Posted by jpluimers on 2018/05/03
via: [WayBack] Yet another reason to be very careful with what you put in version control: GitLeaks – Search Engine for exposed secrets on the web https://gitleaks.com/ – This is why I Code – Google+
[Archive.is] GitLeaks – Search Engine for exposed secrets on the web
–jeroen
Posted in Development, Security, Software Development | Leave a Comment »
Posted by jpluimers on 2018/05/03
Interesting thought on client-side password hashing: [Archive.is] Client-Side Password Hashing – DelphiTools.
I’ve ambivalent feelings on it, especially since it will expose salt and other settings to the client.
On the other hand it tremendously helps when there are transparent proxies in between. Read the article for full details; here is just one quote below.
Maybe dual hashing would be in place: once at the client to prevent plain-text to go over MITM channels, and a second hash server side with different settings like salt to prevent brute force attacks.
I need to give this more thought.
The quote:
If you are using a regular Windows and a regular browser, access to HTTPS will go through the regular certificate chain, using regular certificate authority. You also benefit from extra security layers like Public Key Pinning.
But when a custom Root CA is installed, all that goes through the window: the custom Root CA allows the corporate proxies to issue “valid” certificates for any website (even google.com and the rest), and the public key pinning features are disabled:
How does key pinning interact with local proxies and filters?
Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor.
A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.
All the major browsers have a similar behavior… because it is required to allow transparent proxies. And transparent proxies are the means through which the legal logging requirements are fulfilled.
So besides introducing a major MITM opportunity, this also means that there are legally-required corporate logs somewhere of all that went through HTTPS… including plain text passwords, if you did not hash them on the client-side.
These logs will have varying degrees of security when in the corporate domain… and next to none if they are ever requested by the legal system for an investigation.
–jeroen
Posted in Algorithms, Design Patterns, Development, Hashing, Power User, Security, Software Development | Leave a Comment »
The Wiert Corner - irregular stream of stuff 