community official site – What is the insecure orange tag in the modules release pages?

It’s a tag that is automatically added when a more recent release for the same branch has been tagged as a release that fixes security issues. In the case of the 3.0.1 release, it’s the 3.0.2 release.


The Security update tag is manually added by the Security Team, and it cannot be removed once added. (Actually, the release type can no longer be changed once Security update is selected.)


How to enable insecure content for automating downloading pdfs using selenium for python?

I wanted to enable autodownloading of pdfs using selenium for python. However, while I have enabled auto-download of the pdfs, the pdfs themselves are not actually downloading. The reason for this is that I need to allow insecure content from the url. Because this is not happening, the autodownloading is not happening and there is just a grey screen. I looked at some posts and have added some options to enable insecure content, but it is not working.

Here is my code:

from selenium import webdriver
from selenium.webdriver.common.by import By
import time


chromeOptions = webdriver.ChromeOptions()

chromeOptions.add_experimental_option('prefs', {
    "download.default_directory": "/Users/xxxx/DownloadedPDFs",  # Change default directory for downloads
    "download.prompt_for_download": False,  # To auto download the file
    "download.directory_upgrade": True,
    "plugins.always_open_pdf_externally": True,  # It will not show PDF directly in chrome
    "safebrowsing_for_trusted_sources_enabled": False,
    "safebrowsing.enabled": False
})

# These flags turn off the same-origin policy and TLS certificate validation
# for the entire browser session, not just for the one site being scraped.
chromeOptions.add_argument("--disable-web-security")
chromeOptions.add_argument("--allow-running-insecure-content")
chromeOptions.add_argument("--ignore-ssl-errors=yes")
chromeOptions.add_argument("--ignore-certificate-errors")
chromeOptions.add_argument("--allow-insecure-localhost")

driver = webdriver.Chrome(options=chromeOptions)

driver.get("url")
time.sleep(10)  # Wait for the page and its links to render

# find_elements_by_class_name was removed in Selenium 4; use the By locator API
elements = driver.find_elements(By.CLASS_NAME, "annualreports_link")
for element in elements:
    element.click()

What I do know is that the pdfs do get downloaded properly to a separate folder if the url gets added to Insecure content; the setting for that can be found here, under Insecure content in the site settings:

Url needs to get added to show insecure content

javascript – Mitigation for Insecure Deserialization

It may be a bit tricky to get a clear answer on that. Let’s try it anyway and to do so let’s go back to the roots. What is serialization about?

Serialization is about translating the inner state of an object into a byte stream. Deserialization is about translating the byte stream back into an object. We usually do the serialization/deserialization stuff for the purpose of storing data on some drive or data transmission over the wire.

So is passing JSON or XML objects over the wire related to serialization/deserialization of data? Yes. Is it relevant from the perspective of insecure deserialization vulnerabilities? No. Why is that? It’s kind of a historical thing. The term “insecure deserialization vulnerabilities” was coined to tackle an issue that was not known before and was mostly related to Java applications at that time (please have a look here, it shows a brilliant timeline). Parsing issues with JSON and XML have their own categories of related risks (like A4:2017-XML External Entities), and the deserialization of Java objects (which could lead to remote code execution) was thought to cover different ground at first. Make no mistake. It’s not only Java related. You can have issues in PHP and other languages too, but the term was meant to address something else, although the name does not clearly imply this.

Having said that, this is not a universally shared understanding, and you may still have some discussions with some security engineers, as this is only a matter of definition.
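To make the distinction in the answer concrete, here is an added example in Node.js; it is not code from the original answer or from any real library. unsafeDeserialize is a constructed toy that imitates libraries which rebuild functions from their serialized source text, so the byte stream decides what code runs; safeDeserialize treats the same bytes as plain data and copies only allowlisted, type-checked fields. The _$FN$_ marker, the SCHEMA and the attacker payload are assumptions of this example.

```javascript
// Added example: a toy deserializer that restores behaviour (functions) from
// untrusted bytes, beside a data-only deserializer with schema validation.
// The marker and schema are assumptions of this example, not a real library.
const FN_MARKER = "_$FN$_";

// Vulnerable: strings tagged with FN_MARKER are turned back into functions by
// evaluating their source. If the source ends in "()" the function runs
// during deserialization, before the caller ever looks at the result.
function unsafeDeserialize(text) {
  return JSON.parse(text, (key, value) => {
    if (typeof value === "string" && value.startsWith(FN_MARKER)) {
      return eval("(" + value.slice(FN_MARKER.length) + ")"); // code path
    }
    return value;
  });
}

// Hardened: the byte stream is only ever data. Parse it, then copy only the
// fields the application expects, each checked for its expected type.
const SCHEMA = { name: "string", age: "number" };

function safeDeserialize(text) {
  const data = JSON.parse(text); // JSON.parse restores state only, never code
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    throw new TypeError("expected a JSON object");
  }
  const out = {};
  for (const [field, type] of Object.entries(SCHEMA)) {
    if (typeof data[field] !== type) {
      throw new TypeError(`field ${field} must be of type ${type}`);
    }
    out[field] = data[field]; // only allowlisted keys are copied
  }
  return out;
}

// Constructed attacker payload: a "user record" whose name field carries a
// self-invoking function. Setting a global stands in for a real side effect.
function attackerPayload() {
  const src = "function () { globalThis.pwned = true; return 'owned'; }()";
  return JSON.stringify({ name: FN_MARKER + src, age: 42 });
}

function demo() {
  globalThis.pwned = false;
  const viaUnsafe = unsafeDeserialize(attackerPayload());
  const ranDuringUnsafe = globalThis.pwned; // true: payload executed

  globalThis.pwned = false;
  const viaSafe = safeDeserialize(attackerPayload());
  const ranDuringSafe = globalThis.pwned; // false: name is still just a string

  return { viaUnsafe, ranDuringUnsafe, viaSafe, ranDuringSafe };
}
```

The hardened path does not try to detect the marker; it simply never interprets string contents as code, and the allowlist copy also keeps unexpected keys such as __proto__ out of the result.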

active directory – Read-Only Domain Controller (RODC) in Insecure Networks – Security Benefits

RODCs can be deployed in locations where physical security cannot be guaranteed, to improve the security. This is the primary use case where a RODC should be deployed.

Another scenario would be to deploy a RODC in an insecure network segment (e.g. where client systems reside), disable or not allow credential caching on the RODC, and block connections from the clients to RW Domain Controllers. Obviously a connection between the RODC and a RW Domain Controller must be allowed.

Now my question for this scenario: what are the security benefits here? E.g. if the RODC gets compromised, credentials cannot be dumped or used for Pass-the-Hash attacks, but can the RODC be abused as a jumphost to RW Domain Controllers if a highly privileged user gets compromised?

encryption – Is it insecure to encrypt a message with a key thats almost the same as the message

As long as you’re using a standard modern cipher, it shouldn’t matter at all how related (or unrelated) the key and message are. As a practical matter, you should perhaps be hashing the inputs to the key, both to produce a fixed-length key regardless of the number and length of inputs, and (if you use a slow hash, rather than a fast one) to make attempting to brute-force the key much more computationally expensive. That would make the key and the message superficially quite different (though this isn’t why you would do it, exactly). In theory you don’t need the same data as duplicated inputs to generate the “password”, but it doesn’t hurt.

The actual security of this scheme, in terms of ability to prevent something that is not one of your terminals from logging in, or prevent terminal A’s user/owner from logging in as terminal B, is questionable. You haven’t provided enough info about that to be sure, but what you have provided is concerning (there’s very little entropy in MAC addresses or in serial numbers). But that’s not what you asked about.

signature – Why is adding s values in half aggregation insecure?

Jonas Nick and Tim Ruffing discussed in a presentation that summing up the s values in signature half aggregation would be insecure (without giving the reason).

They presented a secure solution which basically multiplied each value s_i with a hash that committed to the r-values, messages and public keys of the previous i-1 signatures and messages.

Why is that trick necessary? How does it produce security or in other words why does the aggregation become insecure if that was left out?

(I understand that this fixes the order of tx in a block and that if we didn’t do that, reorganizing transactions would leave us with the same half signature for a different block. However, I don’t see a direct problem, as the order of tx should already be fixed by the merkle root anyway, so I assume there is another reason?)

network – Why is connecting a range extender to a point isolated access point considered “insecure”?

Just trying to understand. Spectrum actively blocks any third party router, switch, range extender, etc. from being able to use the ethernet port on my Ruckus R610 for “security” concerns.

I also don’t understand how the router can distinguish between me connecting my laptop via ethernet vs the range extender.