Yes, the transfered data is still sent encrypted. `-k`/`--insecure` will &quot;only make&quot; `curl` skip certificate validation, it will not turn off SSL all together. 

More information regarding the matter is available under the following link:

 - [curl.haxx.se - Details on Server SSL Certificates][1]


  [1]: http://curl.haxx.se/docs/sslcerts.html

It will be encrypted but insecure. If you trust the certificate you should add the certificate to your certificate store instead of connecting insecurely.

macOS: 
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt

Ubuntu, Debian:	
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
sudo update-ca-certificates

CentOS 6:
yum install ca-certificates
update-ca-trust force-enable
cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

CentOs 5:
cat foo.crt &gt;&gt;/etc/pki/tls/certs/ca-bundle.crt

Windows:
certutil -addstore -f &quot;ROOT&quot; new-root-certificate.crt

I am working on a site that uses jQuery and has a fair amount of javascript that is run using `$(document).ready()`. On my dev machine everything runs great but it&#39;s a pretty powerful machine. I have had reports from people using older hardware of behavior that seems strange and I am fairly convinced that it is down to the time taken to process this initial javascript on slower machines.

Clearly, the solution is to sort out this initial javascript but it got me wondering - does anyone know of a way to slow down the execution speed of javascript in either Chrome or Firefox to be able to simulate these slower clients on my dev machine?

Cheers!

***Update:***
Back when this question was posted, there weren&#39;t the same set of tools that there are today. At that time the VM option was the best option therefore I am leaving it as the accepted answer. However these days I would go straight for Chrome dev tools instead as suggested by Oded Niv

Is there a way to throttle javascript performance to simulate a slow client

Users are allowed to add explicit specializations to the `std` namespace. However, there are a few templates that I am explicitly forbidden from specializing.

What templates can and can&#39;t I specialize?

What can and can&#39;t I specialize in the std namespace?

I have a situation where the client makes a call through curl to a https url. The SSL certificate of the https url is self signed and therefore curl cannot do certificate validation and fails. curl provides an option `-k/--insecure` which disables certificate validation. 

My question is that on using `--insecure` option, is the data transfer that is done between client and server encrypted(as it should be for https urls)? I understand the security risk because of certificate validation not being done, but for this question I am only concerned about whether data transfer is encrypted or not. 

curl - Is data encrypted when using the --insecure option?

<p>I have a situation where the client makes a call through curl to a https url. The SSL certificate of the https url is self signed and therefore curl cannot do certificate validation and fails. curl provides an option <code>-k/--insecure</code> which disables certificate validation.</p>
<p>My question is that on using <code>--insecure</code> option, is the data transfer that is done between client and server encrypted(as it should be for https urls)? I understand the security risk because of certificate validation not being done, but for this question I am only concerned about whether data transfer is encrypted or not.</p>


I am trying to use one-time passwords that can be generated using [Google Authenticator application][1].

What Google Authenticator does
------------------------------

Basically, Google Authenticator implements two types of passwords:

- **HOTP** - HMAC-based One-Time Password, which means the password is changed with each call, in compliance to [RFC4226][2], and
- **TOTP** - Time-based One-Time Password, which changes for every 30-seconds period (as far as I know).

Google Authenticator is also available as Open Source here: [code.google.com/p/google-authenticator][3]

Current code
------------

I was looking for existing solutions to generate HOTP and TOTP passwords, but did not find much. The code I have is the following snippet responsible for generating HOTP:

    import hmac, base64, struct, hashlib, time
    
    def get_token(secret, digest_mode=hashlib.sha1, intervals_no=None):
        if intervals_no == None:
            intervals_no = int(time.time()) // 30
        key = base64.b32decode(secret)
        msg = struct.pack(&quot;&gt;Q&quot;, intervals_no)
        h = hmac.new(key, msg, digest_mode).digest()
        o = ord(h[19]) &amp; 15
        h = (struct.unpack(&quot;&gt;I&quot;, h[o:o+4])[0] &amp; 0x7fffffff) % 1000000
        return h

The problem I am facing is that the password I generate using the above code is not the same as generated using Google Authenticator app for Android. Even though I tried multiple `intervals_no` values (exactly first 10000, beginning with `intervals_no = 0`), with `secret` being equal to key provided within the GA app.

Questions I have
----------------

My questions are:

1. What am I doing wrong?
2. How can I generate HOTP and/or TOTP in Python?
3. Are there any existing Python libraries for this?

To sum up: please give me any clues that will help me implement Google Authenticator authentication within my Python code.

