Search Results

Search found 8253 results on 331 pages for 'secure coding'.

Page 39/331 | < Previous Page | 35 36 37 38 39 40 41 42 43 44 45 46  | Next Page >

  • C# Secure Sockets (SSL)

    - by Matthias Vance
    LS, I was planning on writing a wrapper around the System.Net.Sockets.Socket class, because I didn't feel like using the SSLStream class because I wanted to maintain backwards compatibility with other programs. I found an article which does exactly what I want, but on Windows Mobile. (Link: Enable SSL for managed socket on windows mobile) Quote: My first surprise was that SetSocketOption takes a SocketOptionName enum value as the second parameter, but this enum doesn’t have the equivalent of SO_SECURE. However, C# was nice enough to let me cast an arbitrary integer value to the enum I needed. I tried to do the same, but it doesn't work. Code: private const ushort SO_SECURE = 0x2001; private const ushort SO_SEC_SSL = 0x2004; this.SetSocketOption(SocketOptionLevel.Socket, (SocketOptionName) SO_SECURE, SO_SEC_SSL); Error: An unknown, invalid, or unsupported option or level was specified in a getsockopt or setsockopt call Is there a way to work around this? Kind regards, Matthias Vance

    Read the article

  • how secure is NSURLConnection over https

    - by drunken_elf
    I've been reading through a number of questions on this site regarding NSURLConnection and https, but most relate to "untrusted" certificates and how to allow them nonetheless. My question is a little more basic. I am building an app for a client who handle online donations, and I would like to load their donation script using an NSLURLRequest and POST the values of credit card details (entered in the app). Does NSURLConnection (when connecting to a https url) ensure the encryption of those details as they are sent to the donation script on my clients server? Sorry if this is a basic question, I just couldn't find a place in the apple docs that guaranteed this.

    Read the article

  • Secure online registration form to capture credit card info

    - by baraider
    We have used Google form, Wufoo form to try to securely capture the info for IN-HOUSE processing. Google form is unreliable and often blocked behind firm's firewall. Wufoo does not allow storing CC info in their database What is service or other alternative for us to securely store the cc info. The purpose is to have people manually process the registration. Once the payment goes through, we notify the customer and remove the CC info from our database.

    Read the article

  • Exception during secure communication implementation

    - by Liran
    hi everyone. im trying to implement simple secured client server communiction using WCF. when im launching mt server everty thing is OK , But when im launching my client im getting this error: Error : An error occurred while making the HTTP request to https://localhost:800 0/ExchangeService. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caus ed by a mismatch of the security binding between the client and the server. this is the server code : Uri address = new Uri("https://localhost:8000/ExchangeService"); WSHttpBinding binding = new WSHttpBinding(); //Set Binding Params binding.Security.Mode = SecurityMode.Transport; binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None; binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None; Type contract = typeof(ExchangeService.ServiceContract.ITradeService); ServiceHost host = new ServiceHost(typeof(TradeService)); host.AddServiceEndpoint(contract, binding, address); host.Open(); this is the client configuration (app.config): </client> <bindings> <wsHttpBinding> <binding name="TradeWsHttpBinding"> <security mode="Transport"> <transport clientCredentialType="None" proxyCredentialType ="None"/> </security> </binding> </wsHttpBinding> </bindings> the security configuration at both the client and the server are the same , and i dont need certificate for the server in that kind of security (transport) so why do i get this exception ???? thanks...

    Read the article

  • Secure, simple php faq creating/editing scripts?

    - by Tchalvak
    I'm looking to build a simple site centered around a simple faq system in php. The faq concept is simple, but I want to have an administrative-access backend for editing and creating the entries, and securing a login seems more complex and time-consuming, so I'm looking for suggestions for code to start me off. Does anyone know of any open source php scripts or snippets that would work for administrative login to some php scripts that could be used as a simple faq system? Or both, the faq php code + web administrative access code?

    Read the article

  • Retrieving WSDL file from secure service

    - by Anonimo
    I have a Web Service developed with JAX-WS. I have secured the web service with BASIC authentication configured in Tomcat. When I try to access the web service using a Java client, I first need to create the port, and then specify the credentials, as follows: CustomerServiceClient customerServiceClient = new CustomerServiceBottomUpService(); //1 CustomerService customer = customerServiceClient.getCustomerServicePort(); //2 Map<String, Object> context = ((BindingProvider) customer).getRequestContext(); //3 context.put(BindingProvider.USERNAME_PROPERTY, "kermit"); //4 context.put(BindingProvider.PASSWORD_PROPERTY, "thefrog"); //5 The problem I have is that, after line 1, I get an Authorization error (HTTP 401) as I obviously haven't provided the server with the credentials yet. I am creating the client artifacts from a server WSDL, hence the authentication problem when creating the service, and don't want my clients to store the WSDL locally as it's just annoying for them. How can I get around this problem?

