Azure App Service access restrictions – Open to Public but block specific IPs

I’m trying to implement a blacklist/blocklist of IPs in Azure App Service. I created a series of firewall rules that blocked specific IPs, then added a rule that allowed all IPs as a lower-priority rule. My assumption was that the higher-priority deny rules for specific IPs would block, and if none of the deny rules matched, then it would allow.

What I found was that all traffic was still allowed and that the deny rule was ignored. Is denying specific IPs while allowing all other traffic not possible, or do I need to set it up in a different way?

Also, I did try removing the Allow IPs rule, but received a 403 from an IP that wasn’t being blocked.
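Added example, not the poster's configuration or Azure's own code: a small offline model of how App Service access-restriction rules are evaluated. It encodes the documented semantics (rules are checked in ascending priority number, so a lower number wins; the first matching rule decides; and once at least one rule exists, anything that matches no rule hits an implicit Deny-all). Both orderings of the rule set from the question are modelled so you can check which result your priority numbers actually produce; the IPs, names and priorities are constructed samples.

```python
"""
Toy evaluator for Azure App Service access-restriction rules.

Assumptions (documented Azure behaviour, modelled here, not Azure's code):
  * rules are evaluated in ascending priority number (lower = evaluated first)
  * the first rule whose network contains the client IP decides
  * once any rule exists, an implicit Deny-all catches everything else
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first
    action: str         # "Allow" or "Deny"
    cidr: str           # IPv4 or IPv6 network in CIDR notation


def evaluate(rules, client_ip):
    """Return (action, rule_name) that applies to client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        net = ipaddress.ip_network(rule.cidr, strict=False)
        if ip.version == net.version and ip in net:
            return rule.action, rule.name
    # Implicit Deny-all applies as soon as at least one rule is defined.
    return ("Deny", "implicit-deny") if rules else ("Allow", "no-rules")


# Blocklist done right: explicit Deny rules with *low* priority numbers,
# then a catch-all Allow (both address families) with a *high* number.
BLOCKLIST = [
    Rule("block-203.0.113.5", 100, "Deny", "203.0.113.5/32"),
    Rule("block-198.51.100.0-24", 110, "Deny", "198.51.100.0/24"),
    Rule("allow-everyone-ipv4", 65000, "Allow", "0.0.0.0/0"),
    Rule("allow-everyone-ipv6", 65001, "Allow", "::/0"),
]

# Same intent, but the Allow-all carries a lower number than the Deny rules,
# so it is evaluated first and the Deny rules can never be reached.
MISORDERED = [
    Rule("allow-everyone-ipv4", 50, "Allow", "0.0.0.0/0"),
    Rule("block-203.0.113.5", 100, "Deny", "203.0.113.5/32"),
]


def check_blocklist(rules, blocked, allowed):
    """True if every 'blocked' IP is denied and every 'allowed' IP is allowed."""
    return (all(evaluate(rules, ip)[0] == "Deny" for ip in blocked)
            and all(evaluate(rules, ip)[0] == "Allow" for ip in allowed))


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.77", "192.0.2.10", "2001:db8::1"):
        print(ip, evaluate(BLOCKLIST, ip), evaluate(MISORDERED, ip))
    # With only the Deny rules present, an unlisted IP hits the implicit deny.
    print("192.0.2.10 with Deny rules only:", evaluate(BLOCKLIST[:2], "192.0.2.10"))
```

Run the module to see the two outcomes side by side: with the Allow-all numbered above the Deny rules everything is allowed, and with only Deny rules present an unlisted client is rejected by the implicit deny, which is what a 403 for an unblocked IP looks like from the outside.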

address – How can a user or wallet have multiple addresses at all if out of a private key can be generated only a single public key?

A user of a wallet, regardless of the version of the wallet, can generate as many addresses as he wants, right?

Since an address is basically a public key, and in “private-public key” cryptography there’s only one public key that corresponds to a private key, how is generating lots of addresses possible at all?

This question, “Can same private key generate multiple addresses?”, isn’t what I’m asking about.

design – Multilingual sign boards for public and private structures in USA

As there are many languages spoken in the USA, do you recommend having multilingual sign boards created for parks, zoos, museums, restaurants, stores, libraries, offices, etc.?

Multilingual sign board languages, viz. English, Spanish, German, French, etc.

sharepoint online – How do I convert a classic ‘public’ site to a ‘private’ one?

This is a Microsoft 365 ‘Business’ environment.

There’s someone leaving the business in a couple of weeks. The boss wants me to block access to the main SharePoint site for this user until we delete his account. The problem is, the site appears to be ‘public’ and is available to all users by default.

How do I block this user from access?
In Site Settings > Site Permissions > Team Site Members, there’s an entry ‘Everyone except external users’. Can I just replace this with a group that I created myself that has everyone in it except that user, or will that cause problems elsewhere in SharePoint? Or is there an easier way to do this?

I’ve spotted a lot of online resources hinting that there’s an option to flip a site between public and private, but that seems to only be available for ‘modern’ sites. This one is ‘classic’ and the option doesn’t appear to be there.

As an alternative, as it’s just one user who will be deleted from the system in a couple of weeks, is it possible to simply ‘deny’ him somehow? I know this is bad practice, but converting a whole site just for one person for 2 weeks seems a bit overkill.

public transport – Is there still a ferry between Gozo and Comino?

It would be most convenient for me to travel from Gozo to Comino rather than from Malta, but the two guide books I found, one updated in 2019 and the other in 2020, only mention one from Malta. There are some mentions of the route online, but I cannot find anything that confirms it is currently (summer 2020) operating. A screenshot from Google Maps does not show such a path:

[Screenshot from Google Maps omitted.]

Is there currently a ferry going from Gozo to Comino and back? If so, what is its schedule?

hash – Is using Argon2 with a public random on client side a good idea to protect passwords in transit?

Not sure if this belongs in Crypto SE or here, but anyway:

I’m building an app and I’m trying to decide whether it is secure to protect user passwords in transit, in addition to the TLS we already have.

On the server side, we already have bcrypt properly implemented; it takes the password as an opaque string, salts and peppers it, and compares it with/adds it to the database.

Even though SSL is deemed secure, I want to stay on the “server never sees plaintext” and “prevent MITM eavesdropping from sniffing plaintext passwords” side of things. I know this approach doesn’t change anything about authentication; anyone with whatever hash they sniff can still log in. My concern is to protect users’ plaintext passwords before they leave their device.

I think Argon2 is normally the go-to option here, but I can’t have a salt with this approach. If I have a random salt on the client side that changes every time I hash my plaintext password, I can’t authenticate, because my server just accepts the password as an opaque string. Because of my requirements, I can’t have a deterministic “salt” either (not sure if that can even be called a salt in this case): e.g. if I used the user ID, I don’t have it while registering, and I can’t use the username or email either because there are places where I don’t have access to them, such as while resetting the password. So my only option is using a static key baked into the client. I’m not after security by obscurity by baking a key into the client; I’m just trying to make it harder for an attacker to use a hash table for plaintext passwords. I think it’s still a better practice than sending the password in plaintext or using no “salt” at all, but I’m not sure.

Bottom line: compared to sending passwords in plaintext (which is sent over TLS anyway, but to mitigate against the server seeing plaintext passwords and against MITM with fake certificates), is it okay to use Argon2 with a public but random value as the “salt” to hash passwords, to protect user passwords in transit? Or am I doing something terribly wrong?
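Added example, not the poster's code: the flow described in the question, with a client-side pre-hash under a static public "salt" and a server that treats the received value as an opaque string, adds its own per-user random salt and a pepper, and stores a slow hash. The stand-ins are assumptions so that it runs on the standard library alone: hashlib.scrypt plays the role of Argon2 on the client and PBKDF2-HMAC-SHA256 plays the role of bcrypt on the server; the user, password and pepper are constructed. The last check in demo() shows the property the question already concedes: whatever leaves the client is a password equivalent, so a captured pre-hash replays successfully.

```python
"""
Client-side pre-hash with a public static "salt", server-side salt + pepper.

Assumptions (stand-ins, not the libraries the question names):
  * hashlib.scrypt stands in for Argon2 on the client
  * PBKDF2-HMAC-SHA256 stands in for bcrypt on the server
  * the pepper is generated at import time; a real server loads it from a secret store
"""
import hashlib
import hmac
import os

CLIENT_PUBLIC_SALT = b"example-app-v1"   # baked into the client; public, not secret
SERVER_PEPPER = os.urandom(32)           # constructed here; server-only secret
SERVER_ITERATIONS = 100_000


def client_prehash(password: str) -> bytes:
    """Value the client sends instead of the plaintext password.
    Deterministic for a given password, so the server can compare it."""
    return hashlib.scrypt(password.encode("utf-8"), salt=CLIENT_PUBLIC_SALT,
                          n=2**14, r=8, p=1, dklen=32)


def _server_hash(opaque: bytes, salt: bytes) -> bytes:
    """Pepper the opaque client value, then slow-hash it under a per-user salt."""
    peppered = hmac.new(SERVER_PEPPER, opaque, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, SERVER_ITERATIONS)


def register(db: dict, username: str, opaque: bytes) -> None:
    salt = os.urandom(16)                # per-user random salt lives on the server
    db[username] = (salt, _server_hash(opaque, salt))


def login(db: dict, username: str, opaque: bytes) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _server_hash(opaque, salt))


def demo() -> dict:
    """Run registration and login once and report the security-relevant properties."""
    db = {}
    password = "correct horse battery staple"      # constructed sample
    sent_at_signup = client_prehash(password)
    register(db, "alice", sent_at_signup)
    sent_at_login = client_prehash(password)
    return {
        "prehash_is_not_plaintext": sent_at_signup != password.encode("utf-8"),
        "prehash_is_deterministic": sent_at_signup == sent_at_login,
        "login_ok": login(db, "alice", sent_at_login),
        "wrong_password_rejected": not login(db, "alice", client_prehash("wrong")),
        # A value sniffed in transit is a password equivalent: replaying it logs in.
        "replayed_capture_accepted": login(db, "alice", sent_at_signup),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The server never sees the plaintext, and an offline attacker who obtains the database still has to go through both the client KDF and the server's salted, peppered hash per guess; what the scheme does not change is that the pre-hash itself must be protected in transit exactly as the plaintext would be.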

Assign values of public keys from textboxes using NBitcoin

How do I assign the Textbox1.Text value to bob.PubKey in the code below so that public key values can be taken from the user at run time? I tried a few things but nothing worked.

Imports NBitcoin

Public Class Form1

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        ' Key.PubKey is read-only, so a public key typed by the user cannot be
        ' assigned to a Key object. Build a PubKey directly from the hex string
        ' in the text box instead (33-byte compressed or 65-byte uncompressed key).
        Dim bobPub As New PubKey(TextBox1.Text.Trim())

        ' The other two keys are still generated here; read them from further
        ' text boxes in the same way once the user supplies them.
        Dim alice As New Key
        Dim satoshi As New Key

        ' 2-of-3 multisig redeem script over the three public keys
        Dim redeemScript As Script = PayToMultiSigTemplate.Instance.GenerateScriptPubKey(2, {bobPub, alice.PubKey, satoshi.PubKey})

        ' P2SH address of the redeem script on testnet
        Label1.Text = redeemScript.Hash.GetAddress(Network.TestNet).ToString()

    End Sub
End Class

amazon s3 – Are public website s3 buckets vulnerable to DDoS attacks?

We are trying to make our web app as cost-effective and secure as we can. For that reason we are using Cloudflare instead of CloudFront as a CDN for our frontend resources, but we put CloudFront between Cloudflare and S3 to be able to use Full SSL (strict), which is needed because we have a subdomain for API Gateway, which needs it to avoid the infinite loops generated when using Cloudflare Flexible SSL.

The problem is that the AWS documentation on connecting S3 with CloudFront for website hosting instructs you to allow public access to the bucket contents (1), while Cloudflare recommends restricting access to Cloudflare server IPs to disallow public requests to the website buckets (2, 3).

Specifically, we want to be able to use Cloudflare’s free DDoS protection effectively, avoiding potentially high costs related to receiving DDoS attacks directly on our AWS-deployed resources, and the need to use other non-free services such as AWS WAF.

So my question is: given an architecture using Cloudflare, CloudFront and an S3 website bucket with a public-access bucket policy, is there a DDoS vulnerability, specifically with respect to CloudFront and S3 not being properly protected by Cloudflare?

architecture – Architecting multiple codebases calling our public API + private API for first-party applications

Currently, we have the issue where we have two codebases (API & Website) calling the same database (along with some duplicate business logic) and we want to streamline this so all requests are routed via our API. We have a public REST API, and we have a website. Some functionality of the website is achievable through the public API, but some will need to come from a private API that only our secure backend can access.

Our website will be re-created as an embedded web app that can be put anywhere and calls our public APIs (think a lightweight React/Vue project). However, for the official web app running under our domain we will need extra special privileges, such as doing specific admin-related tasks that only we should be able to do (thus requiring a private API). This has led me to create the architecture below:

[Architecture diagram omitted.]

This architecture achieves the following:

  • Single source of truth (our API) that talks to the database.
  • Only the Web App under our domain has any concept of the private API, and even if the code was inspected, requests would be opaque as they are just routed to a secure backend.
  • Allows us to roll out future first-party projects that can use the same secure backend.

Is this a good approach? Are there some big pitfalls I’m missing? Also, I plan on making the Official Web App and the Secure Backend two separate codebases, as ideally we would like to swap out the official web app (frontend) with some other arbitrary first-class project and expect it to operate in a similar fashion. It should also be noted that the private API will be part of the same codebase as the public API, just with private endpoints exposed so it can access a lot of the business rules it needs.

(Also please excuse my incorrect use of GCP icons).

public key infrastructure – Reused key issue in Asymmetric Encryption

We often hear about the reused key issue in block ciphers.

For example, for a picture being encrypted by the electronic codebook mode, we will still see the shape of the picture.

So that is why we need an initialization vector to increase the randomization. That is why CBC, OFB, CFB and CTR came into the world. Session keys and block cipher keys should not be used repeatedly. Repeated use will give hints to a sniffer, as they might find some pattern.

So here is my question: why do we seldom hear about the reused key issue in PKI or asymmetric encryption, even though PKI does nothing about an initialization vector?
If I have the same plaintext, every time I use the same public key to encrypt, I will still get the same ciphertext.

My answer is that PKI is always used in key exchange, and the key is always a random number, so it will be hard for a sniffer to get the same ciphertext.
But in case PKI one day becomes the session key, some further mechanism has to be added.

Can someone help to comment on my thoughts?
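Added example, not from the post: what the ECB-style leak looks like for a public-key scheme, and what the public-key analogue of an IV is. Textbook RSA (raw modular exponentiation) is deterministic, so two encryptions of the same plaintext under the same public key are identical and an eavesdropper learns that two messages are equal. Deployed RSA does not encrypt the raw message; RSA-OAEP and RSA-PKCS#1 v1.5 mix fresh random bytes into every encryption. The toy "random prefix" padding below stands in for that randomised padding and is an assumption of this example, as are the tiny hard-coded primes, which make the modulus far too small to be secure.

```python
"""
Deterministic (textbook) RSA beside a randomised variant.

Assumptions of this toy:
  * P and Q are small primes chosen so the example runs instantly (insecure)
  * the random-prefix padding illustrates the idea behind OAEP/PKCS#1 v1.5
    randomisation; it is not either of those schemes
"""
import os

P, Q = 104729, 1299709          # toy primes; real keys use 1024-bit+ primes
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)             # modular inverse, Python 3.8+

MSG_BITS = 16                   # message width in the padded variant
PAD_BITS = 20                   # random prefix width; (r << 16 | m) < N for all r, m


def textbook_encrypt(m: int) -> int:
    """Raw RSA: same m and same public key always give the same c."""
    if not 0 <= m < N:
        raise ValueError("message out of range")
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def padded_encrypt(m: int) -> int:
    """Randomised: a fresh random prefix is packed in front of the message,
    so the value handed to the trapdoor differs on every call."""
    if not 0 <= m < (1 << MSG_BITS):
        raise ValueError("message out of range")
    r = int.from_bytes(os.urandom(3), "big") & ((1 << PAD_BITS) - 1)
    return textbook_encrypt((r << MSG_BITS) | m)


def padded_decrypt(c: int) -> int:
    """Strip the random prefix after the trapdoor step."""
    return textbook_decrypt(c) & ((1 << MSG_BITS) - 1)


def ciphertexts_are_linkable(encrypt, m: int, trials: int = 8) -> bool:
    """True if repeatedly encrypting m yields one identical ciphertext,
    i.e. an eavesdropper can tell that two messages were equal."""
    return len({encrypt(m) for _ in range(trials)}) == 1


if __name__ == "__main__":
    m = 4242                                       # constructed sample message
    print("textbook linkable:", ciphertexts_are_linkable(textbook_encrypt, m))
    print("padded   linkable:", ciphertexts_are_linkable(padded_encrypt, m))
    print("padded round-trip:", padded_decrypt(padded_encrypt(m)) == m)
```

The randomness lives inside the padding rather than in a separate IV, which is why a public-key API has no IV parameter yet still produces a different ciphertext each time; with a 20-bit prefix the toy can in principle repeat a ciphertext by chance, whereas OAEP's seed is a full hash-length random string.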