  [1]: https://market.android.com/details?id=com.google.android.apps.authenticator
  [2]: https://www.rfc-editor.org/rfc/rfc4226
  [3]: http://code.google.com/p/google-authenticator/

Google Authenticator implementation in Python

In Swing, the password field has a `getPassword()` (returns `char[]`) method instead of the usual `getText()` (returns `String`) method. Similarly, I have come across a suggestion not to use `String` to handle passwords.

Why does `String` pose a threat to security when it comes to passwords?
It feels inconvenient to use `char[]`.

Why is char[] preferred over String for passwords?

I wonder about shared preferences security.

Is it possible to get access to sharedpreferences, even if they were created in MODE_PRIV (0) ?  
Is it possible to list all sharedpreferences available and then fetch all settings from other apps?  
Is sharedpreferences good place to put sensitive data, such as password or auth token?

Thanks

Android SharedPreference security

What is the simplest way of doing two way encryption in common PHP installs?

I need to be able to encrypt data with a string key, and use the same key to decrypt on the other end.

The security isn&#39;t as big of a concern as the portability of the code, so I&#39;d like to be able to keep things as simple as possible. Currently, I am using an RC4 implementation, but if I can find something natively supported I figure I can save a lot of unnecessary code.

Simplest two-way encryption using PHP

**What:** Can NodeJS apps be distributed as binary? ie. you compile the .js app via V8 into its native binary, and distribute the binary to clients? (if you had total access to the NodeJS server)... or is minifying the code all you can do?

**Why:** We build serverside applications in NodeJS for clients, that have often to be hosted on the client&#39;s servers. Distributing source code means clients can easily steal our solution and stop paying licensing fees. This opens up the possibility of easy reverse-engineering or reuse of our apps without our awareness.

Secure distribution of NodeJS applications

I am trying to create a middleware for Express.js to redirect all non-secure (port 80) traffic to the secured SSL port (443).
Unfortunately there is no information in an Express.js request that lets you determine if the request comes over http or https.

One solution would be to redirect **every** request but this is not an option for me.

Notes: 

1. There is no possibility to handle it with Apache or something else. It **has** to be done in node.

2. Only **one** server can be fired up in the application.

How would you solve that?

How to force SSL / https in Express.js

I applied a self-signed SSL certificate in IIS manager to Default Web Site(added the HTTPS binding) and after that when I&#39;m trying to start the web site, I&#39;m getting the following error message:
&quot;The process cannot access the file because it&#39;s being used by another process. (Exception from HRESULT: 0x80070020) &quot;. But when I remove the HTTPS binding, everything works fine.
So, what is the problem? What might have I done wrong?&quot;

Applying SSL certificate in IIS manager and &quot;The process cannot access the file because it&#39;s being used by another process&quot; error

I&#39;m using *openssl* to create self-signed certs. I&#39;m getting this error with the certs I generated:

&gt; javax.net.ssl.SSLHandshakeException:
&gt; java.security.cert.CertificateException: No subject alternative names
&gt; present

&lt;br&gt;
Does anyone know how to specify &quot;Subject alternative name&quot; while creating a cert?
This is how I&#39;m generating a keystore:
       
    sudo $JAVA_HOME/bin/keytool -genkey -dname &quot;CN=192.168.x.xxx, OU=I, O=I, L=T, ST=On, C=CA&quot; -alias tomcat -validity 3650 -keyalg RSA -keystore /root/.keystore -keypass abcd -storepass abcd

To generate a key:

     openssl s_client -connect 192.168.x.xxx:8443 2&gt;/dev/null

Please help! Thanks!

How to add subject alernative name to ssl certs?

How can I convert a PFX certificate file for use with Apache on a linux server?

I created the PFX from Windows Certificate Services. The PFX contains the entire certificate chain. (Which is just a root and the main cert, no intermediate.)

Lead me, wise ones. 


How can I convert a PFX certificate file for use with Apache on a linux server?

I have an Ubuntu VM that is having trouble connecting to sites with ssl, i.e. https.  It can successfully download artifacts from the internet if the url begins with http.

npm install will download dependencies via https.  Is there anyway make it download via http?


npm install without ssl

Thanks for reading.

I am new to iOS and I am trying to upload an Image and a text using &lt;code&gt;multi-part form encoding&lt;/code&gt; in iOS. 

The &lt;code&gt;curl&lt;/code&gt; equivalent is something like this: &lt;code&gt;curl -F &quot;param1=value1&quot; -F &quot;param2=@testimage.jpg&quot; &quot;http://some.ip.address:5000/upload&quot;&lt;/code&gt;

The &lt;code&gt;curl&lt;/code&gt; command above returns the expected correct response in &lt;code&gt;JSON.&lt;/code&gt;

**Problem:** 
I keep getting a HTTP 400 request which means I am doing something wrong while composing the HTTP POST Body. 

