security

问题 Is there any solution for secure user registration and authentication without SSL? With "secure" I mean safe from passive eavesdropping , not from man-in-the-middle (I'm aware that only SSL with signed certificate will reach this degree of security). The registration (password setup, i.e. exchanging of pre-shared keys) must be also secured without SSL (this will be the hardest part I guess). I prefer established and well tested solution . If possible, I don't want to reinvent the wheel and

问题 I am implementing a service which uses a URLClassloader to load classes dynamically. In the interest of security I would like to restrict the access of loaded classes. eg no network, file or db access etc. Anybody got any good resources or tutorials on the web for this kind of thing? 回答1: Google for "JavaSeal". But they didn't publish the code though. 回答2: http://java.sun.com/developer/technicalArticles/Networking/classloaders/ might be useful 来源： https://stackoverflow.com/questions/1791060

问题 Hey, I am wondering how void pointers is applied in the real world in terms of making a software more secure, more flexible. For example, I know that void pointers, what pointer it will cast to is hidden to outside, which will make a software more secure. Are there other reasons why you would use void pointers? 回答1: Void pointers don't make the software any more secure. The reason to use void* in c is a form of polymorphism - if you don't know what type the data will be you can pass a void*

问题 I have a private/public key pair generated and stored inside Secure Enclave. It is 256-bit elliptic curve key. (The only key type that can be stored in Secure Enclave). I use SecKeyCreateWithData and SecKeyCopyExternalRepresentation to import/export the public key between iOS devices, and it works. However, the exported key doesn't seem to work with OpenSSL. Because it always show 'unable to load Key' on this command. openssl ec -pubin -in public_key_file -text What's the way to export the

问题 A website I maintain pro-bono was hacked, dishing out 302s to gaming sites, etc. www.rebekahshouse.org. After much searching through my hosting company's control panel, I found the culprit in the htaccess file. It looked something like this: RewriteEngine on RewriteCond %{HTTP_REFERER} .oogle.com [NC,OR] RewriteCond %{HTTP_REFERER} .ahoo.com [NC,OR] RewriteRule .*hxxp://87.248.180.89/topic.html?s=s- [C,L] (I think that was C, L; I overwrote it and tried to recreate it above, might've missed a

问题 I have been reading up on Iframes with different domains then the parent document and I am slightly confused. I understand that if the Iframe is from the same domain as its parent document, the parent document can access the iframe's document. It seems like I could circumvent this with the following hack: I set up a web server at mydomain.com I serve the original page from mydomain.com/index.html I setup a proxy on my webserver for mydomain.com/othersite -> site2.com Add <iframe src="mydomain

问题 I'm creating a website where I'm doing ajax requests to load some dynamic content AFTER I load a static container page. Basically, I need to pass an array of integers to the page from the server, and I'm using jQuery to load data. I am writing the ints inside a tag with a know name, and using eval to read data from it. Here's a sample tag (returned from ajax): <span runat="server" class="hidden" id="PhotoList" /> with the codebehind list.ForEach(p => { sb.Append(p.ID.ToString() + ","); } );

问题 I'm writing some ASP code to service requests from a simple HTML form on my company's intranet. The code needs to call methods from a (COM) dll. I'm using the code: myObject = Server.CreateObject("myDLL.myClass") but it's giving an error at this line. I'm not sure if the dll is registered on the server, but I suspect it may not be. I'm not sure how to find this out. If it's not registered, is it possible/best practice to: Use the dll without registering it on the server (I have the .dll file)

问题 I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device). Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file? Any hint

问题 Anyone know a good lib where i can run the strings before they are inserted, that can strip out sql/javascript code? To be run in jsp pages. Idealy the lib would be: Free Lightweight Easy to use Thanks in advance to the SO community who will happily reply :) 回答1: Apache Commons lang StringEscapeUtils will get you some of the way. It escapes, doesnt strip. http://commons.apache.org/lang/api/org/apache/commons/lang/StringEscapeUtils.html Edit: Escaping can save you from injection attacks