What is the clash rate for md5? [closed]

You need to hash about 2^64 values to get a single collision among them, on average, if you don’t try to deliberately create collisions. Hash collisions are very similar to the Birthday problem. If you look at two arbitrary values, the collision probability is only 2^-128. The problem with md5 is that it’s relatively easy …

Why do browser APIs restrict cross-domain requests?

If I visit a malicious website, I want to be sure that:

- It cannot read my personal data from other websites I use. Think attacker.com reading gmail.com
- It cannot perform actions on my behalf on other websites that I use. Think attacker.com transferring funds from my account on bank.com

Same Origin Policy solves the …

What is meaning of “Remember Me” functionality on login page?

Some web applications may need a “Remember Me” functionality. This means that, after a user logs in, the user will have access from the same machine to all their data even after the session has expired. This access will be possible until the user logs out. From here: Using Cookies to implement a RememberMe functionality

Why is there no preflight in CORS for POST requests with standard content-type

See What is the motivation behind the introduction of preflight CORS requests?. The reason CORS doesn’t require browsers to do a preflight for application/x-www-form-urlencoded, multipart/form-data, or text/plain content types is that if it did, that’d make CORS more restrictive than what browsers have already always allowed (and it’s not the intent of CORS to put …

Understanding CSRF

The attacker has no way to get the token. Therefore the requests won’t take any effect. I recommend this post from Gnucitizen. It has a pretty decent CSRF explanation: http://www.gnucitizen.org/blog/csrf-demystified/