**What I Did:**
For some reference, I tried  https://stackoverflow.com/questions/4683559/flickr-api-ios-app-post-size-too-large and https://stackoverflow.com/questions/5422028/objective-c-how-to-upload-image-and-text-using-http-post. But, I keep getting a HTTP 400. 

I tried the &lt;code&gt;ASIHttpRequest&lt;/code&gt; but had a different problem there (the callback never got called). But, I didn&#39;t investigate further on that since I&#39;ve heard the developer has stopped supporting the library: http://allseeing-i.com/[request_release]; 

Could someone please help me out?


ios Upload Image and Text using HTTP POST

How can we make a HTTP request like this in NodeJS? Example or module appreciated.

    curl https://www.googleapis.com/urlshortener/v1/url \
      -H &#39;Content-Type: application/json&#39; \
      -d &#39;{&quot;longUrl&quot;: &quot;http://www.google.com/&quot;}&#39;

send Content-Type: application/json post with node.js

I&#39;m trying to assign the output of cURL into a variable like so:

    #!/bin/sh
    $IP=`curl automation.whatismyip.com/n09230945.asp`
    echo $IP
    sed s/IP/$IP/ nsupdate.txt | nsupdate


However, when I run the script the following happens:

&gt;     ./update.sh: 3: =[my ip address]: not found

How can I get the output into `$IP` correctly?

Assign output to variable in Bash

I&#39;m sure the answer to this is going to be some painfully obvious character encoding issue...

I&#39;m using curl on the command line to test some endpoints in a python app.  The endpoint takes url params of latitude and longitude.  Nothing too special.  I put in the command:

    curl -v -L http://localhost:5000/pulse/?lat=41.225&amp;lon=-73.1

Server responds, with verbose curl output:

    * Connected to localhost (127.0.0.1) port 5000 (#0)
    &gt; GET /pulse/?lat=41.225 HTTP/1.1
    &gt; User-Agent: curl/7.21.6 (i686-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
    &gt; Host: localhost:5000
    &gt; Accept: */*
    &gt; 
    * HTTP 1.0, assume close after body
    &lt; HTTP/1.0 500 INTERNAL SERVER ERROR
    &lt; Content-Type: application/json
    &lt; Content-Length: 444
    &lt; Server: Werkzeug/0.8.1 Python/2.7.2+
    &lt; Date: Wed, 01 Feb 2012 17:06:29 GMT
    &lt; 
    {
        &quot;msg&quot;: &quot;TypeError: float() argument must be a string or a number&quot;, 
        &quot;flag&quot;: 0, 
        &quot;stack&quot;: [
            &quot;Traceback (most recent call last):&quot;, 
            &quot;  File \&quot;engine.py\&quot;, line 139, in dispatch_request&quot;, 
            &quot;    return getattr(self, &#39;action_&#39;+endpoint)(request, **values)&quot;, 
            &quot;  File \&quot;engine.py\&quot;, line 818, in action_getpulse&quot;, 
            &quot;    lon = float(request.args.get(&#39;lon&#39;))&quot;
        ], 
        &quot;err&quot;: 1
    * Closing connection #0
    }
    [1]+  Done

On the second line of that dump, it&#39;s obvious that the second param, `lon`, isn&#39;t being sent.  What am I doing wrong?  Thanks.

Why is curl truncating this query string?

So basically, I&#39;m trying to write a series of scripts to interact with Dot Net Nuke. I&#39;ve been analysing the traffic and can now login and do some basic tasks. However, I&#39;ve never handled binary file upload with curl. Would someone be willing to look at this to help me out? Here&#39;s the anatomy of the request:

http://pastebin.com/qU8ZEMaQ

Here&#39;s what I&#39;ve got for curl so far:

http://pastebin.com/LG2ubFZG

edit: For the lazy -

*length of the file is achieved and stored in LENGTH*  
STUFF is just a copy/paste of the request URL with parameters, minus the URL itself.

    curl -L --cookie ~/.cms --data-binary &quot;@background.jpg&quot; \
    --header &quot;Content-Length: $LENGTH&quot; \
    --header &quot;Content-Disposition: form-data&quot; \
    --header &quot;name=\&quot;RadFileExplorer1_upload1file0\&quot;&quot; \
    --header &quot;Content-Type: image/jpg&quot; \
    --header &quot;Filename=\&quot;background.jpg\&quot;&quot; \
    --data $STUFF \
    --referer &quot;Kept-Secret&quot; \
    &quot;Kept-Secret&quot;

