sop4j.com rapport :   Visitez le site

Données techniques du sop4j.com

Geo IP vous fournit comme la latitude, la longitude et l'ISP (Internet Service Provider) etc. informations. Notre service GeoIP a trouvé l'hôte sop4j.com.Actuellement, hébergé dans United States et son fournisseur de services est Google Inc. .

the related websites

Analyse d'en-tête HTTP

Les informations d'en-tête HTTP font partie du protocole HTTP que le navigateur d'un utilisateur envoie à appelé GSE contenant les détails de ce que le navigateur veut et acceptera de nouveau du serveur Web.

DNS

HtmlToText

standard operating procedures for java wednesday, march 5, 2014 [anti-] jasypt: a misleading library this is not a flame! i am not trying to flame or overly criticize the efforts of daniel fernández or the jasypt team . i think their goal is a great one, and their efforts are appreciated (~8,000 lines of java, and ~13,500 lines of comments)! however, libraries like this worry me, and they should worry you too. why? because it seems to me from the documentation and code that the authors do not completely understand cryptography and have not gotten their efforts peer reviewed. [note: i disclosed this post to daniel in advance of publishing it because i consider that the proper thing to do with security relating findings. as such daniel and i have shared a few emails discussing this post. while he is not, and does not claim to be, a cryptography expert, he is much more knowledgeable about cryptography than the code and documentation would initially indicate.] why should i believe you? you shouldn't! you should read this blog. you should read the works of more knowledgeable people like nate lawson . you should read the works of more experienced people like coda hale . you should read the works of more knowledgeable and experienced people like d.j. bernstein . then with a grain of salt you can consider what i say (i have a phd in cryptography and 10 years industry experience, but know little compared to the folks linked above.) and form your own opinion. you need to know something about cryptography the goal of jasypt, as stated on their site, is to allow "the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works." on the surface it appears as though jasypt achieves this goal; however, when one dives into the documentation and implementation a few errors are found which, in my opinion, bring into question the security of the entire library. what makes this library potentially dangerous is that someone not well versed in cryptography and the "gotchas" of cryptography will assume they are "being secure" by using such a library. in reality they've potentially opened themselves up to weaknesses they don't even know exist. the unfortunate truth is that you need to have more than just a casual knowledge of cryptography if you plan on using it securely. if you plan on implementing a cryptographic library that hides details, then you need to be an expert in cryptography and get your work reviewed by people more knowledgeable and experienced than yourself. it does not appear that has been done with this library, yet it seems to have a fairly wide acceptance and integration into other projects . [note: again from my emails with daniel, there has been more peer review of this library than the documentation would lead you to believe.] in the next few sections i will describe the issues i've found with this library. two important statements before i continue: 1) i've probably missed other deficiencies in this library, if you find additional ones please leave a comment; 2) all is not lost, most of the issues can be easily fixed. [note: the timing attack has already have been fixed .] hashing != encryption one of the first examples on the homepage of jasypt is the following [note: the homepage has recently changed to use the strongpasswordencryptor as the example on the homepage]: basicpasswordencryptor passwordencryptor = new basicpasswordencryptor(); string encryptedpassword = passwordencryptor.encryptpassword(userpassword); ... if (passwordencryptor.checkpassword(inputpassword, encryptedpassword)) { // correct! } else { // bad login! } this seems straightforward enough. however, it shows a lack of the basic primitives of cryptography. encryption, by definition, is "two-way" meaning that whatever is encrypted can be decrypted. (for a more rigorous and precise definition of encryption and decryption, see the handbook of applied cryptography , chapter 1.) when you dig into the code of basicpasswordencryptor you see that in fact they are actually using a hash function, not encryption at all. am i being pedantic or overly academic, i don't think so. because the next example on the homepage is this: basictextencryptor textencryptor = new basictextencryptor(); textencryptor.setpassword(myencryptionpassword); string myencryptedtext = textencryptor.encrypt(mytext); ... string plaintext = textencryptor.decrypt(myencryptedtext); when you dig into the code behind basictextencryptor you find that it actually uses an encryption algorithm. at the very least this presents confusion. developers might believe that a basicpasswordencryptor and a basictextencryptor do the same thing when in fact they do not. [from daniel: the reason the word "encryption" is used there is basically marketing. jasypt is not a library created for the security expert, but for the average developer. and a good percent of the average developers think of "password encryption" and not of "password hashing". this is a term they usually understand better. and it is probably the way they searched it in google when they reached the jasypt website.] how can this be fixed? to start, renaming the passwordencryptor classes to something more appropriate like passwordhasher or passworddigester would be a good start. also, i would question why there is both a basicpasswordecnryptor and a strongpasswordencryptor? if the goal of this library is to prevent users from having to learn about cryptography, then why provide a choice? the differences are clearly documented (md5, 8 byte salt, and 1k iterations for basic and sha-256, 16 byte salt, and 100k iterations for strong), but now the user must know something about hash functions, salts, and the impact of iterations. this seems to go against the goal of the library. timing attacks i am not, and will never claim to be, an expert on timing attacks. they are subtle yet devastating attacks that pop up once you think you've done everything correctly ( nate lawson's talk , coda hale's blog on the issue i'm about to describe , djb on cache-timing attacks on aes , etc). this is where peer review is a must to ensure a properly formed library. someone like dj bernstein can probably find numerous timing attacks in the jasypt code. i only looked for, and found, one of the most classic... comparing hash results. if you look at the code for standardbytedigester you will find the following lines at the end of the matches() method: // digest the message with the extracted digest. final byte[] encryptedmessage = digest(message, salt); // if, using the same salt, digests match, then messages too. return (arrays.equals(encryptedmessage, digest)); the equals() method for the arrays class is used to compare the two digests (incorrectly labeled as an "encrypted message") to see if they are the same. the problem with using this method is that it opens the library up to a timing attack. this is the same bug found in the messagedigest.isequal(). essentially an attacker can work byte-by-byte to discover the digest of the password. it should be noted that the way in which jasypt uses this method i believe to be safe . however, as it is a public method, a developer can choose to use it in any way he/she wants. and considering this library is intended to be used by people not well versed in cryptography, i think it should be fixed. [from daniel: so the only vulnerable scenario would be one in which this matches(message, digest) method is called being the message argument the one considered secret, and in the specific case that what the attacker is trying to obtain is a suitable hash that matches (incl. salt and iteration) the hash that would be produced for such secret message. given this, i will admit that it would obviously be better if i change that line of code for a time-constant function, which i will do just in case.] fixing this particular issue is easy, just use messagedigest.isequal(). ho

