man in the middle – Server SSH fingerprint verification when authenticating with private key

Assume I passed on my public key to a service provider for them to set up a “new” server and configure it for private key authentication (instead of root password).

Is the server fingerprint verification during my initial connection to the server still necessary and/or helpful against MITM or any other attack?

I realize that verifying the server’s fingerprint initially when using password authentication is absolutely sensible. But I don’t understand the SSH protocols well enough to see, if this still makes sense if I never use a password at all.

Wouldn’t a successful first-time authentication with my key imply that the server has my public key and is, therefore, the right one? Or is there still a way to perform a MITM attack in such a scenario? Is there any qualitative difference between this scenario and a first-time authentication with a password?

transaction verification – Details of SPV clients

  1. I found out that SPV has no mempool, but although SPV client is participating in transaction verification. So, what happens when node verifies transaction? Is SPV client checking only owner’s outgoing transactions?

That depends on what you mean by “verification”. SPV clients cannot and do not verify the validity of transactions themselves; they can only verify that they were included in a block, relying on the assumption that miners would not waste their energy on creating a block with invalid transactions in it.

  1. Transaction that SPV client is trying to verify has block hash as a reference where did a transaction came from? That’s how SPV client knows in which block to search for target transaction when SPV asks full node for part of Markle tree. Is this correct?

Transactions do not (and cannot) contain a hash of the block they’re contained it; that would be a cyclic dependency. I don’t understand the rest of this question.

  1. SPV client asks full node client for hashes inside Merkle Tree, so he can reconstruct the part of the tree of his interest and that way check if transaction is really in the block that transaction is referring to.

When using BIP37, the client sends a Bloom filter of which scripts/addresses/utxos they’re interested in, and then requests blocks. The server responds with filtered blocks, containing only the matching transactions, plus efficient Merkle proofs that those transactions are actually in a block with the claimed hash.

  1. If I’m on a right path, how does bloom filters help in increasing of level of privacy since SPV client still needs to ask full node client for a transaction by its hash?

BIP37 bloom filters are primarily a way to improve efficiency – it means that with little bandwidth overhead, the server knows what to not send to the client. It was intended to optionally offer some moderate level of privacy, because a client can choose to send an overly broad filter, resulting in false positives. It has since been discovered that this basically offers no privacy at all, due to correlation the server can still observe between requested things.

transaction verification – How are transations validated?

As per my understanding whenever someone sends a bitcoin it gets added to the transaction pool. The miner then take these transactions from the pool and add it to the block. However, I wanted understand
(a) how does the transactions by themselves get validated.
So if Bob sends 2 bitcoin but he doesn’t have that many bitcoins then how is this transaction validated.
(b) If the transaction are validated by the wallets cant the wallets be hacked and manipulated.

Transaction verification scripts – Bitcoin Stack Exchange

I’m working on a Bitcoin thesis for my master’s degree and i have some doubts of my understanding how bitcoin transaction works, so please correct me in everything i got wrong. Sorry for really long question, this is only my second posting, but i have so many wholes in my understanding of this.
Ok, so:

  1. Persons A and B are Bitcoin network nodes. A wants to send bitcoins to B. He (his wallet) needs to create transaction to do so.
  2. Every transaction has inputs and outputs and inputs of every transaction are just references to some previous outputs of some other, older, transaction that someone made towards A. After bitcoins arrived for A they reside in his UTXO (every single person in network has their own UTXO database with their own collection of unspent outputs related to address they are in control of).
  3. To send bitcoins A needs to resolve the puzzle given in scriptPubKey of previous transaction’s output by using his scriptSig which his wallet generates upon making a transaction. Basically A just needs to confirm that he is in control of private key that is related to public key and therefor to Bitcoin address of his wallet.
  4. B receives bitcoins, his wallet stores them in UTXO, and they just lay there until B decides to send those bitcoins further.
  5. And circle goes on. I skipped detail about change address because i its not relevant for this question.

If we are talking about p2pkh:
Puzzle scriptPubKey that A needs to solve (along with other operators) contains publicKeyhash, operator OP_HASH160 and operator OP_EQUALVERIFY that should compare value of publicKeyHash with public hashed key of person A (public key is included in his scriptPubKey, so taking the operator OP_HASH160 will produce hash of public key).
But how the person that sent bitcoins to A knows value of publicKeyHash so he can populate his scriptPubKey? My assumption is that he reverse steps of generating Bitcoin address, by decoding it with Base58 and taking out the control bit? But i couldn’t find confirmation of this online, sorry if missed it.


