Questions tagged [client]
In a client-server model, the server serves services to the client.
129 questions
1 vote, 1 answer, 93 views
In TLS1.3 server hello, can the legacy version field be set to 0x0304?
As part of the TLS1.3 handshake, the client hello is sent containing the TLS1.3 version support in the supported_versions extension; consider if, as part of the server hello, the supported_versions extension is not ...
0 votes, 0 answers, 107 views
Can I set up and enforce additional WiFi connection (and password) requirements on managed laptops using Windows or MacOS?
Can I set up and enforce additional WiFi connection (and password) requirements on managed laptops using Windows or MacOS?
Such as:
blocking (or entirely hiding) the option to connect to open networks
...
2 votes, 1 answer, 976 views
Public client or Confidential client: should I generate a client secret?
I've read about this but I don't fully understand how to choose.
I have two options:
Public client
"A native, browser or mobile-device app. Cognito API requests are made from user systems that ...
0 votes, 1 answer, 563 views
What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored ...
0 votes, 1 answer, 421 views
How to reliably identify referrer on client browser?
Is there any way to reliably identify the referring site on modern browsers (not considering manual HTTP requests outside of a browser e.g. cURL, etc.)?
Referrer header will not work because the ...
0 votes, 2 answers, 119 views
How would you enforce user to only connect on a given network?
How would you enforce user PC to only connect to a given network?
Answers need to be OS agnostic.
One weak solution could be to set client-side firewall rules to only allow communications with ...
1 vote, 2 answers, 708 views
How do I create a Client Authentication Certificate without a domain signed by a commercial CA?
For sending soap messages to a webservice we need to include a client authentication certificate with these messages. Normally we simply created a self signed client auth. certificate (with as a ...
0 votes, 1 answer, 2k views
Client Authentication in SSL Handshake
I am trying to understand how client certificate authentication works in an SSL handshake.
Can someone help to clarify the following bullet points below:
Do we need to have a Client Leaf certificate ...
2 votes, 1 answer, 153 views
Defining scope of a software pen test
If I own a software and I want to conduct a pen test with pen testers, should I define the scope or do the pen testers assess the software first and they define the scope? How does scope definition ...
0 votes, 0 answers, 162 views
Client Identification using Self Signed Certificates
Taking the concept from the Gemini protocol that allows clients to identify themselves using their own self-signed certificate - is this a valid concept that could be used in other protocols and what ...
3 votes, 1 answer, 124 views
Is a client server model to do root operations without asking for password every time secure?
I'm writing a python application that will do some operations that will require root privileges. Instead of asking for the user password every time I decided to use a server client model.
A python script ...
1 vote, 1 answer, 421 views
Is braintree clientToken supposed to be public?
I'm building an app that uses Braintree for processing payments. According to the documentation, I need a server-side endpoint that returns the clientToken, which is then used to manage a user's vault ...
1 vote, 1 answer, 2k views
Wildcard Certificates and Client Authentication for Machine Authentication
If a wildcard certificate is provisioned for *.domain.fqdn, and has Client Authentication as a defined usage, does this mean the certificate can be used to essentially impersonate any domain machine?
...
0 votes, 1 answer, 354 views
How is CertificateVerify SSL created? Can it be cached?
When a HTTPS connection with a client certificate request is done, the client sends a CertificateVerify message with his public certificate so the server can verify that the client has a valid private ...
0 votes, 1 answer, 168 views
Storing client keys in cloud app
I'm using Azure to store customer data. In a specific country, there are multiple partners. Each partner has his clients. The issue is they don't want us to have access to this data. In other words, ...
1 vote, 1 answer, 150 views
Denial of Service question
I am studying for an exam in computer security, and I got stuck on the following question from a past exam:
A random program generator service S allows clients to generate random data. Each client Ci
...
0 votes, 1 answer, 173 views
Client Cert Authentication: Accept cert in request or retrieve from host?
Is it more secure to retrieve a client cert from their host rather than accept the cert presented in request?
