Search Results

Search found 7249 results on 290 pages for 'https everywhere'.

Page 40/290 | < Previous Page | 36 37 38 39 40 41 42 43 44 45 46 47  | Next Page >

• Disable SSL / TLS compression in Apache 2.2.x

  - by DevGav

  Is there a way to disable SSL/TLS Compression in Apache 2.2.x when using mod_ssl? If not, what are people doing to mitigate the effects of CRIME/BEAST in older browsers? Related Links: https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 https://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512 http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

  Read the article

• Apache + plesk vhost problem: .htaccess ignored!

  - by DaNieL

  Hi guys, i have a problem with a simple apache configuration. When the user ask for https://mydomain.com i have to redirect it to https://www.mydomain.com, becose my https certificate is valid just for the domain with www. I create the vhost.conf into my /var/www/vhosts/mydomain.com/conf/ directory, with inside: <Directory /var/www/vhosts/mydomain.com/httpsdocs> AllowOverride All </Directory> And my .htaccess file into the /var/www/vhosts/mydomain.com/httpsdocs/ is: RewriteEngine on RewriteCond %{HTTPS_HOST} ^mydomain\.com RewriteRule ^(.*)$ https://www.mydomain.com/$1 [R=301,L] But seem like the .htaccess is completely ignored. Any idea?

  Read the article

• .htaccess redirection resulting alias plus directory name

  - by austin cheney

  I am using .htaccess file to redirect all web traffic in a folder to ssl, because the directory prompts users for a login. When a user logs in they are redirected from https://subdir.mailmarkup.org/ to https://subdir.mailmarkup.org/~homedir/subdir. I want users to be redirected from http to https, and this is occuring successfully, however, I do not want users redirected from the first path mentioned above to the second. How do I prevent this?

  Read the article

• curl can't verify cert using capath, but can with cacert option

  - by phylae

  I am trying to use curl to connect to a site using HTTPS. But curl is failing to verify the SSL cert. $ curl --verbose --capath ./certs/ --head https://example.com/ * About to connect() to example.com port 443 (#0) * Trying 1.1.1.1... connected * Connected to example.com (1.1.1.1) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: ./certs/ * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Closing connection #0 curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. I know about the -k option. But I do actually want to verify the cert. The certs directory has been properly hashed with c_rehash . and it contains: A Verisign intermediate cert Two self-signed certs The above site should be verified with the Verisign intermediate cert. When I use the --cacert option instead (and point directly to the Verisign cert) curl is able to verify the SSL cert. $ curl --verbose --cacert ./certs/verisign-intermediate-ca.crt --head https://example.com/ * About to connect() to example.com port 443 (#0) * Trying 1.1.1.1... connected * Connected to example.com (1.1.1.1) port 443 (#0) * successfully set certificate verify locations: * CAfile: ./certs/verisign-intermediate-ca.crt CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using RC4-SHA * Server certificate: * subject: C=US; ST=State; L=City; O=Company; OU=ou1; CN=example.com * start date: 2011-04-17 00:00:00 GMT * expire date: 2012-04-15 23:59:59 GMT * common name: example.com (matched) * issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3 * SSL certificate verify ok. > HEAD / HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15 > Host: example.com > Accept: */* > < HTTP/1.1 404 Not Found HTTP/1.1 404 Not Found < Cache-Control: must-revalidate,no-cache,no-store Cache-Control: must-revalidate,no-cache,no-store < Content-Type: text/html;charset=ISO-8859-1 Content-Type: text/html;charset=ISO-8859-1 < Content-Length: 1267 Content-Length: 1267 < Server: Jetty(7.2.2.v20101205) Server: Jetty(7.2.2.v20101205) < * Connection #0 to host example.com left intact * Closing connection #0 * SSLv3, TLS alert, Client hello (1): In addition, if I try hitting one of the sites using a self signed cert and the --capath option, it also works. (Let me know if I should post an example of that.) This implies that curl is finding the cert directory, and it is properly hash. Finally, I am able to verify the SSL cert with openssl, using its -CApath option. $ openssl s_client -CApath ./certs/ -connect example.com:443 CONNECTED(00000003) depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority verify return:1 depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 verify return:1 depth=0 /C=US/ST=State/L=City/O=Company/OU=ou1/CN=example.com verify return:1 --- Certificate chain 0 s:/C=US/ST=State/L=City/O=Company/OU=ou1/CN=example.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 --- Server certificate -----BEGIN CERTIFICATE----- <cert removed> -----END CERTIFICATE----- subject=/C=US/ST=State/L=City/O=Company/OU=ou1/CN=example.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 --- No client certificate CA names sent --- SSL handshake has read 1563 bytes and written 435 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA Session-ID: D65C4C6D52E183BF1E7543DA6D6A74EDD7D6E98EB7BD4D48450885188B127717 Session-ID-ctx: Master-Key: 253D4A3477FDED5FD1353D16C1F65CFCBFD78276B6DA1A078F19A51E9F79F7DAB4C7C98E5B8F308FC89C777519C887E2 Key-Arg : None Start Time: 1303258052 Timeout : 300 (sec) Verify return code: 0 (ok) --- QUIT DONE How can I get curl to verify this cert using the --capath option?

