All Questions tagged with tls authentication (346 questions)

0 votes, 1 answer, 154 views
How to verify the hostname of a certificate? And is it mandatory if the client knows the certificate?
I have a reported finding saying that hostname verification is disabled.
This can be deduced from this line of code:
final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
...

1 vote, 2 answers, 121 views
Authenticating a device for remote motor control
I'm looking for a standard solution to the following problem. I've been unable to find how something like this is normally accomplished. Even a key word that points me in the right direction would be ...

0 votes, 1 answer, 143 views
What happens at a low level when authenticating server certificates?
Regarding the TLS 1.3 Handshake Protocol:
When the Server sends its certificate, exactly how does the Client validate this?
I know at a high level the Client is verifying the data the Server sent ...

1 vote, 2 answers, 198 views
Evading authenticated Diffie-Hellman with MITM
I understand that in a non-authenticated Diffie-Hellman setup, a man-in-the-middle attack can occur. Now I'm curious about the feasibility of the following scenario:
Let's assume a situation where www....

-1 votes, 1 answer, 173 views
PATCH request on a login attempt
I have a problem deciding what is the most secure method to send a login request with username and password strings. I understood that PATCH is less secure than PUT while both are less secure than ...

3 votes, 1 answer, 281 views
How to form the IV and Additional Data for TLS when encrypting the plaintext
When using AES GCM for encryption within TLS and referring to the below diagram:
Is iv[0:3] the fixed IV established from the handshake and iv[4:11] are the current (write) sequence number + 1?
For ...

1 vote, 1 answer, 196 views
Does TLS 1.3 include the auth tag from GCM in the record?
When TLS 1.3 is used with GCM AES (128), does the GCM auth tag (calculated right at the end) get included within the record?
I am looking at the 1.3 RFC and section 5.2 doesn't seem to explicitly ...

3 votes, 1 answer, 4k views
Is it safe to send an API key in an HTTPS request? [duplicate]
Q: Is it 'safe' to include a secret API Key in a HEADER (for a request) which prevents bad actors from creating their own evil-requests by using your API Key?
We need to send data to a 3rd party from ...

0 votes, 0 answers, 149 views
Providing encryption and password for an IOT device over gRPC
I've been breaking my head over how to do this, as it doesn't seem to fit any example I could find online.
My IOT device servers will run on the client network and may be accessed over it or over the ...

2 votes, 1 answer, 256 views
Determine if the client certificate comes from a smartcard in mTLS [closed]
I am designing a web access gateway that authenticates users through certificates using the mTLS mechanism. I would like to be able to identify the users that access the system using a Smartcard and ...

2 votes, 2 answers, 1k views
Mutual TLS replacement
The last time I was thinking about mTLS, I came to the conclusion that this is too hard to implement but at the same time it provides high security. The reason why it's hard to implement is that it's ...

3 votes, 3 answers, 982 views
Is it OK to use client TLS certificate for site login instead of username/password?
Is it OK to just use a client's TLS certificate as a way of logging in to a website? What are the drawbacks? Is there any real system doing it?
Normally, there is mutual client/server TLS ...

3 votes, 3 answers, 682 views
Is it a good idea to reuse certificate issued by public CA for internal database client authentication?
Let's say we have:
Publicly available HTTPS API (e.g. api.example.com). The web server that runs it uses a certificate from a publicly trusted CA (e.g. Let's Encrypt) with both server auth and client ...

0 votes, 0 answers, 100 views
Authenticating with unencrypted POST credentials - is it safe? [duplicate]
If a webpage is served over https and to authenticate it receives both login and password as unencrypted POST parameters (free text) is it considered unsafe?

2 votes, 1 answer, 769 views
Creating secure website-based login for a desktop app
This question relates to this post I made on StackOverflow recently, which I'll recap here briefly.
I have a desktop app that I would like to authenticate through a website, using the process outlined ...