Search Results

Search found 2043 results on 82 pages for 'newly insecure'.

Page 42/82 | < Previous Page | 38 39 40 41 42 43 44 45 46 47 48 49  | Next Page >

  • Can't boot to Windows 7 after installing Ubuntu 11.10

    - by les02jen17
    Here's what happened: I have 2 HDDs. 1st HDD is partitioned like this: C - Windows 7 D* - Empty drive where I installed Ubuntu E - Personal Files F - Personal Files 2nd HDD is partitioned like this: G - Personal Files *the D partition is originally part of the C partition. I resized it (using Easus Partition Master in Windows) and defragged it prior to installing Ubuntu. I installed Ubuntu by booting to the Ubuntu Secure Remix CD, and chose the D partition to install Ubuntu. I did not create a swap drive, and I mounted the / to the D partition. I didnt know where to mount the others, so I just thought by mounting the / to D, it would be okay. After the long installation, upon rebooting, I can't access Windows AND Ubuntu. I get an infinite bootloop and eventually the choices to boot to Safe Modes, Last Known Good Configuration and Start Windows normally. After failing in all of them, I placed the CD back and ran the Boot Repair. I chose the MBR 1st, it didn't work. I then chose the GRUB 2nd and now I was able to boot to the Ubuntu I installed, but not to my Windows 7! I'm using my newly installed Ubuntu while writing this. I hope you can help me. I did the best I could! Here's the link to the boot repair log: http://paste.ubuntu.com/919354/ Thanks in advance!

    Read the article

  • 2012 EC Election Results

    - by heathervc
    The 2012 Fall Executive Committee Election process is now complete. The ballot closed at midnight pacific time on Monday, 29 October.  Congratulations to Cinterion Wireless Modules GmbH, Credit Suisse, Fujitsu Limited, Hewlett-Packard (all four candidates were ratified),  and CloudBees and London Java Community (two elected candidates) as the new and re-elected merged EC Members. For more information regarding the merged EC, please refer to JSR 355 and the JCP 2.9 Process Document. Ratified Seats: Cinterion Wireless Modules GmbH, Credit Suisse, Fujitsu Limited and Hewlett-Packard Open Election Seats: CloudBees and London Java Community Newly elected EC Members take their seats on Tuesday, 13 November 2012. Detailed Election Results:Number of Eligible Voters: 1131 Percent of Eligible Members Casting Votes: 23.70% Ratified Seats: Candidate Yes Votes (%) No Votes (%) Abstentions Cinterion Wireless Modules GmbH 156 (76) 48 (24) 64 Credit Suisse 205 (85) 35 (15) 28 Fujitsu Limited 195 (85) 35 (15) 38 Hewlett-Packard 182 (81) 44 (19) 42 Open Election Seats: The top two candidates have been elected. Candidate Votes (%) Cisco Systems 37 (7) CloudBees 101 (20) Giuseppe Dell'Abate 6 (1) Liferay, Inc. 35 (7) London Java Community 164 (33) MoroccoJUG 46 (9) North Sixty-One Ltd 26 (5) Software AG 19 (4) ZeroTurnaround 64 (13) None of the above 5 (1) For more information about the candidates who ran for the 2012 Executive Committee Election, please visit the 2012 Executive Committee Elections Nominees page.