If we are talking about m of n transaction:
Assume that A is controlling an address that requires multisig for future use of bitcoins.
Someone wants to send A bitcoins and needs to create scriptPubKey and it should look like this
:
m pubKey_1, pubkey_2, …pubKey_m n OP_CHECKMULTISIGVERIFY
How does the person that wans to send A bitcoins knows public keys of people that are related to A’s bitcoin address? And further more, how does he knows the value of ‘m’? Isn’t it logical that A determines what is the minimal number of signatures? If i understood this transaction has no use no more, but still i want to understand how did it work.


If we are talking about P2SH:
if A is in control of P2SH address, how does the scriptPubKey looks for person that creates transaction towards A? Does that person needs to be in control of P2SH?

When A wants to send bitcoins, I understand that whole scriptSig now contains the scriptPubKey operators and operands, but new generated scriptPubKey is now the part that confuses me.

OP_HASH160 hash(scriptSig) OP_EQUAL should be the look of scriptPubKey.
And person that receives bitcoins from A should know how to solve this. But my question is how? How can he solve this when his scriptSig will be different than one written down in scriptPubKey. I know im missing a lot here since this protocol is wide popular, and to me is not making any sense.


Last question:
What is the correct moment of verifying this scripts and transaction itself. As i said above, i assume scriptPubKey and scriptSig, after they are concatenated are evaluated when person wants to send bitcoins. But what happens to transaction after that? Does it travel around the network and other client wallets verify them by checking sender’s UTXO base (which is available for everyone?). Is there any additional checks by those other nodes?
After checking is done is it only then that transaction goes to memory pool and waits there until miner picks it up?
After miner include it in block, is transaction checked again trough some protocol that is checking the block?
Does miner checks the transaction himself again?
Again, sorry for a lot of questions and thank you in advance. Stay healthy.

dns – Why letsencrypt certificate generation not done like domain verification done by GSuite?

If you have to do manual work with certbot, you aren’t doing it right. Certbot is designed to be automated. Introducing anything manual into the process isn’t a good idea. Having to perform a manual task every 3 months is easy to mess up or forget. At some point your certificate is going to expire and your visitors to your site will get errors.

You don’t say where your DNS is hosted, but there are many plugins for certbot that automate the process. I use AWS Route 53 for DNS. I generate an encrypted key pair that allows scripts to add DNS records to be added to my zones. Then I use the dns-route53 certbot plugin to automatically add those records when it runs. I have certbot running in a cron job periodically and I never have to manually do any verification or manually install certificates.

The certbot user guide lists the following plugins for various DNS providers:

  • dns-cloudflare: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
  • dns-cloudxns: Obtain certificates using a DNS TXT record (if you are using CloudXNS for DNS).
  • dns-digitalocean: Obtain certs using a DNS TXT record (if you are using DigitalOcean for DNS).
  • dns-dnsimple: Obtain certificates using a DNS TXT record (if you are using DNSimple for DNS).
  • dns-dnsmadeeasy: Obtain certificates using a DNS TXT record (if you are using DNS Made Easy for DNS).
  • dns-gehirn: Obtain certificates using a DNS TXT record (if you are using Gehirn Infrastructure Service for DNS).
  • dns-google: Obtain certificates using a DNS TXT record (if you are using Google CloudDNS for DNS).
  • dns-linode: Obtain certs using a DNS TXT record (if you are using Linode for DNS).
  • dns-luadns: Obtain certificates using a DNS TXT record (if you are using LuaDNS for DNS).
  • dns-nsone: Obtain certificates using a DNS TXT record (if you are using NS1 for DNS).
  • dns-ovh: Obtain certificates using a DNS TXT record (if you are using OVH for DNS).
  • dns-rfc2136: Obtain certificates using a DNS TXT record (if you are using BIND for DNS).
  • dns-route53: Obtain certificates using a DNS TXT record (if you are using AWS Route53 for DNS).
  • dns-sakuracloud: Obtain certificates using a DNS TXT record (if you are using Sakura Cloud for DNS).

With certbot and Let’s Encrypt I would recommend making the renewal process automatic even if it means:

  • Switching to a DNS provider with a certbot plugin
  • Scripting the DNS records for your own provider
  • Switching to the older HTTP verification method and automating that.

validation – Requirement Verification – Software Engineering Stack Exchange

According to what I understand, Requirement validation involves going over the SRS to ensure the requirements is correct with respect to user needs.

1- Could you help clarify verifiable requirement (checked during validation)?
2- What is the difference between “requirement verification” and “requirement validation”?

