices. Is this something I need to worry about, especially given that an Apple computer is complaining about an Apple keyboard? Could this particular keyboard be “special”?

encryption – Encrypt and decrypt files securely via PBE in Java (Jasypt seems insecure)

Requirements:

  • I have a Java application which among other things has to encrypt / decrypt binary files on the file system. I plan to use PBE (password-based encryption) because the password will be entered by the user each time he uses the app (it is not stored anywhere).
  • I'm not sure if AWS KMS (Key Management System) or Google KMS can help you in any way, but it doesn't matter because remote services are not allowed to be used for this project.

My questions:

  • Are there any Java libraries that will help me meet my needs, in addition to interacting directly with the JCE API (Java Cryptography Extension)? I am not a security expert and I don't want to abuse ECC.
  • I am also open to other ideas that do not use a Java library, however, it should integrate well with my main Java application.

Google Tink:

Tink does not support PBE.

Tink's main developer (Thai Duong) declared it as such. Thai says it is possible to achieve using an internal API (AesGcmJce.java), however, he continues: "This is not recommended as the subtle layer may change without notice". I want a stable solution, so Tink doesn't cut it.

There is an open GitHub problem for adding PBE to Tink.


Jasypt:

Jasypt doesn't seem secure.

If you want to know the details, read on, but it's not mandatory …

Jasypt is supposed to make PBE tasks easier, and the API is very simple, but the default parameter values it uses seem to be those that have not proven to be safe (for example, MD5 and DES). I can configure it manually to use more secure options but the very fact that its default values are not secure makes me wonder what other aspects of the library are not secure.

For example, here are its default values when using the API:

  • Encryption algorithm: PBEWithMD5AndDES
  • No IV generator
  • 64-bit random salt generator using SHA1PRNG (java.security.SecureRandom)
  • KDF using MD5 with 1000 iterations

I can manually modify the default values to obtain the following configuration:

  • Encryption algorithm: PBEWITHSHA256AND256BITAES-CBC-BC
  • 128-bit random IV generator using SHA1PRNG (java.security.SecureRandom)
  • 128-bit random salt generator using SHA1PRNG (java.security.SecureRandom)
  • KDF using SHA256 with 1000 iterations

The API is super simple. Here's how to instantiate the Java object that encrypts and decrypts binary data using the default settings (PBEWithMD5AndDES, etc.):

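import org.jasypt.encryption.pbe.StandardPBEByteEncryptor;

// Default settings: PBEWithMD5AndDES, no IV generator
StandardPBEByteEncryptor binaryEncryptor = new StandardPBEByteEncryptor();
binaryEncryptor.setPassword(password);
byte[] cipherBytes = binaryEncryptor.encrypt(plainBytesArray);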

In order to secure things, I have installed a library called Bouncy Castle which adds many encryption algorithms for use by the JVM. Among the many options, I chose PBEWITHSHA256AND256BITAES-CBC-BC. Similar to the code above, here is how I instantiated the most secure configuration:

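import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jasypt.encryption.pbe.StandardPBEByteEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.salt.RandomSaltGenerator;

// Manually configured: Bouncy Castle provider, AES-256-CBC, random IV and salt
StandardPBEByteEncryptor binaryEncryptor = new StandardPBEByteEncryptor();
binaryEncryptor.setPassword(password);
binaryEncryptor.setProvider(new BouncyCastleProvider());
binaryEncryptor.setAlgorithm("PBEWITHSHA256AND256BITAES-CBC-BC");
binaryEncryptor.setIvGenerator(new RandomIvGenerator());
binaryEncryptor.setSaltGenerator(new RandomSaltGenerator());
byte[] cipherBytes = binaryEncryptor.encrypt(plainBytesArray);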

The library has its own "stronger" encryption classes (StrongBinaryEncryptor, AES256BinaryEncryptor, etc.) but like I said, I have lost confidence in their software (unless you can explain otherwise).


Help me:

Help me 🙂
THX

http – What is the risk of downloading files from an insecure site

Downloading via HTTP is not a problem in itself, but it depends on what you do with the file once the download is complete:

  • If you just delete the file: no problem.
  • If you download an executable from a seemingly trusted site and run it: bad idea as it could have been manipulated during transit or the attacker caused you to access a different server than the one planned.
  • If you know from a secure source that the file has a specific hash or signature and check it successfully after downloading: the problem of manipulation in transit or a bad server is gone.

In your specific case, the files may have a signature which is verified by the program for which they are intended. If you do something else with these files and do not verify the signature, you will not get the associated benefits, but you will have to face the problem of manipulation of the download.

Apart from that: just because something is downloaded via HTTPS, it is not automatically secure either. Only the problem that the download could be manipulated in transit or that you accessed the attackers' server instead has disappeared. It is always possible that the file is already bad on the trusted server because the server has been hacked or you have blindly connected to an arbitrary server to download certain files.