    Read the article

  • libapt-inst1.4:i386 fais to install

    - by user92834
    Today I was notifed of updates, some of them being libapt. So I press "Install Updates", and I got this error: The following packages have unmet dependencies: libapt-inst1.4:i386: Depends: libapt-pkg4.12 (>= 0.8.16~exp12ubuntu10.2) but 0.8.16~exp12ubuntu10.3 is installed Depends: libc6 (>= 2.4) but 2.15-0ubuntu10 is installed Depends: libgcc1 (>= 1:4.1.1) but 1:4.6.3-1ubuntu5 is installed Depends: libstdc++6 (>= 4.4.0) but 4.6.3-1ubuntu5 is installed So I open the terminal and typed sudo apt-get install -f I was shown this: The following extra packages will be installed: libapt-inst1.4 libapt-inst1.4:i386 libapt-pkg4.12:i386 The following NEW packages will be installed: libapt-pkg4.12:i386 The following packages will be upgraded: libapt-inst1.4 libapt-inst1.4:i386 2 upgraded, 1 newly installed, 0 to remove and 18 not upgraded. 1 not fully installed or removed. Need to get 0 B/1,146 kB of archives. After this operation, 3,031 kB of additional disk space will be used. Do you want to continue [Y/n]? I selected "yes". And then: E: Internal Error, No file name for libapt-pkg4.12 Also, when I open the software center, I get a message that the database is broken... I'm using 12.04 64bit But why it wants to install the i386 version? I'm using 64 bit ubuntu...

    Read the article

  • Updating to linux-image-3.2.0-26-generic occupies all disk space

    - by user42228
    I just ran a normal update through the update manager that wanted to update me to linux-image-3.2.0-26-generic. The installation paused halfway with a message that the root was full. I checked the disk usage, and noticed that one of the newly installed files: /lib/modules/3.2.0-26-generic/modules.ccwmap took up 63GB(!). Compared to the previous version: /lib/modules/3.2.0-24-generic/modules.ccwmap that took up only 4KB it seems like something went awfully wrong! As mentioned the update was paused when i ran out of disk space. There is no option in the update dialog to cancel or perform rollback on the update. Is it asking for trouble to kill the update manager? Any ideas as to what went wrong, and what I can do to remedy it? It's only minimal how much space I can free on that partition (without deleting the above mentioned file). If it is any help, the update was paused after this: Examining /etc/kernel/postinst.d. run-parts: executing /etc/kernel/postinst.d/dkms 3.2.0-26-generic /boot/vmlinuz-3.2.0-26-generic

    Read the article

  • UnauthorizedAccessException on MemoryMappedFile in C# 4.

    - by Kevin Nisbet
    Hey, I wanted to play around with using a MemoryMappedFile to access an existing binary file. If this even at all possible or am I a crazy person? The idea would be to map the existing binary file directly to memory for some preferably higher-speed operations. Or to atleast see how these things worked. using System.IO.MemoryMappedFiles; System.IO.FileInfo fi = new System.IO.FileInfo(@"C:\testparsercap.pcap"); MemoryMappedFileSecurity sec = new MemoryMappedFileSecurity(); System.IO.FileStream file = fi.Open(System.IO.FileMode.Open, System.IO.FileAccess.ReadWrite, System.IO.FileShare.ReadWrite); MemoryMappedFile mf = MemoryMappedFile.CreateFromFile(file, "testpcap", fi.Length, MemoryMappedFileAccess.Read, sec, System.IO.HandleInheritability.Inheritable, true); MemoryMappedViewAccessor FileMapView = mf.CreateViewAccessor(); PcapHeader head = new PcapHeader(); FileMapView.Read<PcapHeader>(0, out head); I get System.UnauthorizedAccessException was unhandled (Message=Access to the path is denied.) on the mf.CreateViewAccessor() line. I don't think it's file-permissions, since I'm running as a nice insecure administrator user, and there aren't any other programs open that might have a read-lock on the file. This is on Vista with UAC disabled. If it's simply not possible and I missed something in the documentation, please let me know. I could barely find anything at all referencing this feature of .net 4.0 Thanks!