An example to clarify the concepts would be great. Thanks

solution verification – Prove: For all sets A and B, ( A ∩ B = A ∪ B ⇒ A = B )

In the upcoming proof, we make use of the next lemma.

Lemma: For all sets A and B, (A = B ⇔ A – B = B – A )

Proof: Let A and B be arbitrary sets and let S = A ∩ B and T = A ∪ B. If S = T, then S and T have got the same elements. Thus, by simplification law, Towe can state that

∀ x ∈ A ∪ B ( x ∈ A ∩ B ) (1)

To proof A = B we might as well harness our lemma and establish that A – B = A – B, which we can be verified through the axiom of extension by showing that ∀ y ∈ A – B( y ∈ B – A ) and ∀ y^* ∈ B – A (y^* ∈ A – B ). So, let

y ∈ A – B (2)

and let
y^* ∈ B – A (3)

From (2) we rest assured that y∈A and y∉B. Furthermore, by (1) we know that

y ∈ A ∧ y ∈ B (4)

Nonetheless (4) is an antilogy since from (2) we deduced, inter alia, that y∉B. Notice thus far we are trying to prove that (3) and F implies y ∈ B – A and y^* ∈ A – B. Therefore, it’s vacuously true that

A = B

Q.E.D

I believe I could’ve done this proof more easily by using the contrapositive method, but my question is, is this proof right?

I will verify your 10000 emails for $3

I will verify your 10000 emails

Hi, I will verify all your emails and provide you all verified, and unverified emails differently on an Excel sheet.

I’m an expert on it. I have premium tools bought for verifying emails. So, I ensure you best service and your satisfaction guarantee.

I will verify and provide the result within your timeframe.

Kind Regards!

.

Software Requirement Verification

I am looking for a good book, paper or online tutorial that discusses the topic of "requirement validation and verification" in detail. Please note emphasis is on requirement. Any help is greatly appreciated.

event subscriber – Age verification does not redirect to intended language

I have a multi-lingual site and found an age verification module which am trying to tweak.
If I select the English option, the age gate redirects to the global site as intended. However, if I choose a different language, the site redirects back to the age-gate page.

The submitForm method looks like this:

public function submitForm(array &$form, FormStateInterface $form_state) {

  $age = $this->checkAge($form_state);
  if ($age < 18) {
    setcookie('age_gate_fail', 1, strtotime( '+1 days' ), "https://drupal.stackexchange.com/");
    $welcome = newSymfonyComponentHttpFoundationRedirectResponse('https://google.com');
    $welcome->send();

  } else {

    // Add TRUE to session age_verified.
    $session = Drupal::request()->getSession();
    $session->set('age_verified', 1);

    setcookie('age_gate_ok', 1, strtotime( '+1 days' ), "https://drupal.stackexchange.com/");
    setcookie('age_gate_country', $form_state->getValue("country"), strtotime( '+1 days' ), "https://drupal.stackexchange.com/");
    setcookie('day', $form_state->getValue("day"), strtotime( '+1 days' ), "https://drupal.stackexchange.com/");
    setcookie('month', $form_state->getValue("month"), strtotime( '+1 days' ), "https://drupal.stackexchange.com/");
    setcookie('year', $form_state->getValue("year"), strtotime( '+1 days' ), "https://drupal.stackexchange.com/");

    if(Settings::get('local_env')) {

      // Add a redirect to requested page. Using $form_state built in redirects.
      $redirect = $session->get('age_verification_path');
      if (!empty($redirect)) {
        $form_state->setRedirect($redirect);
        $form_state->setRedirect("/{$form_state->getValue("language")}");
      }

      $form_state->setRedirect('<front>');

    } else {

      if($form_state->getValue("language") == 'en') {
        $form_state->setRedirect('<front>');
      } else {
        $host = Drupal::request()->getHost();
        $welcome = newSymfonyComponentHttpFoundationRedirectResponse("http://$host/{$form_state->getValue("language")}");
        $welcome->send();
      }
    }
  }
}

The module comes with the EventSubscriber and the content inside is as follows:

<?php

/**
*
* Contains Drupalage_verificationEventSubscriberpathGate.
*/

// Declare the namespace for our own event subscriber.
namespace Drupalage_verificationEventSubscriber;

use SymfonyComponentHttpFoundation;
use SymfonyComponentHttpFoundationRedirectResponse;
use SymfonyComponentHttpKernelKernelEvents;
use SymfonyComponentHttpKernelEventFilterResponseEvent;
use SymfonyComponentEventDispatcherEventSubscriberInterface;
use DrupalCorePathPathMatcherInterface;
use DrupalCoreSessionAccountInterface;
use DrupalCoreRoutingTrustedRedirectResponse;