    Read the article

  • Is SHA-1 secure for password storage?

    - by Tgr
    Some people throw around remarks like "SHA-1 is broken" a lot, so I'm trying to understand what exactly that means. Let's assume I have a database of SHA-1 password hashes, and an attacker whith a state of the art SHA-1 breaking algorithm and a botnet with 100,000 machines gets access to it. (Having control over 100k home computers would mean they can do about 10^15 operations per second.) How much time would they need to find out the password of any one user? find out the password of a given user? find out the password of all users? find a way to log in as one of the users? find a way to log in as a specific user? How does that change if the passwords are salted? Does the method of salting (prefix, postfix, both, or something more complicated like xor-ing) matter? Here is my current understanding, after some googling. Please correct in the answers if I misunderstood something. If there is no salt, a rainbow attack will immediately find all passwords (except extremely long ones). If there is a sufficiently long random salt, the most effective way to find out the passwords is a brute force or dictionary attack. Neither collision nor preimage attacks are any help in finding out the actual password, so cryptographic attacks against SHA-1 are no help here. It doesn't even matter much what algorithm is used - one could even use MD5 or MD4 and the passwords would be just as safe (there is a slight difference because computing a SHA-1 hash is slower). To evaluate how safe "just as safe" is, let's assume that a single sha1 run takes 1000 operations and passwords contain uppercase, lowercase and digits (that is, 60 characters). That means the attacker can test 1015*60*60*24 / 1000 ~= 1017 potential password a day. For a brute force attack, that would mean testing all passwords up to 9 characters in 3 hours, up to 10 characters in a week, up to 11 characters in a year. (It takes 60 times as much for every additional character.) A dictionary attack is much, much faster (even an attacker with a single computer could pull it off in hours), but only finds weak passwords. To log in as a user, the attacker does not need to find out the exact password; it is enough to find a string that results in the same hash. This is called a first preimage attack. As far as I could find, there are no preimage attacks against SHA-1. (A bruteforce attack would take 2160 operations, which means our theoretical attacker would need 1030 years to pull it off. Limits of theoretical possibility are around 260 operations, at which the attack would take a few years.) There are preimage attacks against reduced versions of SHA-1 with negligible effect (for the reduced SHA-1 which uses 44 steps instead of 80, attack time is down from 2160 operations to 2157). There are collision attacks against SHA-1 which are well within theoretical possibility (the best I found brings the time down from 280 to 252), but those are useless against password hashes, even without salting. In short, storing passwords with SHA-1 seems perfectly safe. Did I miss something?

    Read the article

  • How can I connect to server using SSL(secure socket layer) on .NET Compact Framework

    - by net
    Hello. I want to change .NET framework v3.5 to .NET compact framework v3.5. But I can't change SSL Stream class to compact framework version. For resolving this problem, I already read some article and msdn library. http://blogs.msdn.com/cgarcia/archive/2009/08/21/enable-ssl-for-managed-socket-on-windows-mobile.aspx http://blogs.msdn.com/cgarcia/archive/2009/08/22/getting-a-managed-socket-to-talk-ssl.aspx http://msdn.microsoft.com/en-us/library/aa916117.aspx but I got an error that is "Unkown error 0x0ffffff", when invoking 'socket.connect(endPoint)' method based on thease article. In order to find the proper method, I try to use TcpClient class. but i can't solve this problem. When I try to connect to server on .NET compact framework, TcpClient class didn't work(Smart Device project and windows ce). As you can see below, I've got the error. In other hand, this code is work on .NET framework(C# console project). I can't understand why this socket can not access to server. Thanks for reading my question.

    Read the article

  • Which Secure Software Development Practices do you Employ?

    - by Michael Howard-MSFT
    I work on a project known as the Security Development Lifecycle (SDL) project at Microsoft (http://microsoft.com/sdl) - in short it's a set of practices that must be used by product groups before they ship products to help improve security. Over the last couple of years, we have published a great deal of SDL documentation, as customers ask for more information about what we're doing. But what I'd like to know is: 1) What are you doing within your organization to help improve the security of your product? 2) What works? What doesn't work? 3) How did you get management to agree to this work? Thanks.