    Read the article

  • AWS Amazon EC2 - password-less SSH login for non-root users using PEM keypairs

    - by Mark White
    We've got a couple of clusters running on AWS (HAProxy/Solr, PGPool/PostgreSQL) and we've setup scripts to allow new slave instances to be auto-included into the clusters by updating their IPs to config files held on S3, then SSHing to the master instance to kick them to download the revised config and restart the service. It's all working nicely, but in testing we're using our master pem for SSH which means it needs to be stored on an instance. Not good. I want a non-root user that can use an AWS keypair who will have sudo access to run the download-config-and-restart scripts, but nothing else. rbash seems to be the way to go, but I understand this can be insecure unless setup correctly. So what security holes are there in this approach: New AWS keypair created for user.pem (not really called 'user') New user on instances: user Public key for user is in ~user/.ssh/authorized_keys (taken by creating new instance with user.pem, and copying it from /root/.ssh/authorized_keys) Private key for user is in ~user/.ssh/user.pem 'user' has login shell of /home/user/bin/rbash ~user/bin/ contains symbolic links to /bin/rbash and /usr/bin/sudo /etc/sudoers has entry "user ALL=(root) NOPASSWD: ~user/.bashrc sets PATH to /home/user/bin/ only ~user/.inputrc has 'set disable-completion on' to prevent double tabbing from 'sudo /' to find paths. ~user/ -R is owned by root with read-only access to user, except for ~user/.ssh which has write access for user (for writing known_hosts), and ~user/bin/* which are +x Inter-instance communication uses 'ssh -o StrictHostKeyChecking=no -i ~user/.ssh/user.pem user@ sudo ' Any thoughts would be welcome. Mark...

    Read the article

  • Why does Silverlight 4 ClientHttp WebRequest prompt the user for a login and password?

    - by James Cadd
    One of the new features of the client http stack in Silverlight 4 is the ability to supply network credentials. When I use this feature Windows shows a "Windows Security" message box that prompts the user for a login and password (text in the box is "The server xx at xx requires a username and password. Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)."). I'm setting the login and password as shown below so I'm not sure why this is displayed. My code is: var request = WebRequestCreator.ClientHttp.Create(new Uri("http://myserver:8080/gui/?list=1")); request.Credentials = new NetworkCredential("login", "password"); request.BeginGetResponse(new AsyncCallback(OnRequestComplete), request); If I enter the username and password into the messagebox the request completes successfully. For a number of reasons I'd rather prompt the user for the login and password so I'd like to avoid the messagebox if possible. My setup is Silverlight 4 final, VS 2010 final, Windows 7 x86. The application is out of browser with elevated permissions.

    Read the article

  • How does Visual Studio decide the order in which stack variables should be allocated?

    - by Jason
    I'm trying to turn some of the programs in gera's Insecure Programming by example into client/server applications that could be used in capture the flag scenarios to teach exploit development. The problem I'm having is that I'm not sure how Visual Studio (I'm using 2005 Professional Edition) decides where to allocate variables on the stack. When I compile and run example 1: int main() { int cookie; char buf[80]; printf("buf: %08x cookie: %08x\n", &buf, &cookie); gets(buf); if (cookie == 0x41424344) printf("you win!\n"); } I get the following result: buf: 0012ff14 cookie: 0012ff64 buf starts at an address eighty bytes lower than cookie, and any four bytes that are copied in buf after the first eighty will appear in cookie. The problem I'm having is when I place this code in some other function. When I compile and run the following code, I get a different result: buf appears at an address greater than cookie's. void ClientSocketHandler(SOCKET cs){ int cookie; char buf[80]; char stringToSend[160]; int numBytesRecved; int totalNumBytes; sprintf(stringToSend,"buf: %08x cookie: %08x\n",&buf,&cookie); send(cs,stringToSend,strlen(stringToSend),NULL); The result is: buf: 0012fd00 cookie: 0012fcfc Now there is no way to set cookie to arbitrary data via overwriting buf. Is there any way to tell Visual Studio to allocate cookie before buf? Is there any way to tell beforehand how the variables will be allocated? Thanks, Jason

    Read the article

  • Best way for a remote web app to authenticate users in my current web app?