/**
* Event Subscriber PathGate.
*/
class PathGate implements EventSubscriberInterface {
/**
   * The path matcher.
   *
   * @var DrupalCorePathPathMatcherInterface
   */
  protected $pathMatcher;

  /**
   * The current user.
   *
   * @var DrupalCoreSessionAccountInterface
   */
  protected $currentUser;

  /**
   * Constructs a new Redirect404Subscriber.
   *
   * @param DrupalCorePathPathMatcherInterface $path_matcher
   *   The path matcher service.
   * @param DrupalCoreSessionAccountInterface $current_user
   *   Current user.
   */
  public function __construct(PathMatcherInterface $path_matcher, AccountInterface $current_user) {
    $this->pathMatcher = $path_matcher;
    $this->currentUser = $current_user;
  }

  /**
   * Code that should be triggered on event specified.
  */
  public function onRespond(FilterResponseEvent $event) {
    // The RESPONSE event occurs once a response was created for replying to a request.
    // For example you could override or add extra HTTP headers in here.
    $response = $event->getResponse();

    $session = Drupal::request()->getSession();

    $age_verified = $session->get('age_verified');

    // If we have a valid session.
    if ( $age_verified == TRUE ) {
            return;
    }
    if (isset($_COOKIE('age_gate_fail'))) {
      $welcome = newSymfonyComponentHttpFoundationRedirectResponse('https://google.com');
      $welcome->send();
    }

    // Make sure front page module is not run when using cli (drush).
    // Make sure front page module does not run when installing Drupal either.
    if (PHP_SAPI === 'cli' || drupal_installation_attempted()) {
      return;
    }

    // Don't run when site is in maintenance mode.
    if (Drupal::state()->get('system.maintenance_mode')) {
      return;
    }

    // Ignore non index.php requests (like cron).
    if (!empty($_SERVER('SCRIPT_FILENAME')) && realpath(DRUPAL_ROOT . '/index.php') != realpath($_SERVER('SCRIPT_FILENAME'))) {
      return;
    }

    // Get saved settings and other needed objects.
    $config = Drupal::config('age_verification.settings');

    // Now we need to explode the age_verification_user_agents field to separate
    // lines.
    $user_agents = explode("n", $config->get('age_verification_user_agents'));
    $http_user_agent = Drupal::request()->server->get('HTTP_USER_AGENT');

    // For each one of the lines we want to trim white space and empty lines.
    foreach ($user_agents as $key => $user_agent) {
      // If a user has string from $user_agent.
      if (empty($user_agent)) {
        unset($lines($key));
      }
      // To be sure we match proper string, we need to trim it.
      $user_agent = trim($user_agent);

      if ($http_user_agent == $user_agent) {
        return;
      }
    }

    // Send to proper page if logged in.
    $skip_urls_config = $config->get('age_verification_urls_to_skip');

    $skip_urls() = '/admin';
    $skip_urls() = '/admin/*';
    $skip_urls() = '/age-verification';
    $skip_urls() = '/user/login';
    $skip_urls() = '/admin/content';

    if (!Drupal::currentUser()->isAnonymous()) {
        $skip_urls() = '/*';
    }

    // Append the urls to skips with some hardcoded urls.
    $skipPaths = $skip_urls_config . "rn" . implode("rn", $skip_urls);

    $request_path = Drupal::service('path.current')->getPath();

    // Check if the paths don't match then redirect to the age verification form.
    $match = Drupal::service('path.matcher')->matchPath($request_path, $skipPaths);
    $is_front = Drupal::service('path.matcher')->isFrontPage();

    // If not the front page then append the requested path alias as a destination parameter.
    if ($is_front == FALSE) {
      $current_uri = Drupal::request()->getRequestUri();
      $destination = '?destination=' . $current_uri;
          
    } else {
      $destination = '';
    }

    // If the requested path is not restricted.
    if ($match == TRUE) {
      return;
    }
    // Redirect to the /age-verification with the destination.
    elseif ($match == FALSE) {

      $redirect = new RedirectResponse('/age-verification' . $destination);
      $event->setResponse($redirect);
    }

  }

  /**
     * {@inheritdoc}
     */
  public static function getSubscribedEvents() {

    $events(KernelEvents::RESPONSE)() = ('onRespond');
    return $events;

  }

}

How do I fix the redirect to take me to any language I want