    Read the article

  • Secure Webservice (WCF) without storing credentials on consumer application

    - by Pai Gaudêncio
    Howdy folks, I have a customer that sells a lottery analysis application. In this application, he consumes a webservice (my service, I mean, belongs to the company I work for now) to get statistical data about lottery results, bets made, amounts, etc., from all across the globe. The access to this webservice is paid, and each consult costs X credits. Some people have disassembled this lottery application and found the api key/auth key used to access the paid webservice, and started to use it. I would like to prevent this from happening again, but I can't find a way to authenticate on the webservice without storing the auth. keys on the application. Does anyone have any ideas on how to accomplish such task? ps1.Can't ask for the users to input any kind of credentials. Has to be transparent for them (they shouldn't know what is happening). ps2. Can't use digital certificates for the same reason above, not to mention it's easy to retrieve them and we would fall into the original problem. Thanks in advance.

    Read the article

  • How to give you website customers a secure feeling

    - by Saif Bechan
    I was wondering how you can give your website customers the confidence that you are not tinkering with the database values. I am planning on running a website which falls in the realm of an online game. There is some kind of credit system involved that people have to pay for. Now I was wondering how sites like this ensure there customers that there is no foul play in the database itself. As I am the database admin i can pretty much change all the values from within without anyone knowing i did. Hence letting someone win that does not rightfully is the winner. Is it maybe an option to decrypt en encrypt the credits people have so i can't change them. Or is there maybe a company i can hire that checks my company for foul play.

    Read the article

  • How to make Facebook Authentication from Silverlight secure?

    - by SondreB
    I have the following scenario I want to complete: Website running some HTTP(S) services that returns data for a user. Same website is additionally hosting a Silverlight 4 app which calls these services. The Silverlight app is integrating with Facebook using the Facebook Developer Toolkit (http://facebooktoolkit.codeplex.com/). I have not fully decided whether I want Facebook-integration to be a "opt-in" option such as Spotify, or if I want to "lock" down my service with Facebook-only authentication. That's another discussion. How do I protect my API Key and Secret that I receive from Facebook in a Silverlight app? To me it's obvious that this is impossible as the code is running on the client, but is there a way I can make it harder or should I just live with the fact that third parties could potentially "act" as my own app? Using the Facebook Developer Toolkit, there is a following C# method in Silverlight that is executed from the JavaScript when the user has fully authenticated with Facebook using the Facebook Connect APIs. [ScriptableMember] public void LoggedIn(string sessionKey, string secret, int expires, long userId) { this.SessionKey = sessionKey; this.UserId = userId; Obvious the problem here is the fact that JavaScript is injection the userId, which is nothing but a simple number. This means anyone could potentially inject a different userId in JavaScript and have my app think it's someone else. This means someone could hijack the data within the services running on my website. The alternative that comes to mind is authenticating the users on my website, this way I'm never exposing any secrets and I can return an auth-cookie to the users after the initial authentication. Though this scenario doesn't work very well in an out-of-browser scenario where the user is running the Silverlight app locally and not from my website.

    Read the article

  • Is this PHP/MySQL login script secure?

    - by NightMICU
    Greetings, A site I designed was compromised today, working on damage control at the moment. Two user accounts, including the primary administrator, were accessed without authorization. Please take a look at the log-in script that was in use, any insight on security holes would be appreciated. I am not sure if this was an SQL injection or possibly breach on a computer that had been used to access this area in the past. Thanks <?php //Start session session_start(); //Include DB config require_once('config.php'); //Error message array $errmsg_arr = array(); $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values $login = clean($_POST['login']); $password = clean($_POST['password']); //Input Validations if($login == '') { $errmsg_arr[] = 'Login ID missing'; $errflag = true; } if($password == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } //If there are input validations, redirect back to the login form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: http://tapp-essexvfd.org/admin/index.php"); exit(); } //Create query $qry="SELECT * FROM user_control WHERE username='$login' AND password='".md5($_POST['password'])."'"; $result=mysql_query($qry); //Check whether the query was successful or not if($result) { if(mysql_num_rows($result) == 1) { //Login Successful session_regenerate_id(); //Collect details about user and assign session details $member = mysql_fetch_assoc($result); $_SESSION['SESS_MEMBER_ID'] = $member['user_id']; $_SESSION['SESS_USERNAME'] = $member['username']; $_SESSION['SESS_FIRST_NAME'] = $member['name_f']; $_SESSION['SESS_LAST_NAME'] = $member['name_l']; $_SESSION['SESS_STATUS'] = $member['status']; $_SESSION['SESS_LEVEL'] = $member['level']; //Get Last Login $_SESSION['SESS_LAST_LOGIN'] = $member['lastLogin']; //Set Last Login info $qry = "UPDATE user_control SET lastLogin = DATE_ADD(NOW(), INTERVAL 1 HOUR) WHERE user_id = $member[user_id]"; $login = mysql_query($qry) or die(mysql_error()); session_write_close(); if ($member['level'] != "3" || $member['status'] == "Suspended") { header("location: http://members.tapp-essexvfd.org"); //CHANGE!!! } else { header("location: http://tapp-essexvfd.org/admin/admin_main.php"); } exit(); }else { //Login failed header("location: http://tapp-essexvfd.org/admin/index.php"); exit(); } }else { die("Query failed"); } ?>

