Server to server API authentication

We have an ASP.NET WEB API 2.0 that will be accessed by an MVC Core site. We want to restrict access to the API only to the MVC Core site (both sites will run on our VMs in Azure). Is it sufficient from an authentication and security perspective to pass a simple username and password in plaintext inside each HTTP request from the MVC Core site to the API as long as we are requiring HTTPS for all calls?
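
The setup asked about, as an added example that is not part of the original post and not the asker's code: a Python sketch of the API side of a Basic-auth shared secret between two services. The service name, password and addresses are constructed. Beyond "require HTTPS" it shows the checks a practitioner would want: refuse plaintext requests outright instead of redirecting them (a redirect still lets the credential leak once), keep only a salted hash of the secret on the API side and compare in constant time, and restrict callers by source address as a second layer. Client certificates (mutual TLS) would replace the password altogether and are not shown here.

```python
"""Shared-secret (HTTP Basic) check for a service-to-service API.
Added example: the credential store, addresses and header values are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000
# Used for unknown users so a lookup miss costs the same time as a hit.
DUMMY = {"salt": b"\x00" * 16, "hash": b"\x00" * 32}


def make_entry(password: str, salt=None) -> dict:
    """Store only a salted PBKDF2 hash of the shared secret, never the plaintext."""
    salt = salt or os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# One entry per calling service (constructed values).
CREDENTIALS = {"mvc-site": make_entry("correct horse battery staple")}


def basic_header(user: str, password: str) -> str:
    """What the calling site sends: Authorization: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: str):
    """Return (user, password) from a Basic header, or None if it is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def verify(user: str, password: str) -> bool:
    """Constant-time comparison of the hash; an unknown user still costs one PBKDF2 run."""
    known = user in CREDENTIALS
    entry = CREDENTIALS[user] if known else DUMMY
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, entry["hash"]) and known


def check_request(headers: dict, scheme: str, client_ip: str, allowed_ips: set) -> int:
    """HTTP status the API should answer with: 200 ok, 401 bad credential, 403 policy.
    Plaintext (http) requests are refused before the credential is even looked at,
    and the caller must come from an allowed address as a second layer."""
    if scheme != "https" or client_ip not in allowed_ips:
        return 403
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None or not verify(*creds):
        return 401
    return 200


if __name__ == "__main__":
    hdr = {"Authorization": basic_header("mvc-site", "correct horse battery staple")}
    print(check_request(hdr, "https", "10.0.0.5", {"10.0.0.5"}))   # 200
    print(check_request(hdr, "http", "10.0.0.5", {"10.0.0.5"}))    # 403
```

The 403 for a plaintext request matters more than it looks: an API that answers `http://` with a redirect to `https://` has already received the credential in clear by the time it redirects.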

tls – How to use the ‘Client Authentication Issuers’ certificate store on Windows Server 2016

Problem:

We have a web site running on IIS, on Windows Server 2016 server (Server core).

Client certificate authentication is enabled for the website in IIS. When examining the TLS connection traffic to that site (using Wireshark) we see a ‘Client Request (13)’ message that conveys the ‘trusted issuers’ list to the browser. That list currently contains all of the certificates in the ‘Trusted Root Certification Authorities’ store (with a certificate ‘Intended Purpose’ compatible with client auth).

We would like the list to contain only the single root certificate we choose (this happens to be the Origo Root certificate but I don’t believe that is relevant to the problem).

To achieve this we have placed the Origo root certificate in the ‘Client Authentication Issuers’ store, as described in this article:

Overview of TLS – SSL (Schannel SSP)

That certificate is also present in the ‘Trusted Root Certification Authorities’ store, so that it is trusted on the local machine.

Note: we have also set this registry key (as described in the above article) to enable sending the ‘trusted issuers list’ to the browser:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\SendTrustedIssuers = 1 (DWORD)

The server continues to send the full list of certificates from the ‘Trusted Root Certification Authorities’ store. The server has been rebooted.

I have confirmed that the Origo certificate reports as ‘trusted’ by the server. There are no errors related to this certificate in the Windows CAPI2 event log, here:

Application and Services Logs\Microsoft\Windows\CAPI2

Windows version info reported by systeminfo.exe

OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393

(all available Windows updates are installed)
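
Since the observation above rests on reading the handshake in Wireshark, here is an added example (Python, not from the post and not from Microsoft's documentation) that decodes the trusted-issuers list from the raw bytes of a TLS 1.2 CertificateRequest message, the one Wireshark labels ‘Certificate Request (13)’. The sample message and the ‘Example Root CA’ name are constructed; to use it against the real server, export the handshake message bytes from the capture and pass them to parse_certificate_request. Two caveats: the list is visible only in TLS 1.2 and earlier (in TLS 1.3 it moves into a certificate_authorities extension inside an encrypted handshake message, so a capture will not show it), and the decoder handles the common Name attribute types and string encodings rather than the whole of X.501.

```python
"""Decode the certificate_authorities list from a TLS 1.2 CertificateRequest.
Added example; the sample message below is constructed, not captured."""
import struct

# Attribute OIDs rendered by name; anything else is shown as OID.<hex>.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder; used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                    # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_name(dn: bytes) -> str:
    """Render a DER X.501 Name as 'CN=...,O=...,C=...' in encoded order."""
    tag, rdns, _ = read_tlv(dn, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)           # SET OF AttributeTypeAndValue
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, ava, inner = read_tlv(rdn, inner)     # SEQUENCE { type OID, value }
            _, oid, p = read_tlv(ava, 0)
            _, value, _ = read_tlv(ava, p)           # Printable/UTF8/IA5String bytes
            parts.append(f"{OID_NAMES.get(oid, 'OID.' + oid.hex())}={value.decode('utf-8')}")
    return ",".join(parts)


def parse_certificate_request(msg: bytes) -> dict:
    """Parse a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4), i.e. the bytes
    starting at handshake type 13, and return its three fields."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    (n,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)]; pos += n
    (n,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end, authorities = pos + n, []
    while pos < end:                                  # each DN: 2-byte length + DER Name
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        authorities.append(decode_name(body[pos:pos + dn_len])); pos += dn_len
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": authorities}


def encode_name(*avas) -> bytes:
    """Build a DER Name from (oid_bytes, text) pairs, one RDN per pair (sample data only)."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x13, text.encode("ascii"))))
        for oid, text in avas))


def build_sample_certificate_request(names) -> bytes:
    """Constructed message for a server that advertises exactly the given issuer names."""
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in names)
    body = (bytes([2, 1, 64])                                  # rsa_sign, ecdsa_sign
            + struct.pack("!H", 4) + bytes([4, 1, 4, 3])       # sha256/rsa, sha256/ecdsa
            + struct.pack("!H", len(cas)) + cas)
    return bytes([13]) + len(body).to_bytes(3, "big") + body


# Constructed sample: a server whose trusted-issuers list holds a single root.
SAMPLE = build_sample_certificate_request([
    encode_name((b"\x55\x04\x03", "Example Root CA"),
                (b"\x55\x04\x0a", "Example Ltd"),
                (b"\x55\x04\x06", "GB")),
])

if __name__ == "__main__":
    for dn in parse_certificate_request(SAMPLE)["certificate_authorities"]:
        print(dn)
```

Counting the names this returns from a capture of the real server is the direct check of whether the ‘Client Authentication Issuers’ store is being honoured: one entry if it is, the whole root store if it is not.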

authentication – Is there a security reason to require email address and password in separate steps?

I have noticed lately that instead of having an email address and password entry box on the same page/screen, a lot of websites and apps will instead ask for your email address first, then it will ask for your password in a separate step.

As I use a password manager, this means I cannot just fill in the email address and password in one easy step – I either have to manually type my email address, or I have to autofill with the password manager twice.

My question is: is there a good security reason why they are increasingly doing it this way, or is it just bad UI design?

settings – Mutt won’t let me send emails because “Sasl authentication failed”

I’ve installed all the required packages for mutt to send emails over SMTP.

mutt -v
Mutt 1.13.2 (2019-12-18)
Copyright (C) 1996-2016 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it under certain conditions; type `mutt -vv' for details.

System: Linux 5.8.0-38-generic (x86_64)
ncurses: ncurses 6.2.20200212 (compiled with 6.2)
libidn: 1.33 (compiled with 1.33)
hcache backend: tokyocabinet 1.4.48

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/9/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 9.3.0-17ubuntu1~20.04' --with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-9 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-9-HskZEa/gcc-9-9.3.0/debian/tmp-nvptx/usr,hsa --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

Configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--with-mailpath=/var/mail' '--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' '--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' '--enable-sidebar' '--enable-nntp' '--enable-dotlock' '--disable-fmemopen' '--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' '--with-sasl' '--without-gdbm' '--without-bdb' '--without-qdbm' '--with-tokyocabinet' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/mutt-j2y3Jo/mutt-1.13.2=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'

Compilation CFLAGS: -Wall -pedantic -Wno-long-long -g -O2 -fdebug-prefix-map=/build/mutt-j2y3Jo/mutt-1.13.2=. -fstack-protector-strong -Wformat -Werror=format-security

Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL +USE_SETGID +USE_DOTLOCK +DL_STANDALONE +USE_FCNTL -USE_FLOCK
+USE_POP +USE_IMAP +USE_SMTP
-USE_SSL_OPENSSL +USE_SSL_GNUTLS +USE_SASL +USE_GSS +HAVE_GETADDRINFO
+HAVE_REGCOMP -USE_GNU_REGEX
+HAVE_COLOR +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_BKGDSET
+HAVE_CURS_SET +HAVE_META +HAVE_RESIZETERM +HAVE_FUTIMENS
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME
-EXACT_ADDRESS -SUN_ATTACHMENT
+ENABLE_NLS -LOCALES_HACK +HAVE_WC_FUNCS +HAVE_LANGINFO_CODESET +HAVE_LANGINFO_YESEXPR
+HAVE_ICONV -ICONV_NONTRANS +HAVE_LIBIDN -HAVE_LIBIDN2 +HAVE_GETSID +USE_HCACHE
+USE_SIDEBAR +USE_COMPRESSED +USE_INOTIFY
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"

To contact the developers, please mail to mutt-dev@mutt.org.
To report a bug, please contact the Mutt maintainers via gitlab:
https://gitlab.com/muttmua/mutt/issues

.muttrc

set from = "user@domain.com"
set realname = "Firstname Lastname"

# Submission over STARTTLS on port 587; the login name precedes the final '@'
set smtp_url = "smtp://user@domain.com@smtp.domain.com:587/"
set smtp_pass = "password"
set imap_user = "user@domain.com"
set imap_pass = "password"

# IMAP over TLS on port 993
set folder = "imaps://imap.domain.com:993"
set spoolfile = "+INBOX"
set editor = "nano"

Any help with troubleshooting from here?
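
To make the failing step concrete, here is an added example (Python, not from the post and not part of mutt) of the SASL PLAIN exchange that mutt performs on port 587: the client-side encoding of the credential, the server-side decoding, and a toy submission server that answers with the same reply codes a real one uses. The host names, account and password are constructed. The same dialogue can be replayed by hand with `openssl s_client -starttls smtp -connect smtp.domain.com:587` and the `AUTH PLAIN` line that sasl_plain_initial_response produces; a 535 from the real server with the same credentials separates a credential the server does not accept from a mutt configuration problem.

```python
"""SASL PLAIN as used by SMTP AUTH (RFC 4616 / RFC 4954) with a toy submission server.
Added example; the accounts and host names are constructed."""
import base64


def sasl_plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """Client side: base64 of authzid NUL authcid NUL passwd.
    The authcid is the full login name; for mutt this is the user part of smtp_url."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")).decode("ascii")


def parse_sasl_plain(response: str):
    """Server side: (authzid, authcid, passwd) from the decoded response, or None if malformed."""
    try:
        parts = base64.b64decode(response, validate=True).decode("utf-8").split("\0")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    return tuple(parts)


class ToySubmissionServer:
    """Minimal AUTH PLAIN state machine with port-587 semantics: AUTH only after STARTTLS.
    Only the initial-response form ('AUTH PLAIN <base64>') is implemented."""

    def __init__(self, accounts: dict):
        self.accounts = accounts      # constructed: login name -> password
        self.tls = False
        self.authenticated = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # AUTH is only advertised once the session is encrypted.
            offer = "250 AUTH PLAIN LOGIN" if self.tls else "250 STARTTLS"
            return "250-smtp.domain.com\r\n" + offer
        if verb == "STARTTLS":
            self.tls = True           # a real server negotiates TLS here
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            mech, _, resp = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 5.5.4 Unrecognized authentication type"
            creds = parse_sasl_plain(resp)
            if creds is None:
                return "501 5.5.2 Cannot decode response"
            authzid, authcid, passwd = creds
            if self.accounts.get(authcid) == passwd and authzid in ("", authcid):
                self.authenticated = authcid
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Error: authentication failed"
        return "502 5.5.2 Command not implemented"


def run_exchange(server: ToySubmissionServer, user: str, passwd: str):
    """Drive the dialogue a submission client performs; return (client line, server reply) pairs."""
    transcript = []
    for cmd in ["EHLO client.domain.com", "STARTTLS", "EHLO client.domain.com",
                f"AUTH PLAIN {sasl_plain_initial_response(user, passwd)}"]:
        transcript.append((cmd, server.handle(cmd)))
    return transcript


if __name__ == "__main__":
    srv = ToySubmissionServer({"user@domain.com": "password"})
    for client_line, reply in run_exchange(srv, "user@domain.com", "password"):
        print("C:", client_line)
        print("S:", reply)
```

The two things worth comparing against a real session are the login name inside the base64 blob (the full address versus only the local part, which is one reason a server answers 535) and whether the server's post-STARTTLS EHLO reply lists PLAIN at all.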

authentication – 2FA/MFA in a resource-constrained product

I’m working on a resource-constrained product and have been asked to enable support for MFA/2FA for all maintenance services. MFA/2FA is about using two elements out of three (something you have, know, or are). Our maintenance application is a desktop Windows Forms application that uses the HTTPS protocol to interact with the product.

I’m thinking about a model in which two-factor authentication is pushed to the maintainer’s laptop/desktop, as the product is resource constrained (no display/USB/SSH etc.). As the product is to be installed in an enterprise setup, it is possible to enforce 2FA/MFA easily for the laptops/desktops to log into the enterprise network by using a combination of password and certificate. Also, the organisation may enforce LDAP and/or 802.1X (PNAC) for authentication, or an AAA (AuthN, AuthZ, and Audit) service.

By doing this, I will be able to retain the existing product’s software as is which only performs single-factor authentication using the password. Also, the product is not internet-facing.

Is this the right approach, or does it expose any security risk? Please advise.

Which factor of authentication is an X.509 certificate

Given 3 factors of authentication:

  • Type 1: something you know
  • Type 2: something you have
  • Type 3: something you are

Which factor of authentication would be an X.509 certificate, assuming this certificate is stored in the filesystem of the device I use? For example, let’s place it in the context of TLS mutual authentication, where the aforementioned certificate is the client certificate. Please note this is not a question about a digital certificate stored on a separate hardware token or similar.

My understanding is that this is still type 1, not type 2, because it does not relate to the physical possession of a device other than the one the client is using anyway. Is my understanding correct?

authentication – Securing client side code of react application

I’m developing an application with React and all the main logic is on the client side. I want to force users to use the application only if they have paid for the app subscription.

Are there any methods to prevent users from accessing the app without paying (or to make it harder to remove certain restrictions/API calls etc.)? I was thinking of authentication obfuscation, to make it hard to delete a simple auth check (if authenticated, proceed; otherwise, block), but this is very simple. Is there anything else I can do or that you can suggest?

Thanks
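
As an added example that is not part of the post and not the asker's application: the server-side alternative to obfuscating the client check. Anything in a React bundle can be read and edited, so the subscription check lives on the server and the paid API returns nothing without a valid entitlement token. The key, user and endpoint are constructed; the token format is a minimal HMAC-signed payload with an expiry, chosen here for brevity rather than a full JWT library. The forge_without_key function shows what an attacker who controls the browser can do to such a token and why it fails.

```python
"""Server-side entitlement check for a paid single-page app.
Added example; the key, user and API are constructed."""
import base64
import hashlib
import hmac
import json

# Assumption: lives only on the server. Anything shipped in the bundle is readable.
SERVER_KEY = b"example-server-only-secret"


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, subscription_expires: int, key: bytes = SERVER_KEY) -> str:
    """Issued once payment is confirmed; the expiry is the end of the paid period."""
    payload = b64u(json.dumps({"sub": user_id, "exp": subscription_expires}).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64u(sig)}"


def verify_token(token: str, now: int, key: bytes = SERVER_KEY):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64u(sig)):
            return None
        claims = json.loads(unb64u(payload))
    except ValueError:              # wrong shape, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def paid_api(token: str, now: int) -> tuple:
    """The protected endpoint: (status, body). The app can only render what this returns,
    so deleting the bundle's own 'if authenticated' check gains nothing."""
    claims = verify_token(token, now)
    if claims is None:
        return 402, {"error": "subscription required"}
    return 200, {"data": f"premium content for {claims['sub']}"}


def forge_without_key(user_id: str, new_exp: int, stolen_token: str) -> str:
    """What a client-side attacker can do: rewrite the claims and reuse an old signature."""
    payload = b64u(json.dumps({"sub": user_id, "exp": new_exp}).encode())
    return f"{payload}.{stolen_token.split('.')[1]}"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_token("alice", now + 3600)
    print(paid_api(tok, now))                                   # (200, ...)
    print(paid_api(forge_without_key("alice", now + 10**6, tok), now))   # (402, ...)
```

The consequence for the React app is a design rule rather than a trick: everything the subscriber is paying for (data, computations, exports) must be fetched from such an endpoint, because any logic that ships in the bundle is available to non-payers regardless of obfuscation.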

authentication – How do I assure that a site that I visit does not know I have been there before?

If I use the same machine (my PC) but with a different IP address and a different browser that I have never used to visit a site, will that site still be able to identify me? I don’t understand the browser fingerprinting thing that well. To clarify, suppose I have visited a website with Chrome but later I visit that same site with Firefox on the same computer but a different IP address…will both visits be logged as the same person visiting them?
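
An added example, not part of the post, to make the fingerprinting idea concrete in Python: two constructed attribute sets for the same PC, one visit with Chrome and one with Firefox from different IP addresses, plus a third constructed set for a different PC. A fingerprint is just a hash over whatever a page script can read (user agent, screen, time zone, fonts, GPU string and so on). The values are made up and not from any real browser; real trackers combine more signals (canvas and audio rendering, stored identifiers) and treat a match as probabilistic rather than certain, but the shape of the question is visible even with these few fields.

```python
"""Browser fingerprinting illustrated on constructed attribute sets.
Added example; none of the values come from a real browser."""
import hashlib
import json

# What a script on the page can read through navigator, screen and similar probes.
CHROME_VISIT = {
    "ip": "203.0.113.10",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0",
    "plugins": ["PDF Viewer", "Chrome PDF Viewer"],
    "screen": "2560x1440x24", "timezone": "Europe/Berlin", "language": "de-DE",
    "hardwareConcurrency": 8, "deviceMemory": 16, "platform": "Win32",
    "fonts": ["Arial", "Calibri", "Segoe UI", "Wingdings"],
    "webglRenderer": "NVIDIA GeForce GTX 1070",
}
# Same machine, second browser, different network: only browser-build attributes change.
FIREFOX_VISIT = dict(
    CHROME_VISIT,
    ip="198.51.100.7",
    userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0",
    plugins=[],
)
# A different PC that happens to share the screen size and time zone.
OTHER_PC_VISIT = dict(
    CHROME_VISIT,
    ip="192.0.2.44",
    hardwareConcurrency=4, deviceMemory=8,
    fonts=["Arial", "Calibri", "Segoe UI"],
    webglRenderer="Intel(R) UHD Graphics 620",
)

BROWSER_KEYS = ["userAgent", "plugins", "screen", "timezone", "language",
                "hardwareConcurrency", "deviceMemory", "platform", "fonts", "webglRenderer"]
# Attributes that come from the machine rather than from the browser build.
CROSS_BROWSER_KEYS = ["screen", "timezone", "language", "hardwareConcurrency",
                      "deviceMemory", "platform", "fonts", "webglRenderer"]


def fingerprint(visit: dict, keys) -> str:
    """Stable hash over the chosen attributes. The IP address is deliberately not used:
    a site that fingerprints does not need it, so changing it does not help."""
    material = json.dumps({k: visit[k] for k in keys}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def same_visitor(a: dict, b: dict, keys) -> bool:
    """Whether two visits collapse to the same identifier under a given attribute set."""
    return fingerprint(a, keys) == fingerprint(b, keys)


if __name__ == "__main__":
    print("per-browser match:  ", same_visitor(CHROME_VISIT, FIREFOX_VISIT, BROWSER_KEYS))
    print("cross-browser match:", same_visitor(CHROME_VISIT, FIREFOX_VISIT, CROSS_BROWSER_KEYS))
    print("other PC match:     ", same_visitor(CHROME_VISIT, OTHER_PC_VISIT, CROSS_BROWSER_KEYS))
```

The point the three results make: a fingerprint that includes browser-specific fields separates the Chrome and Firefox visits, a fingerprint restricted to machine-level fields links them and still tells the PC apart from another one, and the IP address never enters the calculation.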