Example:
B2B
Client pre-shares public cert with me
I store public cert in database
Later, ...
0 votes, 0 answers, 131 views
Certificates between services in a single machine
I'd like to know if it's possible to protect communications between a heavy client on a machine and a remote server accessible by a web interface on this machine using certificates. Or the only way is ...
1 vote, 1 answer, 7k views
"unsupported certificate purpose" for nginx client auth
Please concern the following setup: A client certificate is issued like this:
Root CA → Intermediate CA → Client Cert
Let's assume everything is fine up to here, the intermediate CA cert is properly ...
1 vote, 0 answers, 323 views
Bettercap TLS handshake phase information
I wanted to know if bettercap has a feature that allows to view TLS handshake phase information (as Wireshark does), for example the "Client Hello" ?
0 votes, 0 answers, 177 views
Addressing SSL/TLS vulnerabilities in IoT Device client side implementation
I understand SSL/TLS is the most commonly used data transmission protocol for secured communication. I need to implement the same in one of the IoT devices (ARM® Cortex®-M4 Core at 80 MHz). This will be ...
0 votes, 2 answers, 591 views
Getting a "so-called valid" certificate to work inside the application
There is a Python client app connecting to a Java server app via a secure socket. The connection works great with a self-signed certificate, however, it fails when I attempt to utilize a given valid ...
9 votes, 3 answers, 1k views
Is it possible to store / record HTTPS client auth traffic as a signed document?
In a scenario where there are client RSA certificates (e.g. on a smart card), is it possible to record a form submission (or an AJAX request) in a form which makes it possible to later ascertain that ...
1 vote, 2 answers, 748 views
Why does Thunderbird have a private IP address as remote host?
Why does Mozilla Thunderbird, configured to access the Yahoo IMAP server, use a private IP address, even if there is no other device in the network? Every time Thunderbird is restarted, it changes the remote-host ...
1 vote, 1 answer, 823 views
On TLS-enabled nginx/httpd, is "ssl_verify_client optional_no_ca" disabling TLS's "CertificateVerify" checks?
I'm looking for a helping hand with my https nginx setup.
I require my application to be exposed through an nginx frontend, offloading TLS. Easy!
The thing is, I need to have Certificate-based ...
7 votes, 1 answer, 6k views
Should repositories with server-code and client-code be separate?
I have a project that runs a website with a frontend SPA and REST API backend.
Currently the code is split into /client and /server folders and they run independently. However, they are currently in ...
0 votes, 1 answer, 281 views
Is it safe to publish a REST API client on npm even though the API is not intended for public use?
I am building a website in Angular which communicates over my REST API on my backend server.
I have managed to auto-generate the code (TypeScript) for my client and now I need it to be available on ...
0 votes, 1 answer, 700 views
Why are there only two packets in a TLS handshake?
I captured my network traffic to a web server and the SSL Handshake consists only of two packets.
Why does that happen and why aren't there all the other packets?
22 votes, 8 answers, 6k views
How can I re-use my password and still protect the password if it is exposed from one source?
I know that all servers should at least store my credentials as hash(password + salt) + salt, with a secure and well known hash function and a salt unique for me, generated from a secure and well ...
13 votes, 3 answers, 8k views
How to perform Login Authentication at the client-side? [closed]
How can we validate login credentials at the client-side itself without involving the server of a website?
1 vote, 1 answer, 599 views
Client-only authentication instead of server-only authentication, using OpenSSL [duplicate]
First, some background: I've got a C++-based client/server system that uses the OpenSSL C library to encrypt the client/server connections. This is done in (what I believe is) the canonical OpenSSL ...
1 vote, 1 answer, 646 views
Is it possible to set up 1-way TLS client authentication without server certificates?
Is it possible with TLS to only authenticate the client? In other words can one-way TLS be setup in such a way that only the host initiating the connection uses a client certificate and the second ...
0 votes, 0 answers, 254 views
How can a server make sure client application sending data is not a modified copy?