    - by jklp
    So a bit of background, I'm working on an existing web application which has a set of users, who are able to log in via a traditional login screen with a user name and password, etc. Recently we've managed to score a client (who have their own Intranet site), who are wanting to be able to have their users log into their Intranet site, and then have their users click a link on their Intranet which redirects to our application and logs them into it automatically. I've had two suggestions on how to implement this so far: Create a URL which takes 2 parameters (which are "username" and "password") and have the Intranet site pass those parameters to us (our connection is via TLS so it's all encrypted). This would work fine, but it seems a little "hacky", and also means that the logins and passwords have to be the same on both systems (and having to write some kind of web service which can update the passwords for users - which also seems a bit insecure) Provide a token to the Intranet, so when the client clicks on a link on the Intranet, it sends the token to us, along with the user name (and no password) which means they're authenticated. Again, this sounds a bit hacky as isn't that essentially the same as providing everyone with the same password to log in? So to summarise, I'm after the following things: A way for the users who are already authenticated on the Intranet to log into our system without too much messing around, and without using an external system to authenticate, i.e. LDAP / Kerberos Something which isn't too specific to this client, and can easily be implemented by other Intranets to log in

    Read the article

  • latex list environment inside the tabular environment: extra line at top preventing alignment

    - by Usagi
    Hello good people of stackoverflow. I have a LaTeX question that is bugging me. I have been trying to get a list environment to appear correctly inside the tabular environment. So far I have gotten everything to my liking except one thing: the top of the list does not align with other entries in the table, in fact it looks like it adds one line above the list... I would like to have these lists at the top. This is what I have, a custom list environment: \newenvironment{flushemize}{ \begin{list}{$\bullet$} {\setlength{\itemsep}{1pt} \setlength{\parskip}{0pt} \setlength{\parsep}{0pt} \setlength{\partopsep}{0pt} \setlength{\topsep}{0pt} \setlength{\leftmargin}{12pt}}}{\end{list}} Renamed ragged right: \newcommand{\rr}{\raggedright} and here is my table: \begin{table}[H]\caption{Tank comparisons}\label{tab:tanks} \centering \rowcolors{2}{white}{tableShade} \begin{tabular}{p{1in}p{1.5in}p{1.5in}rr} \toprule {\bf Material} & {\bf Pros} & {\bf Cons} & {\bf Size} & {\bf Cost} \\ \midrule \rr Reinforced concrete &\rr \begin{flushemize}\item Strong \item Secure \end{flushemize}&\rr \begin{flushemize}\item Prone to leaks \item Relatively expensive to install \item Heavy \end{flushemize} & 100,000 gal & \$299,400 \\ \rr Steel & \begin{flushemize}\item Strong \item Secure \end{flushemize} & \begin{flushemize}\item Relatively expensive to install \item Heavy \item Require painting to prevent rusting \end{flushemize} & 100,000 gal & \$130,100 \\ \rr Polypropylene & \begin{flushemize}\item Easy to install \item Mobile \item Inexpensive \item Prefabricated \end{flushemize} & \begin{flushemize}\item Relatively insecure \item Max size available 10,000 gal \end{flushemize} & 10,000 gal & \$5,000 \\ \rr Wood & \begin{flushemize}\item Easy to install \item Mobile \item Cheap to install \end{flushemize} & \begin{flushemize}\item Prone to rot \item Must remain full once constructed \end{flushemize} & 100,000 gal & \$86,300\\ \bottomrule \end{tabular} \end{table} Thank you for any advice :)

    Read the article

  • Cross-platform game development: ease of development vs security

    - by alcuadrado
    Hi, I'm a member and contributor of the Argentum Online (AO) community, the first MMORPG from Argentina, which is Free Software; which, although it's not 3D, it's really addictive and has some dozens of thousands of users. Really unluckily AO was developed in Visual Basic (yes, you can laugh) but the former community, so imagine, the code not only sucks, it has zero portability. I'm planning, with some friends to rewrite the client, and as a GNU/Linux frantic, want to do it cross-platform. Some other people is doing the same with the server in Java. So my biggest problem is that we would like to use a rapid development language (like Java, Ruby or Python) but the client would be pretty insecure. Ruby/Python version would have all it's code available, and the Java one would be easily decompilable (yes, we have some crackers in the community) We have consider the option to implement the security module in C/C++ as a dynamic library, but it can be replaced with a custom one, so it's not really secure. We are also considering the option of doing the core application in C++ and the GUI in Ruby/Python. But haven't analysed all it's implications yet. But we really don't want to code the entire game in C/C++ as it doesn't need that much performance (the game is played at 18fps on average) and we want to develop it as fast as possible. So what would you choose in my case? Thank you!