Analyse PopURL pour sop4j.com

http://www.sop4j.com/search?updated-max=2013-01-18t18:22:00-05:00&max-results=7
http://www.sop4j.com/2014/03/
http://www.sop4j.com/2013/
http://www.sop4j.com/2014/01/dbutils.html
http://www.sop4j.com/2013/02/
http://www.sop4j.com/2014/03/anti-sop4j-jasypt-misleading-library.html
http://www.sop4j.com/2014/
http://www.sop4j.com/2013/02/intraprocess-pub-sub.html#comment-form
http://www.sop4j.com/2013/01/
http://www.sop4j.com/2014/01/
http://www.sop4j.com/2013/11/
http://www.sop4j.com/2014/03/anti-sop4j-jasypt-misleading-library.html#comment-form
http://www.sop4j.com/2013/01/parsing-command-line.html#comment-form
http://www.sop4j.com/2013/11/simple-statistics.html#comment-form
http://www.sop4j.com/2013/01/document-templating-or-mail-merge.html

Informations Whois

Whois est un protocole qui permet d'accéder aux informations d'enregistrement.Vous pouvez atteindre quand le site Web a été enregistré, quand il va expirer, quelles sont les coordonnées du site avec les informations suivantes. En un mot, il comprend ces informations;

Domain Name: SOP4J.COM
Registry Domain ID: 1774292525_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-01-18T12:06:03Z
Creation Date: 2013-01-18T02:24:18Z
Registry Expiry Date: 2018-01-18T02:24:18Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS03.DOMAINCONTROL.COM
Name Server: NS04.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-12-15T15:29:22Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

  REGISTRAR GoDaddy.com, LLC

SERVERS

  SERVER com.whois-servers.net

  ARGS domain =sop4j.com

  PORT 43

  TYPE domain
RegrInfo
DOMAIN

  NAME sop4j.com

  CHANGED 2017-01-18

  CREATED 2013-01-18

STATUS
clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
clientRenewProhibited https://icann.org/epp#clientRenewProhibited
clientTransferProhibited https://icann.org/epp#clientTransferProhibited
clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited

NSERVER

  NS03.DOMAINCONTROL.COM 216.69.185.2

  NS04.DOMAINCONTROL.COM 208.109.255.2

  REGISTERED yes

Erreurs

La liste suivante vous montre les fautes d'orthographe possibles des internautes pour le site Web recherché.