I actually wouldn't care about a perfect copy (my program is free) being used, I just can't allow someone to use a copy to communicate with my server.
I came across this subject where the OP seemed ...
0 votes, 2 answers, 188 views
How to keep track of file authenticity while offline
I have an application running the client/server model and offering an online and an offline mode. Each user can read, create or modify text files (even in offline mode) that will be present on his ...
0 votes, 1 answer, 564 views
Ways to verify Data Integrity
I've had looks to existing subjects but it usually gets heavily complicated while I'm new to this kind of stuff and I'd prefer to understand concepts first in order to understand better concrete ...
5 votes, 1 answer, 2k views
Why is PKCE secure against man-in-the-middle attacks?
In attempting to implement OAuth2 into a natively installed client application, we face the problem that we cannot securely store the pre-shared client secret. After doing some research, I came across ...
1 vote, 0 answers, 322 views
Verifying the authenticity of data coming to a server
I'm a newbie when it comes to information security. So pardon me if the solution can be found at page 12 of any introductory text.
I have an express server and two android apps (for clients and admin) ...
0 votes, 2 answers, 2k views
How to Verify Integrity of Transferred Files in a Client Server Protocol
How do I implement integrity verification using the checksum of files in a client-server protocol where the client sends multiple files to the server. I am using the following steps:
The client ...
1 vote, 1 answer, 237 views
How to authenticate a specific client program? [duplicate]
I have a server application which provides functions to a client program. The client is also programmed by me. Now I want to authenticate the client program itself (not any user) before using my ...
2 votes, 4 answers, 189 views
Prove a client sent a request - voting system
Let's say I created a voting system where each voter would use an app and vote on a candidate. The app would send the vote to a server. The server would store the vote on a DB with the request IP.
Is ...
16 votes, 1 answer, 21k views
Client certificate common name? Subject alternative name?
For an IoT project, I want to secure client server communication. I want both the server (Apache) and the clients to identify/authenticate each other (a client won't communicate with other clients) ...
0 votes, 1 answer, 2k views
Root CA or Intermediate CA in firewall trust store
I am implementing a PKI for a test environment and have everything just about configured. The architecture consists of a Root CA, two issuing (intermediate CAs), and clients. Client certificates and ...
3 votes, 1 answer, 3k views
How does client authentication work over https?
I recently wrote an application that calls out to a 3rd party service to perform some work. This 3rd party service requires that I authenticate the client calling by using a client certificate. For ...
1 vote, 2 answers, 389 views
Where can I find the specs for the X.509 certificate used in client-authenticated TLS handshake?
The TLS specs define how the handshake between client and server must be performed when the client wants to use a certificate to authenticate itself. There is a lot of documentation online that assumes ...
1 vote, 1 answer, 917 views
limit client certificate to domain name
If I want to use client certificates for authentication to a certain part of my website, is it possible to make the client certificate only work on a certain domain name?
I know when requesting the ...
3 votes, 2 answers, 3k views
Can users read client SSL certificates from a react native mobile apps APK?
I want to secure an API used by a react native app. If an authorisation header is sent, the user can read the request and access data. To avoid this I want to use SSL client certificates.
Now if I ...
1 vote, 1 answer, 1k views
Impersonating Client Certificate Authentication with Same Subject Name
I am looking into the security of a service which uses client certificates for authenticating only known callers. We run a C# Web API Service that checks every request certificate subject if it is ...
4 votes, 1 answer, 889 views
SSH and man-in-the-middle
Assume the following scenario and please correct me if I am wrong somewhere:
There is a client and there is an SSH server that the client connects to. There is also a man-in-the-middle (MIM) which is ...
69 votes, 2 answers, 19k views
What is PKCE actually protecting?
I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand.
So from what I can gather the client app creates a random cryptographically secure ...
2 votes, 2 answers, 459 views
How secure is this communication chat?
I have created a chat between two parties (using c#), and I am wondering what kind of weaknesses have I overlooked.
Description of its functionality:
There are two individual applications: Client (2 ...