    Read the article

  • Where are the real risks in network security?

    - by Barry Brown
    Anytime a username/password authentication is used, the common wisdom is to protect the transport of that data using encryption (SSL, HTTPS, etc). But that leaves the end points potentially vulnerable. Realistically, which is at greater risk of intrusion? Transport layer: Compromised via wireless packet sniffing, malicious wiretapping, etc. Transport devices: Risks include ISPs and Internet backbone operators sniffing data. End-user device: Vulnerable to spyware, key loggers, shoulder surfing, and so forth. Remote server: Many uncontrollable vulnerabilities including malicious operators, break-ins resulting in stolen data, physically heisting servers, backups kept in insecure places, and much more. My gut reaction is that although the transport layer is relatively easy to protect via SSL, the risks in the other areas are much, much greater, especially at the end points. For example, at home my computer connects directly to my router; from there it goes straight to my ISPs routers and onto the Internet. I would estimate the risks at the transport level (both software and hardware) at low to non-existant. But what security does the server I'm connected to have? Have they been hacked into? Is the operator collecting usernames and passwords, knowing that most people use the same information at other websites? Likewise, has my computer been compromised by malware? Those seem like much greater risks. What do you think?

    Read the article

  • How to verify the SSL connection when calling an URI?

    - by robertokl
    Hello, I am developing an web application that is authenticated using CAS (A single-sign-on solution: http://www.ja-sig.org/wiki/display/CAS/Home). For security reasons, I need two things to work: The communication between CAS and my application needs to be secure My application needs to accept the certification coming with CAS, so that I can guarantee that the CAS responding is the real CAS Server. This is what I got so far: uri = URI.parse("https://www.google.com/accounts") https = Net::HTTP.new(uri.host, uri.port) https.use_ssl = (uri.scheme == 'https') https.verify_mode = (OpenSSL::SSL::VERIFY_PEER) raw_res = https.start do |conn| conn.get("#{uri.path}?#{uri.query}") end This works just great in my Mac OSX. When I try to reach an insecure uri, it raises an exception, and when I try to reach a secure uri, it allow me normally, just like expected. The problem starts when I deploy my application on my Linux server. I tried in both Ubuntu and Red Hat. Independing of what uri I try to reach, it always raises me this exception: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect' from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect' from /usr/local/lib/ruby/1.8/net/http.rb:553:in `do_start' from /usr/local/lib/ruby/1.8/net/http.rb:542:in `start' from (irb):7 I think this have something to do with my installed OpenSSL package, but I can't be sure. This are my installed OpenSSL packages: openssl.x86_64 0.9.8e-12.el5 installed openssl-devel.x86_64 0.9.8e-12.el5 installed I tried using HTTParty as well, but it just ignores the SSL certificated. I hope someone can help me, either by telling me a gem that works the way I need. Thanks.

    Read the article

  • Broken ssl, what to do

    - by TIT
    I have a site and i implemented ssl there. but when i browse it, the security seals dont come. i asked to godaddy, they replaid: Thank you for contacting online support. I cannot replicate the issue you have described. The error you described is caused by the way your site has been designed. If you receive this error, you have a combination of secure and non-secure objects on the page. For example, if your secure website was https://www.domain.tld and you added an object (an image, script, flash file, etc.) to that page that was located at http://www.domain.tld/image.jpg, you would break the seal. You will need to change your design to link to objects using https (ie https://www.domain.tld/image.jpg) or modify your site design to use relative paths (/image.jpg). This error can only be corrected by modifying your site design. Please contact your web designer or the manufacturer of your web design software if you require additional assistance modifying your site design. but the problem is i made everything,all my images javascripts are unders https, but the seal still not coming, saying: some content insecure. what is the problem.