  Read the article

• Adding multiple websites with different SSL certificates in IIS 7

  - by Timka

  I'm having troubles using SSL for 2 different websites on my IIS 7 server. Please see my setup below: website1: my.corporate.portal.com SSL certificate for website1: *.corporate.portal.com https/443 binded to my.corporate.portal.com website2: client.portal.com SSL certificate issued for: client.portal.com When I try to bind https in IIS7 with the client's certificate, I don't have an option to put host name(grayed out) and as soon as I select 'client.portal.com' cert, I'm getting the following error in IIS: At least one other site is using the same HTTPS binding and the binding is configured with a different certificate. Are you sure that you want to reuse this HTTPS binding and reassign the other site or sites to use the new certificate? If I click 'yes' my.corporate.portal.com website stops using the proper SSL cert. Could you suggest something?

  Read the article

• Setup IIS 7.5 with multiple website bindings and SSL?

  - by JK01

  On IIS 7.5 I am trying to achieve this with two websites: Default Web Site is bound to: (blank host header port 80 - http) (blank host header port 443 - https) go.example.com www71.example.com the IP address of go.example.com 2nd web site "Beta" is bound to: beta.example.com (blank host header port 443 - https) * using blank only because it doesn't seem to be possible to bind https to a named host header And both need to work with SSL. But I have these problems: When I type in beta.example.com, I see the go.example.com site instead I can not seem to add the SSL binding to both websites at once (I have a single *.example.com wildcard certificate). The beta site will not even start if I add the https binding to it. This is how I have set it up: What is the correct way to set it up?

  Read the article

• How do I make subsonic (media server) work with SSL?

  - by John Baber

  The roughly out-of-the-box setup as a regular user works fine (meaning the site appears at http://myserver.com:4040). From ps aux java -Xmx100m -Dsubsonic.home=/var/subsonic -Dsubsonic.host=0.0.0.0 -Dsubsonic.port=4040 -Dsubsonic.httpsPort=0 -Dsubsonic.contextPath=/ -Dsubsonic.defaultMusicFolder=/var/music -Dsubsonic.defaultPodcastFolder=/var/music/Podcast -Dsubsonic.defaultPlaylistFolder=/var/playlists -Djava.awt.headless=true -verbose:gc -jar subsonic-booter-jar-with-dependencies.jar but just giving an https port java -Xmx100m -Dsubsonic.home=/var/subsonic -Dsubsonic.host=0.0.0.0 -Dsubsonic.port=4040 -Dsubsonic.httpsPort=6060 -Dsubsonic.contextPath=/ -Dsubsonic.defaultMusicFolder=/var/music -Dsubsonic.defaultPodcastFolder=/var/music/Podcast -Dsubsonic.defaultPlaylistFolder=/var/playlists -Djava.awt.headless=true -verbose:gc -jar subsonic-booter-jar-with-dependencies.jar makes http://myserver.com:4040 say HTTP ERROR: 404 NOT_FOUND RequestURI=/index.view Powered by jetty:// and https://myserver.com:6060 say Unable to connect I'm only making the change by doing # SUBSONIC_ARGS="--port=80 --https-port=443 --max-memory=120" SUBSONIC_ARGS="--max-memory=100 --https-port=6060" in /etc/default/subsonic and issuing a sudo service subsonic restart (this is Ubuntu Oneiric)