    Read the article

  • How to setup multiple Apache SSL sites using multiple IP addresses

    - by Jeff
    How do you setup a single Apache2 config to host multiple HTTPS sites each on their own IP address? There will also be multiple HTTP sites on just a single IP address. I do not want to use Server Name Indication (SNI) as described here, and I'm only concerned with the important top-level Apache directives. That is, I just need to know the skeleton of how my config should look. The basic setup looks like this: Hosted on 1.1.1.1:80 (HTTP) - example.com - example.net - example.org Hosted on 2.2.2.2:443 (HTTPS) - secure.com Hosted on 3.3.3.3:443 (HTTPS) - secure.net Hosted on 4.4.4.4:443 (HTTPS) - secure.org And here are the important config directives I have so far, which is the closest I've come to a working iteration, but still no dice. I know I'm close, just need a little push in the right direction. Listen 1.1.1.1:80 Listen 2.2.2.2:443 Listen 3.3.3.3:443 Listen 4.4.4.4:443 NameVirtualHost 1.1.1.1:80 NameVirtualHost 2.2.2.2:443 NameVirtualHost 3.3.3.3:443 NameVirtualHost 4.4.4.4:443 # HTTP VIRTUAL HOSTS: <VirtualHost 1.1.1.1:80> ServerName example.com DocumentRoot /home/foo/example.com </VirtualHost> <VirtualHost 1.1.1.1:80> ServerName example.net DocumentRoot /home/foo/example.net </VirtualHost> <VirtualHost 1.1.1.1:80> ServerName example.org DocumentRoot /home/foo/example.org </VirtualHost> # HTTPS VIRTUAL HOSTS: <VirtualHost 2.2.2.2:443> ServerName secure.com DocumentRoot /home/foo/secure.com SSLEngine on SSLCertificateFile /home/foo/ssl/secure.com.crt SSLCertificateKeyFile /home/foo/ssl/secure.com.key SSLCACertificateFile /home/foo/ssl/ca.txt </VirtualHost> <VirtualHost 3.3.3.3:443> ServerName secure.net DocumentRoot /home/foo/secure.net SSLEngine on SSLCertificateFile /home/foo/ssl/secure.net.crt SSLCertificateKeyFile /home/foo/ssl/secure.net.key SSLCACertificateFile /home/foo/ssl/ca.txt </VirtualHost> <VirtualHost 4.4.4.4:443> ServerName secure.org DocumentRoot /home/foo/secure.org SSLEngine on SSLCertificateFile /home/foo/ssl/secure.org.crt SSLCertificateKeyFile /home/foo/ssl/secure.org.key SSLCACertificateFile /home/foo/ssl/ca.txt </VirtualHost> For what it's worth, I prefer to have each of my SSL sites on their own IP instead of including one of them on the primary VHOST IP. Any links which show a standard setup would be more than welcome!

    Read the article

  • secure from unauthorised access

    - by soclose
    Hi, Based on the user requirements, he wants to use our android application via pin code access like login whenever he starts to use this application. In Android or any mobile, most of the applications start again the last using layout. so which event should i call this login alertdialog to access each time users start to use it? Or let me know the better. Thank you.

    Read the article

  • How to setup IIS extranet site for unsecure access internally and secure (ssl) access from external

    - by Scott Travis
    I have an enterprise extranet application that is accessed using an internal DNS entry for the machine name by employees and via a domain name that has SSL configured externally. Currently remote sessions can use either the http or https address, but we want to turn off http access for external sessions while leaving it enabled for internal users. The site is written in ASP classic and running on IIS on Windows 2003 Server. Thank you for your time.

    Read the article

  • What's so bad about in-line CSS?

    - by ChessWhiz
    When I see website starter code and examples, the CSS is always in a separate file, named something like "main.css", "default.css", or "Site.css". However, when I'm coding up a page, I'm often tempted to throw the CSS in-line with a DOM element, such as by setting "float: right" on an image. I get the feeling that this is "bad coding", since it's so rarely done in examples. I understand that if the style will be applied to multiple objects, it's wise to follow "Don't Repeat Yourself" (DRY) and assign it to a CSS class to be referenced by each element. However, if I won't be repeating the CSS on another element, why not in-line the CSS as I write the HTML? The question: Is using in-line CSS considered bad, even if it will only be used on that element? If so, why? Example (is this bad?): <img src="myimage.gif" style="float:right" />

    Read the article

  • Checkstyle for C#?

