Most Popular
1500 questions
133 votes, 8 answers
Why would someone trust DuckDuckGo or other providers with a similar privacy policy?
DuckDuckGo is a search engine that claims it will not share your results with others. Many of my skeptical coworkers think it may be a scam.
Is there any proof that any web search engine will protect your privacy as it advertises?
makerofthings7
- 50,918
- 55
- 261
- 556
132 votes, 4 answers
What are the security reasons for disallowing the plus sign in email addresses?
My question is based on this tweet after I commented about forbidding + symbols in email addresses. The tweet says, "This is a measure we've taken for security reasons."
This can be frustrating and inconvenient for people that have (or use) plus…
Matt
- 3,242
- 2
- 22
- 27
132 votes, 4 answers
How does the authentication in the new UK £1 coin work?
The UK is getting a new £1 coin. Its designers, the Royal Mint, claim that unlike current coins, it includes built-in technology for high-speed authentication and verification everywhere from ATMs to vending machines and point-of-sale.
How does…
Colin Pickard
- 1,800
- 2
- 11
- 14
132 votes, 11 answers
Are password-protected ZIP files secure?
Following my answer. If I can list the contents of a password-protected ZIP file, check the file types of each stored file and even replace one with another, without actually knowing the password, then should ZIP files still be treated as…
trejder
- 3,649
- 5
- 25
- 37
132 votes, 5 answers
Is momentary physical access dangerous?
I’m asking the question with these conditions:
The device (computer or mobile phone) is in a running state.
“Momentary” refers to a reasonably short period of time, such as 5 to 10 seconds.
The system may not be in a “locked” state (e.g. showing a…
tonychow0929
- 2,257
- 3
- 14
- 14
132 votes, 14 answers
Is a Windows installer that doesn't require admin rights dangerous?
I use Atlassian SourceTree on Windows, and one thing I like about it is that it doesn't require admin privileges to install or update. I happened to mention this to our ISSO (Information System Security Officer), and he was not a fan. He said that…
David K
- 1,337
- 2
- 8
- 9
132 votes, 3 answers
Recommended # of rounds for bcrypt
What is nowadays (July 2012) the recommended number of bcrypt rounds for hashing a password for an average website (storing only name, email address and home address, but no credit card or medical information)?
In other words, what is the current…
Jason Smith
- 1,601
- 2
- 12
- 12
131 votes, 7 answers
Why is my internal IP address (private) visible from the Internet?
When visiting some websites like http://www.monip.org or http://ip-api.com, I get the following result:
Your current IP Address
- IP: 197.158.x.x
- Internal IP: 192.168.x.x
I understand that I can see my public IP address (197.158.x.x).…
Lova Andrian
- 1,243
- 2
- 9
- 7
131 votes, 5 answers
How do I use "openssl s_client" to test for (absence of) SSLv3 support?
In order to mitigate the "Poodle" vulnerability, I'd like to disable SSLv3 support in my (in this case, TLS, rather than HTTPS) server. How can I use openssl s_client to verify that I've done this?
Roger Lipscombe
- 2,337
- 3
- 16
- 20
131 votes, 2 answers
What to do if caught in a physical pentest?
I've seen a lot of people talk about how to pentest and how NOT to get caught during engagements but have a hard time finding "How to behave when caught during a Red Team engagement".
Red Teams are to simulate adversaries attacking systems. Many…
ChocolateOverflow
- 3,482
- 4
- 18
- 35
131 votes, 10 answers
Should I contact the manufacturer if their product allows access to other users' location information?
I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I'm hiking in the wilderness.
While testing out my product, I noticed that the url was constructed as…
Lil' Bits
- 1,143
- 2
- 8
- 9
131 votes, 7 answers
Let's Encrypt for intranet websites?
Many companies have intranet websites that are not reachable via the internet. Usually they just use a self-signed certificate, which causes a bad habit for the users since they get used to just pressing OK on invalid CERT warnings.
Question: How…
LoukiosValentine79
- 1,581
- 2
- 11
- 13
130 votes, 3 answers
This JavaScript code is injected on my hotel Wi-Fi: should I be worried?
While connected to my hotel Wi-Fi, visiting the URL http://www.google-analytics.com/ga.js results in the following content being served:
var ga_exists;
if(!ga_exists)
{
ga_exists = 1;
var is_responsive = false;
var use_keywords =…
foodiddy
- 1,051
- 2
- 8
- 4
130 votes, 5 answers
Should SSL be terminated at a load balancer?
When hosting a cluster of web application servers it’s common to have a reverse proxy (HAProxy, Nginx, F5, etc.) in between the cluster and the public internet to load balance traffic among app servers. In order to perform deep packet inspection,…
Matt Goforth
- 1,303
- 2
- 9
- 5
130 votes, 5 answers
Is it a bad idea for a firewall to block ICMP?
This question was inspired by this answer which states in part:
The generic firewall manifest file finishes off by dropping everything I didn't otherwise allow (besides ICMP. Don't turn off ICMP).
But, is it truly a good practice for a firewall to…
Justin Ethier
- 2,018
- 3
- 17
- 20