Binary Data Posting with curl

I am running the following java program in the Eclipse IDE: 
    
    import java.net.*;
    import java.io.*;

    public class HH
    {
        public static void main(String[] args) throws Exception
        {
            //if i comment out the system properties, and don&#39;t set any jvm arguments, the program runs and prints out the html fine.
            System.setProperty(&quot;http.proxyHost&quot;, &quot;localhost&quot;); 
            System.setProperty(&quot;http.proxyPort&quot;, &quot;8888&quot;); 
            System.setProperty(&quot;https.proxyHost&quot;, &quot;localhost&quot;); 
            System.setProperty(&quot;https.proxyPort&quot;, &quot;8888&quot;); 

            URL x = new URL(&quot;https://www.google.com&quot;);
            HttpURLConnection hc = (HttpURLConnection)x.openConnection();

            hc.setRequestProperty(&quot;User-Agent&quot;,&quot;Mozilla/5.0 (Windows NT 6.0)
            AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2&quot;);

            InputStream is = hc.getInputStream();

            int u = 0;
            byte[] kj = new byte[1024];
            while((u = is.read(kj)) != -1)
            {
                System.out.write(kj,0,u);
            }
            is.close();
        }
    }
     
This produces the following exception, if fiddler is RUNNING, both while capturing, and not capturing:

    Exception in thread &quot;main&quot; javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown ...

If I close fiddler, the program runs fine without any exceptions, producing the html on the url i am connecting to.

alternatively, if i specify `System.setProperty(&quot;https.proxyPort&quot;, &quot;443&quot;);`, instead of: `System.setProperty(&quot;https.proxyPort&quot;, &quot;8888&quot;);`, it runs and prints out all html, without exceptions, even while fiddler is open, in capturing mode, but there is still no capturing from fiddler at all.


Then if I set these system properties through eclipse&#39;s jvm arguments like: `-DproxySet=true -DproxyHost=127.0.0.1 -DproxyPort=8888`, the same exact exception happens again, so long as the fiddler app is running, both in capturing and non capturing mode. If i close fiddler, the program will run perfectly fine.

If i use: `System.setProperty(&quot;http.proxyHost&quot;, &quot;127.0.0.1&quot;);`  instead of: `System.setProperty(&quot;http.proxyHost&quot;, &quot;localhost&quot;);`, it runs fine with fiddler application running, both cap-/non capturing mode, but also NO captured traffic.

Is anyone out there, able to capture their own https traffic with fiddler, NOT through a web browser, but through a java program? What are the jvm arguments, how do you set it up to do this? thanks

how to Capture https with fiddler, in java

I&#39;m trying to figure out how the best way to easily send HTTP/HTTPS requests and to handle gzip/deflate compressed responses along with cookies.

The best I found was https://github.com/mikeal/request which handles everything _except_ compression. Is there a module or method that will do everything I ask?

If not, can I combine request and zlib in some manner? I tried to combine zlib and `http.ServerRequest`, and it failed miserably.

Easy HTTP requests with gzip/deflate compression

I just learned from a colleague that omitting the &quot;http | https&quot; part of a URL in a link will make that URL use whatever scheme the page it&#39;s on uses.

So for example, if my page is accessed at http://www.example.com and I have a link (notice the &#39;//&#39; at the front):

    &lt;a href=&quot;//www.google.com&quot;&gt;Google&lt;/a&gt;

That link will go to http://www.google.com.  

But if I access the page at https://www.example.com with the same link, it will go to https://www.google.com

I wanted to look online for more information about this, but I&#39;m having trouble thinking of a good search phrase.  If I search for &quot;URLs without HTTP&quot; the pages returned are about urls with this form: &quot;www.example.com&quot;, which is not what I&#39;m looking for. 

Would you call that a schemeless URL?  A protocol-less URL?  

Does this work in all browsers?  I tested it in FF and IE 8 and it worked in both.  Is this part of a standard, or should I test more browsers?



URL without &quot;http|https&quot;

For example, running `wget https://www.dropbox.com` results in the following errors:

    ERROR: The certificate of `www.dropbox.com&#39; is not trusted.
    ERROR: The certificate of `www.dropbox.com&#39; hasn&#39;t got a known issuer.


How do I fix certificate errors when running wget on an HTTPS URL in Cygwin?

The sysadmin for a project I&#39;m on has decided that SSH is &quot;too much trouble&quot;; instead, he has set up Git to be accessible via an `https://` URL (and username/password authentication). The server for this URL presents a self-signed certificate, so he advised everyone to turn off certificate validation. This does not strike me as a good setup, security-wise.