    Read the article

  • Security implications of writing files using PHP

    - by susmits
    I'm currently trying to create a CMS using PHP, purely in the interest of education. I want the administrators to be able to create content, which will be parsed and saved on the server storage in pure HTML form to avoid the overhead that executing PHP script would incur. Unfortunately, I could only think of a few ways of doing so: Setting write permission on every directory where the CMS should want to write a file. This sounds like quite a bad idea. Setting write permissions on a single cached directory. A PHP script could then include or fopen/fread/echo the content from a file in the cached directory at request-time. This could perhaps be carried out in a Mediawiki-esque fashion: something like index.php?page=xyz could read and echo content from cached/xyz.html at runtime. However, I'll need to ensure the sanity of $_GET['page'] to prevent nasty variations like index.php?page=http://www.bad-site.org/malicious-script.js. I'm personally not too thrilled by the second idea, but the first one sounds very insecure. Could someone please suggest a good way of getting this done?

    Read the article

  • How to verify the SSL connection when calling a URI?

    - by robertokl
    Hello, I am developing a web application that is authenticated using CAS (A single-sign-on solution: http://www.ja-sig.org/wiki/display/CAS/Home). For security reasons, I need two things to work: The communication between CAS and my application needs to be secure My application needs to accept the certification coming from CAS, so that I can guarantee that the CAS responding is the real CAS server This is what I got so far: uri = URI.parse("https://www.google.com/accounts") https = Net::HTTP.new(uri.host, uri.port) https.use_ssl = (uri.scheme == 'https') https.verify_mode = (OpenSSL::SSL::VERIFY_PEER) raw_res = https.start do |conn| conn.get("#{uri.path}?#{uri.query}") end This works just great in Mac OS X. When I try to reach an insecure URI, it raises an exception, and when I try to reach a secure URI, it allows me normally, just like expected. The problem starts when I deploy my application on my Linux server. I tried in both Ubuntu and Red Hat. Independent of what URI I try to reach, it always raises this exception: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect' from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect' from /usr/local/lib/ruby/1.8/net/http.rb:553:in `do_start' from /usr/local/lib/ruby/1.8/net/http.rb:542:in `start' from (irb):7 I think this have something to do with my installed OpenSSL package, but I can't be sure. This are my installed OpenSSL packages: openssl.x86_64 0.9.8e-12.el5 installed openssl-devel.x86_64 0.9.8e-12.el5 installed I tried using HTTParty as well, but it just ignores the SSL certificate. I hope someone can help me, or tell me about a gem that works the way I need. Thanks.

    Read the article

  • Safe way to set computed environment variables

    - by sfink
    I have a bash script that I am modifying to accept key=value pairs from stdin. (It is spawned by xinetd.) How can I safely convert those key=value pairs into environment variables for subprocesses? I plan to only allow keys that begin with a predefined prefix "CMK_", to avoid IFS or any other "dangerous" variable getting set. But the simplistic approach function import () { local IFS="=" while read key val; do case "$key" in CMK_*) eval "$key=$val";; esac done } is horribly insecure because $val could contain all sorts of nasty stuff. This seems like it would work: shopt -s extglob function import () { NORMAL_IFS="$IFS" local IFS="=" while read key val; do case "$key" in CMK_*([a-zA-Z_]) ) IFS="$NORMAL_IFS" eval $key='$val' IFS="=" ;; esac done } but (1) it uses the funky extglob thing that I've never used before, and (2) it's complicated enough that I can't be comfortable that it's secure. My goal, to be specific, is to allow key=value settings to pass through the bash script into the environment of called processes. It is up to the subprocesses to deal with potentially hostile values getting set. I am modifying someone else's script, so I don't want to just convert it to Perl and be done with it. I would also rather not change it around to invoke the subprocesses differently, something like #!/bin/sh ...start of script... perl -nle '($k,$v)=split(/=/,$_,2); $ENV{$k}=$v if $k =~ /^CMK_/; END { exec("subprocess") }' ...end of script...

    Read the article

  • How important is it to use SSL?

