One main source of problems working with encryption is the creation of your private key and your certificate. You must create the key pair correctly, have it imported at the right place and if you just miss one important option, you can go on an endless hunt for the problem – one exception at the time.
Over the last weeks I run in to constant login problems with my Git repositories hosted in Azure DevOps. One day everything works, the next day I cannot connect. I seems as if Microsoft is pushing more actively the move to personal access tokens and the older approach with alternate credentials comes to an end. Those tokens offer more flexibility and you can create them in just a few simple steps.
Let's Encrypt offers free SSL certificates to protect the traffic between your website and the visitors. They are as good as the expensive commercial ones, but they need to be renewed every three months - thanks to automation, this is not a problem.
I use Let’s Encrypt for all my sites and never had any problems. A few clicks on the management interface of Plesk and all the traffic went over HTTPS – and the renewal just worked out of the box. With that experience I thought that using Let’s Encrypt on Azure should be no challenge at all. How wrong I was.
We recently run into a strange problem when we tried sign a message using a private and public key pair. Everything worked as expected on the developer machine, yet in the test environment the same code only throws this exception:
System.Security.Cryptography.CryptographicException: Keyset does not exist
Would it not be great if we as developer of a site could warn our users when their passwords are part of a data breach? There is a simple API we can use thanks to Troy Hunt’s "Have I been pwned?" site.
With nearly every application and website demanding an account, most developers will sooner or later have to store passwords. It is incredible how bad that can be implemented and how dire the consequences can be for the users. Take a quick look at the long list of sites taking part in "Have I been pwned?" and you can see how big the problem is.
Last week I blogged about password managers and how much help they are. However, not everyone can or want to use a service like LastPass and 1Password. Today I show you how KeePass manages all your passwords on your local machine.
A year went by since I blogged about "How many of your Accounts have been Compromised in a Data Breach?". At this time there where ~4 billion usernames and passwords collected on the site "Have I been pwned?" (or short HIBP). Since then, Troy Hunt could add another 1,500,000,000 accounts to the list. That is an enormous number and shows how big the problem of “lost” usernames and passwords is.
This post should help you to minimise the effect of a data breach. They happen all the time and when you reuse your passwords, those criminals cannot only access the site with the leak, but all sites where you used the same password.
If you want to check your dependencies for security vulnerabilities right in Visual Studio, then the approach with Dependency-Check and SonarQube is not good enough. In this case, you should try Audit.Net.
Welcome to the second part on Dependency-Check. Please make sure that you have read part one and got a working suppression file. Otherwise, you will get a lot of vulnerabilities reported in SonarQube.