Questions tagged [client]
In a client-server model, the server provides services that clients request over a network.
130 questions
2 votes, 2 answers, 136 views
Understanding PKCE flow security after the first request
Pardon if this is meant to be obvious. As I understand it, the point of PKCE is to mitigate client-side credential hijacking by giving the auth server a way to distinguish legitimate client-side ...
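The mechanism the question describes, as an added example that is not part of the question or any answer: the client keeps a random code_verifier, sends only its SHA-256 challenge with the authorization request, and the authorization server refuses to exchange the code unless the token request carries a verifier that hashes to the stored challenge. The `AuthServer` class and its `authorize`/`token` methods are a hypothetical in-memory model, not any real server's API; the hash and encoding are the S256 method from RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets

# Added example (not from the question): the two PKCE computations from RFC 7636
# and the server-side check that binds the token request to the authorization request.


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Hypothetical in-memory authorization server, for illustration only."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge it was issued with

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: remember the challenge, hand back a one-time code."""
        if method != "S256":
            raise ValueError("only the S256 method is accepted here")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        """Token endpoint: the code is single use and only the party holding the
        verifier that matches the stored challenge gets a token."""
        challenge = self._pending.pop(code, None)  # consumed whether or not it verifies
        if challenge is None:
            return None
        if not 43 <= len(code_verifier) <= 128:  # RFC 7636 length bounds
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-token-for-" + code


def demo():
    """Returns (legit_succeeds, replay_succeeds, interceptor_succeeds)."""
    server = AuthServer()
    # Flow 1: the legitimate client holds the verifier and redeems the code once.
    v1 = make_code_verifier()
    c1 = server.authorize(make_code_challenge(v1))
    legit = server.token(c1, v1) is not None
    replay = server.token(c1, v1) is not None  # same code again: refused
    # Flow 2: an interceptor captured the code from the redirect but never saw the
    # verifier, so the best it can do is guess one.
    v2 = make_code_verifier()
    c2 = server.authorize(make_code_challenge(v2))
    stolen = server.token(c2, make_code_verifier()) is not None
    return legit, replay, stolen
```

The point after the first request is that the verifier never leaves the client until the token request, which is sent directly to the token endpoint rather than through the browser redirect, so a party that only observed the authorization response holds a code it cannot redeem.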
1 vote, 1 answer, 359 views
In TLS1.3 server hello, can the legacy version field be set to 0x0304?
As part of the TLS1.3 handshake, a client hello is sent containing the TLS1.3 version support as part of the supported_versions extension; consider if, as part of the server hello, the supported_versions extension is not ...
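An added example, not from the question or any answer, showing where the version actually lives in a TLS 1.3 ServerHello. RFC 8446 has the server negotiating TLS 1.3 set legacy_version to 0x0303 and carry the selected version (0x0304) in the supported_versions extension; a client that finds that extension uses it alone to decide the version, and only falls back to legacy_version when the extension is absent (a pre-1.3 server). The `build_server_hello` helper constructs a ServerHello body for the example (no record or handshake header; random and cipher suite are fixed placeholders), and the function names are this example's own.

```python
import struct

# Added example, not from the question: parse a constructed TLS ServerHello body and
# apply the RFC 8446 (Section 4.2.1) version-selection rule.

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension type number for supported_versions


def build_server_hello(legacy_version, selected_version=None, cipher_suite=0x1301):
    """Constructed ServerHello body for the example (no record/handshake header).
    selected_version=None omits supported_versions, i.e. a server negotiating pre-1.3."""
    body = struct.pack("!H", legacy_version)
    body += bytes(32)                        # random: zeros, enough for a parsing example
    body += b"\x00"                          # legacy_session_id_echo: empty
    body += struct.pack("!H", cipher_suite)  # 0x1301 = TLS_AES_128_GCM_SHA256
    body += b"\x00"                          # legacy_compression_method: null
    exts = b""
    if selected_version is not None:
        data = struct.pack("!H", selected_version)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    return body + struct.pack("!H", len(exts)) + exts


def parse_server_hello(hello):
    """Return (legacy_version, selected_version or None) from a ServerHello body."""
    off = 0
    (legacy_version,) = struct.unpack_from("!H", hello, off); off += 2
    off += 32                                  # random
    sid_len = hello[off]; off += 1 + sid_len   # legacy_session_id_echo
    off += 2 + 1                               # cipher_suite, legacy_compression_method
    (ext_len,) = struct.unpack_from("!H", hello, off); off += 2
    end = off + ext_len
    if end != len(hello):
        raise ValueError("extensions length does not match message length")
    selected = None
    while off < end:
        etype, elen = struct.unpack_from("!HH", hello, off); off += 4
        data = hello[off:off + elen]; off += elen
        if etype == EXT_SUPPORTED_VERSIONS:
            if elen != 2:
                raise ValueError("ServerHello supported_versions carries exactly one version")
            (selected,) = struct.unpack("!H", data)
    return legacy_version, selected


def negotiated_version(hello, offered=(TLS13, TLS12)):
    """If supported_versions is present it alone decides the version and must be one the
    client offered and at least 0x0304; otherwise legacy_version is the (pre-1.3) version."""
    legacy_version, selected = parse_server_hello(hello)
    if selected is not None:
        if selected < TLS13 or selected not in offered:
            raise ValueError("illegal_parameter: bad selected_version %#06x" % selected)
        return selected
    if legacy_version >= TLS13 or legacy_version not in offered:
        raise ValueError("illegal_parameter: legacy_version %#06x cannot select a version" % legacy_version)
    return legacy_version


def legacy_version_is_conformant(hello):
    """A server that negotiates TLS 1.3 MUST set legacy_version to 0x0303."""
    legacy_version, selected = parse_server_hello(hello)
    return selected is None or legacy_version == TLS12


def rejects(hello):
    """True if the client-side rule aborts on this ServerHello."""
    try:
        negotiated_version(hello)
    except ValueError:
        return True
    return False
```

Because the extension is authoritative, a ServerHello with legacy_version 0x0304 next to supported_versions 0x0304 still parses to TLS 1.3 under the rule above, but it is not what the RFC tells the server to send; without the extension, 0x0304 in legacy_version is not a version the fallback rule can select at all.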
0 votes, 0 answers, 147 views
Can I setup and enforce additional WiFi connection (and password) requirements on managed laptops using Windows or MacOS?
Can I setup and enforce additional WiFi connection (and password) requirements on managed laptops using Windows or MacOS?
Such as:
blocking (or entirely hiding) the option to connect to open networks
...
2 votes, 1 answer, 1k views
Public client or Confidential client: should I generate a client secret?
I've read about this but I don't fully understand how to choose.
I have two options:
Public client
"A native, browser or mobile-device app. Cognito API requests are made from user systems that ...
0 votes, 1 answer, 778 views
What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored ...
0 votes, 1 answer, 567 views
How to reliably identify referrer on client browser?
Is there any way to reliably identify the referring site on modern browsers (not considering manual HTTP requests outside of a browser e.g. cURL, etc.)?
Referrer header will not work because the ...
0 votes, 2 answers, 163 views
How would you enforce user to only connect on a given network?
How would you enforce user PC to only connect to a given network?
Answers need to be OS agnostic.
One weak solution could be to set client-side firewall rules to only allow communications with ...
1 vote, 2 answers, 879 views
How do I create a Client Authentication Certificate without a domain signed by a commercial CA?
For sending soap messages to a webservice we need to include a client authentication certificate with these messages. Normally we simply created a self signed client auth. certificate (with as a ...
0 votes, 1 answer, 3k views
Client Authentication in SSL Handshake
I am trying to understand how client certificate authentication works in an SSL handshake.
Can someone help to clarify the following bullet points below:
Do we need to have a Client Leaf certificate ...
2 votes, 1 answer, 201 views
Defining scope of a software pen test
If I own a software and I want to conduct a pen test with pen testers, should I define the scope or do the pen testers assess the software first and they define the scope? How does scope definition ...
0 votes, 0 answers, 206 views
Client Identification using Self Signed Certificates
Taking the concept from the Gemini protocol that allows clients to identify themselves using their own self-signed certificate - is this a valid concept that could be used in other protocols and what ...
3 votes, 1 answer, 158 views
Is a client-server model to do root operations without asking for a password every time secure?
I'm writing a Python application that will do some operations that will require root privileges. Instead of asking for the user's password every time, I decided to use a server-client model.
A python script ...
1 vote, 1 answer, 583 views
Is braintree clientToken supposed to be public?
I'm building an app that uses Braintree for processing payments. According to the documentation, I need a server-side endpoint that returns the clientToken, which is then used to manage a user's vault ...
1 vote, 1 answer, 2k views
Wildcard Certificates and Client Authentication for Machine Authentication
If a wildcard certificate is provisioned for *.domain.fqdn, and has Client Authentication as a defined usage, does this mean the certificate can be used to essentially impersonate any domain machine?
...
0 votes, 1 answer, 440 views
How is the SSL CertificateVerify created? Can it be cached?
When a HTTPS connection with a client certificate request is done, the client sends a CertificateVerify message with his public certificate so the server can verify that the client has a valid private ...