Q1: Is the IV returned by cipher.getIV() safe for me to use in this way? Yes, it is at least for the Oracle provided implementation. It is generated separately using the default SecureRandom implementation. As it is 12 bytes in size (the default for GCM) then you have 96 bits of randomness. The chance that … Read more
No real reason not to go with AES with 256 bits. Make sure to use this in CBC mode, and PKCS#7 padding. As you said, fast and secure. I have read (not tested) that Blowfish may be marginally faster… However Blowfish has a major drawback of long setup time, which would make it bad for … Read more
The page you’re setting as the source of the iframe (the Youtube /watch page) doesn’t want to be embedded in your page. You cannot force it to let you do that. The correct URL to embed is of the form: https://www.youtube.com/embed/<video-id> In your case https://www.youtube.com/embed/oHg5SJYRHA0
Under Linux, to find the location of $JAVA_HOME: readlink -f /usr/bin/java | sed “s:bin/java::” the cacerts are under lib/security/cacerts: $(readlink -f /usr/bin/java | sed “s:bin/java::”)lib/security/cacerts Under mac OS X , to find $JAVA_HOME run: /usr/libexec/java_home the cacerts are under Home/lib/security/cacerts: $(/usr/libexec/java_home)/lib/security/cacerts UPDATE (OS X with JDK) above code was tested on computer without JDK installed. … Read more
Check your .htaccess file Using AddType in your .htaccess file, you can add many other extensions from which PHP can be ran. This is generally how .html extensions can be used while still using PHP within themselves. So, yes, it’s possible: AddType application/x-httpd-php .jpg You can test this if you like. Create a directory with … Read more
You can’t use session, as it requires the client to store a cookie for you, and an attacker is not going to help you out. You will need some global state. You needn’t bother tracking IP addresses, as a bad guy will just use an Anonymyzing Proxy. Don’t use account lock-out unless you have to … Read more
There’s means of CSRF whenever malicious HTML or JavaScript which is targeted on your website is been embedded in another HTML page (or an email message) which is been successfully executed. An example is the following which is been placed in another webpage which innocently asks for your name and age before proceeding: <form action=”http://yoursite.com/transferfunds” … Read more
Your Problem They provide me with an API token which I use to make the API calls from my android mobile app (react native) I know it is a bad practice to store this API token on the mobile client because attackers might still it and use my quota and money. Yes, its indeed a … Read more
I think a top reason for avoiding this is that it hides dependencies. Your functions get_data and run_html do not advertise in any way that they share data, and yet they do, in a big way. And there is no way (short of reading the code) to know that run_html will be useless if get_data … Read more
I put together this test app to reproduce the issue using the HTTP testing framework from the Apache HttpClient package: ClassLoader cl = HCTest.class.getClassLoader(); URL url = cl.getResource(“test.keystore”); KeyStore keystore = KeyStore.getInstance(“jks”); char[] pwd = “nopassword”.toCharArray(); keystore.load(url.openStream(), pwd); TrustManagerFactory tmf = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); tmf.init(keystore); TrustManager[] tm = tmf.getTrustManagers(); KeyManagerFactory kmfactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()); kmfactory.init(keystore, pwd); … Read more