Is it possible to tell Git that for remote X (or better, any remote in any repository that happens to begin with `https://$SERVERNAME/`) it is to accept a particular certificate, and *only* that certificate?  Basically reduplicate SSH&#39;s server-key behavior.

configure Git to accept a particular self-signed server certificate for a particular https remote

I am using npm v1.0.104/node 0.6.12 on ubuntu - I am receiving the error copied below while attempting to install any new modules via npm (I tested socket.io earlier using http, not https though &amp; am wondering if that could have resulted in the issue with npm/unsigned certs).  The error pops up once npm tries to resolve the &#39;https://registry.npmjs.org&#39; URL.  Is there anyway I can ignore the error or perhaps locate/add the cert to a trusted store in order to continue using npm. 

Any insight on what needs to be done to resolve the issue will be appreciated (I would prefer to resolve the issue through configuration as opposed to re-installing if possible).


&gt; Error: &quot;Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN&quot;

Full Message:

    npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
    npm ERR!     at ClientRequest.&lt;anonymous&gt; (/usr/lib/node_modules/npm/node_modules/request/main.js:252:28)
    npm ERR!     at ClientRequest.emit (events.js:67:17)
    npm ERR!     at HTTPParser.onIncoming (http.js:1261:11)
    npm ERR!     at HTTPParser.onHeadersComplete (http.js:102:31)
    npm ERR!     at CleartextStream.ondata (http.js:1150:24)
    npm ERR!     at CleartextStream._push (tls.js:375:27)
    npm ERR!     at SecurePair.cycle (tls.js:734:20)
    npm ERR!     at EncryptedStream.write (tls.js:130:13)
    npm ERR!     at Socket.ondata (stream.js:38:26)
    npm ERR!     at Socket.emit (events.js:67:17)
    npm ERR! Report this *entire* log at:
    npm ERR!     &lt;http://github.com/isaacs/npm/issues&gt;
    npm ERR! or email it to:
    npm ERR!     &lt;npm-@googlegroups.com&gt;
    npm ERR! 
    npm ERR! System Linux 2.6.38-13-generic
    npm ERR! command &quot;node&quot; &quot;/usr/bin/npm&quot; &quot;install&quot; &quot;jed&quot;
    npm ERR! node -v v0.6.12
    npm ERR! npm -v 1.0.104



receiving error: &#39;Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN&#39; while using npm

I&#39;m adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps:

    openssl req -new &gt; cert.csr
    openssl rsa -in privkey.pem -out key.pem
    openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
    cat key.pem&gt;&gt;cert.pem

This works, but I get some errors with, for example, Google Chrome:

&gt; This is probably not the site you are looking for!&lt;br&gt;
&gt; The site&#39;s security certificate is not trusted!

Am I missing something? Is this the correct way to build a self-signed certificate?


How to generate a self-signed SSL certificate using OpenSSL?

I&#39;m trying to connect a Java Web API via HTTPS; however, an exception is thrown:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException

I followed these steps which I learned from online keytool &amp; SSL cert tutorials:

1. I copied the HTTPS URL into the browser, downloaded the SSL certificates &amp; Installed them in the browser using Internet Explorer.

2. Exported the certificates to a path on my computer, the certificates were saved as `.cer`

3. Used the keytool&#39;s import option. The command below executed without any errors.

        keytool -import -alias downloadedCertAlias -keystore C:\path\to\my\keystore\cacerts.file -file C:\path\of\exportedCert.cer


4. I was prompted for a password at the command prompt, which I entered then I was authenticated. 

5. The `cmd` window printed some certificate data &amp; signatures and I was prompted with the question:  

    &gt; Trust this certificate?

 I answered yes.

6. The cmd prompt displayed 
  
    &gt; Certificate was added to keystore

  However after that message, another exception was displayed:

        keytool error: java.io.FileNotFoundException: C:\Program files\...\cacerts &lt;Access Denied&gt;

Finally when I checked the keystore , the SSL certificate was not added and my application gives the same exception I was getting earlier when trying to connect:

    (javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException)

Content Type	Original Author	Original Content on Stackoverflow
Question	randomuser	View Question on Stackoverflow
Solution 1 - Security	Filip Roséen - refp	View Answer on Stackoverflow
Solution 2 - Security	Becky Conning	View Answer on Stackoverflow

curl - Is data encrypted when using the --insecure option?

Security Problem Overview

Security Solutions

Solution 1 - Security

Solution 2 - Security

What can and can't I specialize in the std namespace?

Is there a way to throttle javascript performance to simulate a slow client

Attributions