    - by Mark
    Recently I installed a certificate on the website I'm working on. I've made as much of the site as possible work with HTTP, but after you log in, it has to remain in HTTPS to prevent session hi-jacking, doesn't it? Unfortunately, this causes some problems with Google Maps; I get warnings in IE saying "this page contains insecure content". I don't think we can afford Google Maps Premier right now to get their secure service. It's sort of an auction site so it's fairly important that people don't get charged for things they didn't purchase because some hacker got into their account. All payments are done through PayPal though, so I'm not saving any sort of credit card info, but I am keeping personal contact information. Fraudulent charges could be reversed fairly easily if it ever came to that. What do you guys suggest I do? Should I take the bulk of the site off HTTPS and just secure certain pages like where ever you enter your password, and that's it? That's what our competition seems to do.

    Read the article

  • How can I validate/secure/authenticate a JavaScript-based POST request?

    - by Bungle
    A product I'm helping to develop will basically work like this: A Web publisher creates a new page on their site that includes a <script> from our server. When a visitor reaches that new page, that <script> gathers the text content of the page and sends it to our server via a POST request (cross-domain, using a <form> inside of an <iframe>). Our server processes the text content and returns a response (via JSONP) that includes an HTML fragment listing links to related content around the Web. This response is cached and served to subsequent visitors until we receive another POST request with text content from the same URL, at which point we regenerate a "fresh" response. These POSTs only happen when our cached TTL expires, at which point the server signifies that and prompts the <script> on the page to gather and POST the text content again. The problem is that this system seems inherently insecure. In theory, anyone could spoof the HTTP POST request (including the referer header, so we couldn't just check for that) that sends a page's content to our server. This could include any text content, which we would then use to generate the related content links for that page. The primary difficulty in making this secure is that our JavaScript is publicly visible. We can't use any kind of private key or other cryptic identifier or pattern because that won't be secret. Ideally, we need a method that somehow verifies that a POST request corresponding to a particular Web page is authentic. We can't just scrape the Web page and compare the content with what's been POSTed, since the purpose of having JavaScript submit the content is that it may be behind a login system. Any ideas? I hope I've explained the problem well enough. Thanks in advance for any suggestions.

    Read the article

  • How can I change Rails view code for site visitors using SSL?

    - by pjmorse
    My Rails app has some pages which are SSL-required and others which are SSL-optional. The optional pages use some assets which are served off-site (images from a vendor) which have both http and https URLs. I need to use https when the page is accessed via SSL to avoid the dreaded "this page contains both secure and insecure elements" warning. I've written code to return the image URLs as http by default and https if requested. My problem now is determining in the view how the request came in. request.ssl? doesn't work in views. I've tried using a before_filter which sets something like @ssl_request using request.ssl?, but that also always returns false. Is there a more elegant way to do this? The server stack is Nginx and Passenger. Other apps with Apache = Mongrel stacks pass an X_FORWARDED_PROTO header to tell Rails that SSL is or isn't being used; is it possible that Nginx/Passenger doesn't do this?

    Read the article

  • Is there any way to filter certain things in pages served by IIS?

    - by Ruslan
    Hello, This is my first time posting here so please keep that in mind... I'll try to be short and get right to defining the problem. We have an ASP.NET 2 application (eCommerce package) running on IIS (Windows Server 2003). The main site's page(s) are using plain HTTP (no SSL), but the whole checkout process and the shopping cart page is using SSL (HTTPS). Now, the problem is that the site's header is located in a template file, and inside it it has a plain HTML 'img' tag calling an image with the "http://" portion hard-coded into it... This header appears on absolutely every page (including the https pages), and due to its insecure image tag, a warning box pops up in IE on every stage of the checkout process... Now, the problem: The live application cannot be touched in any way (no changes can be made to the template (so simply changing "http://" to "//" is not an option), IIS cannot be restarted, and the website/app pool cannot be restarted). Is there any way in the world (maybe plugin for IIS or a setting somewhere) that I can filter the pages right before they are served to replace the '<img src="http://example.com/image.jpg">' with '<img src="//example.com/image.jpg">' in the final HTML? Possibly via a regular expression or something? Thanks to everybody in advance.

