How to protect myself against replay + MitM - REST

Let's picture the following scenario:
Bob talks to Alice using HTTP/HTTPS.
Bob wants Alice to send him some data, e.g. /rest/getAllItems, plus some token auth.
Eve intercepts the packet and sends it to Alice without even knowing what it contains.
Alice verifies the request token content (signature etc.) and sends the response to Eve instead of Bob.
How to prevent such a scenario from happening?

Related

AWS SES Reply To Previous Email

Is it possible to reply to an email that I previously sent the user using AWS SES? I don't see anything within the documentation that would accomplish this.
So I want to:
(1) Send email to email address X
(2) Reply to email thread from (1)
With more complicated mailing schemes, filling the "References" and "In-Reply-To" headers of the proceeding message with the "Message-ID" generated by SES for the first message can nudge email clients to keep both messages in the same thread.
For instance, my use case was Alice referring a client to Bob. First, I wanted to send a message from Alice to Bob with the client's info (not seen by the client); then a message to the client, from Alice, CC'ing Bob, introducing the client and Bob.
I think it will not be possible, as a reply is nothing more than a new message that email clients decide to group by some criteria (e.g. title and sender). You can try to send a new email with "RE:" before the original title and test if your most common clients (corporate email, gmail, outlook, etc.) group it as you expect.
Using the same subject counts as a reply within gmail.

XMPP - Roster Subscription Explanation

Consider I have 2 users, Alice and Bob, on my Jabber server. To add them into the rosters with subscription as both, I need to do the following steps:
Alice sends a subscription request to Bob.
When Bob receives the request, he approves it.
Bob may also be interested in Alice's presence, so he subscribes to her.
And Alice needs to approve Bob's request.
BUT
Now consider, Bob was not on the server, i.e. he is unregistered and Alice tries to add him into her roster.
Following are the steps which will take place:
Alice sends a subscription request to Bob.
Bob, being unregistered, didn't receive the request.
Alice->Bob subscription set as None.
Process ends Here.
Now, Bob got himself registered. How would Alice get to know that Bob got himself registered and that she needs to send the subscription request again, OR how would Bob push a notification to every user who added him into his/her roster? Which XEP/ejabberd module handles this?
We debugged WhatsApp and got to know that, in this case, Bob pushes a notification to all those users who added him in their rosters.
Well, the way I see it, it's more like: which type of configuration do you employ, as several scenarios come into factoring when setting up your environment. Here are a few ways I know such things might turn out.
The server in question plays a key role in connecting XMPP clients, in a situation such as on the Internet, where DNS servers play a prominent role in interconnecting clients. So if Bob was not registered at the time Alice sent a request, he might have a caching service that records all interconnection service, and when he becomes registered and he has an XMPP service that auto-discovers peers on the network (like I said, this would be user specific), but there has to be some type of user setting involved in the discovery process; his service would then pull all past requests from the cache and, depending on time limits, be able to retrieve Alice's request, and then he can respond. This is more from a philosophical perspective. But if you are a developer, you can write plugins for all the scenarios described above. If you need some more technical parameters we can talk about that, such as the type of discovery method you want to write on Bob's server, the type of caching engine you might want to put on Bob's network and how to plug it into his Jabber server, etc. This was just my own two cents. Just consider the situation somewhat similar to having a packet collector and retrieving offline messages when you log in, but in this case it would encompass the Jabber server, and the packet collector would be the caching service engine you plug in to your server.
If it were a LAN, it might be a little more difficult to be as dynamic as retrieving host records and all inter-connectivity issues, but the plausible solution I can muster is to have a preemption of all available contacts, or better still, operate within a specific sub-net.

How to create a masked email system?

I would like to implement a system of email masking on my web site/server similar to those ones of some ads' websites.
Example scenario: mysite.com
1) Bob posts an ad with ID #1234
2) Alice is interested and she contacts him through the website control panel
3) Bob receives an email from a-1234#mysite.com to his email bob#bob.com
4) Bob answers to a-1234#mysite.com, my web server receives the email and forwards it to alice#alice.com
5) Alice receives the email to her email alice#alice.com from b-1234#mysite.com
6) Alice answers to b-1234#mysite.com, my web server receives the email and forwards it to bob#bob.com
7) ...and so on
How can I do that?
Thank you

Possible security flaw in symmetric authentication

Alice wants to talk to Bob.
Bob validates Alice is Alice by sending Alice a nonce.
Alice encrypts the nonce with a key.
Ben also knows what this key is.
Ben cannot remember asking Alice for communication due to the fact that he is operating on a stateless server.
To get around this, Alice sends Ben his first communication request by sending the original nonce along with the encrypted nonce.
Would I be right in saying this is insecure because, if this message containing the original nonce and the encrypted nonce were to be intercepted by a hacker, the two could be reverse engineered and the key 'K' could be obtained?
thanks
I initially wanted to say "don't give the raw string and the encrypted string", but that's pretty much the same as posting the raw data along with the HMAC-hash of the data + secret key at the end. If you're confident that your encryption algorithm is good and you are using a secret key then I don't see how this could be an issue.
However, the entire point of a nonce is to be used ONCE. Alice sends Bob a request with a nonce, and Bob knows that if he gets a request from Alice with that same nonce, ignore it, because it likely came from an attacker and not Alice herself. So you shouldn't be doing this in the first place.
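An added example (not from either thread's participants) that ties the two nonce questions together: the replayed-REST-request scenario from the first question and the "use a nonce once" point made in the answer above. It signs each request with an HMAC over method, path, body, timestamp and a fresh nonce, and the verifier keeps a bounded seen-nonce cache so a forwarded copy of an accepted request is rejected. Header names, the shared key and the 300-second window are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time

SECRET = b"shared-secret-between-client-and-server"  # constructed demo key


def canonical(method, path, body, ts, nonce):
    # Bind the MAC to the whole request plus the freshness values,
    # so neither path, body, timestamp nor nonce can be swapped.
    return b"\n".join([method.encode(), path.encode(), body,
                       str(ts).encode(), nonce.encode()])


def sign_request(method, path, body, now=None):
    """Client side: attach timestamp, fresh nonce and HMAC-SHA256 tag."""
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(16).hex()  # 128-bit random, never reused by an honest client
    tag = hmac.new(SECRET, canonical(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": tag}


class Verifier:
    """Server side: signature check, freshness window and a seen-nonce cache."""

    def __init__(self, window=300):
        self.window = window
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, method, path, body, headers, now=None):
        now = int(now if now is not None else time.time())
        # Evict nonces older than the window; a replay that old fails the
        # timestamp check anyway, so the cache stays bounded without risk.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        try:
            ts = int(headers["X-Timestamp"])
            nonce, tag = headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing-or-malformed"
        if abs(now - ts) > self.window:
            return "stale"
        expected = hmac.new(SECRET, canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return "bad-signature"
        if nonce in self.seen:
            return "replay"  # Eve forwarding an already-accepted request lands here
        self.seen[nonce] = ts + self.window
        return "ok"
```

The nonce cache only stops the second use of a captured request; keeping Eve from reading or forwarding the first one on the wire is what TLS is for.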

How can I inform an XMPP sender of other clients sending messages on the sender's behalf?

I'm building a chat service that supports connectivity over the web as well as XMPP. Assume we have two users, Alice and Bob, chatting with each other over the web interface. Alice is simultaneously logged in via web and XMPP. If Bob sends a message to Alice, she sees the message in both clients, but if she replies via the web, the XMPP client ends up with a one-sided conversation: Alice's messages won't be part of the chat history, but Bob's messages will continue to arrive.
Is there any way in XMPP to inform a sender that a different client sent a message on the sender's behalf, to keep the conversations synchronized?
Get your server vendor to implement XEP-0280: Message Carbons. Then you'll need to turn it on in your client.