  Read the article

• Apache mod_proxy

  - by mhouston100

  Uggh, I'm spewing that I can't figure this out, I'm so frustrated: <VirtualHost *:80> servername domain1.com.au ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined <Proxy *> Order Allow,Deny Allow from all </Proxy> RewriteEngine on ReWriteCond %{SERVER_PORT} !^443$ RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L] </VirtualHost> <VirtualHost *:443> servername domain1.com.au SSLEngine on SSLCertificateFile /etc/apache2/ssl/owncloud.pem SSLCertificateKeyFile /etc/apache2/ssl/owncloud.key DocumentRoot /var/www/html </VirtualHost> <VirtualHost *:*> Servername domain2.com.au ProxyRequests Off <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass / https://192.168.1.12/ ProxyPassReverse / https://192.168.1.12/ </VirtualHost> Not sure if it's clear what I'm trying to do, but I've read and read and READ, I still can't figure it out. Basically I have a working Apache server with a rewrite to force HTTPS, as seen in the first two VirtualHost entries. I now have a webmail service I set up on another server, under another domain name, however I only have one incoming public IP address. So I'm trying to have any incoming requests for the second domain to be proxied to the other server to access the webmail, whether its port 80 or 443. IMAP and POP3 are no problems, I can just forward the ports directly to the correct server. The results of the above configuration is that requests to domain2.com.au (port 80 or 443) are forwarded to https://domain1.com.au. Am I headed in the right direction?

  Read the article

• nginx ssl redirect

  - by Lari13

  I have SSL-sertificate for www. mydomain.com How is the right config for nginx to get desired: SSL request without www (https://mydomain.com/somefile) will be redirected to https://www. mydomain.com/somefile This doesn't work, broser shows SSL-warning (wrong domain) :( server { listen 443 ssl; server_name mydomain.com; rewrite ^(.*) https://www.mydomain.com$1 permanent; ssl_certificate intermediate.crt; ssl_certificate_key www.mydomain.com.key; }

  Read the article

• Exchange 2010 remote access

  - by evesirim

  Does anyone know how to configure more addresses for remote access to Outlook on our SBS 2008? Currently you can go to either 'https://remote.site.co.uk/remote' to acces the remote web workspace or 'https://remote.site.co.uk/owa' to go straight to remote exchange access. I would like to set it up so that by going to 'https://remote.site.co.uk/exchange' it takes you to same place that '/owa' would. Does anybody know if this is possible, and if so how? Many thanks

  Read the article

• Apache: serving SSL only

  - by elect

  I have a website that I want to be access only by https://myurl.com. A normal typing myurl.com should be forwarded to the https. I tried different things such as: RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://myurl.com/$1 [R,L] (rewrite mod ON) or NameVirtualHost *:80 <VirtualHost *:80> ServerName mysite.example.com DocumentRoot /usr/local/apache2/htdocs Redirect permanent /secure https://mysite.example.com/secure </VirtualHost> But they didnt work, which is the right way to do it? Debian & Apache 2

  Read the article

• why Apache with ssl but back end weblogic without ssl works?

  - by huangli

      Hello everyone. my question is very simple . The link below is a picture about my architecture. https://docs.google.com/open?id=0BxSXbpgYIZVOR212RVk4ZDN1Sm8.      The pic above shows the architecture right now and it works correctly ! which means I could visit apache with url https//apchehost:8080, could not visit the web app with https served by weblogic but I could visit these app with https served by Apache(Apache is proxy server).      My question is why the Apache is configured with ssl but weblogic without ssl works ? I think weblogic should also configured with ssl . If this works , what about security level ? Is the ssl really works if only Apache configured with ssl but Weblogic without it ? Thanks . condition: Apache 2.2.17 with weblogic module mod_wl_22.so Weblogic: 10.3 OS: Windows server 2003

  Read the article

• SSL on app - nginx web server

  - by Adam

  I am running an nginx web server where I redirect all http requests to https (with a self signed cert). Here is how I REDIRECT all http requests to https in the nginx config file: server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name my.server.ip; return 301 https://$server_name$request_uri; Problem is - I cannot seem to do so for an app running on a port. Example: http://my.server.ip:1234 does not redirect to https://my.server.ip:1234 ir works fine on all other urls like http://my.server.ip/temp etc. How can I modify the nginx config file to force that app url through ssl?

  Read the article

• How can I change a search provider's URL in IE8?

  - by Traveling Tech Guy

  Now that Google finally allows searching over HTTPS, I switched all my browsers to use https://google.com by default (I documented my effort in my blog). The only browser I couldn't change the URL string in, is IE8. You can either add, remove, or change the priority of a search provider - as far as I've seen. Can anyone suggest a way to change the default search behavior in E8 to go to HTTPS? Thanks.

