
 SECURITY


  HeartBleed: Inside the heart, what causes the bleeding?

Just a few weeks after Apple's famous goto fail bug, another bug, this time in OpenSSL, has caught the world's attention. The bug is named Heartbleed. It was found in the OpenSSL library, a widely used open source library that handles much of the SSL/TLS communication between server and client applications. The reason this bug attracts so much attention is that it affects almost every site using an affected OpenSSL version; this includes applications such as the Nginx server, some Linux distributions, and many well-known websites including Yahoo and Amazon. Private keys on the web server may ...

7,718 0       OPENSSL HEARTBLEED


  The war with spam comment

Spam comments are annoying and notorious. They are either malicious data from attackers trying to exploit loopholes in the site, or advertisements posted by bots. These comments have their own features and patterns; if we are careful enough we can find ways to block most of them, although it is not easy. To block comments carrying malicious executable code such as JavaScript, remember one rule: never trust user input. Wherever there is user input, we need to validate the data, escape what users submit, and remove unnecessary HTML tags from t...

8,249 0       BLOCK SPAM COMMENT FILTER
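
As an added example (not code from the original article), this is the rule above carried out in Python: a whitelist sanitizer built on the standard library's HTMLParser. It keeps a small set of harmless formatting tags, discards every attribute (so onclick= and href="javascript:..." never survive), drops script and style elements together with their content, escapes all text, and closes tags the user left open so the output nests properly. The allowed-tag list and the sample comment are assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser

# Tags a comment may keep. Everything else is dropped, and attributes are never
# kept, so onclick=, style= and href="javascript:..." cannot get through.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "p", "br"}
VOID_TAGS = {"br"}
# Elements whose *content* is dropped as well: the text inside <script> is code.
DROP_WITH_CONTENT = {"script", "style"}


class CommentSanitizer(HTMLParser):
    """Rebuild a comment from its parse events, keeping only whitelisted tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []   # stack of allowed tags emitted and not yet closed
        self._skip = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        elif tag in ALLOWED_TAGS and self._skip == 0:
            self.out.append(f"<{tag}>")          # attributes deliberately discarded
            if tag not in VOID_TAGS:
                self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in self._open:
            # Close everything opened after `tag` too, so the output nests properly.
            while self._open:
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Text (including decoded entities such as &lt;) is always re-escaped:
        # an <img> typed by a user comes out as the literal string &lt;img&gt;.
        if self._skip == 0:
            self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass  # <!-- ... --> never reaches the page

    def close(self):
        super().close()                          # flush buffered text
        while self._open:                        # close tags the user left open
            self.out.append(f"</{self._open.pop()}>")


def sanitize_comment(raw: str) -> str:
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample comment, not a real submission.
    sample = ('Nice post! <b onclick="steal()">bold</b> <script>alert(1)</script>'
              '<a href="javascript:evil()">link</a> 1 &lt; 2 <i>unclosed')
    print(sanitize_comment(sample))
```

Run the sanitizer on the way in (before storing) and still encode on the way out; the whitelist is the one thing that needs extending when a new formatting tag is wanted, and adding any attribute handling means adding a URL-scheme check with it.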


  10 notorious computer virus

The history of computer viruses is as old as the history of computers. As computers become more powerful, viruses also become smarter and harder to detect and remove. They have a big impact on data security and system usability. We introduce 10 notorious computer viruses in history. 1. Creeper. In 1971 the Creeper virus, an experimental self-replicating program, was written by Bob Thomas at BBN Technologies. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the...

16,903 0       SECURITY HISTORY COMPUTER VIRUS


  Using htpasswd to protect your website in Nginx

We frequently need to build a password-protected website, such as an internal site for the team or a demo site. What we discuss here is password protection at the Nginx server level rather than application-level registration and login. We will use the Nginx server configuration and an htpasswd file to achieve password authentication. The final result looks like the screenshot below (different browsers present different dialogs). If authentication fails, the server returns HTTP error 401 Authorization Required. To achieve this, we need to modify the server configuration and create the userna...

11,478 2       NGINX PASSWORD PROTECTED HTPASSWD
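
As an added example (not code from the original article), this Python script produces the htpasswd file the procedure above needs and checks a password against it the way nginx does on each request. It uses the {SSHA} (salted SHA-1) scheme that nginx's auth_basic module accepts; the user names, passwords, file path and the nginx location block shown in the comment are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
import stat
import tempfile

# nginx side (directive names are nginx's own, the path and realm are assumed):
#
#   location /internal/ {
#       auth_basic           "Team only";
#       auth_basic_user_file /etc/nginx/htpasswd;
#   }
#
# A request without valid credentials gets 401 and a WWW-Authenticate header.

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def htpasswd_ssha_line(user: str, password: str, salt: bytes = None) -> str:
    """One htpasswd line in the {SSHA} scheme: user:{SSHA}b64(sha1(pw+salt)+salt)."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    encoded = base64.b64encode(digest + salt).decode("ascii")
    return f"{user}:{SSHA_PREFIX}{encoded}"


def verify_ssha_line(line: str, user: str, password: str) -> bool:
    """Check a password against one {SSHA} line; False on any malformed input."""
    name, sep, stored = line.rstrip("\n").partition(":")
    if not sep or name != user or not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def write_htpasswd(path: str, entries: dict) -> None:
    """Write user->password pairs as an htpasswd file with mode 0600.
    Chown it to the account nginx's worker processes run as; keep it outside
    the document root so it can never be served."""
    lines = [htpasswd_ssha_line(u, p) for u, p in entries.items()]
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


if __name__ == "__main__":
    # Constructed sample accounts, written to a temporary file for the demo.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "htpasswd")
        write_htpasswd(path, {"alice": "correct horse", "bob": "battery staple"})
        with open(path, encoding="ascii") as fh:
            first = fh.readline()
        print(first.strip())
        print("alice ok:", verify_ssha_line(first, "alice", "correct horse"))
        print("bad pw :", verify_ssha_line(first, "alice", "wrong"))
```

Salted SHA-1 is fast to brute-force, so it only makes sense behind a strong, unique password; where the system's crypt() offers a slower scheme, the htpasswd tool can produce that instead, and the file format stays the same.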


  Password-less login

Most websites need user login in order to provide personalized content to visitors. The usual way is to ask the user to register an account. Actually this is not so appealing: if we need to remember one password for each website, it's troublesome, while for developers it is their responsibility to protect passwords, and once passwords are leaked it is a big headache for a website's business and reputation. So long ago people started thinking about password-less login, which is a big relief for both users and websites. We discuss some common ways of password-less login. 1. OpenID. OpenI...

6,481 0       PASSWORD-LESS LOGIN AUTHENTICATION


  25 worst passwords in 2012

A weak password is a serious security vulnerability, but the majority of network users still use the same simple character sequences as passwords. SplashData recently announced its list of the world's worst passwords of 2012. "password", "123456" and "12345678" still hold the top places, while the rest of the list has shifted; some new entries such as "welcome", "Jesus", "ninja", "mustang" and "password1" are on the list. On the risk of password loss, SplashData CEO Morgan Slain said he hoped network users would be more careful about their own network status and more conscious about password secu...

3,488 0       SECURITY PASSWORD


  Why should we drop or reduce use of MD5?

MD5 is a frequently used one-way hash algorithm; it is commonly used in the following situations: Checking data integrity. We take the hash of the data stored in two different places and compare them. If the hash results are the same, there is no need to compare the actual data. This relies on collision resistance: two different data blocks should have almost no chance of producing the same hash value (a property MD5 no longer provides in practice, since colliding inputs can be constructed deliberately). Many data service providers use this technique to detect duplicate data and avoid repeated uploads. It is also frequently used when transferring files to ensure the file is not modified during ...

3,594 0       ATTACK VULNERABILITY MD5
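
As an added example (not code from the original article), this Python snippet implements the two uses described above, duplicate detection by fingerprint and an integrity check after transfer, with SHA-256 in place of MD5. The hash-and-compare technique is exactly the one the paragraph describes; only the algorithm changes, because an attacker who can craft MD5 collisions could upload one file and later have a different file "deduplicate" against it, or pass an integrity check with modified content. The store class, function names and sample data are assumptions for the example.

```python
import hashlib
import hmac

# MD5 collisions can be produced on demand, so anywhere the input is attacker
# controlled the fingerprint must come from a collision-resistant hash.
FINGERPRINT_ALGO = "sha256"
LEGACY_ALGO = "md5"   # kept only to read fingerprints an old system recorded


def fingerprint(data: bytes, algo: str = FINGERPRINT_ALGO) -> str:
    """Hex digest used as the content fingerprint."""
    return hashlib.new(algo, data).hexdigest()


class DedupStore:
    """Content-addressed store: a block is kept once and looked up by fingerprint.

    put() returns (fingerprint, stored_now); stored_now is False when the same
    content was already present, which is the "skip the upload" case.
    """

    def __init__(self, algo: str = FINGERPRINT_ALGO):
        self.algo = algo
        self._blobs = {}

    def put(self, data: bytes):
        fp = fingerprint(data, self.algo)
        if fp in self._blobs:
            return fp, False
        self._blobs[fp] = data
        return fp, True

    def get(self, fp: str):
        return self._blobs.get(fp)

    def __len__(self):
        return len(self._blobs)


def verify_transfer(received: bytes, expected_hex: str,
                    algo: str = FINGERPRINT_ALGO) -> bool:
    """Integrity check after a file transfer.

    compare_digest keeps the comparison constant-time so the check itself does
    not leak how many leading hex characters matched.
    """
    return hmac.compare_digest(fingerprint(received, algo), expected_hex)


def rehash_legacy_entry(data: bytes, recorded_md5: str) -> str:
    """Migration step: confirm a stored block still matches the MD5 an old
    system recorded, then return its SHA-256 fingerprint for the new index.
    Raises if the block no longer matches, rather than silently re-indexing it.
    """
    if not verify_transfer(data, recorded_md5, LEGACY_ALGO):
        raise ValueError("stored block does not match its recorded MD5")
    return fingerprint(data)


if __name__ == "__main__":
    # Constructed sample blocks, standing in for uploaded files.
    store = DedupStore()
    print(store.put(b"quarterly-report.pdf contents"))   # (…, True)
    print(store.put(b"quarterly-report.pdf contents"))   # (…, False): duplicate
    fp, _ = store.put(b"slides.pptx contents")
    print(verify_transfer(b"slides.pptx contents", fp))         # True
    print(verify_transfer(b"slides.pptx contentz", fp))         # False
```

Fingerprinting is enough to skip a duplicate upload and to spot accidental corruption; it does not prove who produced a file. Where the sender must be authenticated as well, the digest has to be signed or replaced by an HMAC under a shared key.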


  Mozilla releases a web identity system : Persona

Now almost every website requires the user to register; there are many benefits of registration for a website, such as retaining users, hosting discussions, providing customized content and so on. But it is too much trouble if every site requires registration, right? Of course users can find their own way: for less important sites, for example, using the same username, password and email so that you only need to remember one account. Then we also see some more advanced methods emerging, such as Facebook Connect, Twitter login, Google OAuth, etc.; this indeed eliminates some tro...

4,902 0       SECURITY MOZILLA PERSONA ID