    - by PSU_Kardi
    I'm looking to find something along the lines of Checkstyle for Visual Studio. I've recently started a new gig doing .NET work and realized that coding standards here are a bit lacking. While I'm still a young guy and far from the most experienced developer I'm trying to lead by example and get things going in the right direction. I loved the ability to use Checkstyle with Eclipse and examine code before reviews so I'd like to do the same thing with Visual Studio. Anyone have any good suggestions? Another thing I'd be somewhat interested in is a plug-in for SVN that disallows check-in until the main coding standards are met. I do not want people checking in busted code that's going to wind up in a code review. Any suggestions at this point would be great.

    Read the article

  • Decrypting data from a secure socket

    - by Ronald
    I'm working on a server application in Java. I've successfully got past the handshake portion of the communication process, but how do I go about decrypting my input stream? Here is how I set up my server: import java.io.IOException; import java.net.ServerSocket; import java.net.Socket; import java.util.ArrayList; import java.util.HashMap; import javax.net.ServerSocketFactory; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; import org.json.me.JSONException; import dictionary.Dictionary; public class Server { private static int port = 1234; public static void main(String[] args) throws JSONException { System.setProperty("javax.net.ssl.keyStore", "src/my.keystore"); System.setProperty("javax.net.ssl.keyStorePassword", "test123"); System.out.println("Starting server on port: " + port); HashMap<String, Game> games = new HashMap<String, Game>(); final String[] enabledCipherSuites = { "SSL_RSA_WITH_RC4_128_SHA" }; try{ SSLServerSocketFactory socketFactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); SSLServerSocket listener = (SSLServerSocket) socketFactory.createServerSocket(port); listener.setEnabledCipherSuites(enabledCipherSuites); Socket server; Dictionary dict = new Dictionary(); Game game = new Game(dict); //for testing, creates 1 global game. while(true){ server = listener.accept(); ClientConnection conn = new ClientConnection(server, game, "User"); Thread t = new Thread(conn); t.start(); } } catch(IOException e){ System.out.println("Failed setting up on port: " + port); e.printStackTrace(); } } } I used a BufferedReader to get the data send from the client: BufferedReader d = new BufferedReader(new InputStreamReader(socket.getInputStream())); After the handshake is complete it appears like I'm getting encrypted data. I did some research online and it seems like I might need to use a Cipher, but I'm not sure. Any ideas?

    Read the article

  • Stuck with luasec LUA secure socket

    - by PeterMmm
    This example code fails: require("socket") require("ssl") -- TLS/SSL server parameters local params = { mode = "server", protocol = "sslv23", key = "server.key", certificate = "server.crt", cafile = "server.key", password = "123456", verify = {"peer", "fail_if_no_peer_cert"}, options = {"all", "no_sslv2"}, ciphers = "ALL:!ADH:@STRENGTH", } local socket = require("socket") local server = socket.bind("*", 8888) local client = server:accept() client:settimeout(10) -- TLS/SSL initialization local conn,emsg = ssl.wrap(client, params) print(emsg) conn:dohandshake() -- conn:send("one line\n") conn:close() request https://localhost:8888/ output error loading CA locations ((null)) lua: a.lua:25: attempt to index local 'conn' (a nil value) stack traceback: a.lua:25: in main chunk [C]: ? Not very much info. Any idea how to trace down to the problem ?

    Read the article

  • Secure web module for paid subscribtion

    - by DarkJaff
    Hello everyone, I'm building a website (a community web site like digg) but we will soon release a new feature that people will need to pay for. Right now, our website is in pure C# in .NET, very simple pages with some AJAX. When the member log in, there is no HTTPS. Everything is check with session and the internal validation that I do. What we need, is that when the people are logged in, they can click on a link a proceed to a payment (Paypal, credit card, etc). After the payment is done, the "billing module" will return a value to my site to validate that the payment is done so the account will be flagged as "paying member". I'm guessing this is the way to do, maybe I'm wrong! So my questions are: -What is the name of this kind of billing module? (I will do some research on that) -Do you know any ready to go module that does this kind of thing? -(I push my luck) Do you know any FREE module that do this kind of things. If something is not clear, don't hesitate to ask question :) Thanks a lot! DarkJaff

    Read the article

< Previous Page | 35 36 37 38 39 40 41 42 43 44 45 46  | Next Page >