  Read the article

• Reverse Proxy Server SSL?

  - by valveLondon

  Context We currently have an Apache web server in the DMZ set up as a reverse proxy and load balancer for two machines running Windows Server 2008 (IIS) inside. The Apache server has a genuine SSL certificate and serves up both http and https, however, the balancer members in the load balancing section are set to: BalancerMember {https://server1} and {https://server2}. The IIS web servers have self-signed certificates in order to respond to the https requests. My question: Do we need to forward any requests from Apache (in the DMZ) to the inside using SSL? e.g can the reverse proxy forward the requests using HTTP? and if so, why would I choose to forward them with SSL? (how secure is the http line between the dmz and the inside); In other words, can I totally disable SSL on my inside web servers?

  Read the article

• Using Redirect for an SSL CDN to have a Custom Domain

  - by bendytree

  We're looking to move our website/app assets to a CDN. The problem is, our CDN doesn't offer custom domain names with SSL. In other words, for SSL they offer https://1234.cdn.hostingcompany.com but not https://assets.mysite.com. So this seems like a huge problem since I don't want to re-publish my app with their domain hard coded. So I read somewhere about a method where you send people to https://assets.mysite.com then redirect to https://1234.cdn.hostingcompany.com. Is there merit to that solution or would that completely defeat the purpose of the CDN.

  Read the article

• Homepage 301 Redirect to SSL Homepage

  - by user33692

  I'm hoping somebody might be able to provide a bit of advice on an issue I am having. I have 1 site where we implemented a 301 redirect on the homepage from http to https. We have links on the homepage to other parts of the site that are not under SSL (in fact there is only one other page under SSL). When I go to our webmaster account I notice that we are not being provided with any webmaster information (search queries, backlinks) related to our homepage under SSL. I performed a Fetch Google on the homepage and the information it returned is: HTTP/1.1 301 Moved Permanently Date: Fri, 08 Nov 2013 17:26:24 GMT Server: Apache/2.2.16 (Debian) Location: https://mysite.com/ Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 242 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://mysite.com/">here</a>.</p> <hr> <address>Apache/2.2.16 (Debian) Server at mysite.com</address> </body></html> I am worried that the fact that Google Fetch is not getting the correct Title Tags and Meta information from our homepage and that this is hurting our search results. Additionally, I am worried that we need to do something specific with the SiteMap to ensure that Google is correctly indexing all our pages and being able to flow from the https to the http without issues. Does anybody have any advice on how we can correctly set this up or be sure that Google is fetching the correct information?

  Read the article

• OpenWorld Suggest-a-Session Voting on Oracle Mix now OPEN!

  - by keith.laker

  Last year the Oracle OpenWorld team decided to use Oracle Mix as a way to select some of the papers for OpenWorld and this year we are following the same process. The majority of papers for this year's conference have already been selected, however, there are some presentation slots still available so the OpenWorld team are giving you the chance to vote on which papers you want to see at this year's OpenWorld conference.The voting process has just opened and will close on June 20. I did a quick search on the list of sessions one paper really caught my eye: Case Study: Real-Time data warehousing and fraud detection with Oracle 11gR2 by Dr. Holger Friedrich. As a data warehouse product manager I would love to see this paper selected. I have attended a number of presentations over the years given by Holger and he is an excellent, knowledgeable and entertaining presenter. The subject area is, for me, very interesting as it covers topics that I know are important to our customers and this case study highlights the innovative use of key database features. I would strongly encourage everyone to please vote for this paper. You can vote for Holger's presentation by going here:https://mix.oracle.com/oow10/proposals/10566-case-study-real-time-data-warehousing-and-fraud-detection-with-oracle-11gr2There are some rules relating to the voting process and these are all explained here: https://mix.oracle.com/oow10/faqA Quick Overview of the voting rules?1) You have to a member of the Oracle Mix communityBut membership is free! To sign up for a Mix account and you are one your way. You can sign-up by clicking on the "Create an Account" link in the top right corner of the Oracle Mix home page: https://mix.oracle.com/2) You have to vote for 3 different papersBased on last year’s voting pattern, the Mix team found that a number of participants were only voting for their own sessions. This year voters are required to vote on at least three sessions. How do I find the list of presentations? The full list of all available presentations is here: https://mix.oracle.com/oow10/proposalsGood luck and happy voting. Look forward to seeing you all at OpenWorld.