    Read the article

  • How important is it to use SSL on every page of your website?

    - by Mark
    Recently I installed a certificate on the website I'm working on. I've made as much of the site as possible work with HTTP, but after you log in, it has to remain in HTTPS to prevent session hi-jacking, doesn't it? Unfortunately, this causes some problems with Google Maps; I get warnings in IE saying "this page contains insecure content". I don't think we can afford Google Maps Premier right now to get their secure service. It's sort of an auction site so it's fairly important that people don't get charged for things they didn't purchase because some hacker got into their account. All payments are done through PayPal though, so I'm not saving any sort of credit card info, but I am keeping personal contact information. Fraudulent charges could be reversed fairly easily if it ever came to that. What do you guys suggest I do? Should I take the bulk of the site off HTTPS and just secure certain pages like where ever you enter your password, and that's it? That's what our competition seems to do.

    Read the article

  • What is the benefit of using ONLY OpenID authentication on a site?

    - by Peter
    From my experience with OpenID, I see a number of significant downsides: Adds a Single Point of Failure to the site It is not a failure that can be fixed by the site even if detected. If the OpenID provider is down for three days, what recourse does the site have to allow its users to login and access the information they own? Takes a user to another sites content and every time they logon to your site Even if the OpenID provider does not have an error, the user is re-directed to their site to login. The login page has content and links. So there is a chance a user will actually be drawn away from the site to go down the Internet rabbit hole. Why would I want to send my users to another company's website? [ Note: my provider no longer does this and seems to have fixed this problem (for now).] Adds a non-trivial amount of time to the signup To sign up with the site a new user is forced to read a new standard, chose a provider, and signup. Standards are something that the technical people should agree to in order to make a user experience frictionless. They are not something that should be thrust on the users. It is a Phisher's Dream OpenID is incredibly insecure and stealing the person's ID as they log in is trivially easy. [ taken from David Arno's Answer below ] For all of the downside, the one upside is to allow users to have fewer logins on the Internet. If a site has opt-in for OpenID then users who want that feature can use it. What I would like to understand is: What benefit does a site get for making OpenID mandatory?

    Read the article

  • How to properly load HTML data from third party website using MVC+AJAX?

    - by Dmitry
    I'm building ASP.NET MVC2 website that lets users store and analyze data about goods found on various online trade sites. When user is filling a form to create or edit an item, he should have a button "Import data" that automatically fills some fields based on data from third party website. The question is: what should this button do under the hood? I see at least 2 possible solutions. First. Do the import on client side using AJAX+jQuery load method. I tried it in IE8 and received browser warning popup about insecure script actions. Of course, it is completely unacceptable. Second. Add method ImportData(string URL) to ItemController class. It is called via AJAX, does the import + data processing server-side and returns JSON-d result to client. I tried it and received server exception (503) Server unavailable when loading HTML data into XMLDocument. Also I have a feeling that dealing with not well-formed HTML (missing closing tags, etc.) will be a huge pain. Any ideas how to parse such HTML documents?

    Read the article

  • UDP security and identifying incoming data.

    - by Charles
    I have been creating an application using UDP for transmitting and receiving information. The problem I am running into is security. Right now I am using the IP/socketid in determining what data belongs to whom. However, I have been reading about how people could simply spoof their IP, then just send data as a specific IP. So this seems to be the wrong way to do it (insecure). So how else am I suppose to identify what data belongs to what users? For instance you have 10 users connected, all have specific data. The server would need to match the user data to this data we received. The only way I can see to do this is to use some sort of client/server key system and encrypt the data. I am curious as to how other applications (or games, since that's what this application is) make sure their data is genuine. Also there is the fact that encryption takes much longer to process than unencrypted. Although I am not sure by how much it will affect performance. Any information would be appreciated. Thanks.

    Read the article

< Previous Page | 38 39 40 41 42 43 44 45 46 47 48 49  | Next Page >