  Read the article

• Tracking subdomains in the same profile as the main domain

  - by Osvaldo

  I have a site, let's call it http://www.example.com with a non-universal Google analytics account. Now we have to add new functionalities in a subdomain like https://subdomain.example.com as a micro site. On that subdomain the URL's will be something like https://subdomain.example.com?param1=foo&param2=bar We can't change the requirements as both main site and mini-site use a different CMS/application. This is strictly a Google Analytics question. But we need to count pageviews and events that happen in that subdomain (with URLs like https://subdomain.example.com?param1=foo&param2=bar) as belonging to the main domain. So pageviews and events in https://subdomain.example.com?param1=foo&param2=bar need to be recorded as if they happened in http://www.example.com/path/to/whatever/I/want Fortunately we have full control on JavaScript in the main domain site and in the subdomain site too. How can we make this work? Do we need to change tracking code both in the main domain and subdomains? Do we need to reconfigure Google Analytics? Please note again that we do not want to create a new view for the subdomain. Both mini-site and main site should be in the same account, property and view.

  Read the article

• Hostmonster can't change domains around?

  - by loneboat

  (question imported from http://superuser.com/q/204439/53847 ) Horrible title, but I couldn't think of a succinct way to summarize it to fit. I have HostMonster for my web hosting. I have several domain names under the same account (using the same web space, IP address, etc...). Every HM account has one domain set up as the "main domain", and all other domains are "secondary". The only way I have ever encountered this being an issue is in trying to use HTTPS - since (from my limited understanding) HTTPS encrypts headers, you can't route HTTPS requests to different virtual hosts on a server - only unencrypted requests, since it must look in the request to know where to route it. When I registered for my account, I only had one domain name (A). I have since added domain names (B), (C), (D), etc... At one point I switched domain name (B) to be my "main" domain name - so I could use HTTPS with it. I have since sold domain name (B), and would like to make domain name (A) my "main" one again (as it was before), but HM support says, "no, once a domain name has been a 'main' domain name on an account once, we can't set it up to be a 'main' domain name again. You're welcome to use domains (C), or (D), though.". They tell me the only way to reuse domain (A) as a "main" domain would be to set up a new account and transfer over all my files. I'm confused here. If I have domains (D), (E), and (F), they say I'm welcome to make one of them my new main domain name, just never (A) again, since I've already "used" it once. Calls to support only reveal that they can't let me do it because doing so would somehow "break" my account. Can anyone think of any good reason why this should be so? The only thing I can think is that maybe they're using the domain names as keys in some database or something? But if that's the case, that's ridiculous - they need to reorganize their databases!

  Read the article

• Can we use both Google Analytics (Asynchronous) and Google Analytics with Display Advertising code in same page

  - by Gadde

  I have Google Analytics (Asynchronous) script <script type=”text/javascript”> _gaq.push(['_setAccount', 'UA-XXXXX-X']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> and Google Analytics with Display Advertising Script <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-XXXXX-X-yz']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'stats.g.doubleclick.net/dc.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> The UA - codes are different can i use both the codes ? I've read some where that Universal Analytics will not interfere with previous versions of Google Analytics. If i have upgraded to Universal Analytics, If the UA - codes are different should i use only the Universal Analytics script or should i use both Universal Analytics script and Universal Analytics script. please advise.....

  Read the article

• SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

  - by MOKANA

  Subsequent to my posting there was a remark made that this was not really a question but I thought I did indeed postulate one. So that there is no ambiquity here is the question with a lead in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does any one see any other way other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_toekn, that will insure unique untampered with security by the user? Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for any one to see. This access_token is appended to any https call to the Facebook OpenGraph API. Using facebook as a single click log on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination and after reviewing the FB.Init calls I saw a lot of HTTPS calls so I assumed the access_token was always encrypted. But last night I saw in the status bar a call from what was simply an http call that included the App ID so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast and in the attached image you can see that there are http calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something, is what I am seeing and my interpretation really correct. If any one can sniff and get the access_token they can theorically make calls to the Graph API via https, even though the call back would still need to be the site established in Facebook's application set up. But what is truly a security threat is anyone using the access_token for access to their own site. I do not see the value of a single sign on via Facebook if the only thing that was established as secure was the access_token - becuase for what I can see it clearly is not secure. Access tokens that never have an expire date do not change. Access_tokens are different for every user, to access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png Went back and did more research on this: FINDINGS: Went back an re ran the canvas application to verify that it was not any of my code that was not broadcasting. In this call: HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1 The USER ID is clearly visible in the cookie. So USER_ID's are fully visible, but they are already. Anyone can go to pretty much any ones page and hover over the image and see the USER ID. So no big threat. APP_ID are also easily obtainable - but . . . http://www.creatingstory.com/images/InTheOpen2.png The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook initiated call. Am I wrong. TELL ME I AM WRONG because I want to be wrong about this. I have since reset my app secret so I am showing the real sniff of the Canvas Page being loaded. Additional data 02/20/2011: @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server and my Facebook server side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front end application and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don’t know that could come back and bite me. Two huge access_token issues: The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie contain the access_token, session, a secret, and uid and status of the connection. The session object is structured such that is supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much al that is used in the session object. The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser: https://graph.facebook.com/220439?access_token=... and it will return a ton of information about the user. So any one with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a Callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info back right into the browser. Adding that callback feature would be a good idea I think, tightens things up a bit. The second issue is utilization of some unique private secured data that identifies the user to the third party data base, i.e., like in my case, I would use a single sign on to populate user information into my database using this unique secured data item (i.e., access_token which contains the APP ID, the USER ID, and a hashed with secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with secret, make HTTPS calls, get HTTPS responses back. When a user has information entered via the USER AGENT(browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that they are validated prior to data base insertion. However, If there is NO secured piece of unique data that is supplied via the single sign on process, then there is no way to guarantee unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. it is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If however, it is subsequently transmitted in the clear and if I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser. In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above and I have sniffed it such that I see it stored in a Cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database, or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that. I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign on process or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.

  Read the article

• chdir warning when opening .tar file on OS X

  - by denonth

  I need to unarchive a file to the /Developer folder. Install Qt for iOS SDK The Qt for iOS SDK has been configured to be installed in the default Xcode installation location /Developer. It is not possible to install the SDK into another location without first rebuilding it, as the install location is contained within the qmake executable, and that is built as part of Qt. To install the Qt for iOS SDK, open ‘Terminal’ and type the following from the command­-line: tar –xf qt­-everywhere-­ios­-4.8.0­-xxx.tar.gz –C /Developer (where xxx is an identifier which can be used to determine the build of the iOS SDK eg. arm7-­-nossl) This will install the Qt for iOS SDK into the following path: /Developer/Platforms/iPhoneOS.platform/Developer/usr/share/qt­-everywhere­-ios­-4.8.0 When I perform the operation I get the information: Lions-Mac:Documents User$ tar -xf qt-everywhere-ios-4.8.0-arm7-nossl.tar.gz -C /Developer tar: could not chdir to '/Developer' Any idea what is wrong?

  Read the article

• Unable to checkout svn repositories

  - by lucaghera

  I have an ubuntu 12.04 machine were apache2 is set up with SSL certificates. In the same machine there is a SVN server. It all worked great till the update to 12.04. Now I'm able to access the svn via a web-browser and also by using an eclipse plugin (subversive), but I'm not able to access the svn via command line. When I try to check out a repo from a Mac Os X client it returns: svn: E120171: Unable to connect to a repository at URL 'https://IP/svn/repo_name' svn: E120171: Error running context: An error occurred during SSL communication If I try to check out a repo from an Ubuntu client it returns: svn: OPTIONS of 'https://IP/svn/repo_name': SSL handshake failed: SSL error: A TLS warning alert has been received. (https://IP)

  Read the article

• Microsoft® MVP (Most Valuable Professional) in XNA / DirectX.

  - by uditha

  I got an email form Microsoft saying that i have been selected for MVP in XNA/DirectX category. It was really memorable moment for me.And proud to be a Microsoft MVP. There are now total 44 MVPs for XNA/DirectX. https://mvp.support.microsoft.com/communities/mvp.aspx?product=1&competency=XNA%2fDirectX About MVP Program. https://mvp.support.microsoft.com/gp/aboutmvp My MVP Profile. https://mvp.support.microsoft.com/profile/Uditha Official SEA MVP blog. http://seamvpblogaholic.spaces.live.com/default.aspx

  Read the article

< Previous Page | 36 37 38 39 40 41 42 43 44 45 46 47  | Next Page >